THINK OF YOUR fitness tracker like a personal trainer—one that happens to live on your smartphone. There are things you want it to do, like monitor your heart rate, your pace, the time it took for you to complete your last sprint, and whether your sprints are getting faster over time. And then there are things you don't particularly want it to do, like stalk your every move and follow you home at night.
With fitness apps that hoover up more and more data, it can be hard to split the difference. Consider Strava. The fitness app, which shares running and cycling routes on its social network, came under fire this week after releasing a heatmap that showed the global activity of its millions of users. The map revealed more than just where people like to jog. By looking at the data, you could find the borders of secret military outposts, as well as track patrol routes of soldiers at those bases. As a national security issue the implications are huge. It should also be a reminder to consumers that data collected by fitness apps reveal a lot about you and how you move about the world. And that data doesn’t always stay on your phone.
Strava sells itself as an activity tracker turned social network: You can see the most popular bike paths among other Strava cyclists, follow your friends’ running routes, or log your team 5K as a group exercise. It’s almost integral to the app that you share your location data in order to get the most out of it. And that comes with a privacy trade-off.
Right out of the box, Strava is configured to upload all of your activity to the Strava feed. That means that if you do nothing, the app automatically shares your fitness data with the rest of the Strava community, enabling others to follow your jogging route, “give kudos” on your sprint, or even see your full name and photo if they happen to be exercising nearby. Similar apps, like MapMyRun and Nike + RunClub, work the same way, automatically sharing users' activity stats unless they deliberately opt out. Those features can be nice—they're designed to make the app feel like a digital community, not just an exercise log. But they can also expose more information than you’d expect.
Consider, for example, Strava's “FlyBy” feature, which shows who you’ve passed on a bike ride or a run. It’s supposed to offer more granular performance data and also to connect Strava users IRL by pointing them out to others when they cross paths. But it also shows users full names and their entire route, even if you only passed them for a moment. You could then find that user’s public data on the app, searching the routes they habitually take. By searching a user's regular routes, you could easily figure out where they live, work, or how to track them down in the real world.
Creeped out yet? Consider, also, that it’s possible to de-anonymize some of Strava’s data by making a request to the company’s API. And Strava doesn’t make any promises about what it won’t do with your data. In the past, it’s sold its location data to cities looking to parlay information about where cyclists bike to create better bike lanes. Mostly harmless, sure, but Strava has the potential to sell your data elsewhere too.
If you’re concerned about keeping your location private, you can manually opt out from many of Strava’s sharing features by opening Settings → Privacy on the app, then toggling off individual features. You can disable sharing activity, hide your activity from leaderboards, or make activity information visible only to your followers and the people you follow. Confusingly, the app includes a feature called “Enhanced Privacy,” which hides some activity but keeps your data public on leaderboards, during FlyBys, and during group activity. For the most heightened privacy, you’ll need to individually change the settings for activity, group activity, leaderboards, and FlyBys.
Of course, disabling all those sharing features neuters the app and its promise to be a network for athletes. So if you want to tap into Strava's social features without giving up too much of your personal information, you can create Privacy Zones within the app. This hides certain parts of your route—say, your home address, from where you begin and end your runs—which makes it harder for weirdos to follow you home after a jog. You can do this by heading to Settings → Privacy → Create Privacy Zone.
Since the data collected on apps like these is particularly sensitive—including personal information about health and location—it's worth reviewing the privacy policies for all of the fitness apps you regularly use to see how your data might be used. And if you're, say, working on a top-secret military base and not prepared to show your location at all, it might be time to ditch the fitness tracking apps altogether.