
Advanced Denanonymization through Strava - dsr12
http://steveloughran.blogspot.com/2018/01/advanced-denanonymization-through-strava.html
======
abcd_f
This is neither advanced nor denanonymization (sic).

They basically pluck an interesting route from the hotmap (as per other
people's recent discovery), pretend that they have also run/biked this route
and Strava will show them names of others who run/biked the same way. That's
clever, but that's not "advanced" by any means.

It's also not a deanonymization as there's really no option in Strava for
public _anonymous_ sharing to begin with.

~~~
dawhizkid
I wonder why Uber/Lyft/Waze don't have a feature like this for ridesharing.
Seems like it would be useful to find commuters going on the same commute each
day.

~~~
aw3c2
Announced just the other week:
[https://www.waze.com/carpool/](https://www.waze.com/carpool/)

~~~
kelnos
I think this is just a rebranding. Waze Rider (which is the same thing?) has
been around for a good year now.

------
thaumaturgy
Strava is the first social network I want to be a part of. It promises to help
me find activity partners that can help keep me motivated on the days where
I'm finding it more difficult than usual to get on the pedals or put on the
running shoes. Unlike most others, it might help me feel happier and
healthier. I have to accept some loss of privacy for the sake of crawling out
of a hole and having an automated system help me meet other folks.

And as he admits, you're far more likely to lose your bike to a combination of
a moment of carelessness and an opportunistic thief than someone that's
surveilling you through your social network activity.

It's a little ironic too that he's writing about the dangers of
deanonymization while providing enough information in his post to figure out
his Strava username and approximate location.

~~~
bringtheaction
I use Strava but I had no idea it's intended for meeting others.

Can you give more details on this? I can't find much in the app.

~~~
contender_x
find and join a running/cycling club in your area

------
taneq
This isn't even "deanonymization" in the sense of "performing statistical
inference to re-associate different pieces of data." It's "you ask the company
to give you personally identifiable data, and it does so."

~~~
loeg
Strava is a public-by-default social networking website that happens to focus
on athletics. Given that, it's no surprise some users happen to work in the
military (they're also on Facebook).

It seems like the various militaries need to do a better job of informing and
enforcing social media policy, including auditing websites like Strava. You
could also argue that Strava should be private by default, but I don't think
you'd have much success persuading them of that.

~~~
mxfh
The US did audits and actually issued 20000 + 2000 Fitbits at minimum in trial
programs.

Strava is the least of their problems. Despite all news articles in the last
day I didn't come across a single previously unknown site mentioned in any of
the stories. All those "experts" did was show known locations with a
novelty overlay.

The heatmap is the graphic and interactive part that makes the story
digestible, but there is no actual hard news in there. The story usually then
shifts to being able to track users across bases, which is nothing exclusive
to Strava and mostly speculative when it comes to discovering actually secret
deployments.

In the case of HMNB Clyde, that place also exists on Instagram, which I find
way more discerning, since by default geo-located pictures are even less
obvious than a share my GPS-Track of my sports activities as default setting.

[https://www.armytimes.com/news/your-army/2015/07/27/20000-so...](https://www.armytimes.com/news/your-army/2015/07/27/20000-soldiers-tapped-for-army-fitness-program-s-2nd-trial/)

~~~
gmueckl
Even the knowledge of exact guard patrol routes and possibly even timings
inside a known military base can be extremely helpful information for someone
planning an attack. Best part: you don't even have to place a scout in
physical proximity as preparation and risk discovery. So this is less than
ideal for military organizations.

~~~
stef25
You're totally right of course and I think it's pretty shocking that military
personnel aren't aware they are broadcasting their location out to the web.
Complete opsec failure.

~~~
fapjacks
They are, they just don't care. The State Dept will likely issue a ban on
their facilities which personnel will adhere to. Other military installations
like Special Forces bases or regular Army bases overseas probably will issue a
memorandum ("Be Vigilant!"), but I predict they won't stop using the devices.
State Department facilities are the only places that they try to hide from
others. Not that people and equipment are operating out of them (because
that's impossible), but that they are State Department facilities to begin
with.

------
jzzskijj
Strava has even a toggle "Include my anonymized public activity data in Strava
Metro and the Heatmaps" for controlling whether location data from sport
activities ends up in heatmaps or not.

