The Strava Leaks

Oct 17, 2025 · 1 hr 1 min

Episode description

The modern world is full of apps -- and we don't mean appetizers. Apps are tiny programs that can do countless neat, convenient things... often with a catch. As Ben, Matt and Noel discover in tonight's episode, some apps, even innocuous things for workouts and cycling, can lead to disastrous breaches of personal privacy and national security. This is the story of the Strava Leaks.

They don't want you to read our book.: https://static.macmillan.com/static/fib/stuff-you-should-read/

Transcript

Speaker 1

From UFOs to psychic powers and government conspiracies. History is riddled with unexplained events. You can turn back now or learn this stuff they don't want you to know. A production of iHeartRadio.

Speaker 2

Hello, welcome back to the show. My name is Matt, my name is Noel.

Speaker 3

They call me Ben. We're joined as always with our super producer Dylan the Tennessee pal Fagan. Most importantly, you are you. You are here. That makes this the stuff they don't want you to know. And gentlemen, the numbers came in. A lot of people are listening to the show on an app.

Speaker 2

Okay, yeah, makes sense. Sure, that's how Apple Podcasts was born once as an.

Speaker 3

iTunes. Yes, yes. And I wanted to maybe pop the top on this one by asking you guys, what is your favorite or least favorite app? Not to be confused with appetizers. We're talking about the handy little programs that do all sorts of stuff. Is a game an app? A game can be an app. Balatro. Okay, yeah, yeah, you're nuts for the Balatro. It's very good. It's a very good game. Highly recommend. Now there's some really good useful ones. You know.

Speaker 4

I found someone turned me onto a free sampleer app called sample Koala the other day, and it's just like you can record straight off your phone, put it on these little pads and then like sequence it and make all kinds of fun little beeps and boops right on your phones. I mean, apps are amazing, like they've come such a long way. And I mean I even remember in the earlier days there were some fantastic ones out there. So I'm I'm an app head, no question.

Speaker 2

What about you, Matt? L and L Hawaiian Barbecue, I don't. I just I'm looking at my phone and I'm just gonna name so your.

Speaker 3

Phone restaurant that has its own app? Or is it more like a concept?

Speaker 2

It's a it's a state of mind. Yeah no, but for real lately, one of my favorite apps on my phone is the Virgin Voyages app.

Speaker 3

It's so exciting.

Speaker 2

So you got.

Speaker 3

Yeah, I'm supposed to know, we're all supposed to have the app.

Speaker 5

You gotta check in, bro, you got to get the app.

Speaker 3

You gotta check in. I'll get the app. I'll get the app. Yeah, what is that? What are you referencing there?

Speaker 2

Now?

Speaker 3

Are you doing a bit? Are you doing a bit?

Speaker 2

Here?

Speaker 3

We're doing an organic mention.

Speaker 2

It's a really fun app where you can see all the stuff you're gonna do on your true crime voyage from October tenth to the fifteenth.

Speaker 3

Hey wait, we're going on that. Yeah, that's correct. We're going on an adventure on the high seas joined with the legendary Tennessee pal Dylan Fagan as well as our peer podcasts Betrayal and Buried Bones. It's an event not to be missed. We're going to see a shipwreck too, but it won't be our ship important no.

Speaker 2

Yes, yes, now, guys, I just wanted to put that out there as a fun little thing, right, but also just to remind everyone that sometimes we put our locations and the times we're going to be in those locations on blast. We say it out loud, we put it in a schedule, it goes on a website, we do that. All kinds of other public figures do that. Just as a reminder before we get into this.

Speaker 4

You can track our private jet if you want, like, it's out there, is available.

Speaker 3

We're square times a million. That's the reality now.

Speaker 2

But the whole point is there there is a ton of public information about where certain people will be at what time that's out there, But then there are other times when you do not want those locations and times to be public.

Speaker 3

Yeah, thank you for saying that, Matt, because you know how I am about this stuff. It was really uncomfortable for me to tell people where we were going to be in advance. It's multiple days antithetical. Well, you know, it's a rage.

Speaker 4

We'll be within these three points of this thing called the Bermuda Triangle at any given time between the what.

Speaker 3

Is it, the tenth and the fifteenth. Yeah, it's a real trustful We hope it's worth it. Apps are amazing because they really can help you, you know, in a way. They're a renaissance of learning new things. You can learn a new language, you can identify birds, mushrooms, stars. I know we're all big fans of the app Dark Skies, which is cool. We also figure out why your plants are dying, you know, right, yeah, yeah, yeah. We also know that most of these apps are going to be free or relatively inexpensive or as we'll find something called freemium. A lot of them also have, to your point, Matt, an added somewhat hidden feature, which is they collect as much of your information as possible, including other activities outside of the app on the same phone. So if you were not careful, you can end up revealing much much more than you intended. Have you guys seen this new show The Paper, The Office spinoff? It's good. It's about a small.

Speaker 4

Newspaper like website based kind of newspaper, and one of the characters who is responsible for kind of maintaining the data collection aspects of it, which she argues kind of, you know, in a very dead pan way, is really more where the money comes from than anything else, and says, you know, so technically we're learning more about our readers than they're learning from us.

Speaker 3

That's a note so insightful that I would consider it now a parable. I can't wait to check out that show. We know that no matter how innocuous an app may seem, these little programs can do some sneaky things intentionally or sometimes the worst unintentionally. This is the story of a little app that a lot of our fellow conspiracy realists are aware of, Strava. This is the tale of the Strava leaks. And what better way to go to some sponsors by saying always remember terms and conditions apply. Here are the facts, but first Yes.

