Strava Heatmaps: When anonymous data isn’t so anonymous

Data privacy is a complex challenge for everyone—users, companies, and even governments. And, that’s the case of Strava’s heatmaps which resurfaced recently after Le Monde reported that the app inadvertently exposed sensitive information about world leaders.

Turns out that Macron's bodyguards (as well as other world leaders) used the app to upload their workout results, revealing their locations and consequently, the locations of the people they are protecting.

While this is concerning enough, it also ties back to a well-known data privacy issue: Strava’s 2017 heatmap, which revealed the locations of military bases in Afghanistan and other regions.

This story highlights how even “anonymous” data isn’t always truly anonymous.

Let’s break down what happened, why it’s significant, and what lessons companies and users can learn from it.

How did Strava’s heatmap work?

The heatmap feature aggregated GPS data from Strava users to showcase the most popular workout routes globally. At first glance, it seems harmless. The data is anonymised, meaning individual user names aren’t directly shared.

But here’s the twist: anonymity can often be misleading. Just by examining the heatmap, one can zoom in on a specific segment and view a leaderboard for that route, complete with usernames. With additional publicly available data (like Facebook or IG posts), identifying individuals may become surprisingly easy.

This issue underscores a key question: When is data truly anonymous?

Why “anonymised” data can still be risky

Under the GDPR, anonymised data is no longer subject to strict processing rules. However, determining whether data is genuinely anonymous is a real challenge.

It’s not just about removing names or identifiers; it’s about ensuring that the data cannot be cross-referenced with other information to re-identify individuals.

Needless to say that this is incredibly hard to guarantee. To ensure that you (as a startup or company) must carefully assess:

1. The risk of re-identification: Could someone combine the dataset with other public or private data to single out individuals?
2. The size of the dataset: Small sample sizes make it easier to identify individuals, especially when combined with additional context.

The challenge lies in determining when data is truly anonymous.

Even if names or direct identifiers are removed, companies must consider whether their data could be cross-referenced with other publicly available datasets to re-identify individuals. This is where things get tricky.

For businesses, it’s incredibly hard—if not impossible—to guarantee that no external dataset exists that could make re-identification possible. This is why companies should focus on publishing aggregated data and conducting thorough anonymisation assessments. These assessments estimate the risk of re-identification and help ensure privacy safeguards are in place. 🛡️

In Strava’s case, re-identifying individuals didn’t require much effort. By selecting a segment on the heatmap, anyone could access the “leaderboard” for that route, which displayed usernames. Combining this with publicly shared social media posts and pinpointing individuals became surprisingly easy.

This risk becomes even greater when datasets have small sample sizes, making individuals in certain areas more identifiable.

Did Strava do anything wrong? It’s hard to say. The heatmap was released in 2017 before GDPR came into force, so the regulatory landscape was different - with small cohorts and accessible leaderboards, the risk of re-identification was clear.

And opened a potential national security issue for the US.

The big question: Did Strava do anything wrong?

Determining whether Strava violated privacy standards is tricky.

First, the heatmap was released in 2017—before the GDPR came into effect. Back then, the rules were less stringent, and companies weren’t as aware of privacy risks as they are now.

However, the case highlights the importance of foresight. Strava could have mitigated risks by implementing stricter anonymisation practices and larger cohort sizes.

In today’s regulatory environment, such oversights could lead to significant penalties and reputational damage (aka you may lose tons of customers and close your business).

Lessons for companies and app providers

Strava’s heatmap mishap offers valuable lessons for businesses handling user data. Here’s what companies should consider to avoid similar pitfalls:

1. Understand that anonymisation is still data processing ⚙️

Anonymising data requires a valid legal basis. It’s not a loophole that exempts companies from GDPR compliance. Sensitive data, like location information, often requires additional scrutiny. For features like heatmaps, offering an opt-in or opt-out mechanism ensures user consent and transparency.

2. Use aggregated data and large cohorts 📊

Publishing data from small samples increases the risk of re-identification. Ensure cohort sizes are large enough to obscure individual contributions. Otherwise, aggregation and randomisation fail, and users can be singled out.

3. Conduct and document an anonymisation assessment 📝

Before publishing any dataset, conduct a formal anonymisation assessment. This includes evaluating the likelihood of re-identification and the safeguards in place. Should a data breach occur, this documentation will be critical for defending your practices.

4. Train your team on data security 🛡️

Data privacy isn’t just about technology; it’s about people, too. Ensure employees are trained to understand privacy risks, especially if your organization handles sensitive information.

Strava’s case serves as a reminder that even well-intentioned features can backfire without proper safeguards.

Lessons for users: protecting your privacy

While companies bear the primary responsibility for data protection, users also play a role in safeguarding their own information. Here are some tips:

1. Be mindful of what you share online 🌍

Think twice before sharing location-based data publicly. Does everyone need to see it, or would sharing it with close friends suffice? Adjust your app settings accordingly.

2. Pay attention to privacy policy updates 📩

We know—nobody reads privacy policies. But when you receive an email about changes, take a moment to look for expert analyses online. These updates can include new data-sharing practices that impact your privacy.

3. Consider work-related privacy risks 💼

When travelling for business or working on sensitive projects, be extra cautious about sharing location or activity data. Your information could inadvertently expose organizational vulnerabilities.

By staying informed and proactive, users can better navigate the complex landscape of data privacy.

Conclusion: Navigating the challenges of data privacy 🚀

The Strava heatmap saga shows just how challenging data privacy can be. Even anonymised data can become a liability if not handled carefully.

For companies, this means prioritizing robust anonymisation assessments, transparent user consent mechanisms, and comprehensive staff training. For users, it’s about staying vigilant and mindful of the information we share online.

Need help figuring it out? We’re here to help! 🙋

Chino.io is the one-stop shop for solving all privacy and security compliance aspects. As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.