Strava: A Curious Case for Security Awareness
by Graham Westbrook
The Strava Fitness app is marketed as a tool that “connects the world’s athletes.” Meaning, it’s an application for most phones and GPS-enabled watches that hosts fitness clubs and triathletes, gym rats and track stars, sweat-junkies and granola types – all in one platform. The power of Strava is in its ability to collect enough information to fulfill any New Years Resolution. The downside is that it also manages to publicize location, contact information and fitness activities on a heat-map, amounting to some “three trillion GPS data points” worldwide.
One researcher recently discovered, for example, that members of the armed forces were unintentionally mapping global military infrastructure as they jogged or biked with Strava. This is a classic case of data privacy loss: sensitive information disclosed to unauthorized parties inadvertently. Strava did not intend for these data points to uncover sensitive military outposts, of course. But consent is a fickle friend. Once the risk was ‘franchised’ to Strava, the unintentional disclosure was outside of military control.
From a user perspective, this brings many different forces to bear: users feel like they have limited control of their privacy, passive control of their consent and little reason to change. Privacy settings in most applications typically default public, risk declarations are in fine print and data just feeds the beast, right?
If users are made aware of the implications of their data-made-public, they are far more likely to take advantage of the control they do have over their privacy and exert it in a way that matters. Practically, this looks like changing default settings to private, opting out of inappropriate data gathering and employing the ultimate failsafe (if privacy disrespected): app removal. In the workplace, this means waging culture change by way of powerful awareness activities that communicate to employees in language and methods they can intuitively understand.
This Strava scenario could live and die as a classic case of data privacy loss. Or it could teach us something… that even curious cases like a map of the global military-fitness complex is a reason to reclaim privacy now.
Graham Westbrook is the Director of Intelligence & Content at Living Security. He has a B.A. in Intelligence Studies and is currently pursuing a M.S. in Criminal Justice/Forensic Psychology. Graham is an intelligence practitioner at the intersection of cybersecurity and human risk. He has bylines at Russia Direct (RBTH), Leksika, SANS and Living Security, and will be speaking at RMISC 2019.