Speaker 2

On October twenty eighth, twenty twenty, guys, we put out our episode When We Become Our Phones. This episode was all about the ways in which your phone is tracking your information and one of the primary things we talked about there was real time location data right yep. And then exactly four years, exactly to the day, four years after that episode came out, the French website and publication Le Monde put out the thing we're going to be talking about today. I just thought that was so strange, guys.

Speaker 4

Well, and if I'm not mistaken, like it hasn't always been the case that when you open a new app, it asks you allowed to track.

Speaker 3

Always only while using that only once.

Speaker 4

That's a relatively more recent development that is a direct result of the kinds of things that you're talking.

Speaker 3

And it also depends upon your country of origin as to what kind of privacy laws apply. And gents, just once, I would love for us to correctly predict something good and fun. Why are we right about all the bad? Thank you for beeping me, Dylan, you know with the pandemic. I love the chronological cycle that you noted there, Matt, and I'm saying the word cycle on purpose because I got to talk about Strava and this is an episode based off of some news that you brought to a strange news program. Maybe we get into it by just explaining what Strava is. Have you guys subscribed? Do you use it? I haven't. I mean I have been.

Speaker 4

Maybe I've mentioned really into biking a lot lately, but I have not gone down that particular rabbit hole. I kind of just, you know, use my Apple Watch to see how many calories I burned and what my elevation was. But it seems like Strava gets a lot more granular than that and uses geolocating to do so.

Speaker 2

Oh but this is really good. You use your phone and your Apple Watch to track your location in real time and your health fitness stuff. Right, that's what That's one of the big cool things that a phone can do, right, because your Apple Watch can actually track stuff about your body.

Speaker 3

Right. I am gonna diplomatically push back on the word cool in that. Well, it depends on your perspective.

Speaker 2

Well theoretically, right, all is how it works.

Speaker 3

Yes, So yeah, I'm into that aspect of it.

Speaker 2

Yeah.

Speaker 4

Yeah, it's something that works for me, and I'm very aware of what the potential fallout could be down the road. But it is one of those bargains with the devil that you make where it's like, for the privilege of having this information, I maybe am aware that it might be exploited one day.

Speaker 2

Well, but let's let's just talk about it that way, because it is helpful for you, Noel, and and I know a lot of people who use that kind of thing where it's it's usually directly connected either to your wrist or to something you wear in your chest.

Speaker 3

There's a version of it.

Speaker 2

And HM. So you're the these apps like Strava and whatever it is you're using, and the kind of the the stuff that's already inside the phones when when it comes to you, it's incredibly cool that we can that we can track ourselves in our body and how it's functioning for things like fitness right and and working out. Strava is one of those apps. Correct, Isn't that primarily what it is?

Speaker 3

Yes, it is.

Speaker 4

And it's also like people who are really into cycling and who are maybe even working towards competing in some larger event. Those stats are very important a because you can't like fake them, and it's it's very important that you have metrics to show that you've done the work to get to the thing and to like show to.

Speaker 3

Show your work.

Speaker 4

Basically, you know, while I'm certain there are ways to game it, there is a certain sense within the communities that rely on these things that you know, there is a certain amount of like what's the word benefit of the doubt?

Speaker 3

I guess that goes along with using them correctly. Yeah, yeah, you guys are right to jump in here. Just for the basic definition. Strava is a social media platform meets wellness app. It was founded in two thousand and nine to track to earlier points and to a degree, to gamify physical exercise. It comes to us from some Harvard alums, some really smart guys named Michael Horvath, not Harvard associated, but that's cool, nominative determinism, and a guy named Mark Gainey, two very very bright guys. Strava takes its name from the Swedish word strava with an umlaut over the first a, which means to strive. So they kind of pulled a Häagen-Dazs situation because they're an American company, but they wanted, you know, they wanted that European Ikea-esque feel, and like we were saying earlier, it first gains traction with cyclists and it's a free app, right, and I love that point you raised about competitive cycling. Now you can see how the other folks are doing. Then it expands to runners. Now we can not just plop our ones and twos for a couple of miles and see our speed and elevation and stuff. We can also recommend routes or as they would call them, segments to one another, and we can now track other forms of exercise via Strava, including indoor stuff. People love this. There are leaderboards. Strava has a version of likes, they're called kudos, and folks also rightly with validity, love being able to track their progress and.

Speaker 4

Just to say, another thing that Strava has is the ability to flag users who potentially are being dishonest about their runs.

Speaker 3

In you can flag people. You can't see who flagged you.

Speaker 4

There can be a complaint lies within the community, and there are apparently some tells as to whether or not someone is being dishonest about their run. You can kind of measure I believe the burned calories or the elevation whatever it might be with the distance and with like the amount of time moving, and you can sort of see if someone's juking the stats a.

Speaker 3

Little bit because there's so much information out there that can be leveraged and connected and Charlie Day'd, you know, and I think we're that when we're going to see the idea about gitting up the numbers or goosing them, as we've been saying recently, that goes to a special case in Singapore. So what Strava is doing isn't entirely you know, unique.

Speaker 4

There are tons of other apps like MyFitnessPal and different, maybe slightly less track track focused or distance focused apps, but there are other ones that are very, very similar to what Strava does. However, it is the one of the most popular ones, especially in like we were talking about the world that's cycling. By twenty twenty, just over ten years into the launch, Strava had fifty million individual users with around three billion activities uploaded to the app. It's also available in thirteen different languages.

Speaker 5

So yeah, amazing internet success story for sure.

