The home address of Sweden’s prime minister Ulf Kristersson — along with several of his frequent locations and travel movements — was revealed through publicly available Strava uploads by his own bodyguards, in a major security breach that echoes last year’s investigation into how similar GPS data compromised the safety of world leaders including Donald Trump, Joe Biden and Emmanuel Macron.

As reported by Swedish newspaper Dagens Nyheter, a review of more than 1,400 Strava training activities uploaded by seven bodyguards assigned to government figures uncovered that, on at least 35 occasions, the sensitive routes were traceable to Kristersson’s private residence, his regular jogging loops, and international travel itineraries — including a family trip to the autonomous Finnish islands of Åland in October 2024.

The revelation follows Le Monde’s investigation from October last year, which found dozens of agents from the US Secret Service, France’s presidential GSPR, and Russia’s FSO openly uploading GPS logs of their movements to Strava. One such upload revealed Biden’s hotel location ahead of a key summit with Xi Jinping, while another showed Macron’s secret weekend at a Normandy resort — all deduced from the visible start and end points of jogging routes.

> Bodyguards using Strava are putting Trump, Macron, Biden and other world leaders in danger, French newspaper investigation claims

In Sweden’s case, Strava uploads by Kristersson’s personal protection team appear to have documented security details stretching back years, including movement patterns around Stockholm’s government buildings and Harpsund, the prime minister’s official country residence.

The most recent data came from “just a few weeks ago”, when a bodyguard recorded a run starting at Harpsund — publicly accessible to anyone using the platform.

The Swedish Security Service (Säpo) told the press they were “taking the findings very seriously” and had opened an investigation. “This is information that could be used to map the activities of the security service,” a spokesperson said, adding that bodyguards are just one “layer” of protection and that Säpo already assumes certain data “can be known in advance”. The service confirmed it is “taking measures to prevent this from happening again”.

Neither the prime minister’s office nor the Swedish government would comment on the situation, citing a policy of non-disclosure regarding the security of current or former ministers. Strava has not responded publicly.

The use of Strava by military and security personnel has long raised alarms. Back in 2018, the app’s Global Heatmap function — which aggregates publicly shared activity into an interactive visual map — was found to reveal the layout and activity patterns of military bases around the world. That included secret CIA black sites, drone launch centres in Djibouti, and even UK intelligence hubs like GCHQ Cheltenham.

> Licence to nick? Two men arrested for trying to steal bike from UK’s high-security spy base… while looking for beers

Strava Heatmap GCHQ.PNG
Strava Heatmap GCHQ (Image Credit: Farrelly Atkinson)

The problem, researchers have pointed out repeatedly, is that individual behaviour can be easily de-anonymised in remote areas. In 2023, a study by North Carolina State University showed how persistent “heat” signatures near residential buildings could be reverse-engineered to reveal personal addresses and habits of individual users — contradicting Strava’s claims of aggregated privacy.

In Wales, too, the consequences have gone beyond state security. Dyfed-Powys Police previously warned cyclists that thieves had been using Strava uploads to identify and locate expensive bikes.

“Some GPS data is so accurate it pinpoints the exact house where their rides have begun and ended,” an officer said, advising cyclists to activate privacy zones or start recording rides only after leaving their neighbourhood.

> ​Strava Heatmap could allow identification of user addresses, say researchers

Strava, for its part, says it offers “a suite of privacy controls” that allow users to hide start and end points of activities, limit who can view uploads, and opt out of aggregated features like the Heatmap.

It has previously insisted that “the safety and privacy of our community is our highest priority” and that no individual names are shown on the Heatmap unless users opt in and share their activities publicly.