WASHINGTON – U.S. Senators Chris Coons (D-Del.) and Jeff Flake (R-Ariz.), co-chairs of the Judiciary Subcommittee on Privacy, Technology, and the Law, sent a letter to James Quarles, CEO of the fitness app Strava, regarding Strava’s privacy and data-security practices. Their letter comes after an Australian student and analyst confirmed that anyone with internet service could utilize the fitness app to locate users, including those at known and unknown U.S. military bases around the world. 

The full letter can be found below:

Mr. James Quarles

Chief Executive Officer

Strava, Inc. 

500 3rd Street #110

San Francisco, CA 94107

February 14, 2018

Dear Mr. Quarles:

We write regarding Strava’s privacy and data-security practices in light of recent news reports indicating that the company publicly shares personal consumer data that may put its users at risk. 

Strava collects geo-location information from personal fitness trackers and from its downloadable mobile app to reveal a user’s workout history, location, and movements. It then matches that information with biographical information, such as a user’s first and last name and profile picture, and makes all of it available to other app users.

Since November 2017, the company has shared online a comprehensive “heat map” of its users’ movements over the past two years. The heat map is available not only to other app users, but to the general public on the Internet. While Strava has explained that the heat map contains aggregated and anonymized location information, the data posted can be easily cross-referenced with other publicly available information to identify individual users. This information could jeopardize users’ personal safety in various ways, including revealing a user’s daily activities, frequented locations, and sensitive health information. The implications of making this information widely available could even impact national security by revealing the whereabouts of sensitive locations.  

The increasing popularity of fitness tracking devices and other wearable technologies raises questions about the types of data they collect, store, and share, and the degree to which consumers control their personal information. Companies, like Strava, that offer services through these devices and technologies must address these concerns by following industry standards regarding privacy protection and by prioritizing data security within their corporate culture. 

Unfortunately, it seems that Strava has failed to demonstrate that it takes these concerns seriously. In particular, Strava’s fitness app makes it very difficult to opt out of unwanted data-sharing.  While the app’s services offer useful information to the user, it seems that many consumers are either confused by Strava’s opt-out provisions or simply unaware of what information is being tracked. To be meaningful, privacy terms and opt-out privacy requirements must be clear and understandable.  

On January 29, 2018, you issued a response to questions of public safety associated with the heat map. Specifically, you stated: “In building [the fitness app], we respected activity and profile privacy selections, including the ability to opt out of heatmaps altogether… Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.” 

You also included a list of action items that Strava is undertaking in response to what it has learned. These include “reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent,” “increas[ing] awareness of [Strava’s] privacy and safety tools,” and “simplifying [Strava’s] privacy and safety features to ensure [users] know how to control [their] own data.”

As Chairman and Ranking Member of the Judiciary Subcommittee on Privacy, Technology and the Law, we have a longstanding interest in the privacy and security of consumers’ personal data, including information collected by wearable, geo-location tracking technology.   

We therefore request that Strava provide answers to the following questions:

  1. Please identify Strava’s privacy terms and policies for use of its fitness tracking application as communicated to the consumer at the time of purchase or download.
  2. Please provide a comprehensive list of the actions Strava took while creating and maintaining its fitness tracking app that “respected activity and profile privacy selections” of its users.
  3. In light of Strava’s commitment to “understand [its] responsibility related to the data [users] share with [it],” please describe how Strava collects, stores, and shares consumer data.
     1. To what extent does Strava’s business model rely on collecting and sharing data with third-party GPS location service providers?
     2. To what extent does Strava’s business model rely on collecting and sharing data with device manufacturers or software application developers?
     3. What protections, if any, does Strava have in place to protect the data it collects, stores, and shares?
  4. Is Strava’s fitness tracking app able to operate without a third-party GPS location service provider?
     1. If so, does Strava operate its own GPS location service?
     2. If not, please identify any and all third-party GPS location service providers that Strava uses to maintain its fitness tracking app.
  5. What steps, if any, has Strava taken in fulfilling its commitment to implement the following relevant action items:
     1. Reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent;
     2. Increasing public awareness of the company’s privacy and safety tools; and
     3. Simplifying the company’s privacy and safety features to ensure consumers know how to control their data.
  6. Please describe the different privacy settings Strava currently offers to consumers who use its fitness tracking app, including the actions the user must take to opt out of each data-sharing opportunity and the information that is made public under each setting.

We appreciate your prompt attention to this matter.