They basically pluck an interesting route from the heatmap (as per other people's recent discovery), pretend that they have also run/biked this route and Strava will show them names of others who run/biked the same way. That's clever, but that's not "advanced" by any means.
It's also not a deanonymization as there's really no option in Strava for public _anonymous_ sharing to begin with.
You could potentially use the hack the author explained with one of those possible black-sites in Africa to see who's deployed there. A little more research and you can find their home address in the states. Now, tell me an enterprising counter-intel or terrorist organization wouldn't want that info.
Op sec is the military's problem.
This op-ed makes the argument that it is difficult for users and even the companies offering services to fully understand the impact of their privacy choices:
A sort of concrete scenario here would be the app asking the user before uploading an activity and whether the user wants the activity and segments to be visible on the public parts of the service. Strava probably doesn't want to introduce that friction into their product, but maybe that is a better balance than having a setting allowing users to opt out.
People make mistakes, do things by accident. If the consequences are this bad, we should question the standards which led us to them.
And as he admits, you're far more likely to lose your bike to a combination of a moment of carelessness and an opportunistic thief than someone that's surveilling you through your social network activity.
It's a little ironic too that he's writing about the dangers of deanonymization while providing enough information in his post to figure out his Strava username and approximate location.
I have friends on there, and have added people I’ve seen on workouts. The latter is especially common with group bike rides. You get to know each other and people comment on each other’s workouts. If you have a bad workout, people will chime in and give support, same for a particularly good workout. Also neat to see where friends are running or new routes they’ve done lately. It’s also fun to try to get new course records, or KOMs if cycling (the running equivalent of a running course record). Strava has been in the news a lot in the years since I’ve been using it on fitness (running, cycling, triathlon) forums because occasionally someone will do something dangerous in an attempt to get a course record, like running red lights through a busy intersection, and blame strava. There has also been once or twice I did see theft of very expensive bikes in the news from strava data.
It isn’t what keeps me running, or cycling, but it’s a definite motivator. I’m happy to be a part of the community and happy to pay for premium, though I don’t use that many premium features. I do love the personal heat map premium feature though, it’s basically what this news article is about, but just your workouts. It makes me actively try to fill out more of the city on my heatmap.
Can you give more details on this? I can't find much in the app.
It seems like the various militaries need to do a better job of informing and enforcing social media policy, including auditing websites like Strava. You could also argue that Strava should be private by default, but I don't think you'd have much success persuading them of that.
Strava is the least of their problems. Despite all news articles in the last day I didn't come across a single previously unknown site mentioned in any of the stories. All those "experts" did was show known locations with a novelty overlay.
The heatmap is the graphic and interactive part that makes the story digestible, but there is no actual hard news in there. The story usually then shifts to being able to track users across bases, which is nothing exclusive to Strava and mostly speculative when it comes to discovering actually secret deployments.
In the case of HMNB Clyde, that place also exists on Instagram, which I find way more discerning, since by default geo-located pictures are even less obvious than a share my GPS-Track of my sports activities as default setting.
To reiterate: Strava isn't always on. These are activities people have actively chosen to log. The chance of it being someone out on patrol is... not high.
However, GPS is primarily a very high precision time signal, from which the current location is reconstructed. Basically, a properly designed software would do the proper time zone adjustment based on that, so the data should ideally be in local time everywhere without exception. Everything else would be a bug in my book.
Source: I've used lots of them and it's a real pain in the ass.
Interesting, that in media this "news" has been mostly about Strava doing something it openly says it does. There hasn't been much critique about military not educating their personnel not to publish the exact locations of military bases in Internet's sport services. If that is even a problem in their perspective.
Of course, the original point of that is to avoid people knowing where you live to come steal your expensive bike. But it's useful for other reasons too.
In fact, I believe that their lack of gradual privacy controls was an important factor in the failure of Garmin's attempt to gobble up Strava's market (back when they introduced their own competitive segments with the Edge 1000, now they are happily cooperating).
I don't think Garmin Connect was really ever intended as a true Strava competitor. It's limited to just users of Garmin devices and intended to drive hardware sales through offering additional planning and analytics features.
This seems like a non-starter to me. If the gov't hands out an accurate list, they've given out the secret and it's no longer under their control, negating the whole point of having secret sites. If they pollute the list with random, bogus (but plausible) data to reduce its utility for discovering secret gov't locations, it also reduces the utility for Strava as well, as now there's random swaths of land where nothing is logged, despite there being nothing there.
I have to say, part of this seems like an opsec failure on the part of the various militaries and government agencies. I would hope that whoever is in charge of security at a sensitive facility would recognize that modern phones are general purpose computers that are, amongst other things, location aware. If a facility's location or who works there is sensitive info, the security officer should probably be forbidding phones from being operated while on site, or even being brought to the site in the first place.
But it's also frightening that this data, stored indefinitely, is effectively a mass surveillance system. I was contacted by local law enforcement who had gotten my email address from Strava via an "official legal process" because I had ridden my bike in an area around the time a homicide occurred.
Chew on that. The police or the government have access to your whereabouts, just because someone stored them.
If it makes you feel any better they probably filtered out all the "less likely to murder people" demographics, went through everything they could dig up on you and your friends/family looking for interesting things (e.g. traumatic life events that could possibly give you a reason to murder someone) before they bothered contacting you (and likely a handful other people). They were only contacting you because you were one of their best leads based on metadata and circumstantial evidence.
In Bristol, most mountain bikers do cross the Bristol Suspension bridge on their way home, same for a lot of the roadies. There's been a fair few cases of people being followed back by some teenagers and then having their bike stolen that night, so rather than go straight home (main roads), I just hit the back streets to see that it's clear. And now I make sure that we haven't left a set of keys out in the garden, even when the door is locked. Which was a fact on its own: it's an implicit metric of how often people try breaking in to an urban house here.
These are all things I want to share and use Strava to do that. (Well maybe not "When you are away from your house" but you could not turn on the live beacon if that's a concern.)
People have schedules, their commute timetables reveal them. If I start appearing on the logs as riding in a different part of the world then I'm away for longer. That info is visible to anyone you are in the same "club" as, even if you have enhanced privacy enabled.
Or better teach people to turn their devices off.
It'd be great if there were better "really free"--noncentralized--alternatives built on open source. Maybe there are.
We've conceded that option by living in a world where phones add GPS location data to cameras, you use pay-by-phone over cash, Oyster cards for public transport. I felt I was in control until I discovered a paragraph in the manual of the used BMW we'd bought about how to turn flash off.
Think about that: we are building cars with flash embedded in a browser wired up to a 3G+ modem and a car network bus whose vehicle motor data would be sufficient to identify where you are driving round Bristol (speed, time sitting at junctions, hill climbs inferred by RPM:speed), where you live, which school you drive your children to...