KU Leuven scientists retrieve privacy-sensitive data from Strava users

Spread the love

Scientists from KU Leuven have succeeded in identifying privacy-sensitive locations in the endpoint privacy zones of the Strava app. They did this by analyzing publicly shared data.

The researchers have Reportedly Analyzed 1.4 million activities on Strava’s platform. In 85 percent of the cases, they were able to discover the hidden locations that users hide through the so-called endpoint privacy zones. Via these endpoint privacy zones, the first and last 200 meters of a traveled route are automatically hidden from other users. As a result, no privacy-sensitive locations, such as the home address or a workplace, would be shared.

But on the basis of metadata, the researchers were able to identify these privacy-sensitive locations. The metadata includes the distance traveled by a Strava user, the route followed and the location at which a Strava user enters or exits the endpoint privacy zone. In combination with a street map, according to researchers, this data can even reveal your point of departure or arrival.

“The endpoint privacy zones give a false sense of security,” says Karel Dhondt, one of the researchers at KU Leuven, at the VRT. “Users should be aware that their location data is never truly private,” it sounds. “Thieves can see who owns the nicest and most expensive bikes through the app and by bypassing the privacy zone they know where to find them. It can also open the door for stalkers and other people with bad intentions.”

Dhondt and his team also researched the sports apps Komoot and Garmin Connect, but most of the problems were reported to have occurred with Strava. In a few weeks, the researchers have an appointment with Strava’s developers in Los Angeles and may work together to fix the vulnerability. In the meantime, Dhondt already has some tips for the company. For example, Strava would do well to hide the distance you travel within the hidden zone, or leave it out altogether. According to the man, Strava should also provide more variation in the shape and size of such an endpoint privacy zone.

Dhondt recommends that Strava users set up the endpoint privacy zone first, and then make it large enough. To rule out even more risks, Dhondt also recommends alternating departure and arrival locations during a session on Strava. The researchers also have a website developed with which Strava users should be able to process their running and cycling data in a privacy-friendly way. The distances are stored in less detail via this website.

It’s not the first time Strava has been in the news for privacy reasons. Earlier this year, a new way of leaking Israeli military location data was discovered. In 2018, security firm Wandera suggested that the endpoint privacy zone actually makes it easier to find out users’ home or work locations.

Strava is a fitness app that allows users to track their sports performance such as cycling and running. The company profiles itself as a social network for athletes and in 2021 had worldwide estimated 95 million users.

Update11:10am: Added information about what Strava is and how many users the service would have worldwide.

You might also like