Running Circles Around Security – When Your Fitness Tracker Knows Too Much

How safe is your fitness tracker?

Strava, the fitness app beloved by runners and cyclists worldwide (over 125 million active users), has become a surprising security risk for military personnel and the protective teams of high-profile leaders.
Known for its social sharing features and expansive activity maps, Strava’s reach has inadvertently exposed sensitive locations and patterns, from military bases to the daily routines of security personnel guarding figures like Emmanuel Macron and Joe Biden.
Which is weird, because at the heart of Strava’s appeal is its ability to create a community for fitness enthusiasts willing to share this kind of data.
Users can track their exercise metrics, compare their progress with friends, and establish public routes.
Still, these same features reveal user locations and routines, creating a potential security breach when used by individuals in sensitive roles.

How did this all happen?

A striking example surfaced when an Australian student observed “glowing trails” over the Syrian desert on Strava’s activity map.
Further investigation revealed these trails represented routes frequently taken by military personnel, inadvertently highlighting the presence and layout of military installations.
More recently, Le Monde took these concerns to another level, noting that the bodyguards of global leaders are identifiable through their public posts on Strava.
The Pentagon and France’s Ministry of Armed Forces have down-played these risks, yet for years, fitness enthusiasts in sensitive positions have continued to share their activity publicly, despite protocols advising otherwise.

Who is responsible for privacy in this case?

Strava, on its end, has pledged to simplify privacy settings, but ultimately shifts responsibility to users, emphasizing that only publicly shared data appears on their maps.
This situation reveals a regulatory paradox regarding consumer data and location privacy.
Fitness apps like Strava generate revenue by collecting user data and often selling it to third parties, leaving sensitive information vulnerable to exploitation.
While consumers agree to data-sharing terms, they rarely understand the full implications, especially in professions requiring discretion.
The lack of government oversight around how apps manage and share location data has raised alarms among cybersecurity experts, who argue for stricter regulations to protect users from unintended exposure.
For the military and security agencies, the risks are complex.

Banning personal devices entirely might be unrealistic, highlighting the need for a balanced approach to safety and convenience.

Digital culture’s boundaries between public and private data are eroding.
Apps like Strava, initially designed for convenience and social sharing, now blur the lines of personal security.
The constant location tracking, while attractive to fitness buffs, exposes vulnerabilities that might not be fully appreciated until they’re exploited (like when might be a good time to rob your home).

For most users, this is a benign choice.

Strava’s security challenges are a reminder that digital tools enhance connectivity and community, but always require a level of awareness and caution – especially when personal safety and national security intersect.

Ultimately, for those in high-stakes roles, privacy settings alone may no longer be enough.

This is what Justine McIntyre and I discussed on CJAD 800 AM. Listen in right here.

Before you go… ThinkersOne is a new way for organizations to buy bite-sized and personalized thought leadership video content (live and recorded) from the best Thinkers in the world. If you’re looking to add excitement and big smarts to your meetings, corporate events, company off-sites, “lunch & learns” and beyond, check it out.