Strava heatmap might reveal your home address, researchers claim


It’s possible to identify your home address, especially if you’re choosing less popular Strava routes, researchers claim.


Strava, one of the most popular fitness-tracking apps, introduced its heatmap feature in 2018. As you might’ve guessed, it shows ‘heated’ public spaces popular among athletes. Updated monthly, the heatmap feature aggregates data anonymously and lets you opt-out.

However, researchers from North Carolina State University demonstrated that it’s possible to identify the home addresses of highly active users. By analyzing the data from Strava’s heatmap feature and combining it with OpenStreetMap and even voter registration data, the researchers said there was a 37.5% chance of successfully revealing the address.

Strava believes this figure to be misleading “as the sample was not representative of most Strava users, and the research focused on a small few, select rural areas.”

If you live and train on popular Strava routes, the heatmap data is challenging to tie to a single user, so you can feel relatively safe. Many athletes on the app train on the same trails.

However, if you choose unpopular trails, there’s a good chance that you’re the only one generating the ‘heat’ in that area. Consider changing the app's privacy settings just to be safe.

Threat actors could use such data to build quite a comprehensive profile of a certain individual, including home addresses and popular paths.

“This information can be used for stalking or other invasions of the privacy of individuals. Additionally, on a wider scale, instead of ‘John Doe’ being just a name tied to an address, ‘John Doe’ can be categorized as an active individual living with certain workout behavior. This information can be utilized for targeted advertising and individual profiling and is potentially being collected without consent,” noted the researchers, who reported their findings to Strava.

The research was first reported by the news outlet Connect the Watts.


According to the researchers, the heatmap feature has been under the spotlight for its privacy risk before. Five years ago, a student from Australian National University found that the Strava heatmap highlighted the locations of military bases and outposts.

Strava’s response

In an email to Cybernews, Strava said it had a suite of privacy controls that give users control over their data.

“Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community,” the company said.

Its heatmap feature doesn’t show ‘heat’ unless multiple people have completed activity in a certain area.

“Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (`Only You`) for any given activity,” Strava’s spokesperson said.