
Addressing the recent attention focused on Strava and our global heatmap - avitzurel
https://blog.strava.com/press/a-letter-to-the-strava-community/
======
tjr225
Earlier this week when this broke I thought it was merely a curious funny
coincidence.

I was later walking the dogs with my wife when she told me her mother was
shocked that Strava was giving away the location of military bases. This was
when I first became aware of Strava as a controversy.

So crazy how uninformed a populace can be. How is it Stravas fault that people
use their software? If I logged onto Facebook and posted th location of a
secret military base would it be Facebooks fault that I posted it?

Anyway, I have been an almost daily user of Strava for years- it's the best at
what it does.

~~~
mattmanser
How are you so comfortable that the idea that information should just be
shared willy-nilly?

That no human has to step in and check and maybe sometimes go, hmm, that's
actually not a good idea to do that.

Computers are super-stupid, literal automatons being allowed to do whatever
because Silicon Valley makes more money if it doesn't have to curate anything.

Normal humans expect computers to be a bit like humans. Have some common
sense. Not have a god view. Forget stuff that happened 5 years ago, or at
least be pretty hazy about it. Definitely not remember stuff from 20 years
ago. Not, and this is totally crazy I know, record every voice search you've
ever done in some creepy vault somewhere where it's used to sell you shit. Not
be able to track you every movement from the time you leave your work, to when
you go sleep with your bit-on-the-side, to where you go buy your drugs, to
when you go back to your boyfriend.

We know they're not. Normal people don't, or at least haven't really thought
the consequences through.

I find your view more disturbing and odd than your in-law's.

~~~
jlg23
> How are you so comfortable that the idea that information should just be
> shared willy-nilly?

It actually is a _feature_. The problem is that not every feature is for
everyone. When you are working in a security sensitive environment (or just
like to have your privacy), you should be aware of risks and act accordingly.

> Normal humans expect computers to be a bit like humans.

This is about product design, not computer or software architecture.

The one lesson "normal humans" (whatever that means to you) should learn is
that every bit of data can help to identify them.

~~~
killjoywashere
> When you are working in a security sensitive environment

Transferring this burden to the individual could very well lead, quickly, to
no one wanting to take sensitive positions. Which would be a societal
catastrophe of epic proportions.

~~~
jlg23
I'll agree the moment we don't let the same people walk around with loaded
guns.

~~~
killjoywashere
People like doctors, lawyers, engineers, and priests?

------
nocoder
Blaming strava is absurd. I am a strava user and privacy setting on all my
runs by default is that routes are hidden. I have to manually go and edit the
run to make it visible to public. As long as strava used the data available
publicly I don't see as their fault. It is ridiculous to blame them. I find
the privacy setting on strava clearer than any other social network but if
military personnel for the sake of vanity end up posting their run publicly
then there is anything strava can do. Even without the routes data released by
strava, I can simply hover over iraq or Syria and see the running or cycling
routes. This feature actually has been of great use to me while traveling.

~~~
mns
As a Strava user, I have to agree with you here and just say that a lot of the
outrage seems to come from people that never used the service. I’ve been using
Strava for a couple of years already, and I must say that they are one of the
most privacy concerned services out there. At one point I was getting annoyed
already at them constantly publishing tips on how to change your privacy
settings to stay secure and to make sure that others can’t find out your
location and that you know the implications of all the new features that they
pushed forward (like flybys, home/starting point and others).

What I find absurd here is the fact that people working in the military or
other privacy sensitive fields would actually use a public social network to
constantly publish updates on your activities and your precise location. I’m
just a random guy that runs and bikes and still don’t let my activities public
or only share some with friends. I still find it weird to blame Strava here
for something that is so obvious. No matter what platform you use, be it you
personal site, Facebook or others, you just don’t share certain things when
you know you work in a certain environment.

------
jupiter90000
Smartphone user: "All my apps can collect all my data, I have nothing to hide,
my life is an open book"

* sees collected data *

Smartphone user: "How did they do this to me"

------
StringyBob
Well I think the heatmap is the best thing from strava. I wish it was
embedded/viewable in the strava ios app to to browse running routes -
particularly when I'm in a new place. I've also discovered a load of footpaths
near me just by browsing it on the website.

------
drharby
Vet here

We get OpSec briefing shoved down our throats down so much that im putting
this one on the DoD and the base's risk management policy.

Guys srsly wth

------
semi-extrinsic
What I've yet to see is anyone commenting on how secret these "secret"
military bases really are. I have a feeling, based on the amount of attention
this is getting in mainstream media, that the militaries involved aren't too
concerned. Also, any nation state with access to satellite intel presumably
already knows about all of these.

