My running app was telling everyone my location, and yours might be too

The Venn diagram of problems faced by the US army, the world's second-largest military force, and myself, recipient of the second-largest muffin at the cafe this morning, tends to be two distinct circles: for example, not being able to find weapons of mass destruction in the Middle East (their circle), not being able to find the mailbox key (mine).

But, when it comes to a little app called Strava, it appears the US army and I are in the same, flimsy, boat.


Strava, as billed on the App Store, is an app to "track your fitness activity". It offers settings for runners, cyclists and swimmers. I downloaded it because I, like many people at this time of year, am training for a run and a couple of friends recommended it.

It was a solid recommendation; Strava is very useful. It uses GPS technology to map your run from start to finish, giving your pace in real-time, as well as kilometre by kilometre splits. If you run the same route more than once, it tells you which was faster. On your profile, you can see all of the runs you have completed, and when you did them.

Of course, there's a catch for accessing these features for free, which is that Strava, which claims to have 42 million users with one million new downloads each month, has all of this data. This is what presented an issue for the US army last year, when a heat map created by Strava showing hot spots of Strava activity appeared to also show the locations of military bases and movement patterns of their residents.

But what is of more immediate concern to me is that it also shares all of this information with your Facebook friends list, and some of it with total strangers.

Running is a relatively routine activity. So, if you're a person who runs from her house to a local park and back every Monday and Wednesday (as a woman on my Facebook friend list does, I now know), this information is, by default, visible to everyone on your Facebook friends list who also uses this app. If you're a person who does that in a good time, you might appear on one of the app's leaderboards, meaning that data is visible to everyone else on Strava.

"If your Facebook has got a small number of trusted people, it's not a big deal," says Susan McLean, a cyber safety expert and former Victorian police officer. "But, we know most people have friends of friends; a bigger group."

You can probably guess where this is going.

"Any app that shares your precise location is dangerous, full stop, let alone one that has routes which are often going to start at your front door, or your place of work," Ms McLean warns, adding that, although the risk of a stranger stalking you on the basis of your fitness routine is "incredibly remote", these apps are the sort of technology used in domestic violence, and can put you at risk of property crime.

"As well as telling people where you are, it's telling people where you're not."

I know what you're going to say: just set your profile to private. You can and, after multiple Google searches and the flicking of no fewer than six switches – my profile, my activities, the run I'd logged before realising I needed to set my activities separately, group activities, something called "Flybys", and finally the heat map, which I only found when trying to count the number of switches to include in this article – on different menus within the app, I think I have. But, more so than other social networks, it is extremely difficult to lock down a Strava account.

Everything you put on Strava is public by default, and sneakily so.

The prompted way to set up the app is to record a run. That means the first run I did on the app was completely public, before I was even able to access the app's settings. I did as I was told, completely unaware this would be publicly available.

How did I realise my run was public? In a sweaty post-trot daze, I noticed someone called Linda (surname withheld in this article, although not when it appeared on my phone screen) had "joined" me on my run. (She was a terrible running buddy: Why didn't she tell me to pull my finger out when I dropped things to a walk less than a kilometre from the finish line?)

Frustratingly, even after I did set my profile to private, this first run was still public. I had to go back into the page for that individual run and set that to private.

I then realised that, although Strava had been prompting me to "follow" a curated list of Facebook friends on the app, there was no need: clicking on their profiles revealed most had not adjusted the default (lack of) privacy settings at all.

Contacting some of these people since, most didn't know this information was available to anyone who stumbled on their page. The woman who runs on Mondays and Wednesdays has now completely locked down her profile.

Ms McLean says it is more common for apps to be "public by default" than most realise, a move which she thinks is irresponsible.

"A hundred per cent private should be the default, and if you want to share it's a conscious decision to share, rather than the assumption that people are willing to share, and if they have to Google for hours to figure out how to make it completely private," she says.

Initial concerns about Strava were largely related to reckless cycling and overly-competitive working out, but now users are wondering if a fitness social network is actually a good idea.

The conversation about this has been happening in the US, where Strava was first launched in 2009, for a few years now. In a 2018 Wired article, writer Elizabeth Barber recounts how she watched her boyfriend meet a woman who eventually became a love interest on Strava. A year earlier, after becoming alarmed when male strangers on Strava kept "liking" her runs to and from her apartment, Rosie Spinks wrote for Quartz that "privacy settings are a feminist issue".

Strava has responded to this (largely after the US army issue), to a point. You can now set a privacy zone on the app, so a certain portion of your run (i.e. the first 200m from your house), is visible only to you.

But Ms McLean says the safest way to use Strava is to remove the social element altogether.

Strava didn't automatically know who my Facebook friends were. When I joined, I was presented with the option to sign in through Facebook, or my Google account, or – sitting quietly towards the bottom – with an email account. I knew the latter would mean I would have to remember another password, and click through a confirmation email, so I went through Facebook without even thinking.

The permissions I gave Strava looked just like those you would give a dating app: access to your basic info and contacts, but no ability to post. Once I was confident my Facebook profile wouldn't be flooded with the times of my abysmally slow trots, I signed up.

"The number one piece of advice for everyone is you should not ever log into an app through Facebook," Ms McLean says.

"People do it because it's quick and easy, but it's also not safe: you are diluting Facebook's safety settings by letting that app in."
