Worried about Strava? It’s not the only app mapping our every move

It was a great PR move: in November fitness tracking company Strava launched an updated global heatmap that visualised all the location data that its users had been collectively broadcasting, revealing popular running spots around the world. It is a fascinating visual, but it accidentally pinpointed the location and layout of secret military bases where fitness-conscious soldiers had been running around with their fitness trackers or phones. Whoops.

The unexpected ways in which our personal data leaks out into the world range from the mildly amusing to the downright terrifying. Pornhub is notorious for its eye-catching data visualisations of the pornographic proclivities of people in different locations and during different political events. The Strava incident involved information that users themselves made public, but such data is also vulnerable to hacking.

In 2016 a security researcher in Japan discovered that it was perfectly possible to determine a person’s exact location through exploiting weaknesses in the gay dating app, Grindr. In 2010 Foursquare, the social service that encouraged its users to “check in” at popular locations, made the fairly consequential error of publicly broadcasting all of that data by accident. These incidents reveal what can happen when we feed our location data and private information into huge anonymised banks.

Many free apps ask for access to private information that they really do not need in order to provide the function they advertise. We’ve all had the experience of downloading, say, an alarm-clock app and suddenly being asked to give the thing access to your call data, location, media, phone storage and whatever else it can access – information that is then usually anonymised and sold, for advertising purposes. Popular services such as Facebook, Google, Tripadvisor and Groupon are at least more likely to keep such information secure and be less vulnerable to hackers, but they still like to keep tabs on where we are.

Our personal data is the trade-off for these exceptionally useful free services. Unfortunately there is no option to pay, say, Google Maps a fee instead, so we’re either stuck looking at static paper maps like a 1990s backpacker or telling an anonymous data bank where we are at all times of the day and night. It would be reasonable to expect that apps and services only transmit information on our data when we’re actively using them, but in fact it happens far more often. A 2015 study by Carnegie Mellon University found that apps such as Facebook were pinging location data back to their developers thousands of times a week.

The study also found that once people were made aware of the scale of data-sharing they became much more reluctant to use the services in question. When you tap “Allow this app to access location data?”, you don’t think you’re giving consent to being constantly monitored. But that is exactly what is happening. Often users are broadcasting their data and giving consent for companies to use it however they want, without even being aware of doing so.

As Strava has pointed out in the wake of this latest incident, there is an opt-out function that will prevent it from publicly broadcasting your location. This is how most apps work: rather than approving access to your data, you have to opt out once you’ve signed up. This option is always hidden behind a few menus.

In its latest statement, Strava claims that it is “committed to helping people better understand our settings to give them control over what they share” – a message often echoed by social media companies. Companies such as Google and Facebook are understandably cagey about how many people actually use these privacy features. When this data is the entire business model of these companies, what motivation do they really have to stop collecting it?

Here’s something for you to try. Are you one of the billion people who use Google Maps? Launch the app on your phone, tap the menu icon (three horizontal lines), then tap “Your Timeline”. Unless you have specifically turned off Google’s access to your location data – which few of us have – you will now see a map of your exact movements, every single day, stretching back for as long as you have been walking around with your phone. You can use the calendar view to see exactly where you have been on a given day. If this horrifies you, you are not alone.

Towards the end of my first pregnancy, in 2016, instead of cleaning out all the cupboards in the house like a normal person, I became briefly obsessed with infosec (information security), researching virtual private networks (VPNs), private browsers and all manner of other things that might help me keep my internet activities to myself. Newly incensed by the passing of the “snooper’s charter”, which obliges my internet service provider to keep all my data and theoretically allows pretty much any arm of the government or police services to access it for any reason, I locked down as much as I could. I asked Google Maps to delete all my location history and prohibited it from storing any more. I can’t use some of the app’s most useful features now, such as saved addresses, but I can still use it to find where I need to go. The convenience of occasional alerts about my usual route to work did not seem like a fair trade-off for Google keeping hold of a map of my exact movements for all of my life.

Next time an app asks for access to your location data, think about saying no. It’s easy to be blase about giving services access to all manner of personal information when all it takes is a tap.