So if "secret" means "not listed on Wikipedia", I'm afraid only more arguments
in favor of surveillance will come of this.

~~~
bpchaps
The problem doesn't begin, nor end at identifying military bases. There's a
much a larger problem going on here where individuals' privacy is being waved
around for what amounts to PR.

~~~
TallGuyShort
By PR, are you referring to the media publicizing this for dramatic effect, or
Strava implementing social features? There are lots of shady ways companies
try to go viral, but given how much individuals clearly want to share this
data, I'm not sure blaming Strava for facilitating that sharing is very fair
or accurate.

~~~
bpchaps
I don't think they're publicizing this for dramatic effect - just that they
are painfully careless with the data that they keep. Whether the tools are
useful and whether people want to use them carelessly isn't the point. A bit
(a lot) more discretion would be appreciated from Strava.

As far as I'm concerned, this is an industry norm, so my problem isn't so much
with Strava, but the dangerous cultures that surround massive data collection
operations.

Disclaimer: I work in adtech. Opinions are my own.

------
snowwolf
I find it interesting that a lot of people seem to feel that this isn't
Strava's fault, but the fault of the users who didn't manage their privacy
settings correctly. Having done a lot recently related to GDPR in the EU I've
been coming around to the way of thinking that has influenced this law.

We as technologists need to start taking some responsibility for our users
privacy. Firstly, just because you can collect the data doesn't mean you
should. There is this general idea that we should collect and store as much
data as we can, just in case we can find a use for it. The problem is that
firstly even if we claim to be only using/exposing 'anonymised' data, as this
Strava situation shows, it is very hard to truly anonymise data. Secondly, the
raw data is still stored somewhere and in the event of a data breach it
doesn't matter what a users privacy setting was if you were still collecting
and storing the data.

~~~
d1zzy
So if you want to start a new social network site to allow people to publicly
share fitness information and routes used by runners, swimmers and cyclists,
how would you go about it that would be different from what Strava already
does?

Strava doesn't collect the data because it can, it's doing so because that's
the service it provides. This isn't a case of installing some generic
Messenger app and discovering that it also collects and sends to their servers
the list of local wifi networks (for which there may be a valid technical
reason but it would otherwise be surprising as it's removed from the main
objective which is to send messages), it's more like installing a forum app
and discovering that your post on the forums can be read by anyone else that
accesses the same forum... I get that not all people have the same
understanding of how an Internet forum works but that doesn't mean that it's
always the website's fault here.

------
ipunchghosts
I love using the heatmap tool especially the one that shows the differences
from 1 year to the next. As a MTB'er, I see the routes that people stop using
because of downed trees and other obstacles. Helps prioritize where trail
cleaning must be done.

------
bpchaps
If anyone from Strava is watching this thread - is there any way to delete a
user's information from these heat maps? I ask, because I'm not seeing
anything in any of the suggested links. If so, how can I request my own
records be completely deleted?

~~~
jcdavis
Not a strava employee, but under
[https://www.strava.com/settings/privacy](https://www.strava.com/settings/privacy)
There is a setting to disable your activity data from being incorporated into
the heatmaps, which I would assume (hopefully) is retroactive at some point -
not sure how frequently those maps are regenerated

~~~
bpchaps
Heh. You know what they say about assumptions.. :\

------
mastax
I wasn't aware that people were blaming Strava for this. I think it's pretty
clear that the purpose of strava as a social network for runners is to share
your run data with others, or at least to benefit from others data. I'd need
these answers before I could judge how culpable they are:

1) Does Strava present the user with privacy settings and properly explain
what they do? (i.e. they don't have to dig in settings to even know that they
exist)

2) Is data set to 'private' omitted from anonymized aggregate statistics like
the heatmap?

If the answer to both is 'yes', then I don't understand what the fuss is
about.

------
abalone
I’m on team Blame Strava. When you have an obvious comprehension failure by
large numbers of users, it’s a UX design bug. Don’t blame the users.

