Fit Leaking leaks Identities
Fitness tracking companies Strava and Suunto released heatmaps which reveal military positions through their collection and visualization of fitness data. For this article I focus on the Strava based map because they offer a feature which makes the data easily exploitable. The global heatmap shows in aggregated and anonymized form every public actitvity uploaded by a Strava user. If this is done in rural and less trafficked localities, this can highlight excercise focused individuals, for example active military personnel. But in activity dense regions it is possible to find military bases and identify the individuals stationed there.
What’s the Problem?
While the current focus is on the presence, activity and profile of sensitive establishments identification is not covered in current media ouputs. Individuals serving duty on military bases can easily be identified and in certain cases their deployments can be historically tracked through the Strava service. The feature we exploit to identify personnel is called „Segments“.
Segments are member created and edited portions of tracks where athletes compete against each other. Users will try to run faster than other users who already ran this „Segment“. A segment could be marked private but the competitive and social encouragement factors seem to outweigh than the privacy factor. Therefore we can find public segments on several european and international army bases. To see the full leaderboard of a segment an adversary only needs a Strava account. No further authorization is required. We focus on military personnel in this article but the scenario is also applicable for companies and their employees as described in Scott-Railtons blog post.
We conducted a small case study after release of the heatmap. Therefore, we chose eleven military bases around the world and looked for segments on site, if any soldiers were identifiable and whether their identity was verifiable through official documents or reports in newspapers e.g.. From the eleven bases one did not contain a segment on site. In every base we could identify at least one individual with a military background and could verify this in ten cases.
Take for example the Panzer Kaserne in Böblingen, Germany. There is a highschool on site called „Stuttgart High School“ and if you look for „Segments“ in Strava you find the track of the highschool to be frequently used. All users which ran the segment and competed against each other are visible. Non-surprisingly most of them seem to have a military background.
If users that ran this segment share their running history on their profile it can be tracked where individual users were stationed over time. From the eleven individuals that we identified we could track six individuals to at least one more military base. It was also possible to determine when and where they’ve been on holiday. There are privacy settings in Strava which can prevent this leakage of private information, but they are multi layered and users always have to opt-out.
While we did our small case study by hand it seems easy to automatically scrape the segments for relevant data. Segments are always behind a URL of the following scheme „www.strava.com/segments/##########“. To see a preview of the leaderboard containing 20 athletes you do not need to be logged in.
In Conlusion this incident illustrates how interconnected we are and how many problems and potential threats arise from that interconnectedness. Location data offers giant threats for many parties. Especially if the data is owned and sold by private companies (Strava has an advertisement on the heatmap. It pitches Metro, which helps safety and transportation organizations to analyze trends and counts). The high granularity of the heatmap and the ease at which individuals in security zones can be identified underlines that Stravas current model of privacy is not working in practice.
Since Strava is an internationally used app this blog post is in English. If you need a german translation, contact me.