
[Updated] Strava Heatmaps might be giving away more information than you think

Researchers show even anonymous aggregated data can reveal personal details


Strava’s Global Heatmap may be giving away more personal information than the social fitness platform claims, or even realizes. In a new paper, a group of researchers showed that the anonymously aggregated data presented in the Heatmap can be used to uncover individual identities, personal information and activity patterns. This is possible, the researchers say, even if your Strava profile is private.

More disturbingly, they showed how information gathered from the supposedly anonymous feature could be used by a stalker or other assailant to plan an attack on a specific person.


De-anonymizing aggregated information: How Global Heatmaps can identify individuals

This new research is interesting because it shows that, while Strava does take steps to protect users’ privacy, those steps are not as effective as users might think. Crucially, the platform’s options for increased privacy do not appear to change what feeds the Heatmap at all.

“While the data on the Strava Heatmap is not tied to specific users, the data can be combined with other data sources within the Strava platform to de-anonymize the heat,” the researchers explain. “This de-anonymized heat can then be used to identify the home address of Strava users. This contradicts Strava’s … privacy claims.”

The paper goes into more detail about the exact ways the researchers were able to use the aggregated data to pull out specific personal information, such as a user’s home address, and what can be done with that information.

Switch to the satellite base map and the Heatmap looks less abstract.


“In addition to contradicting the privacy claims made on registration for the Heatmap, the matching of a Strava user to a home address can build a complete profile of an individual, including their workout habits and the paths they frequently travel on. This information can be used for stalking or other invasions of the privacy of individuals.”

Some Strava users have reported the app being used in bike thefts, though Strava denies that claim.


Privacy settings can cause confusion about what is shared, and what is not

Strava has a long history of unexpected privacy problems and, for the most part, of trying to fix them. Part of what this research points out is that it isn’t always clear how changing a privacy setting affects the way your data is used.

For instance, Strava allows you to set hidden zones around a home address, or around the first and last part of an activity. If your activity is public, other users won’t see the data inside those zones. But that data still appears to be used, anonymized, in the aggregated Heatmap data. “Since the data is anonymized, Strava does not apply the same hidden zone feature that is standard for shared activities,” the researchers write. “Per Strava, ‘data within hidden zones of activities that are shared with “Followers” or “Everyone” will now be used in de-identified aggregated data.’”

That means that, even if your profile is private and you use hidden zones, any activity you share with followers or with everyone can still feed the Heatmap.
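The de-anonymization the researchers describe, together with the hidden-zone behaviour quoted above, as an added example that is not from the paper, from Strava or from this article: a toy Python model in which heat is aggregated from full tracks (hidden zones not applied), a dead-end stub of heat marks where routes start or finish, and the stub is attributed to users by connecting it to the ends of their shared, zone-clipped activities, the other in-platform data source the quote refers to. The grid, the tracks, the user names, the two-user rendering threshold and the stub heuristic are all constructed assumptions. The three functions at the end contrast the leak with opting out of aggregate data, and with what aggregation would look like if hidden zones were honoured before aggregation.

```python
"""Toy model of the heatmap endpoint leak described above.
Constructed example, not Strava's or the researchers' code. Space is an
integer grid, a track is a list of cells, a hidden zone is a radius around
a home cell. Assumption: heat counts distinct users per cell and shows a
cell only once at least MIN_USERS have passed through it."""
from collections import defaultdict, deque
from math import hypot

MIN_USERS = 2  # assumed rendering threshold ("multiple people")


def clip_hidden_zone(track, home, radius):
    """What a shared activity shows: cells within `radius` of home dropped."""
    return [c for c in track if hypot(c[0] - home[0], c[1] - home[1]) > radius]


def build_heat(activities, min_users=MIN_USERS):
    """activities: iterable of (user_id, track). Returns {cell: user_count}
    for cells crossed by at least `min_users` distinct users."""
    users = defaultdict(set)
    for user, track in activities:
        for cell in track:
            users[cell].add(user)
    return {c: len(u) for c, u in users.items() if len(u) >= min_users}


def neighbours(cell):
    x, y = cell
    return [(x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)]


def heat_stubs(heat):
    """Heated cells with one heated neighbour: dead ends where routes start
    or finish (illustrative heuristic, not Strava's rendering)."""
    return sorted(c for c in heat if sum(n in heat for n in neighbours(c)) == 1)


def attribute_stub(stub, heat, public_tracks):
    """Combine heat with shared (clipped) activities: the stub is attributed
    to users whose public track ends reach it through heat that no public
    track explains, i.e. heat that lies inside a hidden zone."""
    explained = {c for _, t in public_tracks for c in t}
    unexplained = set(heat) - explained
    if stub not in unexplained:  # already visible in shared data: no new leak
        return []
    owners = set()
    for user, track in public_tracks:
        for end in ((track[0], track[-1]) if track else ()):
            seen, queue = {end}, deque([end])
            while queue:
                cur = queue.popleft()
                if cur == stub:
                    owners.add(user)
                    break
                for n in neighbours(cur):
                    if n in unexplained and n not in seen:
                        seen.add(n)
                        queue.append(n)
    return sorted(owners)


# --- constructed scenario (not real data) ---------------------------------
ROAD = [(x, 0) for x in range(0, 11)]              # busy main road
HOME, RADIUS = (5, 4), 2                           # two housemates live here
SIDE = [(5, 4), (5, 3), (5, 2), (5, 1)]            # quiet street home -> road
HOUSEMATE_RUN = SIDE + [(x, 0) for x in range(5, 11)]

# Full tracks feed aggregation: per the Strava statement quoted above,
# hidden zones are not applied to de-identified aggregate data.
ACTIVITIES = [("r%d" % i, ROAD) for i in range(5)] + [
    ("alice", HOUSEMATE_RUN), ("bob", HOUSEMATE_RUN)]

# Shared activities are what other users (and an attacker) can see.
PUBLIC = [(u, clip_hidden_zone(t, HOME, RADIUS) if u in ("alice", "bob") else t)
          for u, t in ACTIVITIES]


def leak_with_full_tracks():
    """Stub lands on the home cell; the housemates' shared tracks lead to it."""
    heat = build_heat(ACTIVITIES)
    stubs = [s for s in heat_stubs(heat) if s not in ROAD]
    return stubs, {s: attribute_stub(s, heat, PUBLIC) for s in stubs}


def leak_after_opt_out(opted_out=("alice", "bob")):
    """Opting out of aggregate data removes the side street from heat."""
    heat = build_heat(a for a in ACTIVITIES if a[0] not in opted_out)
    return [s for s in heat_stubs(heat) if s not in ROAD]


def leak_if_zones_were_applied():
    """Had aggregation honoured hidden zones, the stub would stop at the zone
    edge (5, 1), which the shared activity already shows: nothing new leaks."""
    heat = build_heat(PUBLIC)
    stubs = [s for s in heat_stubs(heat) if s not in ROAD]
    return stubs, {s: attribute_stub(s, heat, PUBLIC) for s in stubs}
```

Calling `leak_with_full_tracks()` returns the stub on the home cell `(5, 4)` attributed to both housemates, because their shared tracks end exactly where the unexplained heat begins; `leak_after_opt_out()` returns no stub at all, and `leak_if_zones_were_applied()` returns a stub at the zone edge that attributes to nobody. Note that the main road's own ends are excluded from the result: a stub only says where a route ends, and the leak comes from combining that with data that is already public per user.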

Simple steps to protect your information

The researchers suggest several ways in which Strava could address this weakness on the platform’s back end. But if you are concerned about your own information getting out there, there are several simple ways to protect yourself.

The easiest is, of course, to not use Strava.

Short of that, you can opt out of Heatmaps entirely (though Strava does show a lengthy message asking you not to, so that your data can keep feeding “community-powered features”). Head to Settings > Privacy Controls and un-check “Contribute your activity data to de-identified, aggregate data sets.”


If you do want to stay on the social platform, there are a few more easy ways to keep your information private. The first is to not start or end activities at your house. Unlike a hidden zone, which only trims what other users see of a shared activity, this keeps the data around your home out of the aggregate in the first place. If you’re in an area with other Strava users, this step should go a long way towards obscuring your home address and your habits.

Strava also suggested, in response to road.cc’s initial story on this research, that “users can set their default Activity Visibility to be only to themselves (Only You) for any given activity.”

History of privacy concerns

As mentioned, this isn’t the first time Strava has unintentionally created privacy problems. Most spectacularly, in 2018 an Australian researcher discovered that the Heatmap was inadvertently exposing the location and layout of secret military bases around the world.

Strava was also pressured into creating privacy zones around home addresses, later extending that function to hide the start and end of any activity, and into turning off Flyby as a default feature. The platform eventually allowed users to block other users.

Update: Strava’s reply [June 20, 2023]

In a statement to Canadian Cycling Magazine, Strava added further clarification to how it deals with user data, and how users can control how it is used.

“The safety and privacy of our community is our highest priority. We’ve long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with.

Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.

The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (‘Only You’) for any given activity.

We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava. This includes simplifying our Privacy Policy with our Privacy Label at the top.”
