#BlackLivesMatter Support the Equal Justice Initiative.

Big Leaky Data, Strava and Me

Monday, January 29th 2018

I’ve been working on a project lately that makes use of Strava’s API for tracking and recording your workouts. The project is called Routey lets you create high-quality prints of your runs and activities. If you’re a runner, or know a serious runner, I’d suggest giving it a look. They make great gifts!

When I saw Strava pop up in my Google News feed yesterday my first thought was it must’ve been algorithmically catering the stories based on my search history, scouring their API documentation and other things. It turns out it was not! They were legitimately in the news for an interesting reason: someone figured out you can track the habits of military personnel and suss out the location of military bases by playing with their heatmap feature.

The old adage is that no press is bad press, but I feel a bit bad for Strava in this case with the ensuing conversation that’s emerged. Most articles I’ve read correctly absolve Strava of fault here, but it’s probably not the kind of press their marketing team would intentionally seek.

This got me thinking about the way big data leaks our evolving concept of privacy. I made a quick list off the top of my head of some of the privacy-compromising ways our data can leak:

  • Strava accidentally reveals the locations of bases and patterns of troops.
  • Twitter will let you see the non-prviate half of a conversation with a private account.
  • This is old, but G Suite (back when it was Google Apps) used to show the number of users using Google Apps at a particular account if you tried to sign up for the service with a domain that was already using it. I tried this with Obama.com in 2008 during the election.
  • Reverse-image searches and facial recognition is so good now that your anonymity on dating websites is as good as gone if you reuse the same photos anywhere else.
  • GPS data is attached to the photos we take on our smartphones. Apple’s Messages (for example) removes this metadata if you send someone a photo through text, but that wasn’t always the case and won’t protect you if you upload the image or email it to someone.
  • You can use the ambient light sensor to extract browser history or (potentially) steal other data.
  • With a service like AirDrop turned on so anyone can share with you, people will see whatever name you’ve assigned to your phone and the accompanying photo you’ve given yourself.
  • Older version of the previous: You can sometimes see the names of other computers connected to the same wifi network as you. Seems less frequent these days, but was definitely common at one point.
  • Your device has a unique identifier (UUID) that gets broadcast to the entire network when it connects. Someone could watch for this ID joining and leaving the network and figure out someone’s patterns over time.
  • We advertise our names, nicknames and possible place of employment in our email address.
  • The digital home assistant market is literally putting an microphone in your home that eavesdrops on your conversations and broadcasts them to private companies. No matter how well intentioned or how many safeguards these companies put in place, it’s an invasion of privacy.
  • Slightly related to the last, regardless of what you think of them or what they say they do with the data, the companies that manage the software on our phones know our locations. Like the previous example, most are well intentioned and take steps to scrub the data or keep this from leaking,
  • Did you turn on a location sharing featured like Find my Friends with your friends and forget about it? I’ve done that.
  • If someone knows your address they can probably see what the front of your home looks like on Google Streetview. They might even be able to figure out what make or model of car you own baed on whats parked outside.
  • Old school: Foursquare location checkins were the original treasure trove of knowing where people were and when they weren’t at home. I remember articles back in 2010 talking about the privacy implications of the “check-in.”
  • I remembered this great article by Kieran Healy about hypothetically using metadata to find Paul Revere.

Some or many of these things probably seem obvious and therefore not a big deal. That our email addresses can tell other people things about us, for example, or perhaps even the privacy implications of our digital home assistants always listening to us. These things might seem like common sense to many.

But I think the obviousness of these things is relative and speaks to how we’ve changed our perspectives around what constitutes reasonable privacy. That’s going to change again gong forward, probably in drastic fashion, as things get more technologically advanced. I mean this in a completely non-fatalist way, but it’s inevitable and I think fighting it’s going to be ultimately futile. We’re sacrificing privacy for convenience of some measure, and whatever we consider “privacy” is going to lose that battle ten times out of ten.

It sounds dark, but privacy — at least as it’s defined today — is dead. Watching this change over the course of your life is a bit unsettling, but I’m not sure it can be fought. I’m not sure it needs to be fought, either. What constitutes an invasion of privacy today is going to be the norm for the next generation. We just need to stay on top of maintaining general awareness and education surrounding these things.