Social fitness apps like Strava, which enable you to track your fitness progress together with your friends, have become a popular way to lead a healthier life. But at the same time that they might be giving your health a boost, they could be having very negative consequences indeed for user privacy.
The controversy over Strava and its implications for the U.S. military
The latest privacy controversy involves the Strava fitness app and how it might have been unknowingly revealing the locations of sensitive U.S. military bases around the world, in places like Syria, Afghanistan, Somalia and Iraq. In those nations, enemy combatants suddenly had a new way to discover the locations of U.S. troops.
The problem started when the company introduced a “heat map” showing the locations of people using the Strava fitness app. The idea was simple – it was supposed to show peak locations of people getting into great physical shape. The map could show a billon activities all around the world. As might be expected, the heat map was brightest in the world’s most crowded urban locations, where city dwellers were using the Strava fitness app anytime they went out for a run, bike or swim.
However, what Strava failed to take into consideration was that military troops training for battle might be using the app as well anytime they did training drills. Thus, a U.S. military officer out for a run around a military base in Afghanistan would be creating a trail of data that would eventually get uploaded to the Strava app, and then to the Strava heat map. In a desolate nation like Afghanistan – a team of military soldiers would show up as a bright pinprick of light in an otherwise dark nation.
And that’s how enemy combatants could geolocate where the troops were. Previously, they might have known the approximate location of a new military staging area, but now they had a precise way to pinpoint activity and keep a close eye on changing military positions and relative troop strengths (brighter dots would imply more troops being added to an area). That, of course, potentially exposed these military personnel to enormous risk. In response, the U.S. military, at the prodding of military and government officials, now says that it is putting into effect strict new rules on the use of these social fitness apps amongst its overseas personnel.
Fitness apps are a risk for all consumers
Unfortunately, this is not just a standalone incident or unique situation. Privacy experts now highlight the perils of exposing your personal data to the public, especially if you are sharing data on social media (“Hey, check out this long run I just completed!”). In one obvious example, it might make it easier for someone to know the exact daily habits of a particular individual. And, in some cases, it could even make it possible to know the precise home address. Imagine going out for a long run and returning home, only to find a stranger waiting for you…
You would think that this would be an easily solvable problem – just toggle on the app’s user privacy settings, right? Wrong. The reason, quite simply, is that these apps don’t want you to turn on your privacy settings, and they make it as difficult as possible to find out how to do this.
In the case of Strava, you need to follow a circuitous route to discover the user privacy settings within the app. And even when you do find the “enhanced privacy” feature – which enables you to stop sharing data with friends – it might not give you the type of total privacy that you expect. In fact, Strava admits that even with the “enhanced privacy” feature, some data is still shared with third parties. The fitness tracker can still reveal potentially sensitive data.
Even worse, fitness apps are far more lax about privacy policies than other top apps. Only 70 percent of social fitness apps have some form of privacy policy, compared to 76 percent for other top apps. That means an astounding 30 percent of social fitness apps have no privacy policy at all – they haven’t even given a single thought to user privacy! Moreover, only 61 percent of these fitness apps have a privacy policy that can be read within the app store itself before downloading, compared to 71 percent of other apps. Thus, it appears that these apps really don’t want users digging too deeply into what types of data they are collecting. By the time you download an app, are you really going to ask too many questions about privacy?
Fitness apps may have a flawed business model
At the same time, these apps are collecting a variety of different data about you – not just fitness data, but also geo-location data and online behavior data. In one study, it was found that the typical fitness apps collect 8 different types of data about you. You see, their entire business model is based on data. Since most of these apps are free (and can be used without upgrading to a paid plan), they rely on advertisers to become profitable. So, they have a very vested interest in literally selling your data to the highest bidder.
This is a problem, for example, that Strava CEO James Quarles has recognized. His company still is not profitable, and so Strava is making its platform behave more like a social network. This in effect dramatically increases the amount of user behavioral data collected and will perhaps lead the way to profitability. While how much revenue is attributed to the sale or licensing of anonymized user data to third parties, including customers of the Strava Metro product, one thing is clear, fitness apps are not just about fitness anymore.
Fitness apps need to do more to protect user privacy
To their credit, some of the fitness apps – including Strava – have tried to add some additional features to protect user privacy, but usually only after a public outcry. For example, Strava now makes it possible to create a “geo-fence” around your activities, so that people don’t know your precise address. (However, a mobile security firm recently disclosed an easy way to crack this using simple triangulation and high school geometry.)
Going forward, it’s clear that social fitness apps such as Strava need to be doing more to enhance user privacy and safety. The recent snafu involving the disclosure of U.S. military personnel location data has increased awareness of the perils created by tracking apps. If you are concerned about sensitive data getting out into “the wild,” then you need to be taking steps of your own to know exactly how these apps are collecting data, and how they are using it.
