Checking the privacy settings of the apps on a smartphone or other device is a crucial step in letting a user control which elements of their private information are monitored and released. Many settings, unless turned off, automatically allow the app to collect and use personal data. A recent illustration of this problem is the now highly public Strava case, in which sensitive location data on military personnel around the world was found to be readily available online.
San Francisco-based Strava, which markets itself as a "social network for those who strive," is a fitness app that runs on smartphones and fitness watches with GPS. One notable feature is a global heatmap, which shows the locations and movements of every user who has not disabled the feature. The app has more than 27 million users, and as of 2017 the company said its map contained more than 27 billion kilometers of data, intended to show popular routes and locations for jogging and other types of exercise and sport. An Australian student named Nathan Ruser noticed that the map was showing the location and movements of military personnel and announced this in a tweet:
“Strava released their global heatmap. [A total of] 13 trillion GPS points from their users (turning off data sharing is an option) … It looks very pretty, but not amazing for Op-Sec. U.S. Bases are clearly identifiable and mappable.”
Strava users’ trails on the map show their locations at military facilities run by the U.S. and others in locations including Syria, Afghanistan, Iraq and Somalia. The trails also show the routes they walk along and use to exercise.
“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” a representative for the U.S. military Central Command press office in Kuwait tells The Washington Post.
While Strava users can purposefully choose not to be on the heat map in their settings, this situation is an example of how making information access a default, rather than an opt-in, can lead to the unintended revelation of sensitive data. Many apps will access and/or collect location data, contacts, calendar information, photos and other content unless specifically instructed not to do so.
"These apps can track your location, and very often these companies are disclosing sensitive location information to third parties without users’ knowledge or consent," Sam Lester, consumer privacy fellow at the Electronic Privacy Information Center, tells USA Today.
Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy & Technology, encourages all smartphone and app users to explore their privacy settings. She also says of the tech companies, "It's important for them to be up front about what they're doing and to offer more controls, but I think there just needs to be better stewardship on the part of companies."