Anonymity is not enough in apps

You can set your privacy settings on apps so that personal data is not shared. But even anonymous data can threaten security.

Take the case of the fitness tracking app Strava. Their website tracks exercise routes of users and plots them on a map of the world. The routes show up as bright lines; the brighter they are, the more they are used. You can’t pick out individuals on the map because they are only sharing data anonymously. They are revealing in ways that were never intended.

In this Strava map of Kamloops, you can see familiar areas of the city that where people have been exercising. There’s the downtown grid, Rayleigh, and Sun Peaks on the upper right. Some areas are a bit mysterious, like in the lower left. I went to Google Maps to see if there is a community there but couldn’t find any. Someone, or group, exercises near Chuwhels Mountain above New Gold Afton Mine. Is there a camp that I don’t know of?

 Strava map

Australian student Nathan Ruser was doing some similar browsing, comparing exercise routes on Strava to Google Maps, when he came across exercise routes around U.S. military bases in Iran, Syria and Afghanistan. The Strava map revealed much more than the Google map did: it exposed troop movements. It probably never occurred to soldiers how much they were lighting up the base.

While the locations of the military bases are not exactly top secret, the movements of soldiers could compromise the operational security. The fitness app could highlight sensitive outposts and troops’ habitual routes during military drills and patrols. Ruser, who is also an analyst for the Institute for United Conflict Analysts, tweeted:

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away (January 27, 2018)”

Air Force Colonel John Thomas, a spokesman for U.S. Central Command, told the Washington Post that the military was looking into the implications of the Strava map.

It probably didn’t occur to soldiers that they were compromising base security by simply turning on the fitness tracker. After all, none of their personal information was being shared.

This way of thinking ignores the greater good according to Arvind Narayanan, a computer scientist at Princeton University.

“This assumes that my behaviour affects my privacy,” Narayanan told CBC Radio’s Spark, “but really I think what Strava story has shown is that it’s more than that. That’s when privacy becomes a collective issue (February 2, 2018).”

The privacy settings can be confusing. Someone going out for a run doesn’t want to spend time trying to figure out which boxes to check.

Beyond the actions of individuals and their privacy settings, there is the vulnerability of big corporations.

“Strava has been in the news but there are dozens of companies sitting on sensitive data. There’s not a lot of public oversight around these super sensitive databases about billions of people,” adds Narayanan.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.