Strava “API” and privacy leaks.

I previously had some pages which used the Strava API to do useful things for me, the one I used most was seeing who rode climbs together, it simply used the API to see everyone who rode a segment and then tracked their start times so you could see who was riding with who. It was also really useful to see changes in time between groups in a race. ie the break started a lap 2 minutes ahead and then next lap only 1 minute.

Strava killed their previous API though, and despite an initial promise from them for me to have access to their new API if I agreed to remove their embarrasing GPX export service which revealed the private zones of peoples rides, I never got access, they just stopped emailing. (The privacy flaw was in their export, not in anything I did…).

I’m stuck here now without access to the useful features, so I’ve started looking for a replacement. I don’t have access to their new APIs, and in fact I don’t think I’d bother investing the time in them anyway, once bitten… But I started looking at the services they use to populate the pages themselves. An immediate thing hits me, their page API allows access to private activities.

Accessing private activities

Here’s a private run of mine, you won’t be able to see it, however here’s a JSON file of the exact run. So as long as you know the ID of a users ride, you can get all the info about it. It also completely ignores the privacy zones you have configured when exporting a private ride. A public version the same as the last run this has a privacy zone (it’s only hiding a sports club which is the start for these races, it’s not my house!) and you can see from exporting this one that the points within the privacy zone are reset to 0,0 rather than the actual lat/lon. Yet on the fully private activity, those same points were available, private activities actually provide more risk to revealing your location than public ones.

Private rides are just security through obscurity, and the ID’s aren’t even that obscure, don’t give Strava data that you actually want private.

Distances within privacy zones are provided

Another privacy flaw here is that while the lat/lon’s on public rides in your privacy zone are hidden, the distances you travel for each of those points in the private zone are not, so it’s a pretty easy algorithm to get back to very close to the start of your ride/run unless you do some laps inside your zone or something similar to obfuscate it. Altitude is also provided for the points within the zone, so that may reveal more for those of you who don’t live in flat lands.

Strava Lack of time?

Strava have repeatedly said their reason for not supporting old API’s or for providing access to the new API is lack of time. I guess I can now believe this, as they don’t even appear to have the time to invest in even basic honouring of their privacy assurances. I did try emailing them before publishing this, and then tried twitter but still no response.

3 Responses to “Strava “API” and privacy leaks.”

  1. Jasper Says:

    I pay Strava for their service. I also use veloviewer, and other interfaces to Strava. I won’t be paying up again next year if they don’t invest some time in the APIs. The privacy thing is another matter entirely. That is just idiotic.

  2. Maui Toa Says:

    I had brought this exact issue up (generated a ticket) a few months back regarding privacy on Strava and their API and was told they would address it in V3, which they obviously have not. Believe it or not, Strava has developed a new cadre of creeps aka Strava Stalkers and the fact that our “private” rides are up for view has me close to hitting the delete button on my account. “Blocking” riders doesn’t work as they can join a group you ride with and still follow you. WTF?
    It’s a bummer they have yet to even comply with their own privacy statement.

  3. heltonbiker Says:

    New url for streams is like this: http://app.strava.com/activities/68810829/streams

Leave a Reply