The Washington Post

Lawmakers demand answers about Strava ‘heat map’ revealing military sites

GPS tracking company Strava published an interactive map in Nov. 2017, showing where people have used fitness tracking devices. (Video: Patrick Martin/The Washington Post)

Congressional Democrats on Wednesday called on Strava, the maker of a popular fitness app, to explain why it published a global “heat map” online that inadvertently highlighted the locations of sensitive government facilities throughout the world by revealing the movements of millions of users.

Rep. Frank Pallone Jr. (N.J.), the top Democrat on the House Energy and Commerce Committee, demanded that Strava CEO James Quarles explain why it published the heat map, what privacy protections it offered users, how it secures data from hackers and whether the company has changed its policies since news of the heat map broke over the weekend.

“The increasing popularity of fitness trackers and other wearable technology has raised serious questions about the types of data they collect and share and the degree to which consumers control their own personal information,” said the letter, which eight committee Democrats co-signed. “The data these devices collect reveals users' precise locations, daily activities, and health information. … In this case, Strava made no attempt to secure information, and instead published location information on the Internet for anyone to see.”

Strava issued a statement Wednesday evening saying, “We’ve received a letter from the ranking member of the House Energy and Commerce Committee. We look forward to working with his staff in answering the letter’s questions.”

News reports on Strava, in The Washington Post and elsewhere, prompted a U.S. military review this week of the fitness devices and other telecommunications equipment that can broadcast the locations of users in sensitive locations. The news also underscored growing concerns about the privacy of fitness apps, as experts found ways to use the Strava app to find the names and photographs of individual users, along with the biking and jogging routes they used.

Such user data, along with military supply and convoy routes, is potentially valuable information to adversaries and those who might plan attacks on U.S. forces, experts said.

Previously, Strava has urged its users to review their privacy settings and said it was working with government and military officials to address concerns about the location of sensitive facilities.

The controversy also has highlighted concerns about ordinary users of fitness tracking devices and similar apps on smartphones, as well as the growing importance of location data generally to Silicon Valley.

Many tech companies collect the locations of their users and market this information in various ways, such as for targeting advertising to people near certain stores. Yet privacy experts say that the locations of individuals are among the most sensitive data sets, potentially showing where people live and work, and what groups or religious organizations they affiliate with. Relationships among people — including relationships that individuals may want to keep private — also can be revealed by location data.

The letter from congressional Democrats also indicates an interest in how privacy settings are established by default, meaning for users who don't alter them before using. Privacy experts have long warned that most people pay little attention to default settings and end up discovering that their data has been released only after it already has happened.

Elena Hernandez, spokeswoman for the full House committee, said, “Our Democratic colleagues did not ask us to join this letter. However, Energy and Commerce Republicans take data privacy issues seriously and will continue to closely monitor the situation with Strava.”