You can run, but can you hide?
Fitness enthusiasts have embraced mobile apps to track their workouts. Using GPS on a mobile phone, it is easier than ever to not only determine how far a run is, but also to log the exact route. Sharing workouts has also become popular, thanks to sites like Strava and Garmin Connect. It gives runners accountability and a sense of community, and the sites often include leaderboards. Like most social media outlets, its users have the option of who gets to see that information.
But those who post and share those routes are at a security risk, researchers at the University of Illinois at Urbana-Champaign found. Thanks to their work, however, sites like Strava and Garmin Connect are modifying their service to further protect their users.
For many runners, routes start and end at their home, so logging the route of a run makes it easy for anyone to know a runners’ home address or other private location. Realizing that fact, Strava has for some time given users a chance to blur those spots using Endpoint Privacy Zones (EPZs), which block fitness activity that occurs within a certain distance of sensitive locations like home or work places.
In theory, viewers would only know that the route started within a certain radius, but not exactly where. However, students in the lab of Adam Bates, professor of computer science, surmised that closing the loop to find the exact point was a matter of applying a little geometry.
“This attack isn’t sophisticated — it’s the kind of problem that high schoolers regularly solve in their geometry class,” Bates explained. “If I give you a couple of points that fall along the boundary of a circle and tell you what the radius of that circle is, it’s actually a simple geometry problem to find out where the center of the circle is. The center of the circle is the person’s home.”
Bates’ team, which includes Wajih Ul Hassan and Saad Hussain, investigated this issue by analyzing 23 million public Strava posts from 3 million unique users. From there, they created an algorithm to solve the geometry problem of where home base is for those 3 million people. They will present their findings at the 27th Usenix Security Symposium
Using the algorithm, the team discovered that despite using the EPZ, runners’ homes could be pinpointed within a few meters with 84 percent certainty. However, when considering only active users who had logged at least three routes per month, that certainty ballooned to 95.1 percent.
“In effect, everyone that is thinking they are protecting their home with this privacy zone mechanism is in fact still at risk of having their location broadcast to the Internet,” Bates concluded. “We spend a lot of time talking about the privacy risks of social media. The difference between fitness apps, which are effectively social networks, and what is often thought of as traditional social sites is that instead of sharing your shopping habits or what you had for dinner, you are sharing your whereabouts. This is dangerous information in the hands of someone who wants to do you harm.”
Having reached the conclusion and eager to help protect people’s privacy, Bates contacted Strava and Garmin Connect to share his team’s results and have been working with them on modifications that would better protect its customers.
Both companies are incorporating one or more additional layers of protection thanks to the Bates’ research. For instance, instead of an EPZ always being at the center of the circle, they are giving users the option of applying a random offset to that it would be equally likely that that location fell anywhere along the route.
“It’s a surprisingly elegant solution,” Bates said. “When we were talking to these companies, they were very interested and serious about addressing the problem. They have been great to work with. They were really interested in finding solutions that would keep their users safe while not affecting the user experience of the service.”
Bates warns even this fix does not completely rule out the possibility that a someone could guess a user’s location, but it does make it less likely. In fact, even when implementing the new EPZ mechanism, Bates’ team looked at the slope of entry into the EPZ and then guessed that the spot where all the slopes intersected was the user’s home location. In that scenario, they were right about 45 percent of the time.
“When considering the risk of someone entering your home, 45 percent is a world of difference compared to 95 percent,” Bates said. “Initially, we put together a pretty naïve algorithm that was based on linear interpolation. We’ve helped to mitigate this problem, but there remains an intrinsic risk in sharing location data online; I’d advise athletes to weigh these risks before they post and to take additional steps to ensure their safety – like setting your profile to ‘private’ and not posting activities that might occur in isolated or dangerous areas, especially when exercising alone.
“One of the things we are interested in going forward is the effectiveness of these new mechanisms,” he added. “The state-of-the-art isn’t perfect, so we’re planning to revisit some of these ideas now that these new privacy mechanisms have been implemented. We’re curious to see if this is something a random person just eyeballing a map could figure out or would it take a computer scientist with a PhD to do so.”