Speaker 2

So let's talk about the mapping specifically, because I think really that's what sets apart Strava for a lot of other hundred apps. This concept of whenever you go out for a workout, whether there's biking, running, whatever, you can you have the option to track exactly where you go in real time and then build out a whole essentially a track of where you went starting point and an endpoint. It's not always in the same place, but sometimes it is that whole thing, that that feeling that users get of sharing. Hey look at all the work I just put in. Check it out and it just happened. I just finished it. Or hey, look at the run I'm going on right now, right that there's something there's something so important in there that goes back to that when we become our phones episode about wanting to share that thing so that others recognize whatever it is that you're doing, and then you get direct and immediate feedback, like real time feedback sometimes about how awesome you are.

Speaker 3

It's really no absolutely the way you put it, I agree, it's it's the kind of the case of Strava is the kind of thing later Harvard grads are going to study in business school. This is how you do it right, They wrote the textbook. In this regard, we want to be clear or at least. I think it's important for us to say these apps can be extremely helpful to so many people because working out is not a one and done event. It takes time, dedication, routine, it takes discipline. If you have a sedentary job, you might well find apps like this crucial to your routine because you can see and feel and to that earlier point you raised, Matt, share the result of your labor. It's a motivating factor. It is gamified. Last time I biked three miles, let's see if I can get four in around the same amount of time.

Speaker 4

Well, and I guess, just to Matt, you kind of already made this clear. But in this case, the tracking isn't like a byproduct. It is the products, and it is not a bug. It is absolutely a feature. And you can look at other people's profiles and you look at their routes as a way of like, oh, I might want to do that routes, not like necessarily as a way of stalking them per se.

Speaker 3

But of course there's the dark side of all of them. Yeah, Like I say, you share the segment share of the recommend.

Speaker 2

Yeah, let's say you're a biker and you're in a town that you're not used to being in, but you've got a bike, you have access to a bike, you want to go out for the day. It's way more helpful to see where people are going because we know how dangerous it is to be on a bike in a lot of places. You know, and maybe you don't understand how strenuous of a ride something is going to be or where it's going to lead. Look at Strava. Hey, now I've got three or four potential routes I can take and it's going to be a great day.

Speaker 3

And Strava says, don't worry. This is relatively anonymous, relatively caveat asterisk. People loved this concept of the app, and it changed as it grew, which always happens. I believe was May of twenty twenty, really, as the pandemic lockdown's hitting fever pitch, the company updates its terms and con they get that freemium model going. They say, look, we've been busting our hubs for everybody. We've been really flexing our calves to help out our fellow cyclists and people doing exercise, but we have not made a profit yet. We do so much stuff we gotta make Yeah, we got to make a little money, we got to pay the blood price. So because the US first, right, right, yeah, then you get the money, right And so they say, look, you can technically still use the app for free, but for the advanced features aka the things people love about Strava, you're going to have to subscribe. So some of the stuff that was free is now only available with a paid subscription, and any new features we have are also going to only be available if you cough up some cheddar or scooch out some scratch or another fun word for paying money. Coughing up cheddar sounds scary. Coughing up cheddar sounds like a medical condition. Why don't we give the direct quote from Strava about this change.

Speaker 2

A few of our free features that are specially complex and expensive to maintain, like segment leader boards, will now become subscription features. See I'm doing it like the way? Yeah, make it sound like? Are you sweet?

Speaker 5

He's vaguely Swedish?

Speaker 2

Yeah, yeah, but not really. And from now on, more of our new feature development will be for all subscribers. We'll invest the most in the athletes who have invested in us.

Speaker 3

Right that last lines a banger? Also well done? I think on the on the recap there, Matt, I love the voice. I want to know more about this character.

Speaker 4

So can I just ask to if I, as a new user, want to get the free version, what does that mean for me?

Speaker 2

Now you get the base model?

Speaker 3

Son, Yeah, you get shamed. Are your fellow cyclists you invest You can't see the leader board? Bro? I forgot you can't.

Speaker 2

You gotta give? How are you going to invest in yourself?

Speaker 3

You don't invest in us, Bro, We invested the athletes who invest in us.

Speaker 2

If that's the site you gotta give, it's.

Speaker 3

The cycle of life. Okay. We can't afford the sound cube. So these moves are always going to be controversial among the user base. Mainly, these things are controversial because people don't dig it when something that was free becomes a regular, recurring cost. Right. That's a huge problem on the internet and internet services in general. But Cyclist magazine was super into this because to that earlier point, cycling has been a huge part of Strava from the jump, and they even asked a fellow Strava user, a psychologist named Ben Dowman, to weigh in on this and his quote. Ben's quote is pretty fascinating. So uh, let's see who wants who wants to do a character voice for this Nolie, you got one. I'm gonna do sort of an ed game voice. From the outside.

Speaker 4

As a user myself, Strava's communication has been very parent child sorry.

Speaker 2

The show.

Speaker 4

He sounds like the old man from Family Guy. It's a choice.

Speaker 6

We have had free access to Strava's functions for a very long time, and now it feels like we are having our favorite toy taken away from us with no room for discussion on negotiation.

Speaker 2

You just gotta get no discussion or negotiation.

Speaker 5

Just give. Look at Dylan, he gives yeah.

Speaker 3

He's a lot of people give you hit me in the cup City customers, but I mean yeah. People weren't super happy about it. Strava still soldiered on, and it maintained that despite the leaderboards the social aspects of the service, they did not have a side gig profiting off personal data. Specifically, Strava's then global marketing director Simon Klima stated, subscription has always been at the heart of Strava, making up the vast majority of our revenue. We do not sell personal information before and we do not sell it now. It's reassuring to hear, and this is something we have to know, Like a lot of companies of this genre and size are still going to be pretty cagey about the specifics of their data how it's used internally, that those kind of stats are their secret sauce, right.

