Strava is a hugely popular, and really nicely featured, running and cycling app. It’s my pick for the best running app, despite its flaws. But it’s always had serious privacy issues, including the one just reported by French newspaper Le Monde—it allegedly revealed the locations of world leaders via their bodyguards’ Strava accounts.
The data goes beyond “the President is in Washington, D.C.” or “the President is in the White House.” Le Monde reports that it found “hotels and meeting places, often undisclosed to the public,” and noticed Vladimir Putin’s bodyguards frequenting the areas around two mansions that Putin has denied are his. The data also pointed to the whereabouts of Melania Trump, Jill Biden, and secret service agents working at the location of Donald Trump’s two recent assassination attempts.
How Strava reveals users’ locations
Strava has an extensive set of mapping tools, which are powered by the data in its global heatmap. This is basically a map of the world with people’s running and cycling routes highlighted. If you, personally, right now, go out for a jog around the block, and track it with Strava (or with an app that syncs to Strava), the roads you jogged on get a little bit brighter on that heatmap.
You can see the global heatmap here, although you’ll need a premium Strava subscription to view street-level data. (And, yes, it’s little bit fucked up that free users can add to the heatmap but not be able to see how their own data shows up to the world.)
The heatmap (and other location-based data, like Segments) aren’t very intrusive if you’re looking at a popular park or trail. But zoom out to the countryside, or the suburbs, and you’ll notice some bright roads on the heatmap in very specific places. A loop around a certain housing development, or a military base.
And how does that reveal the whereabouts of a specific, named person? Well, it’s very similar to how I used the weekly version of the heatmap to find the name and home address of a stranger based on semi-public Strava data. In my mini investigation—which took mere minutes—I found an unpopular route, looked for Segments along that route, found a person who had run it repeatedly, and looked at that person’s other running data. Combine that Strava data with other public information (in my case, county real estate records) and pretty soon I had worked my way from a line on a map to a person’s full name and home address.
A creative investigator or stalker could come up with plenty more ways to use this data. Not everybody uses their real names or photos on Strava, but many do. And if a Strava account is always in the same place as the President, you can start to connect a few dots.
Why people use Strava anyway
Every time Strava privacy issues crop up in the news, there are people wondering why anybody wants to broadcast their location at all, or share their runs or their cycling routes. A big part of the reason is the same impulse that leads us to document our lives on TikTok or Facebook or anything else, the same reason we’ll randomly send a photo to a group chat about something cute our pet did. We like to share things with friends or people who might become friends.
In Strava’s case, there’s more. You need to share the location of your runs (or cycling routes) to compete on the leaderboards it calls Segments. A Segment is a bit of road or trail, and you can get a CR (course record) or KOM/QOM (king or queen of the mountain) recognition for being the fastest person to cover that distance. There is also a Local Legend title for the person who has done that Segment the most times in the past 90 days. You have to actually get out into the world and physically go to that location to earn your title, which many people (including myself!) find motivating.
What you can do to preserve your privacy while using Strava
Strava has tons of privacy controls—maybe too many—to allow you to decide how much information you want to keep private. While it may be tempting to lock everything down, that leaves you out of the friendly competitions you may have on Segments, and can keep friends from finding you or following your training. It’s up to you how you feel about any or all of this, so here are the settings to check.
First, to find these, go into the Strava app, select You, and tap the settings gear. Then tap Privacy Controls. Fortunately, each setting has a pretty good explanation of what it does, so read those carefully. If you’re doing this on the web interface, make sure to hit “save” after each change.
To keep your activities from adding to the global or weekly heatmaps, tap Aggregated Data Usage and turn off the toggle or checkbox that says “Contribute your activity data to de-identified, aggregate data sets.” They may be de-identified in theory, but we’ve seen that they’re not really anonymous.
To keep people from seeing your photos and personal information, restrict Profile Page to Followers. As Strava points out, “Parts of your profile page will always be publicly available.” In my tests, this seems to mean your name and profile pic.
To keep people from seeing where you run or cycle, restrict Activities to Followers or Only You. This also means you won’t be able to compete on any Segments.
To hide your house (or any other location you’d like to keep confidential), tap Map Visibility and select the option that allows you to hide the start and end of activities that occur from a specific address. You can also hide the start and end of activities no matter where they happen.
There are more privacy settings, and we have a rundown of them here.
