see icon..... pretty much sums it all up.
All your base are belong to us: Strava exercise app maps military sites, reveals where spies jog
In November, exercise-tracking app Strava published a “heatmap” of user activity which it cheerily boasted comprised a billion activities, three trillion lat-long points, 13 trillion rasterized pixels and 10 TB of input data. It took a while, but late last week someone wondered “how many Strava users are members of the …
COMMENTS
-
Monday 29th January 2018 09:46 GMT Doctor Syntax
Re: Collect all the data, ignore users privacy...
" you can't blame the service."
Yes you can. You can blame them for not making the privacy setting default to something sensible. This amounts to an offence under GDPR.
I wonder how many fines it's going to take until US manufacturers learn to do things right.
-
Monday 29th January 2018 11:04 GMT DavCrav
Re: Collect all the data, ignore users privacy...
""This amounts to an offence under GDPR"
I'm almost certain it won't."
I'd be surprised if it isn't already an offence under the current regulations. They are a processor of sensitive data (where someone is) under DPA, and they cannot just publish all that information in such a way that it can be deanonymized. Obviously showing you coming out of your house is not very anonymous. They might also be in trouble over various national security legislation. Arguably this is material of benefit to terrorists, and its publication would then be an offence under UK law. (Find any route that goes into a military base, for example, and then wait along it.)
-
Monday 29th January 2018 11:21 GMT Adam 52
Re: Collect all the data, ignore users privacy...
"They are a processor of sensitive data (where someone is) "
You can look up sensitive data on the ICO website:
https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
It doesn't include location.
Excluding home addresses *is* part of the Strava sign up process. And Strava's privacy policy explicitly acknowledges that people may be identified from aggregate data:
"If you make information or content publicly available on the Services, such information, even when aggregated, is capable of being publicly viewed and possibly associated with you"
There are plenty of bad boys in the industry, but Strava isn't one of them.
They have consent under current DPA for everything they do. They have consent under GDPR, although I don't think they need it (because storing location and deriving profiles from it is the whole reason for the service existing).
Need to go now, time for my daily catch-up with the GDPR lawyers.
-
Monday 29th January 2018 11:52 GMT SkippyBing
Re: Collect all the data, ignore users privacy...
'Excluding home addresses *is* part of the Strava sign up process.'
Very much this, what surprises me is how many people miss it. I compared my friend's house in LA with mine, he is obviously the only person living on his street to use the app despite a reasonable number of people using it as part of their running route. My house in a small town in the UK has apparently never been lived in by someone who has Strava even though I ran about 5 times the distance he did last year.
What I did like was looking in Portsmouth harbour and seeing a faint outline of an aircraft carrier.
-
Monday 29th January 2018 18:12 GMT DavCrav
Re: Collect all the data, ignore users privacy...
"Does it have to comply with UK DPA / ICO requirements if it's a US company shipping the data straight to the US untouched. Seems unlikely. That kind of "our law applies everywhere" mentality is normally restricted to US gov."
It depends. Did the data originate in Nigeria? No. Did it originate in the UK? Yes. Processing UK citizens' data means you fall under the purview of the ICO, and UK law.
-
Tuesday 30th January 2018 16:02 GMT caffeine addict
Re: Collect all the data, ignore users privacy...
"It depends. Did the data originate in Nigeria? No. Did it originate in the UK? Yes. Processing UK citizens' data means you fall under the purview of the ICO, and UK law."
This is very much not my field, but that's not my understanding, or the reading I get from (random fairly reliable website) ThomsonReuters https://uk.practicallaw.thomsonreuters.com/1-502-1544
The Data Protection Act (DPA) applies to data controllers that are either:
* Established in the UK and process the data in the context of that establishment.
* Not established in the UK or an EU member state, but use equipment in the UK for processing data (excluding where that data is only in transit).
-
Tuesday 30th January 2018 19:11 GMT DavCrav
Re: Collect all the data, ignore users privacy...
"Not established in the UK or an EU member state, but use equipment in the UK for processing data (excluding where that data is only in transit)."
Well there you go. Transit means passing through, not starting from. I'm not 'in transit' at Heathrow if I get off the bus there, it's if I'm on a connecting flight. The data originated in the UK, so it's covered. And of course the equipment is the smart watch/whatever.
-
Monday 29th January 2018 11:00 GMT DavCrav
Re: Collect all the data, ignore users privacy...
"There are all kinds of privacy setting the users could have employed. If they couldn't be bothered to switch any of them on you can't blame the service."
You mean: there is an option in the settings for us not to come around and shoot you in the face. If you couldn't be bothered to switch it on you cannot blame us.
-
Monday 29th January 2018 08:24 GMT Anonymous Coward
"consider consequences on multiple levels prior to publishing private data"
Or maybe consider consequences on multiple levels prior to collecting private data?
