How Strava Could Get A President Killed

Strava, the beloved app among runners, cyclists, and endurance athletes alike, has skyrocketed in popularity over the last few years (we have the current running boom to blame for that). The app is renowned for kudos, community, and “Strava or it didn’t happen,” but despite the thrill of getting on a segment leaderboard, or even a crown, Strava doesn’t come without its downfalls.

The app’s most significant red flag? Safety… or lack thereof.

More recently, Strava has come under fire for a number of gaps in their safety features. At first thought, it may be a bit hard to think what could be so wrong with such a harmless app for runners to share their daily jaunts. Here, we’ve outlined the main safety issues raised over Strava:

1. Location Tracking and Real-Time Updates: Strava records exact GPS locations, which can expose users’ regular routes, start/stop points (often their homes), and even allow people to know when they’re out training—potentially leaving homes vulnerable.
2. Privacy Settings and Public Data: Even though Strava has privacy settings, they’re not always straightforward. If users don’t adjust these settings carefully, their routes, locations, and times can be viewed by the public or anyone within their network. Some segments can still be visible in public leaderboards, regardless of settings.
3. Segment Competition: The platform encourages users to compete on public segments, which can push some to prioritize speed or performance over safe behavior, especially on segments located in high-traffic areas, steep descents, or other risky spots.
4. Heatmaps and Aggregated Data: Strava’s heatmaps aggregate public activity data and display popular routes globally. While it’s anonymized, it has revealed the presence of people in sensitive or secure locations, even military bases. This creates a safety and privacy risk for users in high-security environments.
5. Geotagged Photos and Other Media: If users share photos or videos with geotags, this can reveal their exact location at specific times. Depending on privacy settings, this can be visible to friends, followers, or the public.
6. Inadvertent Group Identification: Strava can identify if someone was running or cycling with other users and may display this information publicly, creating unintended group visibility, which can compromise individual privacy, especially if the individuals were training together without intending to reveal that association.
7. Security Vulnerabilities: If users connect Strava to other third-party apps, they might inadvertently allow additional tracking and data sharing that could compromise their privacy further.

Now these security risks aren’t just limited to everyday Joe’s like you and me. The safety issues found within the Strava app have had wide-reaching effects, even reaching as high as the military and high-profile individuals.

For years, military personnel, security teams for high-profile leaders, and intelligence agents have unwittingly revealed sensitive data through their use of the exercise app Strava. Despite the discretion required in these roles, the platform’s public activity-sharing features have repeatedly exposed personal and mission-related details, compromising the safety of these individuals and those they protect.

A recent investigation by Le Monde has brought attention to Strava’s recurring privacy issues, highlighting that security personnel for leaders like Emmanuel Macron and Vladimir Putin, as well as some U.S. presidents, can be traced on the app.

The issue first drew public concern in 2018 when Strava released an “activity map” that visualized users’ workout routes globally. The map’s brightly lit paths indicated popular exercise routes in urban areas but revealed more concerning patterns in remote regions like the Syrian desert. This anomaly was due to military personnel unintentionally making their movements visible to anyone viewing the map, effectively disclosing the presence and layout of global military installations.

As military bodies reacted, including the Pentagon and France’s Ministry of the Armed Forces, Strava put the responsibility on users, pointing out that only publicly shared activities appeared on the map. The app promised to improve privacy settings to help users control what they share.

Subsequent investigations by Le Canard enchaîné and Le Télégramme uncovered even more alarming findings. Without the need for the anonymous activity map, it became possible to identify intelligence agents and soldiers by name on Strava, including those from the DGSE (French foreign intelligence) and DGSI (domestic intelligence).

Analysis of publicly available user profiles has allowed people to track personnel stationed at sensitive sites like the Ile Longue nuclear submarine base, revealing not only their routines but also personal details such as home addresses, regular habits, and even, on some occasions, information about family members accompanying them on workouts.