Sharing your running and cycling routes is the whole point of using Strava - you can see whether you're the fastest in your neighbourhood at climbing that big hill, or take on a friend's favourite running route to see how you compare. But this weekend, Australian analyst Nathan Ruser pointed out that the app's heatmap of popular routes reveals, oops, data about military bases and the people who are stationed there.
Image from the Strava heat map. Does not include my house. As far as you know.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
This isn't just the military's problem. Many of us don't want randoms browsing our running routes, especially when they're close to home. Quartz reporter Rosie Spinks wrote last year of the difficulty she had locking down her Strava account. She thought her settings would hide her activity from strangers while allowing her to share with her friends, but Strava has several then-hidden privacy settings that meant she was still findable through various app features.
Strava wrote this blog post after she contacted them, which runs down all the ways to protect your privacy in the app. (We've contacted Strava to ask if this information is still current and complete. We're still waiting on a response, but the app seems to behave as described.)
Strava's Privacy Settings Get Pretty Granular, But There Are Tradeoffs
The bottom line seems to be that you have to tweak a bunch of settings to get any privacy, and some of them require tradeoffs where you can't use some of the app's functions, such as seeing where you stand compared to the fastest people to run a certain segment. When you sign up for Strava through the iPhone app, you aren't shown any privacy-related settings. You just create an account, grant location access (without which it can't track you at all), and then it prompts you to start a run or ride.
If you want to find the privacy settings, you'll have to go into either the Profile or More screen, then Settings, and then Privacy. There, you'll find five different switches that each allow you to make certain types of things private. One, "Private by Default", requires you to opt into sharing each run, rather than the other way around. Another, "Enhanced Privacy", only allows people you follow to see your photos, your last name, and the activities listed on your profile. But as Spinks found out, your name will still show up in other parts of the app. She has an updated guide to Strava's privacy settings here.
Hiding Your House
Strava's first recommendation for privacy is to create "privacy zones" around your home, workplace, or anywhere you don't want people snooping. (I also learned today that mountain bikers use privacy zones to hide their activity on illegal trails.) But these zones are a clumsy tool that don't really make your whereabouts all that secret.
First, you have to go through the Strava website to set up a privacy zone, but you can reach that through a link from the app if you know where to find it. (It's at the bottom of the privacy settings screen.) Then, you have to enter an address, and choose how big the zone should be. Your options range from a 200m radius up to 1km.
Those distances might be handy if you live in a densely populated area, but if you're on a country road there might only be a handful of houses within your privacy zone. Strava hides the portion of a run or ride that starts or ends in a privacy zone, but that means that your profile can end up with a bunch of short activities circling a 2km dead zone. For example, see if you can guess where I set the centre of my privacy zone here:
If you need an extra clue, Strava also shares photos I took at any point on the run, including the sign for the North Park Boat House, which is the spot I set as the centre of my dead zone. A stranger could also do some simple maths from just one of those routes to figure out how far down the road your house must be. This one looks like (and is) an out-and-back course, with mileage clearly listed:
Privacy zones are not, it turns out, all that private.
The most private solution, as you may have guessed, is not to use the app at all - or to keep every single run and ride private, making it useless as a social app. Other running apps don't have the same system of public leaderboards, but allow other types of sharing, including posting a map of your run to Facebook. That may seem more straightforward, until you start to wonder if you really trust all of your 300 Facebook friends with your house's location data. Your only option appears to be overthinking your privacy in one way or another, so, good luck with that.