Hope that once governments are bitten themselves hard by the data gathering frenzy, they'll reconsider the rules about data gathering... I wait for the first politician being shown "exercising" at his mistress's house...
And, no, opt-out is not enough - people should at least have to opt-in to any data collection.
-
Monday 29th January 2018 08:34 GMT Adam 52
Re: "consider consequences on multiple levels prior to publishing private data"
"And, no, opt-out is not enough - people should at least have to opt-in to any data collection"
Strava is a data-collection site. That's what it does. You opt-in by uploading your stuff to it, it doesn't magically track you without consent.
When I signed up the privacy zone was in the initial setup wizard, so it's a little deceptive for the article to call it off by default. It has to be off as far as it is, because Strava doesn't know where to put it unless you tell it.
Heatmap is just another example of it being really hard to anonymise through aggregation.
-
Monday 29th January 2018 08:58 GMT rmason
Re: "consider consequences on multiple levels prior to publishing private data"
@AC
Absolute nonsense.
They purchased a device and service that is *SPECIFICALLY FOR* data gathering and sharing.
Yes, if they purchased something random that was gathering this data, fine. That's not the case though. You seriously aren't suggesting they should have to opt in to make the device function as advertised?
Sorry, but this sort of attitude contributes to the issue. The onus is on the users to understand what they have purchased and use it correctly. The company are doing *exactly* what they say they'll do.
-
Monday 29th January 2018 15:09 GMT Anonymous Coward
"service that is *SPECIFICALLY FOR* data gathering and sharing"
As I see it promoted, it's for activity tracking and friend sharing, not for sharing with world + dogs.
It's still worrying that people are OK to share those data just to show theirs is longer... but we're in an era when you're a child until well into the forties.... I stopped such kind of behavior when I was eight or nine.
-
Monday 29th January 2018 18:12 GMT Anonymous Coward
Re: Collect all the data, ignore users privacy...
It's not PII though. The fuzzy line shows where some of the millions of users have been. The only reason you know a line to a front door is your friend is because YOU have Personally identifiable info on your friend, like where they live and the fact that they use Strava. Without that information it may just as easily be the postman or a stalker, and the heatmap gives you no more useful information than that. "privacy experts" are driving me insane at the moment, GDPR is like cat nip for dipshits.
-
Tuesday 30th January 2018 19:12 GMT DavCrav
Re: Collect all the data, ignore users privacy...
"It's not PII though. The fuzzy line shows where some of the millions of users have been. The only reason you know a line to a front door is your friend is because YOU have Personally identifiable info on your friend, like where they live and the fact that they use Strava."
I thought there were statements like 'it's not anonymous if it can be de-anonymized with extra information'.
-
Monday 29th January 2018 01:10 GMT Mayday
I've never understood
Why people use and publish results from apps such as this.
Every day I see on social media people posting their running/cycling etc details online. I can literally deduce their home address and what time they enter/leave from here. Even from people I don't know too well.
I'm not a nasty guy, but plenty of people are and they can use this info for not so nice purposes. Seems like common sense isn't too common.
-
Monday 29th January 2018 02:39 GMT A Non e-mouse
Re: I've never understood
The problem with Strava is by default it shares it with the world. If you're just sharing the data with your friends*, they probably already know where you live.
* This assumes that you only friend people who really are your friends, and not just any random Tom, Dick or Harry who asks to be your friend...
-
Monday 29th January 2018 08:59 GMT Anonymous Coward
Re: I've never understood
I've seen this with some female Facebook friends, and pointed out to them that it makes it easy to figure out where they live. Some care, and correct it, others say "it isn't that hard to find out where someone lives" and don't worry about it.
I suppose that's basically the same argument that you get against "security through obscurity".
-
Monday 29th January 2018 11:06 GMT Pascal Monett
@ DougS
You might remind your female friends of a basic difference : IRL, someone has to meet you, or at least be told about you, before they think of looking you up. I doubt that stalkers choose their victims by perusing the phone book. If they don't know your name, they can hardly look up your address and they'd have to follow you home before they can correlate an address to a name.
Publishing personal info and travel data on a social site removes that sleuthing requirement. The stalker can just peruse the activities, select a woman he likes and dive into her life. Finding the address is trivial at that point.
Security through obscurity works very well in real life. Do you know where US carrier fleets are at this time ? Hint : don't try finding out - that will land you in very hot water.
-
Monday 29th January 2018 15:26 GMT MonkeyCee
Re: @ DougS
"Do you know where US carrier fleets are at this time ? "
No.
But 30 seconds on Google gives me: (from stratfor)
"Carrier Strike Groups
The USS Carl Vinson CSG is underway in the Pacific Ocean for a western Pacific deployment.
The USS Theodore Roosevelt CSG is underway in a deployment in the U.S. 5th Fleet area of responsibility supporting maritime security operations and conducting theater security cooperation efforts.
The USS John C. Stennis is underway in the Pacific Ocean for routine training.
