Advanced Denanonymization through Strava (steveloughran.blogspot.com)
141 points by dsr12 on Jan 30, 2018 | 75 comments

This is neither advanced nor denanonymization (sic).

They basically pluck an interesting route from the heatmap (as per other people's recent discovery), pretend that they have also run/biked this route and Strava will show them names of others who run/biked the same way. That's clever, but that's not "advanced" by any means.

It's also not a deanonymization as there's really no option in Strava for public _anonymous_ sharing to begin with.

The best hacks always appear overly simple, or even slightly benign, once explained.

You could potentially use the hack the author explained with one of those possible black-sites in Africa to see who's deployed there. A little more research and you can find their home address in the states. Now, tell me an enterprising counter-intel or terrorist organization wouldn't want that info.

Unlike Facebook, Strava has no "real name" policy so you can be as anonymous as you want.

This doesn't really seem to be enough. The combination of home / work location and friends is likely enough to allow for the determination of identity, even if you use a fake name on the site.

It's easy to set privacy zones around home, work, or any other location. And you're not required to have any friends (followers). Activities can also be hidden from the public and made visible only to followers.

The author covered privacy zones and hidden activities. Neither are as secure as one would hope: privacy zones can be reverse-engineered fairly easily, and private activities can still be leaked.

Activities marked as "Private" don't leak. But in "enhanced privacy" mode your activities can be seen via the segment leaderboards. In any declared privacy zone, you stay off those boards, irrespective of options, and (allegedly) heatmaps. So really, it's "slightly more advanced privacy".

You can also opt-out of segment leaderboards. With some work you can lock out your account so only your friends can see your routes, photos and stuff. Everything is well explained on Strava support webpage in section called "Privacy Settings".

Ya, I've always been wary of privacy zones' effectiveness, to the extent that I simply just keep the feature off.

This is a good example to bring up when people talk about a digital bill of rights. It fundamentally shouldn't be so easy to undermine individual privacy and military op sec, but when you allow private data to be shared recklessly, you get that.

Individual privacy is the issue.

Op sec is the military's problem.

I agree, but what I'm saying is that it's not at all "advanced deanonymization" skills that's a problem. It's the default standard way we share data, capable of undermining privacy, and even military op sec, quite easily, that needs to be changed.

Strava is opt-in, so I don't know what default standards you mean. You can track activities on other platforms that aren't designed to be social networks.

I think I haven't come to a conclusion about it, but I think it is more complicated than Strava just being opt-in.

This op-ed makes the argument that it is difficult for users and even the companies offering services to fully understand the impact of their privacy choices:


A sort of concrete scenario here would be the app asking the user before uploading an activity and whether the user wants the activity and segments to be visible on the public parts of the service. Strava probably doesn't want to introduce that friction into their product, but maybe that is a better balance than having a setting allowing users to opt out.

There is a pretty accessible and obvious checkbox on every activity to make it private if you wish.

Imagine every car accident was treated with the same attitude: "the car has brakes and a steering wheel so I don't know what your problem is."

People make mistakes, do things by accident. If the consequences are this bad, we should question the standards which led us to them.

It's too complex, and to keep a govt/ site secure, you'd need every person who runs round it to keep their info locked down. I think Strava will end up having specific "national-state privacy zones" where no runs ever appear in heatmaps and segments cannot be created

I wonder why Uber/Lyft/Waze don't have a feature like this for ridesharing. Seems like it would be useful to find commuters going on the same commute each day.

Announced just the other week: https://www.waze.com/carpool/

I think this is just a rebranding. Waze Rider (which is the same thing?) has been around for a good year now.

I'd say it's advanced in terms of "escalating heatmap information into identifying people running round a submarine base". Yes, you can (should!) use aliases there, at which point the people stay anonymous. Except: in the screenshot I have of that segment before I deleted it, only 2 of the 16 people don't use full names.

Strava is the first social network I want to be a part of. It promises to help me find activity partners that can help keep me motivated on the days where I'm finding it more difficult than usual to get on the pedals or put on the running shoes. Unlike most others, it might help me feel happier and healthier. I have to accept some loss of privacy for the sake of crawling out of a hole and having an automated system help me meet other folks.

And as he admits, you're far more likely to lose your bike to a combination of a moment of carelessness and an opportunistic thief than someone that's surveilling you through your social network activity.

