Strava and beyond: What fitness apps teach us about the value of privacy

Following the incident involving the tragic death of former Russian submarine captain Stanislav Rzhitsky, 42, who was fatally shot by an elusive gunman on a rainy day in a deserted Krasnodar park, concerns regarding privacy have once again come to the forefront. The unsettling fact that the captain was being tracked while running through the fitness app Strava prompts us to reflect on the significance of maintaining our privacy. While it may not be relevant to our own circumstances, such as being a former submarine captain or being linked to any suspicious activities, the incident compels us to consider the broader implications and reevaluate our approach to privacy. 

Using Strava can inadvertently provide thieves with information about your valuable bicycle and its whereabouts. Cyclists who extensively share details about their bike's brand and model on the popular app unknowingly make it easier for burglars to identify potential targets. This is particularly concerning as users often begin recording their routes directly from their homes. Moreover, sharing your running activities can pose a significant security risk, especially in sensitive locations like a secret base in Helmand Province, Afghanistan. In such cases, soldiers who track their running activities inadvertently disclose the position of the secret base to other Strava users.  

Routes publicly shared by fitness apps users often start directly from their homes

The situation worsens due to the failure to learn from these past incidents. Despite Strava's efforts to anonymize the start and end of activities, there remains a security vulnerability that allowed suspicious individuals to identify and monitor security personnel working at secretive bases in Israel several years after the Afghanistan incident. The flaw allowed users to gain access to the identities and previous routes of others in the vicinity, despite having the most stringent privacy settings. Approximately 100 individuals who engaged in physical activity at six Israeli bases had their information visible as a result.  

Mind your privacy  

After examining the criminal exploitation of data obtained through a basic fitness application, various conclusions can be drawn. Those who oppose sports may advocate for discontinuing physical activity altogether. Individuals concerned about privacy and social interaction may advocate for ceasing the sharing of personal fitness data. Purists may suggest focusing solely on running without becoming overly reliant on metrics and data tracking.  

However, what if your intention is solely to share your progress with friends in order to receive positive social support that helps you stay motivated in your training goals? How can you track your fitness progress while still maintaining your desired level of privacy? Additionally, if you work with Big Data, what recommendations can you offer users to safeguard their privacy?  

Cybersecurity is not a question of “if” but rather “when” organizations will face attacks

The era of people being fearful about using their credit cards online is definitely in the past. In fact, nowadays, making payments through a mobile device with facial recognition technology is even safer than using a physical card. However, as one problem gets resolved, a new one inevitably arises. In 2017, Katherine Kearns from NCC Group issued a warning, emphasizing that cybersecurity was not a question of "if" but rather "when" organizations would face attacks.  

Prior to my time at ESADE, I was employed at Telefonica, and I vividly recall being in a meeting with Telefonica CEO Jose Maria Alvarez-Pallete on May 12, 2017, when news of the Wannacry ransomware attack broke. This attack had a widespread impact, affecting 230,000 computers and numerous companies across various countries.  

Although Telefonica experienced some impact, it was not as severe as the repercussions witnessed by the UK NHS National Health System, which suffered disruptions to its computers, MRI scanners, and blood-storage refrigerators. Thankfully, this incident served as a catalyst for improving the security measures and resilience of companies, enabling them to defend against such attacks while maintaining their operations.  

However, as demonstrated by the emergence of new tactics like Wannacry, both large-scale criminal activities and small-scale user vulnerabilities persist. Therefore, it is crucial to remain conscious of the information we disclose in the digital realm and understand the potential risks associated with sharing our digital data.  

Voluntarily overexposed

The mere act of browsing through your social media profiles can result in the misuse of your data. As evidenced by a 2018 survey conducted by CareerBuilder, more than 50 per cent of employers encountered content on social media that dissuaded them from considering certain candidates for employment. Furthermore, approximately 70 per cent of employers employ social media platforms to assess potential hires, and around 43 per cent utilize social media to keep tabs on their current employees.  

These findings serve as compelling proof of the substantial impact that our digital footprints from online activities have on our everyday lives. Furthermore, on a deeper level, the utilization of social media implies that individuals' attempts to present themselves in an edited manner and seek validation from their peers are driven by underlying feelings of low self-esteem and insecurity. This creates a harmful cycle wherein insecurity reduces the likelihood of being hired, consequently amplifying the existing insecurity due to limited job prospects.  

Overexposing yourself on social media can seriously harm your chances of being hired

As someone who abstains from using social media platforms, including WhatsApp, and only maintains a LinkedIn profile for professional purposes, I find myself in a dilemma. While I prefer not to engage extensively online, I realize the importance of sharing information and participating in social interactions. It feels similar to attending a party and remaining silent, which could lead others to avoid me. In order to establish an identity and foster social connections, having some online presence becomes necessary. It would raise suspicions, even regarding my PhD title, if my students were to search for my name online and find no information.  

Maintain your privacy and approach sharing personal information with a touch of skepticism, even if you have nothing to hide. This advice holds true especially when it comes to divulging details about your daily life, including activities such as running and socializing.  

I would like to express my gratitude to Rocco Cirací for generously sharing his ideas and content both during our class sessions and online, as they served as a catalyst for the creation of this article.