In the wake of the Strava heat map fiasco, many fitness tracking app providers are likely now reviewing their own user privacy-setting protocols. If they are smart, they are also reviewing their data security systems, designed to protect their users’ personal data and information.
The Strava case, which resulted in the exposing of U.S. military base locations around the world, showed that many sides might be to blame for releasing too much information on the app. But the Strava story also brings up some tough questions about how much information users really should be revealing, and also how safe these companies are keeping that information.
One fitness app, Runkeeper, which, like Strava, allows users to track their runs via GPS and measure their progress over time, already has certain precautions in place to protect its users’ sensitive location information from unwanted view. “When you create an account with Runkeeper, the location information defaults to ‘in-app friends’ only,” said Erica Bellinger, consumer P.R. and digital specialist at Runkeeper. “The user can then choose to keep it that way, or make it public (i.e., viewable to everyone) or keep it completely private in the activity settings tab of the app,” she said. “We treat location data as private unless the user has specifically selected the public setting.”
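The secure-default model Runkeeper describes (friends-only on account creation, public only after an explicit opt-in) is worth seeing as an authorization check. The Python below is an added illustration, not Runkeeper’s or Strava’s code; the `Visibility`, `Account` and `Activity` names and the sample users and coordinates are constructed for this example. It goes slightly beyond the article in two ways: it lets a single activity override the account-level setting, and it applies the same check when tracks are aggregated into a heat map, so that a non-public track never contributes to a bulk product.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Visibility(Enum):
    """Who may see the GPS track of an activity."""
    PRIVATE = "private"   # owner only
    FRIENDS = "friends"   # owner plus in-app friends
    PUBLIC = "public"     # everyone; only this level feeds aggregate maps


@dataclass
class Account:
    user_id: str
    friends: Set[str] = field(default_factory=set)
    # Secure default: a new account shares location with in-app friends only.
    # Nothing becomes public until the user explicitly changes this setting.
    location_visibility: Visibility = Visibility.FRIENDS


@dataclass
class Activity:
    activity_id: str
    owner_id: str
    track: List[Tuple[float, float]]           # (lat, lon) points
    visibility: Optional[Visibility] = None    # None = inherit the account setting


def effective_visibility(activity: Activity, accounts: Dict[str, Account]) -> Visibility:
    """A per-activity override wins; otherwise the account-level setting applies."""
    if activity.visibility is not None:
        return activity.visibility
    return accounts[activity.owner_id].location_visibility


def can_view_track(viewer_id: str, activity: Activity, accounts: Dict[str, Account]) -> bool:
    """Authorization check for showing one activity's GPS track to a viewer."""
    owner = accounts[activity.owner_id]
    if viewer_id == owner.user_id:
        return True
    level = effective_visibility(activity, accounts)
    if level is Visibility.PUBLIC:
        return True
    if level is Visibility.FRIENDS:
        return viewer_id in owner.friends
    return False  # PRIVATE, or any value we did not anticipate, fails closed


def heatmap_points(activities: List[Activity], accounts: Dict[str, Account]) -> List[Tuple[float, float]]:
    """Aggregate tracks for a public heat map.

    The setting is enforced per activity at aggregation time, so a track the
    user kept private or friends-only never contributes, even in bulk.
    """
    points: List[Tuple[float, float]] = []
    for act in activities:
        if effective_visibility(act, accounts) is Visibility.PUBLIC:
            points.extend(act.track)
    return points


def build_sample():
    """Constructed sample data (hypothetical users and coordinates)."""
    accounts = {
        "alice": Account("alice", friends={"bob"}),                      # keeps the default
        "carol": Account("carol", location_visibility=Visibility.PUBLIC),
    }
    activities = [
        Activity("a1", "alice", [(51.5, -0.12), (51.51, -0.13)]),
        Activity("a2", "carol", [(48.85, 2.35)]),
        Activity("a3", "carol", [(48.86, 2.36)], visibility=Visibility.PRIVATE),
    ]
    return accounts, activities


if __name__ == "__main__":
    accounts, activities = build_sample()
    for viewer in ("alice", "bob", "dave"):
        print(viewer, [can_view_track(viewer, a, accounts) for a in activities])
    print("heat map points:", heatmap_points(activities, accounts))
```

The design point is that the check lives in one function used by both the single-activity view and the aggregate map, and that anything other than an explicit `PUBLIC` is treated as not shareable. A heat map that consults a different code path, or that treats "not private" as "public", is the kind of gap that turns individually harmless settings into a disclosure.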
The problem, however, is that these days no shared information is ever completely private. “The biggest risk these types of companies face is around their data getting lost, or someone breaking into their system and stealing the data in an unauthorized manner,” said Ken Talanian, director of software research at Evercore ISI and specialist in cybersecurity. Most companies do put best-practice security systems in place to protect their users’ information, but they are no match for high-level hackers who are determined to break through. “The biggest issue is that by using these apps you are creating data that could be used against you, or in the Strava case, against the U.S. military,” Talanian said.
While most hackers probably don’t care that you just beat your best 5K run time this morning, it’s the other information these apps may hold, such as your location each morning, your health records or your banking information that could create problems, if it were to get in the wrong hands. “It’s forcing people to think about the ramifications of sharing all this information,” said Talanian.
The recent hack into credit reporting company Equifax’s system—due to its failure to patch a software vulnerability—is another case in point. The hack led to the personally identifiable information of more than 145 million consumers being compromised, including Social Security numbers, birth dates and driver’s license numbers. “It may take a sophisticated adversary to get into a system that is even moderately protected, but when it comes to hackers in China, Russia, North Korea and Iran, they all have the capability to get into these systems,” Talanian said.
In Europe, some steps are already being taken to push companies to beef up the security of their data. In May, the General Data Protection Regulation (G.D.P.R.) will go into effect. Put forth by the European Parliament, the Council of the European Union and the European Commission, the regulation requires businesses to protect the personal data and privacy of E.U. citizens for transactions that occur within E.U. member states. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for a person’s name, address and Social Security number.
“In many ways, it puts the onus on the companies rather than the users to make sure the data is secure and safe,” said Talanian. U.S. companies operating in Europe will also have to comply with these regulations, and the price for not doing so is steep. The G.D.P.R. allows for penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
“Even though it’s an E.U. regulation, the target may be larger consumer-facing companies when it’s finally implemented,” said Talanian. “It’s early on, so we don’t know how it will manifest, but my guess is that you will see some multinational companies operating in Europe being fined for a data breach.”
From a security perspective, that’s a good thing. “It’s a wake-up call for folks to get a little more control over their environments, if they have not been proactive about it,” Talanian said. These days, not only do the gatherers of data need to be on high alert, but sharers need to take more control, too, looking into what type of information is being stored by apps, understanding whether that data is public and adjusting privacy settings accordingly.