Fitness app that revealed military bases highlights bigger privacy issues

Fitness tracking app Strava wanted to show how people use its app all over the world.

In November, it published an interactive heat map built from roughly one billion activities -- runs, rides and other workouts -- that users had shared publicly.

But over the weekend, observers noticed that Strava's map may have inadvertently revealed the locations of sensitive U.S. military sites, and the movement patterns of personnel, at bases in countries around the world: in remote areas with few other users, the regular routes of a handful of service members stood out clearly on an otherwise empty map.

The controversy around Strava demonstrates a common issue in the relationship between tech companies and their users: people casually using an app often don't understand what companies do with their data or how to properly protect it.

"Before people can even have a basic level of protection of some kinds of data, they have to wade through these lengthy privacy policies, or find the setting, or even have some awareness that potentially sensitive information is going to get out there," said Michelle De Mooy, director of the Privacy & Data project at the Center for Democracy and Technology.

Strava has three levels of privacy in its app: Users can treat it like Twitter and publicly share their activity data for anyone to see; they can choose to let only certain people see their activity; or they can make their activity completely private. The default option is to share personal activity data publicly, so anyone who installed the app and never changed a setting contributed to the map.

In a November blog post announcing the heat map, Strava data engineer Drew Robb said the company respected privacy rules when it created the map and only published public data. Strava did not respond to specific questions about user data, but told CNN in a statement earlier Monday it is "committed to helping people better understand our settings to give them control over what they share."

Tech firms revealing user data without anticipating the consequences is not uncommon. Companies assume it will be interesting to publish user statistics, then face a backlash when people are uncomfortable with what the aggregated data exposes.

"What they fail to understand is that data represents people and people's preferences," De Mooy said. "Every tech platform is dealing with this unintended consequences problem, and it's partly because of the misalignment between expectation and intention, and what they're doing."

In December, Netflix (NFLX) tweeted a joke about 53 people who watched its holiday film "A Christmas Prince" once a day for 18 days. Some people criticized the tweet as inconsiderate. The tweet also reminded users that the video streaming company has massive amounts of data on people it could access at any time for any reason -- including poking fun at them.

In 2014, Jawbone -- a now-defunct fitness tracker -- published aggregated sleep data showing how many of its users woke up during the August earthquake in Northern California. People saw their anonymized personal information become a data point in a major public event, and some felt uncomfortable when data collected in their bedrooms became part of a study looking at sleep data during the natural disaster.

In 2011, Fitbit exposed the self-reported sexual activity data of some users through profiles that were public by default. Fitbit changed its sharing options after the incident to make a private profile the default.

Many apps also sell personal data to third-party companies. The practice is common, though the general public is often unaware of an app's policies on data brokering. Such sales are legal if disclosed, but users may never see the disclosures buried in lengthy privacy statements.

The U.S. Central Command told CNN on Monday it is looking into refining its smartphone and wearable device policies following the Strava revelations.

White House cybersecurity coordinator Rob Joyce tweeted on Monday that the Strava heat map highlights the risks of big data analytics.

"It goes well beyond fitness trackers. Security and OPSEC need to be considered in our new reality," he said in a tweet. "While policy evolution is needed, it is important to make good security policy balanced by not over reacting too."
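The mechanism behind the heat map problem can be shown in a few dozen lines. The example below is added here and is not Strava's code; it builds a grid heat map from "anonymous" public GPS tracks, shows that a remote cell visited by only a few users stands out on its own, and then applies two mitigations a publisher could use: a per-cell distinct-user threshold and per-user privacy zones. All coordinates and user IDs are constructed for the demo, and the 0.01-degree grid and square privacy zones are assumptions, not Strava's actual design.

```python
# Added example, not Strava's code. It shows why a heat map built from
# "anonymous" public activities still exposes a location, and two mitigations
# a data team could apply before publishing: a per-cell distinct-user threshold
# and per-user privacy zones. All coordinates and user IDs below are constructed
# for the example; the grid size and box-shaped zones are assumptions, not
# Strava's actual design.
import math
from collections import defaultdict

CELL_DEG = 0.01  # grid cell edge in degrees (~1 km); assumption for the demo


def cell_of(lat, lon, size=CELL_DEG):
    """Map a coordinate to an integer grid cell."""
    return (math.floor(lat / size), math.floor(lon / size))


def build_heatmap(tracks, privacy_zones=(), zone_radius_deg=0.01):
    """Aggregate public tracks into {cell: set(user_ids)}.

    tracks: iterable of (user_id, [(lat, lon), ...]).
    privacy_zones: (lat, lon) centres; points within a square of
    zone_radius_deg around any centre are dropped before aggregation.
    """
    cells = defaultdict(set)
    for user, points in tracks:
        for lat, lon in points:
            if any(abs(lat - zlat) <= zone_radius_deg and abs(lon - zlon) <= zone_radius_deg
                   for zlat, zlon in privacy_zones):
                continue  # honour the privacy zone: never aggregate this point
            cells[cell_of(lat, lon)].add(user)
    return cells


def publish(cells, min_users=1):
    """Turn the aggregate into {cell: distinct_user_count}, suppressing cells
    with fewer than min_users contributors (a k-anonymity-style threshold).
    With min_users=1 every visited cell is published, which is the behaviour
    that makes a handful of joggers on a remote site visible."""
    return {c: len(users) for c, users in cells.items() if len(users) >= min_users}


def isolated_hotspots(published):
    """Published cells whose eight neighbours are all empty. On a global map
    this is the signature that draws attention to remote compounds: activity
    with no surrounding activity."""
    hits = []
    for (x, y) in published:
        neighbours = ((x + dx, y + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1)
                      if (dx, dy) != (0, 0))
        if not any(n in published for n in neighbours):
            hits.append((x, y))
    return hits


# Constructed data: six users crossing three adjacent cells of a city, and
# three users repeatedly running a short loop inside one remote cell.
CITY_ROUTE = [(40.005 + 0.01 * i, -74.005) for i in range(3)]
REMOTE_LOOP = [(33.335, 44.445), (33.337, 44.447), (33.335, 44.445)]
TRACKS = [(f"city{u}", CITY_ROUTE) for u in range(6)] + \
         [(f"remote{u}", REMOTE_LOOP) for u in range(3)]
REMOTE_CELL = cell_of(33.335, 44.445)

if __name__ == "__main__":
    naive = publish(build_heatmap(TRACKS))
    print("naive publish, isolated hotspots:", isolated_hotspots(naive))
    thresholded = publish(build_heatmap(TRACKS), min_users=5)
    print("min_users=5, isolated hotspots:", isolated_hotspots(thresholded))
    zoned = build_heatmap(TRACKS, privacy_zones=[(33.336, 44.446)])
    print("remote cell present after privacy zone:", REMOTE_CELL in zoned)
```

No usernames are ever published, yet the naive map still singles out the remote cell because the question an analyst asks is "where is there any activity at all?", not "who is this?". The threshold removes cells that too few people contribute to, and the privacy zone removes the points before they are ever counted; a real deployment would need both, since a threshold alone still leaks a site once enough personnel sync their runs.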

People who are concerned about privacy should read apps' privacy policies and check the types of information apps ask to collect, including permissions for a phone or tablet's camera, location, calendar and contact list. Social apps are often public by default, De Mooy said, and people must manually change their settings to be private.

"If you are a person with sensitive information -- whether that is your immigration status, gender, politics, or sexual orientation -- you may want to consider that once you're using a bunch of different apps, that information is probably getting compiled about you," De Mooy said.
