So The Map Room has had a privacy policy (of sorts) for years, but since all the cool kids have been updating theirs in preparation for the European Union’s General Data Protection Regulation, I’ve gone and done the same. This policy, posted on my personal website, will apply to all the websites I own and operate: since they’re all one-person operations, and I’m the person in every case, it didn’t make sense to be repetitive. Also, said operations are likely too small, too inconsequential and too uncontroversial to invite scrutiny from European regulators, and anyway at the moment I don’t hold any personal data unless you comment or contact me via a web form. It seems politic to spell that out in detail, though.

Strava, Responding to Security Concerns, Disables Features

Strava has reportedly disabled certain features in the wake of the privacy and security issues raised last month, with users reporting that they can no longer create workout segments. In a statement given to The Verge, Strava said: “We are reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent.” [Canadian Cycling Magazine]

Previously: Strava Heat Map Reveals Soldiers’ Locations; Non-Anonymized Strava User Data Is Accessible.

Non-Anonymized Strava User Data Is Accessible

More on the privacy issues regarding Strava’s global heat map and its customer data. Now Wired UK is reporting that Strava’s data isn’t anonymous. Because you can compare your results with nearby users, all it takes is a local GPS tracklog—which can be created out of whole cloth, as Steve Loughran’s blog post demonstrates—to see detailed information about users. Wired UK:

By uploading an altered GPS file, it’s possible to de-anonymise the company’s data and show exactly who was exercising inside the walls of some of the world’s most top-secret facilities. Once someone makes a data request for a specific geographic location—a nuclear weapons facility, for example—it’s possible to view the names, running speeds, running routes and heart rates of anyone who shared their fitness data within that area.

The leaderboard for an area, the Guardian reports, can be extremely revealing. “The leaderboard for one 600m stretch outside an airbase in Afghanistan, for instance, reveals the full names of more than 50 service members who were stationed there, and the date they ran that stretch. One of the runners set his personal best on 20 January this year, meaning he is almost certainly still stationed there.”

Which makes the security issue regarding military personnel using fitness trackers even worse than simply the anonymous aggregate of the routes they take. Yes, this is very much an unintended and unforeseen consequence of relatively innocuous social sharing bumping up against operational and personal security protocols; and it’s as much on military personnel to, you know, not use GPS-enabled devices that upload your location to a third-party server as it is on companies to have clear and effective privacy controls. This is very much the result of a whole lot of people not thinking things through.

Previously: Strava Heat Map Reveals Soldiers’ Locations.

Strava Heat Map Reveals Soldiers’ Locations

Strava is a mobile fitness tracking app that uses GPS data from phones and watches. It has access to a lot of data, and has been using that data to create a global heat map showing the paths taken by its cycling and running customers. The map’s most recent update, last November, aggregates user data through September 2017. But analyst Nathan Ruser noticed a problem: in places where local Strava use is low, the map can reveal the paths of people from wealthy western countries—for example, soldiers at U.S. military bases overseas, whether they’re patrolling or simply exercising. (U.S. troops are encouraged to use fitness trackers.) Which is to say, suddenly Strava is a security problem. Details at BBC News and the Washington Post.