WASHINGTON – U.S. Senators Chris Coons (D-Del.) and Jeff Flake (R-Ariz.), co-chairs of the Judiciary Subcommittee on Privacy, Technology, and the Law, sent a letter to James Quarles, CEO of the fitness app Strava, regarding Strava’s privacy and data-security practices. Their letter comes after an Australian student and analyst confirmed that anyone with internet service could utilize the fitness app to locate users, including those at known and unknown U.S. military bases around the world.
The full letter can be found below:
Mr. James Quarles
Chief Executive Officer
500 3rd Street #110
San Francisco, CA 94107
February 14, 2018
Dear Mr. Quarles:
We write regarding Strava’s privacy and data-security practices in light of recent news reports indicating that the company publicly shares personal consumer data that may put its users at risk.
Strava collects geo-location information from personal fitness trackers and from its downloadable mobile app to reveal a user’s workout history, location, and movements. It then matches that information with biographical information, such as a user’s first and last name and profile picture, and makes all of it available to other app users.
Since November 2017, the company has shared online a comprehensive “heat map” of its users’ movements over the past two years. The heat map is available not only to other app users, but to the general public on the Internet. While Strava has explained that the heat map contains aggregated and anonymized location information, the data posted can be easily cross-referenced with other publicly available information to identify individual users. This information could jeopardize users’ personal safety in various ways, including revealing a user’s daily activities, frequented locations, and sensitive health information. The implications of making this information widely available could even impact national security by revealing the whereabouts of sensitive locations.
The increasing popularity of fitness tracking devices and other wearable technologies raises questions about the types of data they collect, store, and share, and the degree to which consumers control their personal information. Companies, like Strava, that offer services through these devices and technologies must address these concerns by following industry standards regarding privacy protection and by prioritizing data security within their corporate culture.
Unfortunately, it seems that Strava has failed to demonstrate that it takes these concerns seriously. In particular, Strava’s fitness app makes it very difficult to opt out of unwanted data-sharing. While the app’s services offer useful information to the user, it seems that many consumers are either confused by Strava’s opt-out provisions or simply unaware of what information is being tracked. To be meaningful, privacy terms and opt-out privacy requirements must be clear and understandable.
On January 29, 2018, you issued a response to questions of public safety associated with the heat map. Specifically, you stated: “In building [the fitness app], we respected activity and profile privacy selections, including the ability to opt out of heatmaps altogether… Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.”
You also included a list of action items that Strava is undertaking in response to what it has learned. These include “reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent,” “increas[ing] awareness of [Strava’s] privacy and safety tools,” and “simplifying [Strava’s] privacy and safety features to ensure [users] know how to control [their] own data.”
As Chairman and Ranking Member of the Judiciary Subcommittee on Privacy, Technology and the Law, we have a longstanding interest in the privacy and security of consumers’ personal data, including information collected by wearable, geo-location tracking technology.
We therefore request that Strava provide answers to the following questions:
We appreciate your prompt attention to this matter.