Thoughts on the Strava Heat Map and How to Secure the IoT

The topic du jour in the privacy and security space this week has been the recent news that a heat map published by the fitness tracking app provider Strava disclosed the location of secret military bases around the world. This Wired piece has all the unpleasant details. Having spent a stretch of my career working in the military cybersecurity community, I have a strong sense of how a disclosure of this nature will be concerning to many national security officials. It’s also a good opportunity to talk about "private by default," which seems to be the crux of this particular problem.


Decision makers at Strava obviously didn’t intend to divulge classified information when it published its heat map, while at the same time, the military personnel tracking their exercise routines did not intend to disclose their locations to anyone with an internet connection. The root of the problem here is that default settings on so many digital devices and apps are to share data unfettered back to the cloud, and in many cases this default is not obvious nor is it easy to change. There’s a lot of value to be had as devices generate and share data, but the lack of default privacy controls we’re seeing uncovered by events such as this is unacceptable.


The military people who used these trackers could have changed their privacy settings to opt-out, but that really should have been the default setting on their apps to begin with. Then, to share their personal data, they’d have to opt-in. To be clear, this isn’t simply a device / app issue. Especially as the growth of the IoT accelerates the number of devices pumping data back to the cloud, the potential for privacy violations will spread. Disclosing the location of military bases to the public isn’t a new thing – Google Maps with satellite imagery has been doing so for years now. What was new with the Strava incident is that the daily movements of individual soldiers or military personnel got divulged. As the IoT spreads through our homes, workplaces, cars, etc., the potential for similar incidents explodes exponentially.


For these reasons, at ForgeRock we firmly believe all IoT ecosystems need to start private (and secure) by default, and require the user actively open up permissions to share their data, not the other way around. Device and app developers should be looking for ways to strengthen the identity protections in their offerings. All digital products that collect or share information about a person should incorporate a data protection interface or dashboard that leads users to set appropriate privacy settings upon initial set up, so awareness of and control over sensitive data is established as an important factor of use from the get go. If and when the user decides to disable sharing, or revoke previously shared data, there should be an easy way to effectuate that change also.


Unfortunately, we’re likely to continue seeing these kinds of data exposure incidents as the IoT continues to build out. The good news, however, is that we’re beginning to see tools and methods to solve these challenges coming into the marketplace.