Speaker 2

Just like 23andMe. We're not going to use your person. Sorry, everything's fine, but it does make sense right where the subscription itself and the money coming in from that would be enough for a time, it would show enough growth and as more and more people who are using the app regularly start to give, then hey, the company is profitable. The problems come and they need more. So you either got to get more users, increase your price, or find another stream.

Speaker 3

Mmmmm yeah, because you got to get those year over year profits. This is so par for the course, and we got to say it. As a private entity, Strava is fully within its legal rights. But the second issue, the reason we're here tonight, it's not about what Strava intentionally may or may not do with user data. It's about the unintentional consequences the user security. What happens when things go pear-shaped as our pals, Pete and Boss would say what happens when things go wrong? We talked in the past. You know, another episode this reminds me of is an ongoing conversation we had about the idea of a world without secrets, a world in which social apps, hackers, the information age all combine and amalgamate to erode the concept of privacy and push every individual, willingly or not, into the public sphere. I believe, Matt it was you earlier said the idea of being public figures. Right, We're looking at a world wherein everyone to some degree is a public figure, even if that's not what they want. It's another step in the rabbit hole. You know. Strava was and is a gold mine for sensitive information. We could argue it was inevitable. It was simply a matter of time before some of that information leaked.

Speaker 2

Oh yeah, because those public figures we're talking about, they don't want to be seen at all times. They want to be seen at the times they want to be seen, right, the profitable times, the times when they're out doing the official stuff. The thing we got to remember about people who have a lot of power or are are that public, they often have teams of people around them, wouldn't you say, guys.

Speaker 4

Oh gosh, you handlers, They would be called I guess. And also those appearances that you're talking about, they go to a great lengths often to make them seem natural and organic, but they are vetted.

Speaker 3

There's hair and makeup.

Speaker 4

There's all of these aspects that lead to the rollout of this very public event. And that's part of the reason that I mean, it's interesting because you have things like Twitter that sort of opened a lot of celebrity life up in a way that wasn't or at least didn't seem so vetted and so polished. But now there's almost this backlash against that because the pendulum swung too far in that direction, right hmmm, I mean, you know what I mean, not backlash against that, but it's just like, I think we are back to a bit more of a time where it's a little bit more cautious. There's a little bit more caution going into some of these events and these sort of perceived public appearances.

Speaker 3

There is an intense ongoing social debate over what should or should not be behind the proverbial curtain. So again, was the Strava gold mine just inevitably going to get leveraged. We'll learn more after a word from our sponsors. Here's where it gets crazy, all right. We talked about this in the strange news story you brought us, Matt, earlier this year. Data from Strava has become a security concern, not once, but multiple times, and it's because it's part of an economy of scale thing. Really, it's extremely popular with so many folks to your point about cyclists, Noel, including celebrities, royalty, members of the world's security and military services. I think one example we had earlier a precedent for what happened with this company Strava, is you know the guys who send off well intentioned emails from their deployment at a nuclear sub. I miss you, Grandma. We're right around Malta. Things are heating up. You know. That's that's a rough thing. That's well intentioned, but it can tell too much information to the bad guys. Absolutely.

Speaker 2

Well. Yeah, when Facebook brought around its idea that hey, you can check in to a physical location wherever you go, and then imagine that the public figure themselves. Who if we're imagining an individual right that let's say President isn't going to go check in on Facebook when they go somewhere, right, not going to happen, but somebody in the entourage might somebody you know who's just a tertiary figure that's in there, or maybe even perhaps a security official, right, somebody who's on staff as security. They might check in a little later after the gig's done.

Speaker 3

Or In November of twenty seventeen, Strava created a public global heat map and you can see all kinds of pictures of this. It collected two years of movement data from all the users around the world from twenty fifteen to twenty seventeen. And then just a few months later, it's January of twenty eighteen, and this awesome kid, Nathan. I hope it doesn't offend you if I call you a kid. He's twenty years old. He's an Australian international security student. His name is Nathan Ruser, R-U-S-E-R, and he notices something bizarre. He's our first public Charlie Day in this situation. He says, hang on this heat map. It's not updating live, it's not real time information, but it is mapped military bases across the planet. Because people are sharing their recommended routes, their segments. You know, they want their kudos, their likes, and you can see you can see as a result of this movement tracking you you can see the routes for everything from US bases in Syria and Afghanistan to the HMNB Clyde, which is the Royal Navy base that has the UK's nuclear arsenal. You can see it. We've got an example here from a US base in Afghanistan in the Helmand Province. This comes directly from Strava's global heat map. Do you want to describe what it looks like here? It looks like a line drawing and the brighter lines are the more well traveled routes.

Speaker 2

Yeah, it looks like a grid system of of you know, a small base. It's tough to know. Are these interior or exterior routes? Right? Are there any doors involved here? It does look exterior to me. And then it's got what looks like maybe a small airstrip or something that the person has run around in a bit of a more organic shape rather than the straight grid lines in the other parts.

Speaker 3

Yeah, maybe I like the airstrip idea, Matt, because maybe that's where you can get your quick quarter mile in. Do that a couple of times, and it's one of the brighter lines. So also want to shout out Nathan for keeping it so falcon it is interviews. He was talking with the BBC and he later said, look, I just looked at it and I thought, oh hell, this should not be here. This is not good. So I went and told the public.

Speaker 2

Well, let's talk about what this really means. So if you've got a map like this of a military structure, do you think this would be that helpful? Is somebody planning something?

Speaker 3

Oh yes, yeah, very helpful, thank you Strava.

Speaker 2

But don't we all have like Google maps and things, and if somebody wanted to cause harm at a military base, you can find a military base, look at it from above and see pretty much this, right.

