A supposed privacy feature in Strava’s fitness tracking app may have exposed the private, hidden locations of its users.
The feature, known as “privacy zones,” allows users to mask their fitness activity in the area around their home or work, and other private locations, from other athletes on the fitness data sharing service. In other words, data from your run or cycle won’t be displayed on a map for others to see starting and ending at your front door.
But researchers say they can in some cases triangulate the exact location that the privacy zone is meant to mask, because of a flaw in how the app tracks the user’s activity.
It’s the second time in as many weeks that Strava, a fitness tracking and data sharing platform, has been embroiled in a privacy row over user data. Last week news broke that the company’s interactive heatmap exposed sensitive government and military sites. The controversy reignited debate about how much data personal fitness tracking devices collect, and what that data can be used for.
Wandera’s research into privacy zones, seen by ZDNet before it was published Wednesday, shows users’ private addresses are exposed by using the start and end points of a tracked activity to find the midpoint.
The researchers carried out tests with a privacy zone around its San Francisco office to demonstrate that even with a masked radius around the start and end point of a user’s activity, it was easy to pinpoint the exact endpoints — and therefore a person’s address, for example.
“If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the midpoint and where the privacy zone is centered on,” the research said.
“If there are not two exact opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through three points,” it added.
To Strava’s credit, the company offers five fixed-radius privacy zone options around a person’s private locations — ranging from one-eighth of a mile to five-eighths of a mile. But even then, the researchers say, it’s possible to determine that radius using the endpoints of the user’s activity.
“As the privacy zone is of equal size in each activity, it’s possible to represent this graphically by increasing the radius of circles around each activity end marker until three or more circles intersect,” said the research.
Wandera’s director of systems engineering Dan Cuddeford said that criminals could exploit this weakness to build up “an accurate map of where to find expensive bikes they want to steal,” for example.
Wandera published the report because Strava did not fix the bug after researchers contacted the company last year.
When reached, Strava spokesperson Andrew Vontz told ZDNet prior to publication that the company will be rolling out more privacy options for users “in the coming weeks.”
“While Strava’s engineering team has been working to augment and improve privacy options well before we were contacted by this company and others, we appreciate their interest in our platform,” he said.