Viewpoint: Strava issue highlights the best and worst of data sharing

The revelation that soldiers have been inadvertently giving away the location of military bases around the world through their use of the Strava app to track their runs sounds like something out of an episode of Black Mirror. Or as one of my friends put it: “you couldn’t make it up”.

The issue goes back to last November, when Strava published an updated version of its global heatmap. The updated map included 1bn activities from Strava users, with 3bn latitude and longitude points and 10 terabytes of raw input data.

But it was only over the weekend that a 20-year-old Australian student named Nathan Ruser realised that the map could be used to show the location of military bases around the world. This came down to the fact that the bases are usually in remote locations where you wouldn’t expect to see much human activity, so when you see a lot of fitness tracking taking place on Strava in one of these outposts, you can take an educated guess that it might be a military base. Soldiers and fitness, after all, go hand in hand.

Strava’s response came in the form of a blog post from CEO James Quarles a couple of days ago in which he said, among other things, that the company is reviewing features that were originally designed for athlete motivation and inspiration “to ensure that they cannot be compromised by people with bad intent”.

Perhaps more to the point, he said the company would continue to increase the awareness of its privacy and safety tools, and included a link to a post that details the privacy options available on Strava.

Keeping up with the tech
It’s often said that the law struggles to keep up with technology, which is one of the reasons why tech is often leveraged or even abused for commercial ends until the law catches up with it. To my mind, this Strava issue is part of an arguably bigger problem of society failing to keep up with technology.

The apps we have on our phone, the devices we use in our daily lives, the experiences they deliver – there is some really smart stuff going on, not a million miles from what you see in a typical episode of Black Mirror, in fact. And all too often we, as consumers, are sucked into it by the promise of how much more you can get from, say, an app, if you allow it track your movements. I’ve lost count of the number of apps I’ve installed on my phone that want permission to share my location and send me alerts or notifications, before I’ve even got past the homescreen on first open.

That’s fine, so long as the user knows what he or she is letting themselves in for. But alongside the enticement to share, for example, location, there should be an equally prominent and repeated reminder of what it’s being used for, and how to turn it off.

It would also be reassuring to think that most apps would have your personal data set to Private by default, leaving the onus on the user to set it to share with others only if they choose to do so. My suspicion is that many mobile users would be surprised to learn that many of their favourite apps come with privacy settings, or that they can change them

The imminent arrival of GDPR will hopefully bring the issue of data privacy and ownership into sharp relief, not just for the companies that trade so heavily in consumer data, but also for the people who generate it – that’s you, me and all the other consumers in the world.

Even Facebook is preparing for this new era of transparency by including a series of educational videos in users’ news feeds to help understand how they can control what information Facebook can use to show them ads, and how they can review and delete old posts.

The other point about the Strava issue is around how all this is managed in the workplace, especially when that workplace plays a key role in maintaining national security.  We’ve all heard plenty of talk over the last few years around Bring Your Own Device and the security implications that entails. This is not so much Bring Your Own Device as Bring Your Own Apps, and the implications are every bit as severe.

Should anyone in the military high command have seen this incident coming? It’s a moot point. Now it has been exposed though, those running the military and other institutions where security is a prime concern should recognise that Strava is just one of thousands of apps that encourage users to share their location and other data in return for getting more from the app.

It’s down to those who run these places to get to grips with the tech and ensure that by allowing those in their charge to share their personal information, they don’t compromise their own safety, or that of their colleagues or the wider public.