Strava tweaks Global Heatmap feature in response to military security concerns

Move follows revelation in January that app showed locations of sensitive sites

Strava is to limit access to its Global Heatmap, which shows where people undertake activities logged on the social network, to registered users after security concerns were raised earlier this year because it showed sensitive locations such as military installations.

The presence of such sites on the Global Heatmap was first noted by Nathan Ruser, an analyst at the Institute for United Conflict Analysts, who said it was “not amazing for Op-Sec” [operational security] and that “US bases are clearly identifiable and mappable.”

Particular concerns were raised by security experts regarding countries such as Syria and Afghanistan, where it was thought likely that most users of the app would be military personnel.

> Strava accused of giving away military secrets through its Global Heatmap

Strava has told Reuters that changes to the Global Heatmap being rolled out from this week will mean that only registered users will be able to see data at street level, that places with limited activity will not be displayed until several users have posted activities there, and that private data will be removed each month through a refresh of the feature.

Chief Executive James Quarles told Reuters that the company was open about how it used data and that it was up to users how much they shared on it.

He said: “Our use is really explicit. You’re recording your activity in its location for the express purpose of analysing it or sharing it and to do so publicly.”

The company is encouraging users to familiarise themselves with Strava’s privacy features so as not to reveal information relating to sensitive locations.

Quarles added that the company had been in touch with defence and intelligence agencies in the US and had not been requested to remove the Global Heatmap.

He added that Strava had not been asked to make changes to the feature by any countries outside the US as a result of the revelations.

Jeffrey Lewis, an expert on nuclear nonproliferation and geopolitics at the Middlebury Institute of International Studies, told Reuters that the biggest security issue was not the heat maps themselves, but the access they might give to information underlying them such as names and dates.

“The heat map is not the problem. The heat map was just a shocking demonstration of the incredible data they possess. The heat map just said, ‘Hack me,’” he explained.

However, according to Quarles, there is no evidence of attempts to hack the database, and Strava has no knowledge of any physical attacks that may have happened due to the heat map.

He believes lack of awareness of the Strava name outside the sports community had not helped the situation, saying: “We sounded like a nameless Silicon Valley company. We probably weren’t as well understood.”

When concerns were first raised in January, Strava said: “Our Global Heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform.

“It excludes activities that have been marked as private and user-defined privacy zones.

“We are committed to helping people better understand our settings to give them control over what they share.”

3 comments

HoarseMann | 7 years ago
0 likes

All the heatmap shows on these military bases are the roads and paths, information that is just as easily gleaned from satellite imagery.

If individual users have been careless by posting information that makes them identifiable, then that’s a different issue. But no more so than any other social media platform. 

Griff500 | 7 years ago
2 likes

I don't get it. To become a registered member all you need is an email address. What am I missing?

The_Vermonter | 7 years ago
1 like

I feel for Strava's programmers. They should not have had to do this work. Operational security is the responsibility of individual servicemembers. Those who compromised it should have been punished.
