Privacy and safety concerns have been raised about Strava’s global heatmap feature, with research suggesting that it could reveal user locations, even in private mode.
Researchers at North Carolina State University in Raleigh found that they could locate the start and end points of activities, especially in sparsely populated areas.
A spokesperson for the activity-tracking application said that Strava "does not track users or share data without their permission".
Introduced in 2018 to “improve user experience”, the global heatmap feature lets users find new hiking, running and cycling routes and popular exercise hotspots in their area and, used in a certain way, even new training partners.
The feature is based on GPS data and is updated every month. It combines data from the previous two years into a single map, highlighting areas of activity with bright yellow and white lines.
Just one month after introducing it to the popular fitness app, Strava provided an opt-out function for the heatmap after discovering that it could pose a privacy and safety risk to its more than 100 million users.
There were also concerns that the global heatmap was exposing secret or sensitive information.
In a paper published last month, researchers said that people could use the heatmap feature to track Strava users to their home addresses.
The study found that all Strava users in a given less populated area can be looked up, to the extent that it is allegedly even possible to discover where users’ exercise routes begin and end.
“Strava users expect their personal information to be protected, and our work shows that this is not always the case,” Anupam Das, one of the authors of the paper, said. “This could be particularly problematic for users who are concerned about stalkers or have other reasons to desire that their location data be kept from the public.”
“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be difficult to track any specific person,” Das added. “However, in areas where there are few users or few routes, it becomes a simple process of elimination, particularly if the person someone is looking for is a highly active Strava user.”
Das also suggested that making an account private doesn’t guarantee protection against this, although Strava told his researchers that its heatmaps only use aggregate data, making it impossible for anyone to capture private information.
“We did reach out to Strava about this, and the company has said it does not share heatmap data unless several users are active in a given area,” said Kevin Childs, first author of the study paper. “However, we were still able to identify the home addresses of some users in certain areas using the heatmap.”
"The safety and privacy of our community is our highest priority," a spokesperson for Strava said this week. "We've long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with.
"Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.
"The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (‘Only You’) for any given activity.
"We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava. This includes simplifying our Privacy Policy with our Privacy Label at the top."
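
The "multiple people" rule in Strava's statement can be read two ways, and the difference matters for the highly active user Das describes. The sketch below is an added example, not Strava's code or the researchers': it compares a threshold on activity count with a threshold on distinct users per map cell. The grid size, the threshold `K_MIN`, the function names and the sample coordinates are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CELL_DEG = 0.001  # assumed grid size (roughly 100 m); not a figure from the article
K_MIN = 3         # assumed minimum number of distinct users per published cell

def cell_of(lat, lon):
    """Snap a GPS fix to a grid cell index."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))

def _collect(points):
    """Group user ids and activity ids by the cell each fix falls in."""
    users, acts = defaultdict(set), defaultdict(set)
    for user, activity, lat, lon in points:
        c = cell_of(lat, lon)
        users[c].add(user)
        acts[c].add(activity)
    return users, acts

def by_activity_count(points, k=K_MIN):
    """Weak rule: publish a cell once it has k activities, whoever recorded them."""
    _, acts = _collect(points)
    return {c: len(a) for c, a in acts.items() if len(a) >= k}

def by_distinct_users(points, k=K_MIN):
    """Stricter rule: publish a cell only if k different users passed through it."""
    users, acts = _collect(points)
    return {c: len(acts[c]) for c in acts if len(users[c]) >= k}

# Constructed sample: user "a" records five runs that start at the same spot
# and pass a shared trail; users "b" and "c" each cross the trail once.
START = (35.79050, -78.65050)
TRAIL = (35.78050, -78.63950)
SAMPLE = [("a", f"a{i}", *p) for i in range(5) for p in (START, TRAIL)]
SAMPLE += [("b", "b1", *TRAIL), ("c", "c1", *TRAIL)]

if __name__ == "__main__":
    start_cell, trail_cell = cell_of(*START), cell_of(*TRAIL)
    weak, strict = by_activity_count(SAMPLE), by_distinct_users(SAMPLE)
    print("start cell published (activity rule):", start_cell in weak)
    print("start cell published (distinct-user rule):", start_cell in strict)
    print("trail cell heat (distinct-user rule):", strict.get(trail_cell))
```

The researchers quoted above report still identifying home addresses in sparsely used areas, so a per-cell user threshold is one control among several rather than a guarantee.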