It seems like a big oversight
January 28, 2018 1:35 PM

The Global Heat Map, published in November 2017 by the GPS tracking company Strava (FitBit, JawBone, Vitofit), used satellite information to map the location and movements of subscribers to the company’s fitness service - including subscribers who were active-duty troops patrolling sensitive sites. WaPo picks up the story:
Nathan Rusen ... was inspired to look more closely, he said, after a throwaway comment by his father, who observed that the map offered a snapshot of “where rich white people are” in the world. “I wondered, does it show U.S. soldiers?” he said, and immediately zoomed in on Syria. “It sort of lit up like a Christmas.” (WaPo article by Liz Sly.)
posted by RedOrGreen (105 comments total) 46 users marked this as a favorite
 
Oops
posted by blakewest at 1:37 PM on January 28 [9 favorites]


Someone else looked for US-Mexico border crossings: https://twitter.com/poorleno111/status/957693387695706112
posted by Thisandthat at 1:43 PM on January 28 [9 favorites]


Ha ha ha ha!!!
posted by latkes at 1:51 PM on January 28


Oh my. In five minutes I just found an airfield in northwest Syria, next to the Iraq border. You can see which runway they jog next to.

This is insane!
posted by ianso at 1:59 PM on January 28 [5 favorites]


Strava's heatmap is really well done and an interesting piece of work. It's worth paying attention to entirely for itself, without this national security concern.

The security concern, well, ... if it's a real one the cat is long since out of the bag. The heatmap has been online for three months. Also Strava is literally designed for people to publicly share GPS tracks. If soldiers are doing something where their locations should not be known, they really shouldn't be running a commercial company's software that tracks precise movement records and uploads it to a website to share with other people. I don't think Strava deserves the blame here.

I'm working on a passive location tracking thing myself, just a small side project. Location data is intensely personal. The way people give it away not just to companies like Strava, but also to Facebook and Google, not to mention random ad trackers on random websites. Yeah, it's not great. But this Strava heatmap isn't the problem.
posted by Nelson at 2:03 PM on January 28 [53 favorites]


> The heatmap has been online for three months.

Only the latest version; versions of the heatmap have been available since at least 2015. It's hard for me to believe that all of the people expressing shock have really been unaware of this feature for those several years, but maybe it's not as well-known outside of my cyclist bubble as I imagine. In any case, of all the world events I've found upsetting since 2015, not a single one could possibly be ascribed to Strava-enabled leaking of the location of military installations. What a ridiculous case of manufactured outrage.
posted by enn at 2:13 PM on January 28 [9 favorites]


The Global Heat Map was really not what I thought it was from the name. I like "The Global Rich White People Who Exercise Map".

In people's defence, it can be super hard to disable location tracking. When I got my new phone I thought I had disabled all the location tracking only to have Google pop up with helpful suggestions about where to shop, ask me if I wanted to post a picture of my breakfast online, etc. It took multiple and repeated go-rounds to figure it out, and I knew what I was looking for. I do not own a fitbit (nor am I likely to get one) but I would imagine the interface is not conducive to disabling location tracking, and that when the marketing focuses on activity, fitness etc and never mentions how these things are actually tracked, most people are unaware.

That said, I just had a look at the fitbit site and hooboy do I have the heebies now. I can't believe people really want companies to have all this information about themselves, and pay the companies for the privilege of giving them all this personal info.
posted by Athanassiel at 2:17 PM on January 28 [17 favorites]


I usually say passive listening devices are something a cold-war era spy could only dream of, and people are now willingly putting them everywhere in their home because buttons are for plebs. This seems just a tiny extension from it.

also: haha, quitters. But I bet they still have knees :(
posted by lmfsilva at 2:19 PM on January 28 [12 favorites]


Found something weird in North Korea. There's a vase like shape to the east of Pyongyang (past the high intensity north/south single line that's also weirdly out in the middle of nothing). The path doesn't line up with anything there. So either it was bad data (and weirdly symmetrical), something from a plane, or some structure underground.
posted by Slackermagee at 2:27 PM on January 28 [8 favorites]


There's a Guardian article without the WaPo paywall.
posted by lagomorphius at 2:31 PM on January 28 [5 favorites]


> it can be super hard to disable location tracking

Strava requires you to explicitly record and upload your tracks. It's like Flickr or Instagram but for GPS tracks rather than photos - until very recently you could do little else with it other than share GPS tracks.

I suppose it's possible some users aren't clear on exactly how public stuff uploaded there is, but everyone using it knew they were making a recording and sharing it.

(it is also possible if you use third-party devices/services and link them to your Strava account they could potentially upload everything you record without giving you much indication that's what they're doing, and without offering the privacy options the Strava app does)
posted by grahamparks at 2:37 PM on January 28 [9 favorites]


> In people's defence, it can be super hard to disable location tracking.

I don't think anyone is saying "Corporal Johnson is a real idiot!" so much as "Someone in the command structure should have figured this out and issued an order not to wear fitbits on the following installations..." Or, more realistically, someone in the military's elint community should have sent something up the chain so that an order could come back down from on high.
posted by GCU Sweet and Full of Grace at 2:38 PM on January 28 [28 favorites]


> I usually say passive listening devices are something a cold-war era spy could only dream of, and people are now willingly putting them everywhere in their home because buttons are for plebs. This seems just a tiny extension from it.

It's going to get REALLY interesting when the Disney people are looking at the display of where people are ( magicbands ) and decide to start directing traffic.
posted by mikelieman at 2:41 PM on January 28 [8 favorites]


*drives out into the middle of nowhere and walks in a way that spells the word “IDIOTS”*
posted by inflatablekiwi at 2:45 PM on January 28 [23 favorites]


Ok, I stand corrected on the whole inadvertent location sharing thing, I will no longer try to make excuses for people. As I said, I don't have a fitbit. I agree, you would have thought someone higher up in the military might have thought of this and either ordered soldiers not to create accounts or organised something with the company. But there is that saying about "military intelligence" being an oxymoron.
posted by Athanassiel at 2:49 PM on January 28 [1 favorite]


here's an interesting one in Syria, on the east side of the Euphrates outside of Manbij, in Kurdish-controlled territory. if you check out the Google satellite view, you see a recently-constructed airstrip, suggesting the Strava trails are patrol routes around the perimeter of the base. there's also Strava activity down the highway at the cement plant.
posted by indubitable at 2:49 PM on January 28 [3 favorites]


> "Someone in the command structure should have figured this out and issued an order not to wear fitbits on the following installations..." Or, more realistically, someone in the military's elint community should have sent something up the chain so that an order could come back down from on high.

you'd think, but according to the article, "the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity." Now, whether or not they encouraged Strava use along with that, I don't know... but I can certainly imagine people deciding to run group-wide fitness challenges to make use of those Fitbits and using Strava as the platform, particularly if -- as is likely -- those people in charge of fitness initiatives are clueless about how said platform works. (Strava, and all location sharing platforms, in large part function because most users don't think much about how they work.)
posted by halation at 2:51 PM on January 28 [18 favorites]


I love my privacy, but these are "free" services. I feel like I can only complain so much when the data is collected and monetized.
posted by Brocktoon at 2:54 PM on January 28 [6 favorites]


Check out the hotspots on Antarctica, and there's someone on a boat sailing around the bases on the Antarctic Peninsula, up the drake passage, past the Falklands, and back.
posted by I-Write-Essays at 3:04 PM on January 28 [5 favorites]


A lot of attention is being given to the idea of "Fitbits" and "GPS Devices," when, in reality, neither of those devices are uploading any data to the internet.

GPS is entirely a 1-way system (just like the radio in your car) --- it's essentially impossible to tell when a GPS receiver is turned on. If the Fitbit is recording your GPS track into its own internal memory, there's also seemingly little cause for concern unless you choose to upload and share those tracks, which is exactly what happened here.

GPS devices aren't the problem. Strava isn't the problem (although both are sure to get blamed). A lot of soldiers willingly chose to upload detailed information about their daily routine to a public website. The Army has a training and security problem, and it literally took years before anybody thought that this might be a problem.

Brocktoon: "I love my privacy, but these are "free" services. I feel like I can only complain so much when the data is collected and monetized."

Strava (thankfully) doesn't make its money by data-mining its customers. They have paid options (that are IMO worth every penny).
posted by schmod at 3:10 PM on January 28 [32 favorites]


TIL I'm rich cuz I use an activity tracker app on my phone despite making less than the Federal Poverty Level last year. So I got that going for me.

Which is nice.
posted by glonous keming at 3:12 PM on January 28 [26 favorites]


I can't wait for this year's Ronde van Kurdistan! The parcours for Termez-Kunduz-Termez looks pretty exciting as well.

I just love the Spring Classics!
posted by TheWhiteSkull at 3:14 PM on January 28 [5 favorites]


I use Strava to record my trips by bicycle specifically because I want the data to be collected and used by cities and others planning bicycle infrastructure. (Also.) Plus the heat map's really useful when I'm trying to find a reasonable route in an unfamiliar area.

But I'm not doing anything remotely classified, so including my data is not a huge problem. It's the easiest way for me to stand up and be counted as someone riding a bike, since the usual traffic counts don't measure anything but automobile traffic.
posted by asperity at 3:17 PM on January 28 [18 favorites]


> *drives out into the middle of nowhere and walks in a way that spells the word “IDIOTS”*

The guy who runs GPS doodles is already taking it to the next level.
posted by peeedro at 3:22 PM on January 28 [28 favorites]


I'm baffled that anyone could frame this as a problem for the US Army and speculate on the best way to solve it for them. You get to know more about what your own country is doing (and who it is killing) in your name. It's like people getting mad when the New York Times published the Pentagon Papers.
posted by indubitable at 3:22 PM on January 28 [22 favorites]


I’m sorry, while I get the argument that Strava’s users should be smarter and not sync their data (or mark it public) if they’re concerned about this - I still think that Strava has a responsibility not just to adhere to the minimum requirements of its terms and conditions, but to help people protect themselves. It’s possible to identify the start and end of individual runs on this map, since presumably - like me - they rarely change up their routes. I just don’t think Strava should have done this.

I own the company that makes Zombies, Run! - we have millions of users and many many run logs. We could do something like this, it would get us a ton of PR and, yes, money. But some things are worth more than PR and money. I wouldn’t want people to feel uncomfortable or unsafe or regret sharing their data with us.

We must expect better from the companies we entrust our data to. And we should have more sympathy for ‘stupid’ people who should know better than to share their data. We can all be stupid and we all deserve sympathy.
posted by adrianhon at 3:28 PM on January 28 [119 favorites]


In case anyone is wondering "Yeah the heatmap is kinda cool, but why?", as a cyclist I use it to find safe routes to use, assuming that routes that are heavily travelled are that way for a reason.

The blog post Nelson linked to says they exclude activities marked as "Private" from the heatmap, and Strava also allows you to create a privacy bubble of a size you choose around set locations, and excludes your activities in those areas from the heatmap.
posted by ghharr at 3:33 PM on January 28 [22 favorites]


adrianhon: " It’s possible to identify the start and end of individual runs on this map, since presumably - like me - they rarely change up their routes. "

Strava actually has a feature that lets you fuzz the start/end points of your activities for exactly this reason. (There are obviously still privacy concerns, but this arguably addresses the biggest one)
posted by schmod at 3:35 PM on January 28 [11 favorites]


Yeah, from a mountain biking perspective, it also has helped me discover trails in my area that I hadn't known about before.
posted by indubitable at 3:35 PM on January 28 [4 favorites]


I feel like someone has to appreciate the pun in the title, so I'm going to. Well done, RedOrGreen. That's a nice pun.
posted by Merus at 3:52 PM on January 28 [11 favorites]


I-Write-Essays: Check out the hotspots on Antarctica, and there's someone on a boat sailing around the bases on the Antarctic Peninsula, up the drake passage, past the Falklands, and back.

They are the major cruise ship routes. You can see the hotspots where the tourists jump off the boats for landings
posted by cholly at 4:01 PM on January 28 [6 favorites]


> There's a vase like shape to the east of Pyongyang (past the high intensity north/south single line that's also weirdly out in the middle of nothing).

I'm not seeing the vase-like shape, although the vertical line is clearly visible. If you turn satellite view on, you'll see the southernmost point of that line is at what looks like a hotel or office compound, with circular driveway that's canopied at the main building entrance. The northernmost point is a field with some industrial buildings. I'm willing to guess it's an executive resort or whatever the dictatorial counterpart is, and the line is the most popular jogging path for the guests. (To the west-southwest of the possible-resort there's a very large palace-like building with a vast reflecting pool, all surrounded by heavy tree cover. Possibly tellingly, Strava displays no activity there at all.)

I find it a little interesting that Strava has no activity logged along the Korean DMZ, with the exception of the border crossing between Seoul and Kaesong. I wonder if that means that the U.S. troops stationed there are an exception to the Strava users.
posted by ardgedee at 4:02 PM on January 28 [4 favorites]


I don't see how this in any way could be seen as Strava's fault. They're supposed to match their users' data against a database of secret US bases before publishing it? Isn't this on the people who are actually living in said secret bases? Also, why just secret US bases, why not Russian, Chinese, & c.?
posted by signal at 4:08 PM on January 28 [13 favorites]


It is an example of how mass data collection makes it really hard to have things like "privacy" or "secrets" from those collecting it.

These companies have little incentive to protect user data and every incentive to make it as easy as possible for people's devices to send them all the information they can. And I'm certain there's many people whose entire job it is to convince users to volunteer their data using every psychological trick in the book. And on the shadier side, if there's a way to get around user controls for the data, I'm guessing there's a whole lot of less scrupulous companies working to find and exploit them.

You can't fix systemic issues by blaming the users.
posted by Zalzidrax at 4:16 PM on January 28 [11 favorites]


It's interesting that they have coverage in China; I know that China has very restrictive laws about geodata. I'm guessing that Strava has no offices there and is betting that China won't ban it from local App Stores.
posted by acb at 4:16 PM on January 28 [2 favorites]


Strava's hide start/end of exercise option doesn't actually work. It would take almost no effort to figure out where someone lives, since all it does is chop the beginning and ends off, leaving a suspicious perfectly circular hole.

I always start my runs at the same location that isn't my home.
posted by Yowser at 4:25 PM on January 28 [11 favorites]


So the same vase shape as in NK is on Jarvis Island, and apparently it is fake data from an indoor cycling app.

The one in NK is very faint -- you can see it better in gray, I think.
posted by tavella at 4:28 PM on January 28 [4 favorites]


> I use Strava to record my trips by bicycle specifically because I want the data to be collected and used by cities and others planning bicycle infrastructure. (Also.) Plus the heat map's really useful when I'm trying to find a reasonable route in an unfamiliar area.


This may be as big a problem as any security issues. (Not your actions, the actions of cities.)

Using Strava data to plan infrastructure is something that cities do a lot; it's convenient and entirely wrong. Most of the effort in cycle planning is towards cycle facilities for transportation, rather than recreation -- yet Strava emphasizes recreation over transportation. The best example is in the Sacramento area, where the UC Davis campus -- perhaps the most bike-intensive area in the US -- shows up much less than any number of recreational routes nearby.

Strava also manages to emphasize the travel of people in the most powerful and already heard-from demographic, virtually no matter how you slice the population -- male/female, white/nonwhite, English speaking/other languages, rich/poor, educated/not educated, connected to technology/isolated, active/less active, enthusiastic cyclist/less enthusiastic. Using the data in a planning context is antidemocratic.
posted by Homeboy Trouble at 4:29 PM on January 28 [47 favorites]


See also: elite projection, where transport planning in our neoliberalised cities is driven by the whims of affluent elites, with the needs of the less affluent being shrugged off as “it'll trickle down”.
posted by acb at 4:40 PM on January 28 [15 favorites]


> I own the company that makes Zombies, Run! - we have millions of users and many many run logs

I am embarrassed to admit this is the first MeFi’s own I’ve gotten really excited to have contributing here, but as a prolific Zombies, Run! user, thank you for that and your feelings on user privacy.
posted by corb at 5:00 PM on January 28 [15 favorites]


> Strava (thankfully) doesn't make its money by data-mining its customers. They have paid options (that are IMO worth every penny).

Well actually, they totally do, or at least are trying to develop the line of business, with the Strava Metro product. And, thankfully, even that is heavily anonymized.
posted by tmcw at 5:19 PM on January 28 [5 favorites]


> someone in the military's elint community should have sent something up the chain so that an order could come back down from on high.

likely a lack of attention to a Red team. or lack of a Red team. the most effort in DOD information assurance is spent on STIG implementation and auditing.

backing up schmod on the GPS - nothing uploads through those devices without an explicit internet connection, which GPS is not.

were i a government attorney, i'd have a fast-track injunction issued to Strava: delete all historic and current records of military and intelligence service personnel.

and, uh, require them to publish for all MOCs and Sens - dodging the whole license plate tracking system. less latency, single data steward.
posted by j_curiouser at 5:20 PM on January 28


How would Strava know which users are military or intelligence? I guess the DoD would just give them a list of names? Or tell them which areas on the map to erase? Neither seem very smart.
posted by AFABulous at 5:25 PM on January 28 [4 favorites]


What is MOCs and Sens? Members of Congress and Senators? That seems vanishingly unlikely.
posted by AFABulous at 5:26 PM on January 28


If the US military is distributing FitBits to its troops and encouraging them to use Strava to do challenges, couldn’t they do a deal with Strava to licence their server code, putting a secure, military-only version of it on AWS GovCloud or a military intranet and configuring all personnel devices to use that?
posted by acb at 6:20 PM on January 28 [3 favorites]


All these base are belong to U.S.
posted by T.D. Strange at 6:27 PM on January 28 [36 favorites]


> Most of the effort in cycle planning is towards cycle facilities for transportation, rather than recreation -- yet Strava emphasizes recreation over transportation.

That's absolutely true, and part of why I make a point of logging my rides, since I bike almost entirely for transportation. One thing that does help is the commute tag, since it's fairly easy for people to specify their usual transportation rides with it. As I understand it, Strava Metro does make use of that.

(Also, neato thing for automagically tagging commutes in Strava: Commute Marker.)

My other options for making my needs known are the traditional writing letters and attending meetings and pestering everyone, and those are all things I do regularly, but they don't provide the same kind of quantifiable data (even if it's not great) and don't tell me where my fellow commuters have found their usual routes unplowed or blocked on a given day.

I shouldn't have to rely on volunteer info provided to a private website to get a tiny fraction of the travel info that's easily available for anyone planning to drive (courtesy of every local TV or radio station, plus city, county, and state), but Strava's the most reliable source for that stuff at the moment. Which is just pathetic.
posted by asperity at 6:45 PM on January 28 [8 favorites]


I'm another Strava user that uses heat maps to find cycling routes when I travel. It's great for finding rides when you're stuck in the middle-of-nowhere. I'm dreading that this news will be justification for hiding heat maps in the future just because a bunch of dummies in the military feel compelled to upload their workout data.
posted by photoslob at 7:37 PM on January 28 [6 favorites]


I don’t think the article writer actually knows the difference between Strava and Fitbit, which is a little disappointing.
posted by the agents of KAOS at 7:52 PM on January 28 [5 favorites]


people are circling on the offshore oil rigs

Or perhaps it's an effect of the dynamic positioning of the drilling units

But it's always refreshing to see the thousands of men who are marooned out there, drilling away, keeping the heat on in New York

you can see the guys that run their boats, you can see their boats, even

*Goes to check the North Sea and South China Sea*
posted by eustatic at 10:42 PM on January 28 [4 favorites]


> "I'm working on a passive location tracking thing myself, just a small side project. Location data is intensely personal."


Not only that - the IoT is ruining useful privacy in different ways: I wanted a CO2 sensor for home with app/web access. The one I bought first uploads all the data to a central server which then presents it to your mobile devices. I probably did not do my research well, because I did not realize it needed internet access to even function, so I was pretty mad about that.

But then I looked at the graphs of indoor CO2 levels and noise levels and discovered they pretty well show when the house is empty. I only wonder how long before a rogue employee starts selling this data, analyzed and packaged, wholesale, to organized crooks. And I hope that the mess we call home will not be too interesting or stand out much to warrant their attention.
posted by Laotic at 10:57 PM on January 28 [7 favorites]


You can definitely tell where the white people live in Milwaukee.

There's an 8 block x 1 block rectangle in my neighborhood that is much brighter than the surrounding area. That area is all just normal middle class houses, no parks or anything special. There's no reason people who live there would all make that same circle. I wonder what that's about.
posted by AFABulous at 11:08 PM on January 28


AFABulous, if you look at bicycle activity separately, it looks like one guy and his regular pattern-8 bike route.
posted by Laotic at 11:17 PM on January 28 [1 favorite]


Damn, dude, get more creative. It's pretty much all flat around there.
posted by AFABulous at 11:22 PM on January 28 [2 favorites]


But if he takes a different route every day, how can he race against his own time?
posted by I-Write-Essays at 12:12 AM on January 29 [8 favorites]


Huh. Well, isn't that interesting!

This reminds me of two things: when soldiers and their families compromised security through innocent seeming social media posts (related article. sourced via google.)

And on a much lighter note, the #goballsout campaign (raising awareness for testicular cancer) in New Zealand.
posted by freethefeet at 1:41 AM on January 29


Like world + dog locally doesn't know where these bases are anyway.
posted by GallonOfAlan at 3:01 AM on January 29


As an old, my response is ROFLMAO
posted by infini at 3:47 AM on January 29 [1 favorite]


@Paulmd199:
> It just keeps getting deeper. You can also trivially scrape segments, to get a list of people who travelled a route, and trivially obtain a list of users.
> I was able to identify a soldier running a route around a camp in Iraq and follow him home to France. Using the built in interface of Strava, in the manner in which it was intended.
posted by EndsOfInvention at 3:55 AM on January 29 [7 favorites]


Sure Syria.... look at MacDill Air Force Base in Tampa. There is clearly someone who takes a boat to the base marina from his/her house. You can see exactly which street and pretty much figure out the house in about 2 minutes. If I were motivated it would take 3 minutes on the property appraisals web site to get a name etc.
posted by chasles at 4:39 AM on January 29


Just for people who might not know about fitbit - there are fitbit without GPS functionality. My fitbit doesn't have GPS.

This makes it less accurate for tracking distance than the ones with GPS, which is why people buy those.
posted by winna at 5:00 AM on January 29


Just reading this thread makes me feel like one of the faceless workstation flunkies trying to track Jason Bourne
posted by CheesesOfBrazil at 5:34 AM on January 29 [6 favorites]


"Sir, I've hacked Strava. Looks like Bourne forgot to ditch his Fitbit!"
"Excellent! Load up the live data, see where he is."
"Yes sir. OK, it appears he just started a run. He's tagged the session #FitFor2018 and right now he's... holy shit!"
"What? What is it!?"
"Sir, right now he's doing sprints... IN YOUR PRIVATE OFFICE"
posted by EndsOfInvention at 5:50 AM on January 29 [23 favorites]


> A lot of soldiers willingly chose to upload detailed information about their daily routine to a public website. The Army has a training and security problem, and it literally took years before anybody thought that this might be a problem.

So much this: it's not the tools; it's how you use them.

I'm a huge Strava junkie. Strava or it didn't happen! But I'm doing so knowingly. I've set hidden locations around my house. I'll set activities to private, if I don't want someone to know if I was out or where I was. I like to think I wouldn't be uploading location data if I'm sent to a classified location.

(Though, it begs the question: do private activities or hidden locations get entered into the global heatmap? I could see it going both ways: excluding because it's private, but including because, in general, I'm not the only one using those roads.)
posted by MrGuilt at 5:55 AM on January 29 [4 favorites]


> Though, it begs the question: do private activities or hidden locations get entered into the global heatmap?

According to the Privacy page you linked to (emphasis mine):
> Strava Metro & Heatmap
> By contributing your anonymized public activity data to Strava Metro and the Heatmap you will:
>
> - Help make cycling and running better in your area
> - Help advocacy groups and planners to better understand and improve their bike- and pedestrian-friendly infrastructure
> - Help us better paint the picture of the world of Strava.
>
> Learn more about these features and the ways in which we protect user privacy.
>
> [_] Include my anonymized public activity data in Strava Metro and the Heatmap.

So I'd read that as anything you set as Private is not included in the heatmap.
posted by EndsOfInvention at 6:37 AM on January 29 [2 favorites]


> So I'd read that as anything you set as Private is not included in the heatmap.

Yes, they say that here

- Private activities are excluded outright
- Activities are cropped to respect user defined privacy zones
- Athletes with the Metro/heatmap opt-out privacy setting have all data excluded



Also, shoutout to the Mefi Strava group! Probably don't join if you're in covert ops.
posted by ghharr at 7:40 AM on January 29 [14 favorites]
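
The three exclusion rules listed in the comment above, sketched as a publisher-side filter that runs before any track reaches a public aggregate. This is an added example, not part of the thread and not Strava's code; the record fields, the grid cell size and the sample coordinates are constructed assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class PrivacyZone:          # hypothetical record: user-defined zone
    lat: float
    lon: float
    radius_m: float


@dataclass
class Athlete:              # hypothetical record: per-user privacy settings
    athlete_id: str
    heatmap_opt_out: bool = False
    zones: list = field(default_factory=list)


@dataclass
class Activity:             # hypothetical record: one uploaded track
    athlete_id: str
    private: bool
    points: list            # [(lat, lon), ...]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_any_zone(point, zones):
    return any(haversine_m(point[0], point[1], z.lat, z.lon) <= z.radius_m
               for z in zones)


def publishable_points(activity, athlete):
    """Apply the three rules in order; return only points safe to aggregate."""
    if athlete.heatmap_opt_out:      # rule 3: opted-out athletes contribute nothing
        return []
    if activity.private:             # rule 1: private activities excluded outright
        return []
    # rule 2: crop every point that falls inside a user-defined privacy zone
    return [p for p in activity.points if not in_any_zone(p, athlete.zones)]


def build_heatmap(activities, athletes, cell_deg=0.001):
    """Count publishable points per grid cell (cell size is an assumption)."""
    cells = Counter()
    for act in activities:
        athlete = athletes.get(act.athlete_id)
        if athlete is None:
            continue                 # fail closed: unknown settings, publish nothing
        for lat, lon in publishable_points(act, athlete):
            cells[(math.floor(lat / cell_deg), math.floor(lon / cell_deg))] += 1
    return cells


# Constructed sample data: coordinates are arbitrary, not real locations.
SAMPLE_ATHLETES = {
    "a": Athlete("a", zones=[PrivacyZone(10.0, 20.0, 200.0)]),
    "b": Athlete("b", heatmap_opt_out=True),
}
SAMPLE_ACTIVITIES = [
    # public run starting inside athlete a's 200 m zone and leaving it
    Activity("a", False, [(10.00005, 20.00005), (10.00105, 20.00005),
                          (10.00305, 20.00005), (10.00505, 20.00005)]),
    Activity("a", True, [(10.01005, 20.00005)]),    # private: dropped
    Activity("b", False, [(10.00505, 20.00005)]),   # opted out: dropped
    Activity("c", False, [(10.00505, 20.00005)]),   # unknown athlete: dropped
]

if __name__ == "__main__":
    for cell, count in sorted(build_heatmap(SAMPLE_ACTIVITIES, SAMPLE_ATHLETES).items()):
        print(cell, count)
```

A public track recorded with no privacy zone and no opt-out passes through this filter untouched, which is the case the thread is about. Rule 2 is also the cropping an earlier comment describes as leaving a circular gap; the filter reproduces that behaviour and does not hide the zone itself.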


CHECK OUT MY KOM OF AREA 51 BRAH
posted by entropicamericana at 8:39 AM on January 29 [7 favorites]


> I own the company that makes Zombies, Run! - we have millions of users and many many run logs. We could do something like this, it would get us a ton of PR and, yes, money. But some things are worth more than PR and money. I wouldn’t want people to feel uncomfortable or unsafe or regret sharing their data with us.

Every single track in the Strava heat map was already public. They haven't made private data public, they've made public data browsable.
posted by grahamparks at 9:29 AM on January 29 [3 favorites]


Forgive the self-link, but people saw the widening gap between "obtaining permission" and "permissive use" a decade ago. It's been baked into the cake ever since the earliest social networks began mashing up human-generated data according to the same principles that made it attractive to mash up data that lacks a pulse. But as adrianhon says, it requires tech companies to possess a basic sense of responsibility, and most (though not all) have failed.
posted by holgate at 9:55 AM on January 29 [3 favorites]


> AFABulous, if you look at bicycle activity separately, it looks like one guy and his regular pattern-8 bike route.

I live nearby. Both southern corners are a block off from Bublr bike share stations, so I guess someone has the world's shortest commute?
posted by Nonsteroidal Anti-Inflammatory Drug at 9:58 AM on January 29


And also: Remember that time AOL released "anonymous" search data? Turns out people tend to search for PII, like their own name or phone numbers, so even if you don't label the search data with customer information it was intrinsically included anyway.
posted by Nonsteroidal Anti-Inflammatory Drug at 10:01 AM on January 29 [3 favorites]


Frankly, blaming Strava for this is like blaming the existence of oxygen for wildfires. (I'd also like to mention that, as winna mentioned, Fitbit devices do not generally have GPS abilities - in fact when the Pentagon gave soldiers Fitbits in 2013, as breathlessly mentioned by our tech-ignorant WaPo writer, absolutely no Fitbit devices had GPS. I bet the Pentagon is still ok with those ones being used even by braindead military folk who don't know how to avoid signing up for a website that promises to make your location data public).
posted by the agents of KAOS at 10:05 AM on January 29 [4 favorites]


Also, comparing Strava and Zombies! Run in this context seems a little silly - one of them is an app you use to help yourself exercise that collects location data incidentally, one of them is an app you use in order to collect and by default share your location data. Unless of course Zombies! Run has dramatically changed since I was using it in 2016, maybe today it is advertised as a way to publicize and track your route!
posted by the agents of KAOS at 10:08 AM on January 29 [4 favorites]


> since all it does is chop the beginning and ends off, leaving a suspicious perfectly circular hole

It's been a while since I looked at the UI for this, but I think they mention this concern and suggest you not center it at your exact address.
posted by Horselover Fat at 11:03 AM on January 29 [1 favorite]


Privacy and military applications aside, one thing I noticed from looking at the heat map is the use of rivers and lakes here in Canada. The heavy use of some beaches for "water activities" definitely jives with my experience - so much so I could use this heat map to find lake & river beaches which are used less than others. It is also interesting to see the types of activity going on in the more remote corners of Canada - just a quick look at Northern Ontario and I'm seeing some incredible trips somebody made into the deep bush. Certain portage points between lakes (for instance in Algonquin Park here in Ontario, Canada) and their frequency of use are interesting as well.
posted by Ashwagandha at 11:08 AM on January 29 [1 favorite]


> - Private activities are excluded outright

If this is so and the GI Joes left their activities public, then there is perhaps another explanation: the cunning military uses virtual bots or even physical drones to log simulated activity in places where they WANT the enemy to think there is something going on...

And both the reveal and this discussion are carefully orchestrated to sow doubt into the minds of adversaries.
posted by Laotic at 11:12 AM on January 29 [2 favorites]


Loose gps sink shps.
posted by mhum at 11:54 AM on January 29 [8 favorites]


Has anyone done followup reporting on whether any of the locations on the Strava map were actually security sensitive? I mean if an airbase is already visible on online maps, it's a likely bet the locals know it's there.

> Remember that time AOL released "anonymous" search data?

I do, that had a big influence on me. And Strava, I think. But Strava is different. First, the only data that was shared was data given to Strava with permission to share it. The AOL release was done without any sort of meaningful user consent. Also Strava only released the raster map. That's aggregated in meaningful ways that prevent the kinds of correlations that were the problem with the AOL release. The Strava analogy to the AOL release would be if they released a set of tracks with user IDs attached to them, so you could watch the same person over time. They didn't. This heatmap doesn't even include single tracks other than what's visually apparent.

No, the real Strava threat is the Strava site itself. Because there the tracks are labelled with user IDs. Also times. So not only do you know that someone in the secret CIA base on Kandahar likes to take the same walk, you know they do it exactly at 8am on Wednesday and Sunday. But again sharing data like this is Strava's entire purpose as a site, users run Strava explicitly to allow this kind of sharing.

Still I get why it looks creepy. There's an ongoing theme with technology where stuff that seems OK in small amounts is troubling when aggregated across whole populations. No one got worried when officer friendly noted out of state license plates coming in and out of his town. But set some cameras up to record every license plate on every major intersection and it begins to feel creepy. Give that technology to the federal immigration enforcers and it begins to feel like a police state.
posted by Nelson at 12:13 PM on January 29 [8 favorites]


> There's an ongoing theme with technology where stuff that seems OK in small amounts is troubling when aggregated across whole populations.

Yeah, this, exactly. It's the line where enough of a quantitative difference amounts to a qualitative difference.

(And it appears in many other tech-adjacent areas, like Uber's shenanigans with automatic remote computer wipes - on an individual basis, it would be decent security practice, but automating it and tying it to a "law enforcement" alarm makes it deeply unethical at the very least.)
posted by RedOrGreen at 1:15 PM on January 29 [3 favorites]


Good Verge piece on just how difficult it is to opt out of your run traces being shared on the heat map.
posted by adrianhon at 3:08 PM on January 29 [1 favorite]


Now I'm curious what the super secret black helicopter folks name their Strava segments.
posted by The World Famous at 3:24 PM on January 29 [1 favorite]


The Verge piece is a bit of a weird take: they're making it sound like it's really hard to keep your runs private. Making an activity private is very clear: there's a lock icon on every 'edit' page for every activity, above the fold even. The toggle is just as prominent in the web version.

The Verge is talking, instead, about a specific in-between setting: publicly sharing your runs, but not having them aggregated. Which, sure - it would be nice if it was more prominent, but it makes a lot of sense that such an option is not front and center, because it only really has value for people who are in sensitive areas of the world, and given that those users didn't click the very clearly labeled 'private' button, expecting them to click some 'semi-private' button seems like a stretch of the imagination.
posted by tmcw at 3:41 PM on January 29 [3 favorites]


> Good Verge piece on just how difficult it is to opt out of your run traces being shared on the heat map.

Another article written by someone who has no fucking clue what Strava is or why people use it.

If you have any expectation of privacy you don't use Strava. As a personal run and ride tracker it is a terrible, threadbare app with lots of missing features. As a way of sharing what you're up to and seeing what others are up to, it is absolutely amazing. That's why people use it.

Painting it as a personal run tracker that's shiftily leaking and/or selling your data is garbage clickbait insanity.
posted by grahamparks at 5:34 PM on January 29 [8 favorites]


Why are we in Syria?

Anyway, absent an entity capable of killing me legally, this doesn’t bother me.

The fact that the government has this data should terrify everyone. Corporations can’t unilaterally kill us. Government can, and often does.
posted by NeoRothbardian at 6:16 PM on January 29


> As a way of sharing what you're up to and seeing what others are up to, it is absolutely amazing. That's why people use it.

Exactly. Strava is a social media based on sharing fitness GPS data. If the U.S. military doesn't already prohibit the use of social media while deployed in secret locations or on secret troop movements, then that's incredibly stupid on the military's part. If it does have such a prohibition and personnel are violating the prohibition to use Strava, then that's incredibly stupid on the personnel's part.

But if military personnel were posting location-tagged Instagram photos that revealed the location and configuration of secret troop installations and movements, the headlines wouldn't be that Instagram did something wrong.

FWIW, the Washington Post headline gets it half right: U.S. soldiers are revealing sensitive information, not by jogging, but by posting the GPS data of their runs on a worldwide, free social media app.
posted by The World Famous at 6:38 PM on January 29 [3 favorites]


That feels like a bit of a cop-out. I think Zeynep Tufekci has the right perspective [Twitter thread, my emphasis]:

> In the digital age, there is NO meaningful informed consent with regards to data privacy that operates at an individual level. Current implications are unknown; future uses are unknowable. Companies structurally cannot inform and we are in no position to consent. Nobody knows what machine learning will be able fairly successfully to infer about what set of data in the future, and what piece plays what role. People have hard time comprehending what a searchable database of many people's data reveal, etc. THERE IS NO INFORMED CONSENT HERE.

> If you have any expectation of privacy you don't use Strava.

Again, this feels like a cop-out. Any is a big word.

(It is nearly twenty years since Scott McNealy said "You have zero privacy anyway. Get over it.")
posted by holgate at 7:03 PM on January 29 [4 favorites]


> If you have any expectation of privacy you don't use Strava.

How about this instead:

If your employer, the U.S. Military, orders you to keep your location secret, don't post your GPS data on a massively-popular GPS data-sharing social media network.
posted by The World Famous at 7:09 PM on January 29 [4 favorites]


Still doesn't address "future uses are unknowable" for anything with any kind of pooled user data collected under broad T&Cs. GPS in motion has always been low-hanging fruit. Skype could decide that it's a great idea to share GeoIP data from its calls to show how it connects people. Pornhub could decide to show what gets them off.
posted by holgate at 8:58 PM on January 29 [1 favorite]


> Now I'm curious what the super secret black helicopter folks name their Strava segments.

You can go to Segment Explore and search for eg "Kandahar" to see a bunch of segments around Kandahar airfield. They're named like "Dan's KAF Segment 1" and "KAF East Runway N to South". And of course you can see a list of apparently real names (no online pseudonyms here) and profile photos in the league table of fastest times. This is literally all just out on display on the website, I'm not doing anything clever with the heatmap.
posted by EndsOfInvention at 1:26 AM on January 30 [5 favorites]


> Pornhub could decide to show what gets them off.

pornhub has in fact already done a (very broad / state-by-state) version of this. [linking to an article about their 'State of the Union' and not direct to pornhub for, uh, probably obvious reasons; link available in article]
posted by halation at 4:21 AM on January 30 [1 favorite]


Wisconsin's is "milf," but, being the Dairy State, we meant to type in "milk."
posted by AFABulous at 8:06 AM on January 30 [4 favorites]


"milk i'd like to fuck"??
posted by EndsOfInvention at 8:58 AM on January 30 [3 favorites]


> starts selling this data, analyzed and packaged

Or - their internet-connected device is inherently insecure - or their servers/data-store gets hacked...
posted by jkaczor at 9:21 AM on January 30 [1 favorite]


It seems kind of silly to blame soldiers for leaving their profile as public when a private, hackable company has access to these secret site locations whether the profile is public or not.
posted by latkes at 9:38 AM on January 30 [3 favorites]


> It seems kind of silly to blame soldiers for leaving their profile as public when a private, hackable company has access to these secret site locations whether the profile is public or not.

Agreed. It's not clear who is to blame for U.S. military personnel having uploaded their GPS data to a social media site if we don't know the details of what their orders/instructions were. Whether their profiles were set to public or private is less significant than why they chose or were allowed to upload the data in the first place.
posted by The World Famous at 10:09 AM on January 30 [1 favorite]


Zeynep Tufekci: The Latest Data Privacy Debacle. An NYT op/ed form of the tweets linked by holgate up above. Specifically the idea that individual users can't really meaningfully consent to data sharing because it's so hard to understand the implications.
posted by Nelson at 12:22 PM on January 30 [3 favorites]


There's a weird pentagram shaped area almost like a spider web or an amphitheater on the west edge of Nevada, anyone know what that is? Nothing there on a Google map.
posted by Rufous-headed Towhee heehee at 4:36 PM on January 30


You mean here? That's Burning Man, Black Rock City. You can even see how they've shifted the layout a bit from year to year.
posted by Nelson at 4:40 PM on January 30 [1 favorite]


Yeah I just figured it out. First guess was an underground giant spaceship :D lol. This is fascinating!!
posted by Rufous-headed Towhee heehee at 4:42 PM on January 30


Re Burning Man: I did not realize it was so far from civilization. Google imagery shows the tracks they've worn in the desert in the shape of the layout, do they really shift it every year? It does seem like a lot of work to triangulate the streets again and again. Could the strava data be off somehow, between years?
Also, shows some "water activities" right there in the desert. Probably someone in their truck-bed swimming pool, driving around?
posted by Laotic at 10:44 PM on January 30


More likely they picked a sport at random - Strava requires you to pick a sport for every track saved on it, and there's no "other" option for things that don't fit one of the options.
posted by grahamparks at 3:11 AM on January 31


Anonymous? Sorta-kinda ...
posted by milnews.ca at 10:51 AM on January 31


Best I can tell, the activities this person accessed were uploaded as public to a social media site. I don't want to take away from their achievements in the successful as-intended use of social media, but the NSA they ain't.
posted by ftm at 12:03 PM on January 31 [1 favorite]


> Also, shows some "water activities" right there in the desert. Probably someone in their truck-bed swimming pool, driving around?

Strava only knows what kind of activity you're tracking based on what you tell it. If I hop in my car and tell Strava I'm kayaking, it will show that I kayaked down the freeway at 70 mph or whatever.
posted by The World Famous at 12:53 PM on January 31


Strava has an official response now. Doesn't say much other than "we take this seriously". But I wanted to call out this thing:

> However, we learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations.

That bit about activity density seems important. In retrospect, they could have avoided a lot of problems if they didn't include tracks where only one or two people were ever in an area. Require there to be a certain number of separate people before that area shows up on the heatmap. Doesn't solve all problems and is a little tricky but I think it'd help a lot.
posted by Nelson at 3:43 PM on January 31 [2 favorites]
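
The activity-density threshold suggested in the comment above, sketched as an added example (not Strava's code and not part of the thread): count distinct athletes per map tile and publish a tile only when at least `k` different people contributed to it. The tile size, the value of `k`, and all user ids and coordinates are constructed assumptions.

```python
import math
from collections import defaultdict

TILE_DEG = 0.001   # assumed tile size in degrees; not Strava's real grid
MIN_USERS = 3      # assumed threshold k: distinct athletes required per tile


def tile_of(lat, lon, size=TILE_DEG):
    """Snap a coordinate to an integer grid cell."""
    return (math.floor(lat / size), math.floor(lon / size))


def build_heatmap(points, k=MIN_USERS, size=TILE_DEG):
    """points: iterable of (user_id, lat, lon).

    Returns (published, suppressed). published maps tile -> point count for
    tiles visited by at least k distinct users; suppressed is the set of
    tiles withheld because too few people account for the activity.
    """
    counts = defaultdict(int)
    users = defaultdict(set)
    for user_id, lat, lon in points:
        t = tile_of(lat, lon, size)
        counts[t] += 1
        users[t].add(user_id)
    published = {t: n for t, n in counts.items() if len(users[t]) >= k}
    suppressed = set(counts) - set(published)
    return published, suppressed


def constructed_sample():
    """Constructed data: a busy park tile and one person's repeated remote loop."""
    pts = []
    # Five different athletes, two GPS fixes each, all inside one tile.
    for uid in ("a1", "a2", "a3", "a4", "a5"):
        pts.append((uid, 43.0385, -87.9065))
        pts.append((uid, 43.0387, -87.9063))
    # One athlete repeating the same route 40 times: high intensity from a
    # single identity, which a raw point count would draw brightly.
    for _ in range(40):
        pts.append(("solo", 0.5002, 0.5003))
        pts.append(("solo", 0.5012, 0.5003))
    return pts


if __name__ == "__main__":
    published, suppressed = build_heatmap(constructed_sample())
    print("published tiles:", published)
    print("suppressed tiles:", sorted(suppressed))
```

With `k=1` the solo route's tiles carry four times the intensity of the park tile; with `k=3` they disappear from the output. As the comment says, this does not solve everything: a tile used by `k` people from the same small group still passes the threshold.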


This thread has been archived and is closed to new comments