Interesting, that in media this "news" has been mostly about Strava doing
something it openly says it does. There hasn't been much critique about
military not educating their personnel not to publish the exact locations of
military bases in Internet's sport services. If that is even a problem in
their perspective.

~~~
fapjacks
It is not seen as a problem by the regular military. Kinda hard to hide tanks
and artillery pieces and soldiers with iPads and C-130s flying into airfields
from locals in countries where having a car is a luxury. Locals can get better
information about the bases from people working on the bases, or from just
watching them. There is basically nothing you can get from this heatmap that
you couldn't get from really any local living near the place. It's the other
non-military facilities that would care about this.

~~~
jzzskijj
Yes, exactly. That's what I was referring to with "If that is even a problem
in their perspective."

------
ztjio
Strava has trivial to use controls to shut down this type of data gathering.
You simply define zones on the map as privacy zones and voila, any travel in
those areas will simply not appear publicly, and will not be part of public
heat maps or anything like that.

Of course, the original point of that is to avoid people knowing where you
live to come steal your expensive bike. But it's useful for other reasons too.

------
nradov
This is a total nothingburger. He hasn't found any security vulnerabilities;
Strava is working exactly as documented. And you could do the same thing in
Garmin Connect (probably other athletic social networks as well).

~~~
usrusr
And Garmin Connect still doesn't seem to offer anything like privacy zones,
it's all or nothing with them. If anything, Strava is the beacon of privacy
on the field of social fitness tracking. Garmin's only redeeming quality is
that their failure to get Connect to really get off the ground in terms of
social (segments and the like) that there is little incentive to ever set
anything public there.

In fact, I believe that their lack of gradual privacy controls was an
important factor in the failure of Garmin's attempt to gobble up Strava's
market (back when they introduced their own competitive segments with the Edge
1000, now they are happily cooperating).

~~~
nradov
Garmin Connect added privacy zones in April 2017. They work exactly the same
way as in Strava.

[https://connect.garmin.com/modern/settings/privacySettings](https://connect.garmin.com/modern/settings/privacySettings)

I don't think Garmin Connect was really ever intended as a true Strava
competitor. It's limited to just users of Garmin devices and intended to drive
hardware sales through offering additional planning and analytics features.

------
korethr
> "Give us a list of secret sites you don't want us to cover".

This seems like a non-starter to me. If the gov't hands out an accurate list,
they've given out the secret and it's no longer under their control, negating
the whole point of having secret sites. If they pollute the list with random,
bogus (but plausible) data to reduce its utility for discovering secret gov't
locations, it also reduces the utility for Strava as well, as now there's
random swaths of land where nothing is logged, despite there being nothing
there.

I have to say, part of this seems like an opsec failure on the part of the
various militaries and government agencies. I would hope that whoever is in
charge of security at a sensitive facility would recognize that modern phones
are general purpose computers that are, amongst other things, location aware.
If a facility's location or who works there is sensitive info, the security
officer should probably be forbidding phones from being operated while on
site, or even being brought to the site in the first place.

------
throwawaystrava
I think it's really a shame that Strava is taking so much heat. The heatmap
was a really cool visualization and also useful to find out where people are
running and biking, generally. And, it was created from tracks that people
willingly uploaded and made public, even if they didn't fully understand the
privacy implications.

But it's also frightening that this data, stored indefinitely, is effectively
a mass surveillance system. I was contacted by local law enforcement who had
gotten my email address from Strava via an "official legal process" because I
had ridden my bike in an area around the time a homicide occurred.

Chew on that. The police or the government have access to your whereabouts,
just because someone stored them.

~~~
dsfyu404ed
>I was contacted by local law enforcement who had gotten my email address from
Strava via an "official legal process" because I had ridden my bike in an area
around the time a homicide occurred.

If it makes you feel any better they probably filtered out all the "less
likely to murder people" demographics, went through everything they could dig
up on you and your friends/family looking for interesting things (e.g.
traumatic life events that could possibly give you a reason to murder someone)
before they bothered contacting you (and likely a handful other people). They
were only contacting you because you were one of their best leads based on
metadata and circumstantial evidence.

/s

~~~
contender_x
What's interesting is that they thought to look at Strava to see who had
ridden there during the time period of interest. You'd need to think "let's
see who cycled", and come up with a way of querying Strava, such as demanding
the list of people who cycled there. If Strava gets checked, then except for
the special case of a witness saying "I saw someone suspicious on a bike",
they'd have already checked Waze, Apple find friends, etc.