It's a little ironic too that he's writing about the dangers of deanonymization while providing enough information in his post to figure out his Strava username and approximate location.

Same here, I’ve been a premium member for many years, and a user for about five years. It’s one of the few services I happily pay for, along with Spotify and Netflix.

I have friends on there, and have added people I’ve seen on workouts. The latter is especially common with group bike rides. You get to know each other and people comment on each other’s workouts. If you have a bad workout, people will chime in and give support, same for a particularly good workout. Also neat to see where friends are running or new routes they’ve done lately. It’s also fun to try to get new course records, or KOMs if cycling (the running equivalent of a running course record). Strava has been in the news a lot in the years since I’ve been using it on fitness (running, cycling, triathlon) forums because occasionally someone will do something dangerous in an attempt to get a course record, like running red lights through a busy intersection, and blame strava. There has also been once or twice I did see theft of very expensive bikes in the news from strava data.

It isn’t what keeps me running, or cycling, but it’s a definite motivator. I’m happy to be a part of the community and happy to pay for premium, though I don’t use that many premium features. I do love the personal heat map premium feature though, it’s basically what this news article is about, but just your workouts. It makes me actively try to fill out more of the city on my heatmap.

I use Strava but I had no idea it's intended for meeting others.

Can you give more details on this? I can't find much in the app.

find and join a running/cycling club in your area

This isn't even "deanonymization" in the sense of "performing statistical inference to re-associate different pieces of data." It's "you ask the company to give you personally identifiable data, and it does so."

Strava is a public-by-default social networking website that happens to focus on athletics. Given that, it's no surprise some users happen to work in the military (they're also on Facebook).

It seems like the various militaries need to do a better job of informing and enforcing social media policy, including auditing websites like Strava. You could also argue that Strava should be private by default, but I don't think you'd have much success persuading them of that.

The US did audits and actually issued 20000 + 2000 Fitbits at minimum in trial programs.

Strava is the least of their problems. Despite all news articles in the last day I didn't come across a single previously unknown site mentioned in any of the stories. All those "experts" did was show known locations with a novelty overlay.

The heatmap is the graphic and interactive part that makes the story digestible, but there is no actual hard news in there. The story usually then shifts to being able to track users across bases, which is nothing exclusive to strava and mostly speculative when it comes to discovering actually secret deployments.

In the case of HMNB Clyde, that place also exists on instagram, which I find way more discerning, since by default geo-located pictures are even less obvious than a share my GPS-Track of my sports activities as default setting.


Even the knowledge of exact guard patrol routes and possibly even timings inside a known military base can be extremely helpful information for someone planning an attack. Best part: you don't even have to place a scout in physical proximity as preparation and risk discovery. So this is less than ideal for military organizations.

You're totally right of course and I think it's pretty shocking that military personnel aren't aware they are broadcasting their location out to the web. Complete opsec failure.

They are, they just don't care. The State Dept will likely issue a ban on their facilities which personnel will adhere to. Other military installations like Special Forces bases or regular Army bases overseas probably will issue a memorandum ("Be Vigilant!"), but I predict they won't stop using the devices. State Department facilities are the only places that they try to hide from others. Not that people and equipment are operating out of them (because that's impossible), but that they are State Department facilities to begin with.

These are most certainly not patrol routes, but routes taken by people in their off duty time or in mandatory fitness time.

Well, a route taken regularly at 3 am is almost certainly not someone taking an off duty stroll. I do not know if you can readily figure that out from the data available through Strava. But if you can, this is bad.

How can you be so sure? Patrol shifts are normally rotated to prevent exactly that among other reasons, while someone having a regular non-patrol late shift (or early) and doing his exercise regularly at 3 am is also not unheard of.

I did do some guard duty. The bases I was at were dead silent in the middle of the night.

You might be able to, but even then it is more likely to be a person doing exercise on a device with the wrong time zone than it is to be someone on patrol.

To reiterate: Strava isn't always on. These are activities people have actively chosen to log. The chance of it being someone out on patrol is... not high.

Having to actively log the data is interesting. I agree with your conclusion there.

However, GPS is primarily a very high precision time signal, from which the current location is reconstructed. Basically, a properly designed software would do the proper time zone adjustment based on that, so the data should ideally be in local time everywhere without exception. Everything else would be a bug in my book.

OK, but that isn't how these devices work.

Source: I've used lots of them and it's a real pain in the ass.

