Internet of Things Privacy Fallout, Now in Heat Map Form
App and website developer Strava, which bills itself as “the social network for athletes,” has landed in hot water after publishing a global heat map that shows where and how often users travel on specific routes while recording their workouts via the company’s app, which runs on smartphones and wearables.
Strava’s heat map, titled “where we play,” highlights routes for those ranging from hikers on the Camino de Santiago pilgrimage trail in Spain to kiteboarders in Mexico.
But many active U.S. and NATO military personnel – often necessarily obsessive about their fitness – are avid users too, especially when they’re stationed overseas. And the “big data” amassed and published by the San Francisco firm appears to have revealed the existence – and layouts – of a secret CIA annex at the airport in Mogadishu, Somalia, as well as a cycling route around the highly classified U.S. Air Force facility known as Area 51, among other locations.
Clearly, Strava’s privacy settings are not meeting the needs of some of its millions of users, or organizations for which they might work.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps says in a statement.
Strava has responded to ongoing criticism of its heat map by saying it’s only an aggregate view. “Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform,” Strava says in a statement. “It excludes activities that have been marked as private and user-defined privacy zones.”
The company has also promised to help users better restrict private information by showing them how to use specific privacy settings. “We are committed to helping people better understand our settings to give them control over what they share,” Strava says in a statement. It has also pointed to a 2017 blog post that describes seven privacy steps users can take. Of course, settings that provide maximum privacy levels are not active by default.
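To make the three rules in Strava’s statement concrete, here is an added illustration (not Strava’s code; the cell size, the privacy-zone radius and the sample tracks are constructed assumptions) that applies them to a handful of anonymised runs around one loop. Every activity is anonymous and every start and finish is hidden, yet the loop itself survives in the aggregate counts:

```python
from collections import defaultdict
from math import hypot

CELL = 100  # heat-map cell edge in metres (assumed; the real resolution is not on the page)

def rect_loop(w=1000, h=600, step=100):
    """Constructed: a rectangular perimeter route, one point every `step` metres."""
    top = [(x, 0) for x in range(0, w, step)]
    right = [(w, y) for y in range(0, h, step)]
    bottom = [(x, h) for x in range(w, 0, -step)]
    left = [(0, y) for y in range(h, 0, -step)]
    return top + right + bottom + left

def make_activity(phase, private=False, zone_radius=250):
    """One anonymised run of the loop starting `phase` points along it, with a
    privacy zone (hypothetical radius) around its own start/finish point."""
    loop = rect_loop()
    pts = loop[phase:] + loop[:phase] + [loop[phase]]  # finish back at the start
    return {"points": pts, "private": private, "zone": (pts[0], zone_radius)}

def in_zone(p, zone):
    (cx, cy), r = zone
    return hypot(p[0] - cx, p[1] - cy) <= r

def heat_map(activities, cell=CELL):
    """Apply the three quoted rules and return {cell: number of activities through it}."""
    counts = defaultdict(int)
    for act in activities:
        if act["private"]:
            continue  # rule 1: activities marked private are excluded
        visible = [p for p in act["points"] if not in_zone(p, act["zone"])]  # rule 2
        for c in {(p[0] // cell, p[1] // cell) for p in visible}:
            counts[c] += 1  # rule 3: aggregate counts only, no user identity kept
    return dict(counts)

def route_cells(hm, min_count):
    """Cells crossed by at least `min_count` activities: the shape that survives."""
    return sorted(c for c, n in hm.items() if n >= min_count)

# Constructed sample: eight public runners starting at different points on the
# same loop, plus one runner who marked the activity private.
ACTIVITIES = [make_activity(phase=3 * i) for i in range(8)] + [make_activity(0, private=True)]

if __name__ == "__main__":
    hm = heat_map(ACTIVITIES)
    print(f"{len(hm)} cells on the map, {min(hm.values())}-{max(hm.values())} activities each")
    print("full loop still visible:", len(route_cells(hm, 1)) == len(rect_loop()))
```

Each runner’s own privacy zone blanks only that runner’s start, so the other runners fill the gap and all 32 cells of the loop appear with six to eight activities each.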
Criticism of Strava’s heat map has continued to increase, leading Strava CEO James Quarles to respond on Monday by promising to review all features as well as work “with military and government officials to address potentially sensitive data.”
In the meantime, routes uploaded to Strava can be viewed via its website, allowing anyone who accesses the site to amass names of individuals, including active members of the military serving abroad.
Fallout: Surveillance Capitalism
As the operational security expert known as “the Grugq” notes, who would have ever thought that “surveillance capitalism” – monetizing data acquired through surveillance – would have led to secret military bases being exposed?
It is a strange world where secret military bases are exposed due to OPSEC failure to opt-out of publicly sharing fitness tracking info. pic.twitter.com/13fKDMJhPl
— the grugq (@thegrugq) January 28, 2018
“None of this surprises me,” David Stubley, head of Edinburgh, Scotland-based incident response and penetration testing firm 7 Elements, tells Information Security Media Group. “This clearly is an advertising route for Strava, because it shows the global use of their product. I can’t see another practical application.”
Stubley is a runner who uses Strava, although he’s tried to use it in a manner that keeps his personal details private.
“It is becoming ubiquitous in the way we do our sporting activities these days,” he says. “I’ve taken personal steps to not disclose my information publicly, and I have a privacy shield that stops it recording and displaying exactly where I start or stop my activity. … But has Strava’s data aggregation – this big data that they’ve put together – done away with that?”
Remember – make informed decisions on how your data is used. If you don’t want to share data, review your profile and uncheck the box. #stravaheatmap pic.twitter.com/l0u7nhv4G8
— David Stubley (@DavidStubley) January 30, 2018
Failure: ‘Informed Consent’
The Strava debacle shows that the “informed consent” model of privacy – widespread in the United States in particular – does not work, because companies are not able to reliably inform users of all the threats and risks they might face by using the service, says privacy expert Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina.
“Data privacy is not like a consumer good, where you click ‘I accept’ and all is well,” Tufekci writes in the New York Times. “Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.”
With enough data, all data is “personally-identifiable” data. With enough data, machine learning can suss out undisclosed traits. When combined, data can reveal things beyond anyone imagined. Informed consent is not a workable model – let alone “click accept” tiny font legalese.
— zeynep tufekci (@zeynep) January 30, 2018
Tufekci, however, does not blame Strava for this debacle, saying it’s unlikely the firm could have ever predicted what this data, in aggregate, might reveal.
Certainly, its description of features never suggested that aggregate data might expose sensitive military installations. Rather, Strava’s privacy settings help page emphasizes the supposed benefits of sharing fitness and tracking information.
Tracking: Second Hand
Many organizations, including the military, have clear policies about smartphones and wearables. The U.S. Marines, for example, in 2016 banned “personal wearable fitness devices … if they contain cellular or WiFi, photographic, video capture/recording, microphone, or audio recording capabilities,” and says such devices remain prohibited even if “cellular, camera, or video capability” has been disabled. That’s no surprise, because malware can be used to remotely and silently activate such features even if they have been disabled.
One challenge for many organizations that don’t want to reveal or highlight the existence of their facilities, however, may be that Strava-compatible sport watches and “smart watches” – including devices sold by Apple, Fitbit, Garmin, Polar, Suunto and TomTom – look innocuous. Such devices may record GPS coordinates and only later transfer them to Strava’s site after a workout, when the wearable synchronizes with a smartphone or desktop.
“I’ve been in restricted environments where you decant all of your smartphones immediately upon entering,” Stubley says. “The problem here, however, is it’s not those types of devices directly. I could leave my smartphone at home, wear the smart watch, and it passively records everywhere I go and only gets transferred later.”
Still Live: Heat Map
Despite the debate and reveals, Strava’s heat map remains live, notes Stephen Cobb, a senior security researcher at cybersecurity firm ESET.
What surprises me the most about the Strava Heat Map is that they haven’t taken it down. Here’s the super secret Five Eyes spy satellite downlink station in the middle of the Australian desert… pic.twitter.com/n7LLjGLyPu
— Stephen Cobb (@zcobb) January 30, 2018
But removing it now would be pointless, security experts say. That’s because the data has been archived on code-sharing site GitHub.
This big data set will remain active for the world to see.
Meanwhile, researchers – including journalists at investigative site Bellingcat – have been continuing to review the data and cross-reference it with other open source information.
Who knows what else the aggregate fitness data might reveal?