------
adventist
Google and Apple and other map providers scrub some of their data by request
of the government. Will the government do something similar here? Kudos to
whoever found out that they could identify military stuff through this.

------
nmeofthestate
I find it hilarious that this guy outlines his cloak-and-dagger tactics to
avoid people tracking down his bike via Strava, and then as an aside he
mentions the time his bike actually got nicked was when a drug addict accessed
it through an unlocked door. That never happened to Jason Bourne.

~~~
contender_x
I was pretty unhappy about it, I can tell you. And yes, I mentioned that fact to
make clear that physical security comes first, and because I cherish the irony
myself.

In Bristol, most mountain bikers do cross the Bristol Suspension bridge on
their way home, same for a lot of the roadies. There's been a fair few cases
of people being followed back by some teenagers and then having their bike
stolen that night, so rather than go straight home (main roads), I just hit
the back streets to see that it's clear. And now I make sure that we haven't
left a set of keys out in the garden, even when the door is locked. Which was
a fact on its own: it's an implicit metric of how often people try breaking in
to an urban house here.

~~~
nmeofthestate
OK. I take back my smirking.

------
oe
> Here are some things Strava may reveal ...

These are all things I want to share and use Strava to do that. (Well maybe
not "When you are away from your house" but you could not turn on the live
beacon if that's a concern.)

~~~
contender_x
> maybe not "When you are away from your house" but you could not turn on the
> live beacon if that's a concern

people have schedules, their commute timetables reveal them. If I start
appearing on the logs as riding in a different part of the world then I'm
away for longer. That info is visible to anyone you are in the same "club" as,
even if you have enhanced privacy enabled.

~~~
dracoXT
Don't join clubs with people you can't trust. Post your rides with a week's delay
or make them public when you are back home from your trip. It is called
"enhanced" privacy mode for a reason and combined with other privacy settings
it can give you very good results.

~~~
contender_x
I like your reasoning

------
aj7
Russians and Chinese especially interested in who will become field agents and
who will become analysts. Want to hazard a guess on which overlaps more with
Strava?

------
z3t4
> Then go to various governments and say "Give us a list of secret sites ...

Or better teach people to turn their devices off.

------
titzer
Interesting tips in this article for the paranoid. But it's way easier to do
it old school: don't use a service that gobbles your data up, no matter how
free it is.

It'd be great if there were better "really free" (noncentralized)
alternatives built on open source. Maybe there are.

~~~
contender_x
> don't use a service that gobbles your data up, no matter how free it is

we've conceded that option by living in a world where phones add GPS location
data to cameras, you use pay-by-phone over cash, oystercards for public
transport. I felt I was in control until I discovered a paragraph in the
manual of the used BMW we'd bought about how to turn flash off.

Think about that: we are building cars with flash embedded in a browser wired
up to a 3G+ modem and a car network bus whose vehicle motor data would be
sufficient to identify where you are driving round Bristol (speed, time
sitting at junctions, hill climbs inferred by RPM:speed), where you live,
which school you drive your children to...

------
MikeFro
I wonder what happened before the smart phone era. Didn't the armed personnel
phone back to their loved one to let them know they were ok? I am sure they
did it in a controlled environment. When you set up a base, should you not
take into account the parameters responsible for your safety? For example,
register all the smart phones and impose strict rules for sharing data.
Whoever gets anything out should get the shaft or get discharged from the
service. And finally why would anyone upload their personal details to an
unknown source? Are people so silly?

------
zython
On a related note: You don't need to anonymize yourself if you only ride on
zwift.

------
fapjacks
This technique has since been disabled by Strava.

------
cup-of-tea
You could also just run next to people and ask them what their name is.

~~~
macintux
Can you do that everywhere across the globe, simultaneously?

------
sitkack
At this point Strava should pull all of its public data. All of these location
based services are wide open to attack, correlating across pairs of them,
scary.

~~~
rplnt
At what point? There was no change in the last maybe 3~4 years. Heatmap wasn't
kept that up to date, but that's about it. There are privacy settings you can
set (and the app is nagging you to do so) to avoid these problems. If it is a
problem.

