By Praveen Kannan and Anna Strokolyst The Hotspot Shield team believes the internet should be open and secure …
Social fitness apps allow us to share our training, track our progress, and follow our friends’ workouts. They’ve done more to motivate people to stay active than perhaps any other workout tool, building a community for like-minded people to share their passion for health and fitness. The trouble is, these apps can also expose sensitive data like where we live and which trails we like to run—becoming a significant threat to our online privacy and safety.
Take Strava, for example. The popular training app, used by millions of cyclists and runners around the world, unknowingly exposed secret U.S. military bases when it published its global activity heatmap. The heatmap aggregated all of its users’ training routes, including those of U.S. military members who were using the app while at secret CIA “black” sites. When their workouts showed up on the heatmap in these typically unfrequented locations, experts put two and two together.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
These were secret intelligence bases abroad that few knew existed, and yet here we could see not only where they were located, but what the officers’ typical training patterns entailed, where they’d be at what time of the day, and which routes they’d use outside of the safety of the base for their longer training runs.
As you can imagine, this information could be deadly in the hands of our enemies.
Is this Strava’s fault? Well, no, not really. Strava provides privacy settings where you can opt out of sharing your data and location. But then that kind of defeats the social aspect of the app itself. After all, if you just ran a new PR for the 5k distance, who wouldn’t want to share that triumph with all of their followers? In the case of the Strava military fiasco, however, this was a gross case of negligence, and these military members should have known better. But for the general public, the risks may not seem so pronounced.
The quantity of sensitive data we’re revealing in fitness apps is staggering. For instance, if you post your workouts to apps like Strava, MapMyRun, MapMyRide, Nike+ Run Club, Runkeeper, and others, it’s likely that I could determine the times of day you usually leave the house to go for a run or ride, where you typically go on those workouts, and—most worryingly—precisely where your home is located. Activities that start and finish at the same spot day after day give it away: that spot is almost always your front door. I can find all of this information in just a few minutes.
In fact, there are many well-known people—including movie stars and professional athletes—that are using these popular fitness apps and willingly sharing their information. I won’t name names—we’re in the business of protecting people’s privacy not exposing it, after all—but in many cases, I could tell you precisely where these celebrities live, and even which hotels they stayed at when out of town. This is clearly a safety and security concern.
We often think about social apps like Facebook, Twitter, and Instagram as being the most detrimental to our privacy and security. After all, it’s here we post precisely what we’re doing, share pictures of our kids, announce our birthday, and let people know when we’re on vacation. If you’re a burglar, social media is an easy tool to determine when someone is away from home. And if you’re a cybercriminal, you can pull much of the information you need to build a fake profile and steal someone’s identity.
Either way, both situations are dangerous.
Combine this with fitness apps and you get an incredibly granular picture of a person’s daily activity. We’d never tell a stranger where we live, and yet we’ll openly post our runs that start and finish at our front door without thinking twice.
I’m not here to say you shouldn’t use fitness apps; in fact, quite the opposite. I believe these apps empower people to work out longer, train harder, and generally become healthier and more active. But we shouldn’t forget about the information we’re sharing. Make it a point to go through your privacy settings and be sure to understand exactly what you’re sharing and who you’re sharing it with.
Strava, for its part, is using in-app notifications to prompt people to do just this, and it offers a feature called “Privacy Zones,” which creates a digital ‘fogbank’ around an address you choose: the portion of each activity that falls within a radius of that address is hidden from the published route, so your runs no longer visibly begin and end at your door. That makes it significantly more difficult for creeps to figure out where you live.
If your preferred app doesn’t offer these settings (many don’t), or if you don’t want to make all your activities private, one simple tip is to not start the app until you’re at least a few blocks away from home, and to stop it before you get back. And be sure to vary where you start and stop each time you work out, so that your start and end points don’t cluster around a single spot and make it easy for the bad guys to pinpoint your exact location.
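The following is an added example, not code from the original article and not Strava’s own implementation. It shows the two halves of what is described above: first, how an attacker can infer a home address from nothing more than the start and end points of a handful of published activities (the densest cluster of endpoints), and second, how a privacy zone defeats that inference by dropping every track point within a chosen radius of the protected address before publication. The GPS tracks and the home and gym coordinates are constructed for the demonstration, the 50 m clustering radius is an assumed GPS-noise tolerance, and the privacy-zone behaviour is a simplification (the real feature works on the portions of the route near the address; here every point inside the radius is removed).

```python
import math

# --- geometry -------------------------------------------------------------

def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


# --- the attacker's side: infer a home from published activity endpoints --

def infer_home(activities, radius_m=50.0):
    """Find the densest cluster of activity start/end points.

    Returns (centroid, support) where support is the number of endpoints
    within radius_m of the best anchor. radius_m is an assumed tolerance
    for consumer GPS jitter; a home address shows up as many endpoints
    landing on the same spot."""
    endpoints = []
    for track in activities:
        if track:
            endpoints.append(track[0])
            endpoints.append(track[-1])
    best = []
    for anchor in endpoints:
        members = [p for p in endpoints if haversine_m(anchor, p) <= radius_m]
        if len(members) > len(best):
            best = members
    if not best:
        return None, 0
    lat = sum(p[0] for p in best) / len(best)
    lon = sum(p[1] for p in best) / len(best)
    return (lat, lon), len(best)


# --- the defender's side: a simplified privacy zone -----------------------

def apply_privacy_zone(track, center, radius_m):
    """Drop every point within radius_m of the protected address.

    Simplification of a Strava-style privacy zone: the published route is
    the original track minus its 'fogbank'. Manually starting the app a few
    blocks from home and stopping it before returning has the same effect."""
    return [p for p in track if haversine_m(p, center) > radius_m]


# --- constructed sample data (not real activities) ------------------------

HOME = (37.7749, -122.4194)   # hypothetical front door
GYM = (37.7850, -122.4000)    # hypothetical gym, ~2 km away

def out_and_back(start, dlat, dlon, steps=40):
    """Synthetic out-and-back track: 'steps' points out, then the same points home."""
    out = [(start[0] + dlat * i, start[1] + dlon * i) for i in range(steps + 1)]
    return out + out[-2::-1]

ACTIVITIES = [
    out_and_back(HOME, 0.0005, 0.0),                                 # north from home
    out_and_back(HOME, 0.0, 0.0006),                                 # east from home
    out_and_back((HOME[0] + 0.0001, HOME[1] - 0.0001), -0.0004, 0.0004),  # SE, ~14 m GPS jitter at start
    out_and_back(GYM, 0.0005, 0.0),                                  # a run from the gym
]

def demo(zone_radius_m=500.0):
    """Run the inference before and after trimming; return both results."""
    before = infer_home(ACTIVITIES)
    trimmed = [apply_privacy_zone(t, HOME, zone_radius_m) for t in ACTIVITIES]
    after = infer_home(trimmed)
    return before, after

if __name__ == "__main__":
    (guess, n), (guess2, n2) = demo()
    print(f"before: {n} endpoints cluster {haversine_m(guess, HOME):.0f} m from home")
    print(f"after:  best cluster has {n2} endpoints, {haversine_m(guess2, HOME):.0f} m from home")
```

Three of the four constructed activities start and end at the same door, so the attacker’s clustering step pins the home to within a few metres with six supporting endpoints. After a 500 m privacy zone is applied, every published start and end point sits more than 500 m from the address, the best cluster drops to the two endpoints a single out-and-back run naturally shares, and no cluster points back at the house. The same trimming is what the manual tip above approximates: start recording a few blocks away, stop before you get home, and vary the spot.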
As with all social media accounts, the data we share on fitness apps is something we need to be more mindful of. Because as the Strava military fiasco proves, it’s all too easy for our sensitive data to get out there—and you never know who might be watching.