Non-Military Security Technology and Innovations

Security flaw in Strava app has been utilised to spy on the Israeli military’s movements

Kristína Lintnerová

Israeli researchers have revealed how some features of the popular Strava app designed to measure athletic activity via GPS allowed suspects to spy on Israeli army personnel. This included tracking their movements around secret bases across the country. Specifically, the information concerned 100 people at six bases, including one near Israel’s Dimona atomic centre.

Achiya Schatz, CEO of FakeReporter, the company that uncovered the surveillance, said in a statement sent to Insider that the surveillance group alerted Israeli security forces as soon as it became aware of the security breach. Data on individuals serving at the Israeli Air Force, military intelligence and army bases were revealed.

Since 2009, Strava has been publishing a heat map showing every activity ever recorded, representing more than 3 trillion data points. What makes this app popular among users is precisely that it encourages ‘friendly competition’ by highlighting a short section of a route as a ‘segment’ and recording the time it takes to run it, which is then ranked against all other runners. All times, along with personal details such as photos, home addresses and the identities of users who have run the same segments, are then published in the Strava app’s results table. Although the company has made significant updates to privacy settings in the past, users and their data could still be publicly revealed even if their profiles were set to “private”.

These issues are not new, however, as the company has encountered privacy problems in the past. In 2018, heat map data was released showing the location of classified US military bases in Syria and Afghanistan. At the time, Strava said in response that its privacy features would be reviewed to ensure they “cannot be compromised by people with malicious intent” and put measures in place to allow users to tighten their privacy settings. But these have now proved inadequate.

Thus, despite Strava’s stated efforts, the app’s persistent security flaws continue to raise concerns about its users’ privacy, as the company appears to be only hesitantly working to implement higher security settings. This is because such features could make its technology less attractive, which would ultimately mean fewer users. 

The Strava case highlights the dilemma between technological innovation and privacy protection. As Forbes reports, “Strava apparently prefers to leave the responsibility for privacy to users.” But a large part of the population lacks awareness and education in this area. Moreover, cases from Israel and the US suggest that this even applies to members of the armed forces or intelligence services, where leaks of personal information can lead to threats to life or national security.

Photo credit: Heat map