Speaker 3

Yeah, it's not like world governments and terrorists don't already know where all the bases are. Even black sites get clocked eventually. Shout out to our previous episodes on that and like you're saying, there, Matt, sat tech can provide clear pictures of any exposed compound, right, Okay, yeah, so Strava's heat map is an added benefit. These they're the sprinkles on the sandwich, right Because it displays levels of activity via increasing light, which reveals which of those military buildings are the most frequented, and it also tells you the routes that soldiers would take in and around the compound. The location data can extend beyond the base too, which means you can see the commonly used exercise routes or regularly patrolled roads. Because a lot of people probably did the thing, so many other folks do. They just clicked yes on the terms and conditions and they never checked their privacy settings.

Speaker 2

Oh dude, or maybe someone turns it on, like puts the walk on. I'm just going for a walk, right, but it's part of my exercise, so I'm gonna bank it now. I'm just walking through the facility. But that makes sense in my head, I'm thinking all exterior, But no, that would that would totally check out. You could walk into the most sensitive parts and now they've got a map on how to get to.

Speaker 3

Them, as long as you can bring your phone right or but then they've got the watch situation as well, Like there's a way you know, when you click.

Speaker 4

The watch for a workout, you can do an indoor walk or an outdoor walk or whatever. The type of activity might be, and people that are really into like making sure they're banking that stuff. To your point, Matt, they're always gonna put that in it in there and make sure that it's counting that down. So you know that for that period of time when you're on the move in a certain indoor facility, that's a pretty easy thing to identify, you know what that durn frames.

Speaker 3

And if you can't have the phone, then you obviously can't have the smart watch either. Yes, it's definitely and it also shows us another advantage that doesn't really fix the problem, because if you've got the map of everything else, you've got the heat map of the rest of the place. You know where the black hole is right, you know where the SCIF is or whatever other sensitive stuff. So if someone is a bad actor, a bad guy, they've got a bee in their bonnet, they get a badger in their bag, they want to attack something, Strava's heat map could accidentally give them the chance to plan the perfect aggression, you know, knowing how to get in, where to go immediately, where to hit with maximum impact, and then how to ghost out successfully afterwards. Strava potentially gave some really bad guys for really awesome gifts. Wow.

Speaker 2

Yeah, and it's not just the military bases, right, because you have to imagine this could be any building anywhere, even let's say a chateau somewhere in the mountains out.

Speaker 5

Right, perhaps a chalet in Switzerland.

Speaker 3

Yeah, this is a true story, this the Swedes.

Speaker 2

Yeah, but yeah, like, but it's weird to think of it that way because it could also be maps, if you're in a mountainous region, maps to get to that place, right, and then you could see an alternate way to get to that facility or that even again, just that house that is not marked by people walking on it regularly, exactly.

Speaker 3

And this is why our pal Nathan went public with this quickly. Just like a white hat hacker, which he says he's not. He's connecting dots and he realized that if he was connecting these, someone else probably was doing the same thing or had. And to their credit, Strava responded very quickly. Their CEO, James Quarles said Strava is committed to working with military and government officials to address these concerns, and then additionally said we're going to simplify our privacy features so that the end user has a better understanding, a more clear understanding of what they are or are not publicizing to the world at large. But at this point, the horse has left the lamp, the genie is out of the barn, the badger's out of the bag. More Shenanigans are on the way. We've got so many more examples to get to. Should we take a break for a word from our sponsors here, because I know we're all darkly fascinated by how many things went wrong? I think we must, and we've returned. In a similar case to the Afghanistan stuff and to the Royal Navy stuff. Military bases in Israel fell to a similar security vulnerability, but it was different because this goes to Noel's earlier point about hacking stuff right or acting in bad faith. I wasn't aware of this. You can upload fake routes or segments suggested routes to a region, and then when you upload that, if people engage in, if they use it right a route that you have never actually run. You're just laying out this thing as an if. Then if a local user decides to take this track, you, the segment poster can learn the identities or past routes of those users. Who fell for your your fake trail, your fake grift.

Speaker 5

Oh snap, I didn't know you could do that.

Speaker 2

You know, well, if that's intense and that seems like the route that would be taken. But I didn't think about. Let's say you're targeting some public official, right and you know that they live because they're a public official in some around some area close by to this one place. You could physically, using the app, go and run near that area. Just create those things as well. But I didn't even know you could upload a fake one.

Speaker 3

You could just dummy up a fake one.

Speaker 5

Yeah, that's insane.

Speaker 3

Here's my daily run to the best swimming area in Diego Garcia.

Speaker 2

Because you could correlate users who use it, I'm saying you can. You can find the identities of people that may actually be in the facility or connected to the public official you're targeting, even.

Speaker 3

If they've maxed out their privacy settings.

Speaker 2

Jesus.

Speaker 3

But like Strava's not canceled.

Speaker 4

I mean people are still using it, Like this didn't tank My companys and millions of people fascinating that a scandal to the of this magnitude isn't enough to you know, topple an organization like this, I think because many folks kind of look at it the way I do, where it's like occasionally there's going to be some things that go wrong and it's still worth it to me, you know, for the benefits that I get from it.

Speaker 3

To take that risk, I would have I would have shout out all of us. All you guys, all our fellow conspiracy realists who are getting in their Strava time right now as you're listening to the show, thanks for letting us ride along with you. Don't, don't hang up on Strava yet, but you got to hear some more stuff. I just think this is an interesting experience for those of us who are, you know, running on a treadmill or in the streets or on a bike or a stationary bike, doing whatever you're doing.

