Fitness App Loophole Allows Access to Home Addresses
For Immediate Release
Despite attempts to anonymize user data, the fitness app Strava allows anyone to find personal information – including home addresses – about some users. The finding, which is detailed in a new study, raises significant privacy concerns.
“Strava users expect their personal information to be protected, and our work shows that this is not always the case,” says Anupam Das, senior author of a paper on the work and an assistant professor of computer science at North Carolina State University. “This could be particularly problematic for users who are concerned about stalkers or have other reasons to desire that their location data be kept from the public. For example, while Strava does not collect home addresses from users, we were able to infer home addresses for some users.”
Strava is a mobile fitness-tracking app that allows users to track their exercise activities, but also includes features designed to help users connect with each other. These features can be used to organize clubs around shared interests, such as hiking or cycling. For example, the app includes a “heatmap” feature that aggregates user data. While all of the user data is anonymized, the heatmap feature allows users to see where other Strava users go for hiking, running or cycling in a given area.
“Strava stresses that the heatmap feature uses only aggregate data, which should make it impossible for anyone to capture private information about any specific user,” Das says. “However, we found a loophole in certain conditions.”
Specifically, the researchers found it is possible to look up Strava users in a given area if those users provided city-level information in their profiles. It is also possible for users to look at the aggregate data on a heatmap and see where some of the anonymous users’ routes are likely to begin and end.
“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person,” Das says. “However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user. Even users who have marked their accounts as private – meaning they have opted to share information only “with followers” – show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn’t necessarily provide additional protection against this tracking technique.”
“We did reach out to Strava about this, and the company has said that it does not share heatmap data unless several users are active in a given area,” says Kevin Childs, first author of the paper and a former undergraduate at NC State. “However, we were still able to identify the home addresses of some users in certain areas using the heatmap, and confirmed those identifications using voter registration data.”
However, there is something that users can do to protect their privacy.
“Users can go into their Strava account settings and opt out of contributing data to the ‘aggregated data usage’ feature, which would remove their routes from the heatmap altogether,” Das says.
The paper, “Heat Marks the Spot: De-Anonymizing Users’ Geographical Data on the Strava Heatmap,” was presented May 25 at the 7th Workshop on Technology and Consumer Protection (ConPro ’23) in San Francisco, Calif. The paper was co-authored by Daniel Nolting, an undergraduate at NC State.
Note to Editors: The study abstract follows.
“Heat Marks the Spot: De-Anonymizing Users’ Geographical Data on the Strava Heatmap”
Authors: Kevin Childs, Daniel Nolting and Anupam Das, North Carolina State University
Presented: May 25, ConPro ’23, San Francisco, Calif.
Abstract: Mobile fitness-tracking apps such as Strava are commonly used to record activities, track fitness progress, and form a community with like-minded people. In an effort to engage the community further, in 2018 Strava implemented an optout heatmap feature that anonymously aggregates all activities onto a single map. This allows users to find hot spots and active trails while simultaneously opening up the platform to deanonymization attacks like inferring users’ home addresses. By crawling the publicly available heatmap and through manual validation, we have demonstrated that the home address of highly active users in remote areas can be identified, violating Strava’s privacy claims and posing as a threat to user privacy.