Researchers at North Carolina State University in Raleigh (United States) have discovered that activity maps global or heatmaps of the Strava application are capable of revealing the location of the address of some active users of the application.
Strava is a platform that has more than 30 types of activities with functions that help athletes explore, socialize and monitor their progress, as defined on its website.
This service has a global activity map or heat map, a feature that was introduced in 2018 and that marks the physical activity of users anonymously. Thanks to it, they can find out which are the most traveled cycling routes or practicable trails, which allows them to improve brands or compare times with those registered by other users.
A group of researchers from the State University of North Carolina in Raleigh have discovered that, thanks to these heat maps, it is possible to violate the privacy of these users and find out where their residence is, by knowing the start and end place of recorded physical activity.
Specifically, in a document that explains how they reached this conclusion, the analysts indicate that it is possible to identify the address of some very active users of the application who reside in remote areas.
While it is true that these heat maps record activity anonymously researchers have found that “in areas with few active Strava users, the heat generated by an individual can be clearly visible.”
Thus, the home addresses of individual users can be “effectively” discovered based on user activity and the amount of heat generated in that cityas the signatories of this research have qualified.
To reach this conclusion, the data recorded for a whole month and publicly available through the Strava heat map, belonging to the states of Arkansas, Ohio and North Carolina, in the United States, were collected.
Once this information was collected, image analysis was carried out to detect physical activity start and end areas. In this way, it was possible to link the houses with the sources of activity, that is, with the users.
Once this data was confronted, the researchers created maps with various zoom levels using OpenStreetMap, thanks to which the individual addresses of these residences could be identified.
Next, a section of the application was accessed that stored the location of users who had registered a specific city as their location; something that they might have unknowingly pointed out when downloading and configuring the platform.
Once these data have been gathered and access to public data of these users, such as timestamps or distances traveled, they were able to filter to rule out matching profiles. Furthermore, their identities could be correlated with the location of their homes by extracting information from their accounts, such as real registration names and profile photos.
From this report, in addition, they clarify that the users with the greatest probability of being located in a certain house were those who registered a greater physical activity in the heat maps. This is because it could collect more information about them.
So much so that, after matching the data with the OpenStreetMap maps, the researchers point out that “with the threshold of 100 meters [de recorrido] and posting 308 activities, the chance of being discovered is 37.5 percent.”
As a result of this investigation, Strava wanted to clarify in a statement sent to BleepingComputer that “it does not track users or share data without their permission” and that heat maps do not show that heat “unless multiple people have completed an activity in a given area.”
Likewise, it has been recalled that any user of the platform who does not wish to contribute to these global activity maps can deactivate it through data use control.
However, it has said that it is “continually strengthening privacy tools” and providing more information to users about features to control their privacy experience.