Speaker 2

Especially those people using Garmin Connect right now. Yeah, because that those folks are getting sued by Strava, and Strava is saying, hey, you can't make any more stuff, Garmin, because you're using our heat map stuff.

Speaker 3

Yeah, you're using it, yeah, our heat maps and for the people and maybe the terrorists and maybe the stalkers. But so twenty twenty three, and please, please, please keep your Strava going as you're listening, folks. Twenty twenty three was also a tough year for Strava because people found heat map data could reveal the home addresses of active users in remote areas. And there's a paper you can read about this online for free for now from some three very smart people in the Carolinas, and they walk through the process, which gets a little bit complicated, but it's still disturbing, especially because a lot of people who live in remote areas are doing so on purpose because they don't want to be identified, doxed and hunted down. You know.

Speaker 2

Yeah, let's go over the timeline again quickly, guys, just so we understand how much stuff has really is accumulating right here for Strava. Right nine, we said is when it gets created. Twenty seventeen is the first big scandal. Twenty twenty two is the thing where the Israel bases get revealed. Now we're in twenty twenty three and we're figuring out, oh God, anybody and everybody is going to get revealed here. Surely there's not more.

Speaker 3

Oh surely there is, right that? I mean?

Speaker 5

Yeah?

Speaker 3

Then then same year Strava was used to identify a native of Raleigh, North Carolina who lit a Trump one lawn sign on fire. So you know, like we've all seen political yard signs, this guy lit what up.

Speaker 2

And like the Strava route put him.

Speaker 3

The Strava route put him, They got him, he got popped, he got jammed up. We're not saying it's right to burn stuffed out.

Speaker 4

No, and I do think it's worth mentioning in this conversation some other kind of examples of this, like Ring cameras that are, you know, app connected, and there are various kind of murky layers to the privacy surrounding them, and like to what degree can authorities essentially co-opt your Ring feed in ways that could even potentially compromise you if you've done something wrong. The key there being if you've done something wrong. Because I always say that I really don't care too much whether these companies are tracking me because I'm not out there breaking the law and burning down Trump.

Speaker 3

Signs and things.

Speaker 2

You know, well, it's just on who you're hanging with.

Speaker 4

Absolutely true, and I hear you're app There's no question that I hear you.

Speaker 3

Guys. The the Kevin Bacon rule of Hoover and intelligence is like you said, Matt, I think that's a concern, and Noel to your point, while I hear you on that, one of the one of the bigger concerns is what if something becomes wrong later.

Speaker 4

That's also very, very true, and I completely understand, especially in the world we're living and now, associations could come back to haunt you various things. Any you know how granular is it going to get in terms of like where were you at this particular time, did you go to a place that is now a known whatever?

Speaker 3

Like, guys, let's think about ICE. And that's exactly right.

Speaker 5

That's a huge concern. Yeah, ICE and Strava apps, ICE and Strava apps.

Speaker 2

We you know exactly where this guy runs. We'll just put a van strategically located.

Speaker 3

It's so hairy man.

Speaker 2

Can we get to the public figures thing? Because this is I think we're getting into the territory where the really maybe scary stuff. This is all scary stuff, but this is like just the fact that right now you can go to a website called rollcall dot com and you can look at President Donald Trump's calendar, the official public calendar. There are a bunch of places online where you could find that public calendar. I think White House dot gov has a version of it deep in there somewhere you can see what the official scheduled events are for the President of the United States. Right, you can see the same thing for let's say Emmanuel Macron, the president of France.

Speaker 3

Justin Trudeau back in the day.

Speaker 2

Yeah, most of these extremely public figures, especially government officials, are gonna have some kind of public facing schedule of events, including times. So it's not just on this day we're doing that. It's this is at nineteen hundred hours, we're going to be.

Speaker 3

Here, Atlanta, three pm. We're going to celebrate National Rutabaga Day, and the Vice President is going to be in attendance from three fifteen to three forty five exactly.

Speaker 2

Well today, just to use this exact thing on Elysee, E-L-Y-S-E-E dot FR, I can see that Emmanuel Macron at sixteen hundred hours today on October sixth, is going to be having a meeting with the Council of Ministers. That's happening today. But what we don't know is what's happening immediately after that, where the president is going to go, right, we don't know that part.

Speaker 3

We don't until we lead Dodd Strava. In October of twenty twenty four, journalists at Le Monde, but we can't say enough good stuff about them. They discovered that Strava had exposed unknowingly the locations and activities of world leaders because of their security teams. The folks who travel with big name political figures like US presidents or Emmanuel Macron or Justin Trudeau. You know, those guys tend to be in pretty good shape. And when they're not at work, they're working out because they got to be ready.

Speaker 2

We're saying the security teams, right.

Speaker 3

The security teams were logging their stuff.

Speaker 4

Yeah, that was used to then track the proximity to the public figure they were in charge.

Speaker 3

Of, right, one hundred percent. Yes, you're correct. And so, as Matt mentioned in our earlier Strange News program, Strava fitness data also revealed private locations of people who, yeah, I guess they're public figures. They're more like high value targets, the Swedish royal family. And this all came from the security teams who were like, all right, I've got, you know, I've got Dylan on the next shift. So I got to get my steps in. You know, I'm gonna take a run, I'm gonna move some weights, and taking the run or taking the bike is really where you get that that crunchy corner brownie of opsec.

Speaker 2

Yeah, well yeah, but what we're talking about the King and queen, right, the King and queen and where they personally vacation, so behind.

Speaker 3

The curtain the stuff I don't want you to know.

Speaker 2

You're not supposed to know that at all. And the security person is just as you said, doing something innocent, trying to get some exercise when he's not, he or she is not officially on duty. And that single act allowed Le Monde and anybody else who was interested to go, oh, they must be up there at that giant mansion slash castle the.

