Now that the dust has settled a bit on the Strava heatmap privacy story, what lessons can we learn? I was interviewed about this on CBC radio. Here are the highlights. cbc.ca/radio/spark/38…
If we’re worried about state actors getting this information, they’re not limited to looking at public websites. Dozens of companies have incredibly sensitive, fine-grained location data on millions of individuals. These are juicy targets for coercion or hacking.
The Strava heatmap is a symptom of a bigger problem. Let’s use it as a trigger for a conversation about the deeper issues that it hints at, one of which is the lack of public oversight of how companies collect and use sensitive data.
When data is taken out of context, when data from multiple users is combined, and when algorithms process data to infer facts that aren’t directly disclosed, privacy issues are exacerbated.
Tech companies frame privacy as an issue for individual users to figure out. For example, Strava’s response has been to point people to the site's privacy controls and opt-outs. But of course that doesn’t solve the problem, because everyone’s behavior affects everyone else.
Zeynep Tufekci argues powerfully that privacy is better thought of as a public good like air quality or safe drinking water. The framing of privacy in terms of individual negotiation breaks down here (and in many, many other cases).
Besides, Strava’s privacy controls can be confusing. For example, "Privacy Zones" allow you to hide your activities that lie in a circle around your house. But if I grey out a circle around my house, isn’t my house just the center of that circle?! So haven’t I revealed it anyway?
Maybe not, but the point is, I couldn’t figure it out. And I’m supposed to be a privacy expert. The typical user, who might be a runner excited about sharing their routes fellow athletes, isn’t invested in mastering these privacy features and their implications.
Many Strava users use fake names. Can they be de-anonymized by cross-referencing their location traces with profiles on other social media platforms? This kind of question is the topic of research papers. It just isn’t reasonable to expect users to figure it out.
Strava first released the heatmap in 2014. In Nov 2017 they released an updated, more detailed version. But it was a chance finding by @Nrg8000 a week ago that made this a major story. That makes me wonder: how many other such privacy fails have we never heard about?
On the other hand, wouldn’t it be great if there were organizations with the resources and the incentives to systematically analyze products for privacy impact, and alert the public when there is a screw-up?
In a previous thread I discussed why this isn’t happening in the context of third-party online tracking. But it's a broad problem. We need more tech-focused public interest organizations.
The wrong lesson here is that companies shouldn’t release products like the Strava heatmap because of the potential PR backlash. The right lesson is that privacy should be integrated into every stage of the product design, and involves a lot more than anonymity and opt-out.
Finally, and most importantly, I should take voice training lessons or something to learn to speak more like the radio host, @nora3000... I sound like a robot in comparison 😃