Users can configure Strava so that activities are private by default.

I couldn't think of any other good title. It's going from a heatmap to identifying individuals, who, if they didn't use an alias, are now identified. And of the 16 people faster than me on that circuit, 14 used full names.

They posted their data as public so they could be found and identified anyway. Heatmap just speeds up the process by letting us know where to search.

Gave the map of the route to fake. Without that you'd need time to trace round buildings and training areas you see in satellite pics. Which is the kind of thing governments have the time to do (imagine mapmyride seeing an uptake in users in N Korea); I didn't.

Strava even has a toggle "Include my anonymized public activity data in Strava Metro and the Heatmaps" for controlling whether location data from sport activities ends up in heatmaps or not.

Interesting, that in media this "news" has been mostly about Strava doing something it openly says it does. There hasn't been much critique about military not educating their personnel not to publish the exact locations of military bases in Internet's sport services. If that is even a problem in their perspective.

It is not seen as a problem by the regular military. Kinda hard to hide tanks and artillery pieces and soldiers with iPads and C-130s flying into airfields from locals in countries where having a car is a luxury. Locals can get better information about the bases from people working on the bases, or from just watching them. There is basically nothing you can get from this heatmap that you couldn't get from really any local living near the place. It's the other non-military facilities that would care about this.

Yes, exactly. That's what I was referring to with "If that is even a problem in their perspective."

You're way off. The reason this "news" is news is not because Strava has done anything naughty, it's because people that are tasked with the national security (and often some secrets) of their respective nations have committed such an easily avoidable op-sec failure.

So you didn't read the last two sentences of what I wrote :)

That was mostly what I was replying to, but yes I didn't really read it. I originally read the paragraph as meaning some of the media coverage you had seen/read tried to somehow find fault with Strava. I re-read it, and I see what you meant now. I read a bit too much into the quotes.

Strava has trivial to use controls to shut down this type of data gathering. You simply define zones on the map as privacy zones and voila, any travel in those areas will simply not appear publicly, and will not be part of public heat maps or anything like that.

Of course, the original point of that is to avoid people knowing where you live to come steal your expensive bike. But it's useful for other reasons too.

This is a total nothingburger. He hasn't found any security vulnerabilities; Strava is working exactly as documented. And you could do the same thing in Garmin Connect (probably other athletic social networks as well).

And Garmin Connect still doesn't seem to offer anything like privacy zones, it's all or nothing with them. If anything, Strava is the beacon of privacy on the field of social fitness tracking. Garmin's only redeeming quality is that their failure to get Connect to really get off the ground in terms of social (segments and the like) that there is little incentive to ever set anything public there.

In fact, I believe that their lack of gradual privacy controls was an important factor in the failure of Garmin's attempt to gobble up Strava's market (back when they introduced their own competitive segments with the Edge 1000, now they are happily cooperating).

Garmin Connect added privacy zones in April 2017. They work exactly the same way as in Strava.


I don't think Garmin Connect was really ever intended as a true Strava competitor. It's limited to just users of Garmin devices and intended to drive hardware sales through offering additional planning and analytics features.

> "Give us a list of secret sites you don't want us to cover".

This seems like a non-starter to me. If the gov't hands out an accurate list, they've given out the secret and it's no longer under their control, negating the whole point of having secret sites. If they pollute the list with random, bogus (but plausible) data to reduce its utility for discovering secret gov't locations, it also reduces the utility for Strava as well, as now there's random swaths of land where nothing is logged, despite there being nothing there.

I have to say, part of this seems like an opsec failure on the part of the various militaries and government agencies. I would hope that whoever is in charge of security at a sensitive facility would recognize that modern phones are general purpose computers that are, amongst other things, location aware. If a facility's location or who works there is sensitive info, the security officer should probably be forbidding phones from being operated while on site, or even being brought to the site in the first place.

I think it's really a shame that Strava is taking so much heat. The heatmap was a really cool visualization and also useful to find out where people are running and biking, generally. And, it was created from tracks that people willingly uploaded and made public, even if they didn't fully understand the privacy implications.

But it's also frightening that this data, stored indefinitely, is effectively a mass surveillance system. I was contacted by local law enforcement who had gotten my email address from Strava via an "official legal process" because I had ridden my bike in an area around the time a homicide occurred.

Chew on that. The police or the government have access to your whereabouts, just because someone stored them.

