Our Apps Are Tracking Us 24 Hours a Day

The U.S. Department of Defense is evaluating further guidance on fitness trackers used in soldiers' physical fitness activities after reports of "heat maps" that can track soldiers' locations using data from the trackers were published online. U.S. Army Reserve photo by Master Sgt. Michel Sauret

You are being tracked. If you have a smartphone, if you're ever on the internet, if you've at any time punched your way through an online user agreement without thoroughly reading all 12,000 words of it, you're being tracked.

Maybe you feel a little uneasy about that. Maybe you try not to think about it. Maybe, really, you figure that it's not that big of a deal.


Maybe you ought to wake up.

"People don't know what's being given up here," says Joe Touch, who for 17 years was the director of the Postel Center for Experimental Networking at the University of Southern California's Information Sciences Institute. "People don't know what they're giving up, and they don't know what they're exposing because it doesn't come back and bite them immediately."

The latest example of people being tracked — literally tracked, as in every step — made headlines in late January 2018 when an Australian student and analyst noted that Strava, a social networking site for athletes, had perhaps unwittingly given away the movement of certain people and, by doing so, highlighted roads on U.S. military bases throughout the world. Strava published a "heatmap" last year that tracks the movement of its members; some of them, using smartphone apps or wearable fitness devices to connect to the network, work out on U.S. military installations. The White House called Strava's map a "security risk." The Pentagon already has issued warnings to its personnel.

"We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad," Army Col. Robert Manning III said in a statement.

The irony: Strava users didn't need to share all that sensitive information. They could have tracked their workouts without letting the world know.

"It is important to note that GPS (as currently deployed) is a one-way signal that is locally integrated to compute position and time. There is absolutely no reason for a GPS receiver (which all devices are) to need to 'share' that information in order to function," Touch explains in a later email. "GPS devices that display maps need to download those maps, either during manufacture (as some of the older Magellan, Garmin and other devices of that era did) or on-demand. That can expose the user's location by indicating what maps are of interest ... systems that log those entries for future use are (IMO) doing so to monetize the information, not primarily to provide a user service."

The Strava scandal, as we all know, is just one example of our personal information being compromised. It happens all the time. Whether it's hackers breaking into credit bureau Equifax last year to snag info on 143 million Americans, or the 40 million accounts hacked at Target in 2013, or the 500 million accounts breached in a Yahoo! hack in 2014, our information is out there to be had.

Sometimes, as was the case with Strava, there's nothing patently illegal about it. We often willingly, even as we don't completely understand the ramifications, hand over some of our most sensitive and valuable information. Social Security numbers. Dates of birth. Bank account numbers. Where we are. What we're doing.

The thinking from some, perhaps, is that everyone gathers information, and the chances of something truly useful being used for nefarious purposes are pretty remote. Or: What's the big deal?

"Privacy is irrecoverable," says Touch, now an independent consultant. "It is naive to believe that there is safety in numbers in exposing your individual privacy, i.e., that it is 'safe' because 'everyone else is doing it.' The danger is exactly when that assumption [becomes] incorrect."

Once it's out there, it's out there forever.


How to Keep Your Info Private

When privacy is compromised, whether it's a company knowing your every step or a hacker stealing your identity, there's usually plenty of fault to go around. Sometimes it's you just not paying close enough attention to your valuables.

"Some people are happy posting geo-tagged photos on vacation, or even blogging about their big trip while they're away — right up until they get robbed because thieves know they're out of town [see pleaserobme.com]," Touch says. "The big deal is that it's too easy to not think about the consequences until it's too late."


But sometimes — this may have been the case with Strava — you can be vigilant and still get caught with your guard down.

Those using the Strava service could have opted out of tracking (though that's kind of the point of the site) ... but it wouldn't have been easy. Going completely under the radar on Strava takes as many as seven different security steps. That's a lot to ask of anyone.

That's not unlike a lot of apps, though, which default to settings that allow the apps to gather as much information as possible rather than having the user opt in to that setting. Those 12,000-word user agreements, too, lay out the terms of what can and can't be gathered. But who reads them?

So what is Touch's main concern? What companies tell their consumers, he says. "Even if we require that they disclose what they collect (which should be legally required), they currently don't require opt-in nor are they required to have positive confirmation when they change the terms of service. If they can change the rules without consumers' active confirmation, then there is no point," Touch says in an email.

He says it's easy to tell consumers what they're giving away in terms of privacy, and to make them explicitly agree to changes in terms of service. "Make systems based on collected information stop working until we actively agree," Touch says. "Only then will we start to understand what's being taken from us."

If you don't want your personal business out there for everyone to gather, Touch has one simple rule: Don't give anyone any information that you wouldn't want on a billboard.