Strava is to limit access to its Global Heatmap, which shows where people undertake activities logged on the social network, to registered users, after security concerns were raised earlier this year that it revealed sensitive locations such as military installations.
The presence of such sites on the Global Heatmap was first noted by Nathan Ruser, an analyst at the Institute for United Conflict Analysts, who said it was “not amazing for Op-Sec” [operational security] and that “US bases are clearly identifiable and mappable.”
Particular concerns were raised by security experts regarding countries such as Syria and Afghanistan, where it was thought likely that most users of the app would be military personnel.
Strava has told Reuters that changes to the Global Heatmap being rolled out from this week will mean that only registered users will be able to see data at street level, that places with limited activity will not be displayed until several users have posted activities there, and that private data will be removed each month through a refresh of the feature.
Chief Executive James Quarles told Reuters that the company was open about how it used data and that it was up to users how much they share on it.
He said: “Our use is really explicit. You’re recording your activity in its location for the express purpose of analysing it or sharing it and to do so publicly.”
The company is encouraging users to familiarise themselves with Strava’s privacy features so as not to reveal information relating to sensitive locations.
Quarles added that the company had been in touch with defence and intelligence agencies in the US and had not been requested to remove the Global Heatmap.
He added that Strava had not been asked to make changes to the feature by any countries outside the US as a result of the revelations.
Jeffrey Lewis, an expert on nuclear nonproliferation and geopolitics at the Middlebury Institute of International Studies, told Reuters that the biggest security issue was not the heat maps themselves, but the access they might give to information underlying them such as names and dates.
“The heat map is not the problem. The heat map was just a shocking demonstration of the incredible data they possess. The heat map just said, ‘Hack me,’” he explained.
However, according to Quarles, there is no evidence of attempts to hack the database, and Strava has no knowledge of any physical attacks that may have happened due to the heat map.
He believes lack of awareness of the Strava name outside the sports community had not helped the situation, saying: “We sounded like a nameless Silicon Valley company. We probably weren’t as well understood.”
When concerns were first raised in January, Strava said: “Our Global Heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform.
“It excludes activities that have been marked as private and user-defined privacy zones.
“We are committed to helping people better understand our settings to give them control over what they share.”
Simon has been news editor at road.cc since 2009, reporting on 10 editions and counting of pro cycling’s biggest races such as the Tour de France, stories on issues including infrastructure and campaigning, and interviewing some of the biggest names in cycling. A law and languages graduate, published translator and former retail analyst, his background has proved invaluable in reporting on issues as diverse as cycling-related court cases, anti-doping investigations, and the bike industry. He splits his time between London and Cambridge, and loves taking his miniature schnauzer Elodie on adventures in the basket of her Elephant Bike.