>I was contacted by local law enforcement who had gotten my email address from Strava via an "official legal process" because I had ridden my bike in an area around the time a homicide occurred.

If it makes you feel any better they probably filtered out all the "less likely to murder people" demographics, went through everything they could dig up on you and your friends/family looking for interesting things (e.g. traumatic life events that could possibly give you a reason to murder someone) before they bothered contacting you (and likely a handful other people). They were only contacting you because you were one of their best leads based on metadata and circumstantial evidence.


What's interesting is that they thought to look at Strava to see who had ridden there during the time period of interest. You'd need to think "let's see who cycled", and come up with a way of querying strava, such as demanding the list of people who cycled there. If Strava gets checked, then except for the special case of a witness saying "I saw someone suspicious on a bike", they'd have already checked Waze, apple find friends, etc

Google and Apple and other map providers scrub some of their data by request of the government. Will the government do something similar here? Kudos to whoever found out that they could identify military stuff through this.

I find it hilarious that this guy outlines his cloak-and-dagger tactics to avoid people tracking down his bike via Strava, and then as an aside he mentions the time his bike actually got nicked was when a drug addict accessed it through an unlocked door. That never happened to Jason Bourne.

I was pretty unhappy about it, I can tell you. And yes, I mentioned that fact to make clear that physical security comes first, and because I cherish the irony myself.

In Bristol, most mountain bikers do cross the Bristol Suspension bridge on their way home, same for a lot of the roadies. There's been a fair few cases of people being followed back by some teenagers and then having their bike stolen that night, so rather than go straight home (main roads), I just hit the back streets to see that it's clear. And now I make sure that we haven't left a set of keys out in the garden, even when the door is locked. Which was a fact on its own: it's an implicit metric of how often people try breaking in to an urban house here.

OK. I take back my smirking.

> Here are some things Strava may reveal ...

These are all things I want to share and use Strava to do that. (Well maybe not "When you are away from your house" but you could not turn on the live beacon if that's a concern.)

> maybe not "When you are away from your house" but you could not turn on the live beacon if that's a concern

People have schedules, their commute timetables reveal them. If I start appearing on the logs as riding in a different part of the world then I'm away for longer. That info is visible to anyone you are in the same "club" as, even if you have enhanced privacy enabled.

Don't join clubs with people you can't trust. Post your rides with a week's delay or make them public when you are back home from your trip. It is called "enhanced" privacy mode for a reason and combined with other privacy settings it can give you very good results.

I like your reasoning

Russians and Chinese especially interested in who will become field agents and who will become analysts. Want to hazard a guess on which overlaps more with Strava?

> Then go to various governments and say "Give us a list of secret sites ...

Or better teach people to turn their devices off.

Interesting tips in this article for the paranoid. But it's way easier to do it old school: don't use a service that gobbles your data up, no matter how free it is.

It'd be great if there were better "really free"--noncentralized--alternatives built on open source. Maybe there are.

> don't use a service that gobbles your data up, no matter how free it is

We've conceded that option by living in a world where phones add GPS location data to cameras, you use pay-by-phone over cash, oystercards for public transport. I felt I was in control until I discovered a paragraph in the manual of the used BMW we'd bought about how to turn flash off.

Think about that: we are building cars with flash embedded in a browser wired up to a 3G+ modem and a car network bus whose vehicle motor data would be sufficient to identify where you are driving round Bristol (speed, time sitting at junctions, hill climbs inferred by RPM:speed), where you live, which school you drive your children to...

I wonder what happened before the smart phone era. Didn't the armed personnel phone back to their loved one to let them know they were ok? I am sure they did it in a controlled environment. When you set up a base, should you not take into account the parameters responsible for your safety? For example, register all the smart phones and impose strict rules for sharing data. Whoever gets anything out should get the shaft or get discharged from the service. And finally why would anyone upload their personal details to an unknown source? Are people so silly?

On a related note: You don't need to anonymize yourself if you only ride on zwift.

This technique has since been disabled by Strava.

You could also just run next to people and ask them what their name is.

Can you do that everywhere across the globe, simultaneously?

At this point Strava should pull all of its public data. All of these location based services are wide open to attack, correlating across pairs of them, scary.

At what point? There was no change in the last maybe 3~4 years. Heatmap wasn't kept that up to date, but that's about it. There are privacy settings you can set (and the app is nagging you to do so) to avoid these problems. If it is a problem.