Speaker 3

People. So okay, we gotta be fair, all right, this is it, Dylan. I'm say I'm cursing so much in this episode. Please bleep me here. This is a huge gup. This is like a bad thing to happen. And Strava, in their defense, absolutely did not intend this. They played no active, knowing role in setting up possible attacks. They're just a successful business that is already doing the thing adolescent businesses do, which is you expand, you acquire competitors, other companies, you make more features, you get more money. You're about that bag. That's what Strava is doing. And Strava has made multiple public statements for each of these reported incidents. In the case that we mentioned earlier, doxing people in remote locations, they came out with a pretty strident public statement, which I suggest we read just in the interest of objectivity and fairness.

Speaker 4

For sure, the safety and privacy of our community is our highest priority. We've long had a suite of privacy controls, including map visibility controls that give users control over what they share and who it's shared with.

Speaker 3

And it continues. They say Strava does not track users or share data without their permission. When users share their aggregated de identified data with the heat map and Strava Metro, they contribute to a one of a kind data set that helps urban planners as they develop better infrastructure from people on foot and bikes, and makes it easy to plan routes with the knowledge of the community. This interview is over, y'all.

Speaker 4

Really, I know, urban planners, I mean yeah, I mean we need we need some more sidewalk over here.

Speaker 2

We need some over there.

Speaker 5

True, that's all true, but it's a little bit of a reach.

Speaker 3

It's like, I get it. I'm just saying, it's like that DMZ video about how the Korean War is great for birds. It seems to be missing the root of me of the matter. Yes, sir, just so. It's the wrong vegetable and wrong badger in the bag here, and I love that. We also notice something sneaky. Putting the onus on the consumer, always, always, tale as old as time, classic PR move.

Speaker 2

We didn't expect those security personnel to share their stuff? Silly?

Speaker 3

Oh, Secret Service? Am I right? What else? What else they're playing? Food? Oh jesus h. Anyway, it seems it does seem that Strava. I don't know what you guys think, but it seems that Strava is making good faith efforts to mitigate the security risk here, but they're doing so while still ensuring the success and growth of the company, more users, more subscription fees year over year. Capitalism pays the blood price, you know, and tries not to end up in the stone chair. So will these two goals ever become mutually exclusive? Will the promise or the drive, the necessity of profit on the horizon. Will it get them to cut corners on the security concerns and put the put the responsibility and accountability even more on the end user. I don't know.

Speaker 2

I don't know, man. The private vacationing area for the royal family is one thing, because they're not going to be there that often, right, They're just going to be hanging out there for a couple of weeks and.

Speaker 3

A year maybe, and they own tons of places that they barely visit.

Speaker 2

Yeah yeah, yeah, yeah yeah. And there's going to be a ton of security there, hence all the running, right, and on all the folks who are currently off duty because they're way more on duty. But when you imagine the location of someone's personal domicile, their house where they live, the address where one of these people lives, like the Prime Minister of Sweden's private address where you go home and try and sleep sometimes after doing a bunch of work, imagine that that location becomes at risk because not only is it information about physically where it is, what the address is so someone can just get there, you've also now got routes that security personnel take around that house, right. And that's where somebody who just has ill will but doesn't have a lot of planning. It's not going to be crazy helpful for. This is only really helpful for the people that, you know, imagine a serial killer that's extremely organized, somebody who is focused and is going to use that data for bad things. That's the actually dangerous person or group of people, and this is what helps them.

Speaker 3

Yeah, this is tasty, tasty stuff. It also, you know, it doesn't take a state sponsored hacker. It doesn't take any of that amazing secret NSA tech to gather this information. You just have to be determined and have the time and an Internet connection. That is the frightening part. Anybody with enough time to connect the dots could have arrived at similar conclusions as soon as the heat map hit, and probably well before that if they were active in, if they were active on Strava. And that's why our pal, the kind of the hero of the story, Nathan Ruser, moved so quickly to report this to the public. I think one thing that may be reassuring for us to share, fellow conspiracy realists, especially folks on Strava. Right now, as of this moment, as of this recording Monday, October sixth, there have been no verified attacks that have been proven to have leveraged data from Strava or data whatever, tomato, tomahto. But it does seem there's a storm on the horizon because Strava is not unique. There are other, like one of us was saying earlier, there are other things that track and share in much the same manner. Countless apps are taking your information to do similar stuff, and once they get big enough, economy of scale kicks in. You can make another world map. That's right. I aggregate all that stuff together.

Speaker 2

It's and then but then you see the state of the world in so many countries right now. Guys, I haven't been looking closely at France at all, but because of Le Monde in this episode, I ended up just, oh, well, what's going on in France right now? Like politically and all that good stuff. And then you see, you know, another prime minister that was appointed for only a year just resigned, like literally I think today or the past couple of days. There's there's kind of chaos happening and changing of guard happening across the world, but in not normal ways that we would see in democracies right.

Speaker 3

Right, not the peaceful passage of power.

Speaker 2

It's happening all over the place. And then you just imagine this kind of information is out there, and it doesn't take long to see the motivations that someone might have to take act Like we've been describing today.

Speaker 3

Right, the barriers are much lower now you can get touched, folks. It's just true.

Speaker 2

It's scary, man, because it speaks to just a larger kind of state of chaos that we're entering.

