Strava heatmaps found to violate users’ privacy, again

Strava provides one of the most popular exercise services in the world, with mobile apps designed to offer social features in addition to basic tracking. Mostly used by cyclists and runners, Strava apps are also prone to privacy issues when used together with their “heatmap” feature.

Strava implemented a heatmap feature in 2018, anonymously aggregating users’ outdoor activity (running, cycling, etc.) to help identify common trails and exercise hotspots, providing a “social” aspect to physical activity and giving users the chance to meet other fans of their preferred sport.

Soon after, researchers discovered that the Strava heatmap feature could be abused to reveal data about secret US military bases around the world. Now, yet another research has pointed out that heatmaps are a neat addition to exercise tracking – but only if users are conscious enough to minimize the impact those tracking apps can have on their privacy.

The study by researchers at NC State University highlights how the supposedly “anonymous” data contained in Strava’s public heatmaps can be “de-anonymized” to identify people’s home addresses. By combining heatmap data with specific metadata, the researchers were able to “predict” a user’s starting address with a 37.5% accuracy rate.

The identification process isn’t exactly straightforward, as it requires multiple steps to try and identify a user’s home. The first step in the study required collecting publicly available heatmaps in the states of Arkansas, Ohio, and North Carolina for a month. Next, the researchers used image analysis techniques to detect start/stop areas next to streets, which could provide a clue about specific homes linked to a source of the tracked activity.

The team then used “zoomed” OpenStreetMaps images to identify individual residence addresses. By abusing a poorly known search feature in Strava apps, the researchers went hunting for users who had registered a specific city as their “starting” location. Finally, they compared the endpoints from the heatmaps and users’ personal data from the aforementioned search feature, so that they could correlate the high activity points on the heatmap and the users’ addresses.

Many Strava users provide their real names or even photos when they register an account, so the correlation effort is feasible. The most active users were easier to identify, the researchers say, as they were providing more “heat” to Strava’s heatmaps. By posting an average number of 308 activities, the study says, a user could be “discovered” 37.5% of the time within a 100-meter threshold.

Leave a Reply

Your email address will not be published. Required fields are marked *