Just how much info are you sharing with your fitness app?
A fitness tracking app that posted a map with potentially sensitive information about its users is sparking concerns over how similar services protect personal data, and raising questions about what users can do to protect themselves.
Strava is among several apps and devices like Fitbit and Garmin that are part of the surging fitness tracker market. In most cases, the apps or devices keep tabs on basic health information such as steps taken, heart rate, or sleep.
But some of those apps could collect more, such as calendar or contact information depending on what permissions they request, said Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy & Technology.
“It’s important to dig into the settings of your phone or whatever device you’re using to see what has asked for access to these different types of data and whether or not you’re comfortable with that,” she said.
Checking defaults is key. Strava and similar apps including Runkeeper are more social than other fitness apps, allowing users to keep track of specific routes they use to run or bike. Because of this social nature, settings often default to public view instead of private.
Users can ask themselves, do I really want to share my jogging route with the entire Internet?
Strava, which describes itself as a “social network for those who strive,” works with most phones and GPS-enabled fitness watches. Since 2015, Strava has published a global heat map detailing the activity of its 27 million global users, based on their uploaded GPS data. The heat maps let users find new exercise routes or discover the most popular ones in new locations.
They also may be giving away military secrets. Security experts over the weekend questioned whether the user-generated map could not only show the locations of military bases, but specific routes most heavily traveled as military personnel unintentionally shared their jogging paths and other routes. Strava’s own website, noted The Guardian, allowed users to find, via a leaderboard of competing runners, the names of service members who had raced one potential stretch outside an Afghan military base.
The San Francisco-based company said data used in the map was made anonymous and doesn’t include data “marked as private and user-defined privacy zones.”
According to Strava’s privacy policy, depending on how accounts were set up, information and content may be accessible to the public. Users can opt out of participating in heat maps via the privacy settings.
The Department of Defense said it was reviewing its policies on smartphones and wearable devices.
Some users have used the route tracking feature in other ways — to create works of art. For example, a father in Iowa honored the loss of his son to cancer by running routes that spelled out names of childhood cancer survivors.
Users credit the social feedback of such apps for helping them keep to their fitness goals. But fitness trackers and apps have been criticized for vague privacy policies.
In 2016, Open Effect — a Canadian non-profit group focused on research into how people’s personal data is handled — partnered with The Citizen Lab based at the University of Toronto to analyze fitness tracker privacy and security.
They found seven out of eight fitness tracking devices “emit persistent unique identifiers that can expose their wearers to long-term tracking of their location” if the device isn’t connected to a smartphone.
Sam Lester, consumer privacy fellow at the Electronic Privacy Information Center, said location tracking is among the chief concerns when using fitness trackers.
“These apps can track your location, and very often these companies are disclosing sensitive location information to third parties without users’ knowledge or consent,” said Lester.
Both Apple’s iOS and Google’s Android operating systems include privacy settings where users can manage how their location is used within apps. In some cases, apps will track your location whether the app is in use or not, while others only use location when you have the app open.
De Mooy said for now, it’s up to consumers to stay on top of how to handle their privacy when using tracking apps, but said companies should do more. “It’s important for them to be up front about what they’re doing and to offer more controls, but I think there just needs to be better stewardship on the part of companies.”
Follow Brett Molina on Twitter: @brettmolina23.