Tuesday, January 30, 2018

Strava - SHARE! SHARE! SHARE! What, you shared? It's your fault!

Whenever you sign up for a free service, the provider needs access to your data, because your data is what it sells to pay for the service. For that reason, providers usually default new accounts to public.

What could go wrong?

An interactive map posted on the internet that shows the whereabouts of people who use Fitbit and similar devices also reveals highly sensitive information about the location and activities of soldiers at U.S. military bases, in what appears to be a major security oversight.

The GPS tracking company Strava published the Global Heat Map, using satellite information to map the movements of subscribers to the company's fitness service over a two-year period by illuminating areas of activity.


Normally that isn't much of an issue - if you're in the Los Angeles area, for example, there are a ton of people with wearables, so any one person's route is buried under everyone else's.

But what if you're in another part of the world? Such as...Afghanistan?


Now, since the Taliban don't seem to be the type to run out and buy a Fitbit, the few data points in that area become VERY significant: nearly all of them come from the same small group of people.

Zooming in on those brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites - presumably because U.S. soldiers and other personnel are using fitness trackers there.
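To make the aggregation point concrete, here is an added illustration, not Strava's code, algorithm or data: the same kind of per-cell heat map run over a constructed "dense city" block and a constructed "remote site" block. The grid size, the coordinates and the minimum-contributor threshold K_MIN are assumptions. It shows that counting activity per cell hides individuals only where many people contribute, that in the sparse block the lit cells trace the perimeter loop and all belong to four people, and what a minimum-contributor check would have suppressed before publication.

```python
"""Constructed illustration of the heat-map failure mode described above:
aggregation hides individuals only where many people contribute.  Toy data,
toy grid; this is not Strava's code, algorithm or data."""
import math
from collections import defaultdict

CELL = 0.01   # grid cell size in degrees (roughly 1 km); an assumption for the toy
K_MIN = 5     # assumed minimum distinct contributors before a cell is published

# Arbitrary constructed origins: a "dense city" block and a "remote site" block.
CITY_ORIGIN = (34.00, -118.40)
REMOTE_ORIGIN = (32.00, 65.00)


def cell_of(lat, lon):
    """Map a coordinate to its grid cell (integer indices)."""
    return (math.floor(lat / CELL), math.floor(lon / CELL))


def _center(origin, i, j):
    """Coordinate at the centre of cell (i, j) relative to an origin, so
    floating-point rounding never pushes a point over a cell boundary."""
    return (origin[0] + (i + 0.5) * CELL, origin[1] + (j + 0.5) * CELL)


def constructed_points():
    """Return (user, lat, lon) samples.  All data here is made up.

    City: 60 users on a 10x10 cell grid; user u covers row u % 10 and column
    u // 10, so every cell is shared by at least six people.
    Remote site: 4 users who all jog the same perimeter loop of a 3x4-cell
    rectangle, the pattern the article describes."""
    pts = []
    for u in range(60):
        row, col = u % 10, u // 10
        for j in range(10):
            pts.append(("city-%d" % u,) + _center(CITY_ORIGIN, row, j))
        for i in range(10):
            pts.append(("city-%d" % u,) + _center(CITY_ORIGIN, i, col))
    n_lat, n_lon = 3, 4
    for u in range(4):
        for i in range(n_lat):
            for j in range(n_lon):
                on_edge = i in (0, n_lat - 1) or j in (0, n_lon - 1)
                if on_edge:
                    pts.append(("remote-%d" % u,) + _center(REMOTE_ORIGIN, i, j))
    return pts


def build_heatmap(points):
    """cell -> set of distinct users with at least one sample in that cell."""
    heat = defaultdict(set)
    for user, lat, lon in points:
        heat[cell_of(lat, lon)].add(user)
    return dict(heat)


def region_cells(heat, origin, n_lat, n_lon):
    """Lit cells inside an n_lat x n_lon block of cells anchored at origin."""
    b_lat, b_lon = cell_of(*_center(origin, 0, 0))
    return {c: users for c, users in heat.items()
            if b_lat <= c[0] < b_lat + n_lat and b_lon <= c[1] < b_lon + n_lon}


def contributors(cells):
    """Everyone whose movements are visible in the given lit cells."""
    return set().union(*cells.values()) if cells else set()


def exposed_cells(heat, k=K_MIN):
    """Cells that a public map lights up but that rest on fewer than k people:
    there, 'aggregate' data is effectively those few people's routes."""
    return {c: users for c, users in heat.items() if len(users) < k}


def suppress_sparse(heat, k=K_MIN):
    """The check a privacy-conscious publisher would add: emit a cell's count
    only when at least k distinct people contributed to it."""
    return {c: len(users) for c, users in heat.items() if len(users) >= k}


if __name__ == "__main__":
    heat = build_heatmap(constructed_points())
    remote = region_cells(heat, REMOTE_ORIGIN, 3, 4)
    print("remote cells lit: %d, all traced by %s"
          % (len(remote), sorted(contributors(remote))))
    print("cells kept after k=%d threshold: %d of %d"
          % (K_MIN, len(suppress_sparse(heat)), len(heat)))
```

Run as a script, it reports the ten lit cells around the remote site (the rectangle's perimeter, with its interior dark) and the four constructed users who account for every one of them, then shows that the k-threshold keeps all 100 city cells and drops all 10 remote ones. The threshold is not a fix for the default-public setting the rest of this post is about; it is the minimum a publisher of "aggregate" location data should run before calling it aggregate.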

So people are now reacting, loudly and after the fact, and asking why Strava would threaten to end civilization as we know it.

Strava's reply? It's not our fault:

“We are committed to helping people better understand our settings to give them control over what they share,” the company said, sharing a blogpost from 2017 which detailed eight things users can do to lock down their privacy on the service, including specifically opting out of the global heatmap by unchecking a box in the settings page.

Perhaps this whole thing can be chalked up to unintended consequences. The military wanted to battle obesity, so it encouraged personnel to wear the fitness trackers. Strava probably didn't think through the consequences of posting this information.

But if Strava is truly committed to the safety of its community...then why is the default privacy setting set to this?

The basic level is to choose to not use any privacy controls and make your info available publicly, like it would be on Twitter, for example.

And if you're wondering why privacy defaults to no privacy at all...here is the answer, in Strava's own terms:

You own the information, data, text, software, sound, photographs, graphics, video, messages, posts, tags, or other materials you make available in connection with the Services (“Content”), whether publicly posted, privately transmitted, or submitted through a third party API (e.g. a photograph submitted via Instagram). You grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any Content that you post on or in connection with the Services.

Basically, when nothing is private, everything you upload is "Content", and Strava holds a transferable, sub-licensable, worldwide license to a LOT of it, to use for...things.

Oh, and by the way...

You understand that you, and not Strava, are entirely responsible for all Content that you upload, post, email, transmit or otherwise make available via the Services.

Again - it's YOUR fault, stupid user, for not correcting the privacy gap that we put into the software.

THOSE are the terms that Strava - and many, many other companies - treat as binding. Not the non-binding "Nothing is more important than the safety of our community" feel-good statements.