It’s pretty clear why in this case. The privacy settings are overcomplicated
and misleading. It’s not intuitive at all that turning on “enhanced privacy”
still includes you in route leaderboards and the heatmap, which you might not
even know is a thing. This was bad design.

~~~
flukus
I don't blame strava for this incident because it's obvious that your
information is being sent to them and there must be some onus on users, maybe
there should even be some pain until the message sinks in.

What isn't obvious is if they are retaining the information or who they are
sharing it with, etc. For my non-social uses there is no reason that the data
really needs to leave my phone but it does anyway. We need much better
consumer laws here and these things need to be made obvious and with explicit
permission given by the user for each step.

In any case, I've found tech like this is more of a distraction and offers no
real value. I'm a lot happier now that I've deleted strava, stopped using
fitbit, removed my bike computer and gone back to basics. It feels like I can
just go for a bike ride again without having to start recording and analyze
all the feedback. It's like that feeling when you throw out all those kitchen
gadgets you never used.

------
sulam
I don't use Strava, so pardon the ignorant question -- is the default for your
data to be public?

If so, then I completely blame them for this. If not, then this is clearly a
user error.

~~~
rypskar
The main selling point for Strava when it was introduced was to share the
information to compete with any other person also using Strava. When first
setting it up, at least when I did it years ago, is to set a privacy sector
for which areas to not upload detailed route for. So in this case I would say
it is the users fault to not understand that areas not set to private will be
public available when you select to share your workout. The public available
data to compete with others and the large userbase is the one reason to use
Strava instead of any other fitness tracker

------
NickBusey
This is one of those 'good problems to have'.

"Sorry we have SO MANY users that it shows the location of, well, everything."

~~~
avitzurel
I don't see why this is Strava's problem, to be honest.

The military, CIA should have a clear policy to disable all location services,
on all devices at all times.

If you're not supposed to be somewhere and you go for a run on Strava, it's
pretty much your fault.

~~~
dawhizkid
I am not an active Strava user but from what I've read the company engaged in
some dark UX patterns that made it really confusing (unclear if purposefully
confusing) to understand what you were sharing. The most egregious sound like
the privacy setting on native mobile are more limited than on web , which is a
problem considering how many users probably ever only use the app on mobile.

~~~
anfedorov
I'm a quasi-active user and never realized my updates were public beyond the
people who followed me. It has absolutely no UI indicating it the way, e.g.
Facebook does, and does not show me any activity of people whom I do not
follow.

Doesn't look like they're actually public, though?
[https://www.strava.com/athletes/22230419](https://www.strava.com/athletes/22230419)

~~~
TallGuyShort
Updates are _effectively_ public because once they're collected by a third-
party and / or shared with anyone, it's now out of your control. But my
understanding (in which I'm not certain) is that the controversy is the
heatmap feature, and that your name wouldn't show up in this proof-of-concept
attack unless you had opted into that specific feature.

~~~
anfedorov
I get what the controversy is about, but I don't get how this is OK from
Strava's PoV — none of my runs are "public" in the sense that I think of it —
they're not on the website that's my "profile" and they're not visible to
people who are not following me in the app...

------
isubkhankulov
this whole thing must be great PR for Strava. they've basically become a
household name overnight.

------
mcguire
Out of curiosity, for those who feel Strava is blameless, how would feel if
the US government were collecting this information?

~~~
rypskar
Stravas main objective is to share information about workouts by tracking
where you have been between you start and stop the workout, how could they do
that without collecting the route for the workout? The users select when to
start and stop the tracking.

I like privacy and think GDPR could clean up some of the mess online, but I
don't even see that this tracking done by Strava is in any conflict with the
law

------
shkkmo
I see a lot of people talking about how it is unfair to blame Strava for this.

That is BS. When you make anonymized data available publicly, you ABSOLUTELY
bear a responsibility to making sure that your anonymized data is actually
anonymous.

> However, we learned over the weekend that Strava members in the military,
> humanitarian workers and others living abroad may have shared their location
> in areas without other activity density and, in doing so, inadvertently
> increased awareness of sensitive locations.

Strava absolutely needs to be held to account for not filtering out anonymous
data from regions that don't have other activity density. This should be a
legal responsibility .(Currently I think the FTC can bring legal action for
violating a privacy policy, but this is the only legal enforcement route?)

Strava also has a ethical responsibility to block data from sensitive area
(such as military bases).

~~~
UncleEntity
> Strava also has a ethical responsibility to block data from sensitive area
> (such as military bases).

How are they supposed to know if they're displaying data for a secret base if
the information to determine it actually is secret is, umm...secret?

I blame the joes -- they should know better than to share their location data
because it's not a good idea for countless reasons. Back when I was deployed
with the 82nd Airborne such a thing would be inconceivable.

~~~
shkkmo
> How are they supposed to know if they're displaying data for a secret base
> if the information to determine it actually is secret is, umm...secret?

This isn't about hiding secret bases, censoring a region from the data they
release will obviously leave a blind spot. This is about not exposing the
activity data of sensitive regions.