The USS Gerald R. Ford is underway in the Atlantic Ocean conducting test and evaluation operations.
Amphibious Ready Groups/Marine Expeditionary Units
The USS America ARG is underway in the Pacific Ocean returning to its homeport.
The USS Essex is underway in the Pacific Ocean for routine operations.
The USS Bonhomme Richard is underway in the U.S. 7th Fleet area of responsibility conducting routine training."
I await my hot water....
-
Monday 29th January 2018 17:54 GMT Anonymous Coward
Re: @ DougS
If you want to know where carrier battlegroups are going to be, even if it's changing from day to day, in the future just ask the prostitutes. They always know. Hell, I've asked them before. Spent 7 years straight serving on the same tincan (destroyer) and that's one tip most sailors know.
-
Monday 29th January 2018 09:02 GMT rmason
Re: I've never understood
@Mayday
To show off, they think it makes them better than those who don't do (insert activity here).
You know, same deal as the couples who you know are always at each other's throats, but social media is just lovey dovey "look at us" stuff.
Same deal, it's to appear good on the internet.
-
Monday 29th January 2018 13:19 GMT Platypus
Re: I've never understood
There are basically two reasons. One is that competition is a strong motivator. For a lot of people, including me, leaderboards can motivate people to go out more, or to push faster/further than they might have otherwise. Another is helping to cheer each other on. I have three friends on MapMyRun, I know that the encouragement I get from them is helpful when I'm not doing so well and I certainly hope it works the other way too.
That said, there are good and bad ways to share this data. For example, on MMR those three friends are the only ones who get to see exactly where I've gone, or whether I've gone at all on runs that don't earn me a place on a leaderboard. All anyone else sees is first name, last initial, time on that segment, and date. I *could* open up full sharing, but it's not a default. No heatmaps or anything like that, though I've kind of wished for that as a way to help people find routes worth trying. Overall, I'm pretty comfortable with MMR's approach. If I used Strava, I think I'd be a bit less comfortable.
-
Monday 29th January 2018 01:54 GMT Notas Badoff
Revealing state secrets
Well now, that's going to restrict their movements, what with some countries jailing people for mentioning even commonly-known facts, as "revealing state secrets". Hotel California, anyone?
-
Monday 29th January 2018 02:30 GMT Sampler
Re: Fail!
In defence, as someone who uses said app and has bought a watch specifically for the task of GPS tracking running & cycling (and swimming, but, it transpires GPS doesn't penetrate water that well, a mere second's thought beforehand would've made the counter assumption obvious I guess).
It's not so much for it to tell you when to exercise, but to monitor progress, am I getting faster, slower, about the same? Where are those gains being made?
I also suffer from a terrible memory ("the worst case of sleep apnoea in someone of your age and build" means I literally spend half my time sleeping not breathing, so I never hit L3 sleep) so it's useful for tracking when I've been, how much I've done this month and should I do more. I admit my reasoning here is fairly individual.
Plus, as a nerd, who doesn't enjoy an abundance of stats?
-
Monday 29th January 2018 07:08 GMT big_D
Re: Fail!
That is fine, if you are keeping the data for yourself. But the apps all seem to insist on uploading all the data to their cloud.
I have a Fitbit, but I never activate the GPS when I go out exercising. I track how far I've been, but not where... And to be honest, now that I walk about 6KM to work and back every day, I'm rethinking the need for having the Fitbit at all.
-
Monday 29th January 2018 11:17 GMT Anonymous Coward
"but I never activate the GPS "
GPS itself is no harm - it only receives, doesn't transmit. It's what the device does with the data that is the problem. I do use GPS devices to track where I've been and the places and times where I took photos, so I can return to them if there's a good reason to.
I just download them to my computer only, and the data never leave it (of course, the photos with geoloc data are never uploaded to any site or cloud service...)
The day those devices start to attempt to upload them to whatever cloudy destination, I'll stop using them.
I don't really want someone to be able to track where I am while carrying several thousand $$$ of equipment...
Just, too many apps use the "mine is longer than yours" human weakness to lure people into sharing what they shouldn't.
-
Monday 29th January 2018 07:36 GMT Teiwaz
Re: Fail!
"Plus, as a nerd, who doesn't enjoy an abundance of stats?"
I'm going to crush your nerd pride here.
The Gov'ment likes stats too. By 'like', We're well into serious BDSM style stalker levels of 'like'. What for, I'm not sure, they think it helps make right decisions, but often the opposite seems true.
-
Tuesday 30th January 2018 14:33 GMT dave 76
Re: Fail!
"In defence, as someone who uses said app and has bought a watch specifically for the task of GPS tracking running & cycling (and swimming, but, it transpires GPS doesn't penetrate water that well, a mere second's thought beforehand would've made the counter assumption obvious I guess)."
Put the watch under your swim cap and it should work while swimming.
-