Anonymity is not enough in apps

You can set your privacy settings on apps so that personal data is not shared. But even anonymous data can threaten security.

Take the case of the fitness tracking app Strava. Their website tracks exercise routes of users and plots them on a map of the world. The routes show up as bright lines; the brighter they are, the more they are used. You can’t pick out individuals on the map because they are only sharing data anonymously. They are revealing in ways that were never intended.

In this Strava map of Kamloops, you can see familiar areas of the city that where people have been exercising. There’s the downtown grid, Rayleigh, and Sun Peaks on the upper right. Some areas are a bit mysterious, like in the lower left. I went to Google Maps to see if there is a community there but couldn’t find any. Someone, or group, exercises near Chuwhels Mountain above New Gold Afton Mine. Is there a camp that I don’t know of?

 Strava map

Australian student Nathan Ruser was doing some similar browsing, comparing exercise routes on Strava to Google Maps, when he came across exercise routes around U.S. military bases in Iran, Syria and Afghanistan. The Strava map revealed much more than the Google map did: it exposed troop movements. It probably never occurred to soldiers how much they were lighting up the base.

While the locations of the military bases are not exactly top secret, the movements of soldiers could compromise the operational security. The fitness app could highlight sensitive outposts and troops’ habitual routes during military drills and patrols. Ruser, who is also an analyst for the Institute for United Conflict Analysts, tweeted:

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away (January 27, 2018)”

Air Force Colonel John Thomas, a spokesman for U.S. Central Command, told the Washington Post that the military was looking into the implications of the Strava map.

It probably didn’t occur to soldiers that they were compromising base security by simply turning on the fitness tracker. After all, none of their personal information was being shared.

This way of thinking ignores the greater good according to Arvind Narayanan, a computer scientist at Princeton University.

“This assumes that my behaviour affects my privacy,” Narayanan told CBC Radio’s Spark, “but really I think what Strava story has shown is that it’s more than that. That’s when privacy becomes a collective issue (February 2, 2018).”

The privacy settings can be confusing. Someone going out for a run doesn’t want to spend time trying to figure out which boxes to check.

Beyond the actions of individuals and their privacy settings, there is the vulnerability of big corporations.

“Strava has been in the news but there are dozens of companies sitting on sensitive data. There’s not a lot of public oversight around these super sensitive databases about billions of people,” adds Narayanan.

Why you are safe on social media

When Virginia Champoux’s husband received a lung transplant, her social media usage jumped. “Facebook became her daily – often hourly – outlet for sharing the agonizing, surreal, and occasionally funny details of Jay’s struggle to survive,” writes Jonathan Kay in Walrus magazine (June, 2016).

FB privacy

She wrote about her husband’s struggle to live; the psychotic response to his medication; his penchant for ordering odd products online; his fight to digest solid foods. It seems there was nothing she wouldn’t share.

At first glance, Champoux seems to be a poster child for reckless social media. Not so. “I am meticulous in following certain rules. In general, my children are referred to by initials –never their full names. If I post pictures, they are only visible to my friends –never public. And I always ask other parents’ permission if I post a picture of their own children,” said the Montreal native.

More than that, she has carefully made Facebook lists which specify the breadth of her circles. Lists such as “Cancer” (only those who have suffered from it), “work,” “French” (some francophones are offended by her English posts), “close friends,” “B-list,” “D-list,” and the ultra elite “VVIP” list which is limited to the eight most important people in her life.

I was curious about what she shared publically on her Facebook site. So I looked her up (she was the only one listed). Sure enough, there are videos of Jay walking with a tree of IV bags and posts from the day of his death. I felt a bit voyeuristic but I wanted to see if Champoux had changed or deleted any of the posts since being featured in a national magazine. As far as I could tell, they were all there.

Not everyone would be so willing to share the most painful moments of their lives but that’s the point: for some grieving is private matter, for others it’s cathartic.

Privacy means “the right to be left alone.” That right has never been more challenged with the advent of technology and social media where the greatest volume personal thoughts are shared. It’s been a struggle. In 2011, Facebook was accused of deceiving users by leading us to believe that they were protecting our privacy while allowing access to our lives to third-party software developers.

Facebook responded by tightening security to allow as much or as little public access to your posts as you wish. The problem is that most people don’t use the privacy settings that Facebook provides –all the while complaining about loss of privacy.

Social media users have not kept up with the changes. Instead, they worry. According to a poll done in 2015, 64 per cent of Canadians are worried about how corporations treat their personal data. Of that group, only 13 per cent feel they have total control of their information.

Social media corporations respond to complaints because it’s in their best interest, Kay concludes. “The most remarkable aspect of this privacy revolution is that it is being powered primarily not by new laws, but by corporations acting in their own economic self-interest.”