Strava’s fitness heatmaps are a 'potential catastrophe'
By David Ingram
SAN FRANCISCO (Reuters) - Fitness-tracking app Strava said starting on Tuesday it will restrict access to an online map that shows where people run, cycle and swim and remove some data after researchers found it inadvertently revealed military posts and other sensitive sites.
Strava's heat map shows exercise routes in colors such as white, orange and purple that signify their popularity. The map drew worldwide attention in January when academics, journalists and private security experts used it to deduce where military personnel were deployed, by looking on the app for workout locations in war zones.
Strava is launching a new version of the heat map, a tool that displays data in map form, that will bar access to street-level details to anyone but registered Strava users, Strava Chief Executive James Quarles told Reuters.
Roads and trails with little activity will not show up on the revised map until several different users upload workouts in that area, the company said. The map will also be refreshed monthly to remove data people have made private.
Security experts previously spotted on Strava's map what they believed to be the movements of U.S. soldiers in Africa and of people who work at a suspected Taiwanese missile command, all of whom had shared workouts apparently without realizing the implications.
In some spots, such as Afghanistan, researchers speculated that most or all of Strava's users were soldiers or related personnel, making it easier to spot their bases.
Quarles said that the company did not anticipate that people would find sensitive information on the map because fitness data is shared voluntarily. The company does not track people without their knowledge, he said.
"Our use is really explicit," Quarles said in an interview, his first on the subject. "You're recording your activity in its location for the express purpose of analyzing it or sharing it and to do so publicly."
Strava customers have the option of keeping their workouts private, and the map included no names. But the episode underscored how big data sets held by Silicon Valley companies can be used for unintended purposes.
Strava's initial response, in which it pledged to help people better understand the app's privacy settings, was not enough for U.S. lawmakers, who demanded to know what steps the company was taking to protect privacy.
The privately held San Francisco company has 150 employees and bills itself as the "social network for athletes." It has 28 million users, 82 percent of whom are outside the United States.
People use Strava, or competitors such as Runkeeper or MapMyRide, to log exercise and follow the activity of friends or celebrity athletes. The services sync to GPS-enabled watches and other wearable technology.
It was not clear how much of a difference the company's changes would make. Quarles said he did not know how much data would be removed, and he said Strava was focused on educating its users about privacy settings as the most effective way to keep secret locations secret.
The real danger is the data that underlies the map, including non-public information like names, times and dates, which spy agencies or others would like access to, said Jeffrey Lewis, a nuclear policy expert at the Middlebury Institute of International Studies.
"The heat map is not the problem. The heat map was just a shocking demonstration of the incredible data they possess. The heat map just said, 'Hack me,'" Lewis said.
Quarles said there have been no signs of hacking attempts, and that the company was not aware of any physical attacks due to Strava's heat map.
USE OF HEAT MAP
The idea behind the heat map, which launched in 2014, was to help people find new places to exercise. About 100,000 people use it, Quarles said.
The most recent version of the heat map launched in November, and a student in Australia was the first to identify sensitive sites. His Twitter posts and heat-map images drew unprecedented attention to the map.
Quarles said many people assumed the worst, such as that Strava had collected data secretly, because the company is little-known outside sports circles.
"We sounded like a nameless Silicon Valley company. We probably weren't as well understood," Quarles said.
The heat-map revelations prompted the U.S. Defense Department, which encourages personnel to limit their internet presence, to review security protocols.
Quarles said Strava has been in contact with U.S. defense and intelligence officials, and he said they did not ask Strava to take down the map.
Quarles, who previously was Facebook's vice president of Instagram business, met congressional staff in Washington, D.C., last month. A congressional aide confirmed the meeting but declined to comment further.
Despite widespread media coverage of the heat map, Strava did not have many inquiries from authorities outside the United States, Quarles said. "We've not been contacted to make any changes," he said.
(Reporting by David Ingram; Editing by Jonathan Weber and Cynthia Osterman)