Speaker 3

Yes, absolutely, it's a storm on the horizon by all all metrics we can tell, and by now obviously in this brave new world, we should each carry a healthy skepticism, if not outright paranoia about apps in general, especially things linked to your mobile devices, those obscure terms and conditions about how your stuff gets recorded, stored, and shared. I know we're all fans of, you know, very specific ways of learning. We're fans of very specific apps as a result, and Noel, thank you again for hipping me to Dark Skies for a great primer on this of stuff on Strava in particular. In the larger issue, do check out Undercode Testing's article "How Strava Data Leaks Are Endangering World Leaders: A Cybersecurity Wake-Up Call." The issue is real. I mean, these things are so convenient, that's true. But I think we can argue in this case the convenience itself is becoming the conspiracy.

Speaker 2

Yeah.

Speaker 4

Sure, yeah. But I guess just to bring up what I mentioned earlier about like this is not have we seen a marked decrease in subscribers to the service as a result of this news.

Speaker 3

I don't think so. No. Similar to the hit they took with the move to a subscription model, they encountered a dip, but it's still like it's similar to Facebook. People are just going to be sandboxed in. They're going to be using it. You're, as you said, you're a competitive biker. Maybe like I'm, I'm a competitive biker. I'm gearing up to really do some stuff. Then I need those stats. I need that context, and that's what people are doing well.

Speaker 4

And again I'm not maybe I am willfully putting on blinders to some of this stuff, But as soon as we get done recording this, I'm going to download that. I mean, I'm into it, I think, and I don't necessarily see a willful effort to like defraud their users. I think what we're talking about is a bigger picture issue with tracking, a bigger picture issue with what this stuff can be.

Speaker 3

Used for by these bad actors.

Speaker 4

Yes, by the way, yeah, whoa, Well they can become buddies.

Speaker 3

Is that a thing? Are you? Are you Strava buddies?

Speaker 2

You should be? Can I tell you this, guys, I've never once turned on the fitness tracking on my phone occasion.

Speaker 3

Yeah, yeah, okay.

Speaker 2

Location tracking, yes, one hundred percent. But I've never once turned the other stuff on. But there was a time when I would turn off location services unless I absolutely needed it, and like I was gonna take use Google Maps for something, right right, But I've stopped doing that now because.

Speaker 3

It hasn't it yeah, the.

Speaker 2

Way that things require it now. So then it just made me feel so complacent about like, fine, I'll freaking leave it on. Yeah, Like that is the thing that is really scary.

Speaker 3

It's also, yeah, the strangest breaches of privacy or the strangest things in general become normalized so quickly. That's an amazing thing about humanity. It's also a very frightening thing about the human experiment, and we have to remember it will become increasingly inconvenient to hold the line on your personal information. And I know we're all very we all have principles about that, us listening along right now too. But there's a prime movement to erode that sense of privacy in personhood. That's what's happening. The convenience is the conspiracy. That's the stuff they don't want you to know. You can find us on the iHeartRadio app. By the way, promise trick you that much. Terms and conditions apply. We can't wait to hear your thoughts, folks. Thanks so much for tuning in. Thanks as always to our super producer, the real star of the show, Dylan the Tennessee pal Fagan. And Dylan, before we before we throw to some CTAs, how do we do, man?

Speaker 7

Excellent, excellent job. I've had some experience with Strava.

Speaker 5

Oh can you tell us?

Speaker 7

I was using it for biking for a while. The thing that got me should have been the privacy concerns, but it was when they made their feed non chronological.

Speaker 3

Got it the algorithm?

Speaker 7

Oh yeah, I wanted to see the most interesting stuff first.

Speaker 2

Oh my god, dude, you know what got me about Strava. It is recently I don't know if you guys know this, but there's a company out there called Garmin, and back in nineteen ninety one they gave us this thing called a GPS you could use in your boats and your cars and everything else, and incredible.

Speaker 3

It saved us in the national radio quiet zone. That's right.

Speaker 2

Yeah, see, a Garmin, man. Well, Strava has come out and they are suing the pants off of Garmin because Garmin makes their own stuff, as we alluded to earlier, specifically their own hardware like a watch, so you're it's supposed to be able to do the same things. And Strava is saying, hey, you are patent infringing us and you are now sued.

Speaker 3

Oh no, that's a reach. That feels like you're shaking our stuff. Yeah, that's like walking into a sports game and seeing somebody else with a baseball cap and saying, you piece of crap. I'm the one who wears baseball hats. I'm gonna sue you. I mean, it is true, but you know, tech and patents are already such a sticky wicket and that might be a show for another day. If you want to learn more about patent law, check out our surprisingly not boring series on Ridiculous History where we talk all about IPs and patents. And if you want to make our day, fellow conspiracy realist, we would love to hear your thoughts, especially Strava users and especially people who object to Strava. Find us online, call us on the phone. You can send us an email. You sure can.

Speaker 4

You can find us at the handle Conspiracy Stuff where we exist on Facebook with our Facebook group Here's Where It Gets Crazy, on X, FKA Twitter, and on YouTube with video content galore for your perusing enjoyment. On Instagram and TikTok.

Speaker 3

However, we're Conspiracy Stuff Show.

Speaker 2

We have a phone number. It is one eight three three STDWYTK. Before you call, turn those letters into numbers. That's just a pro tip. When you do call, give yourself a cool nickname and let us know if we can use your name and message on the air. If you would like to send us a message via email, oh you can do that.

Speaker 3

We are the entities that read each piece of correspondence. Be well aware, yet unafraid. Sometimes the void writes back. Actually we're writing back now to personally thank everybody who reached out with such kind words post snuff Film episode so if you wrote to us about that, keep your eyes on the email. We will be with you very soon. Join us out here in the dark conspiracy at iHeartRadio dot com.

Speaker 2

Stuff they Don't want you to Know is a production of iHeartRadio. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.

Transcript source: Provided by creator in RSS feed: download file