I thought I had configured Strava from the get-go to protect my privacy. Turns out I missed a few settings they updated after my initial config. Thanks for bringing this to our attention.
App developers: "Let's add a privacy setting so people can protect their data." Also app developers: "Let's add 6 separate privacy settings for other features, have them bypass or ignore the main privacy setting(s), and enable them by default."
That was quite astonishing and highly informative. There is obviously no way to guess how many hidden settings may be required to turn off every privacy violating feature, and that's assuming they can all be turned off. It's no small challenge. Thank you for raising this issue. We are forever in your debt.😊
One thing that nearly caught me off guard was Apple. Their Health data is E2E encrypted, but NOT their Fitness data. That data is still being collected, but (according to Apple) “anonymised”, with some extra toggles for leaderboard functionality. I'm not sure if they're on by default, though.
@NaomiBrockwellTV It does make you wonder if the courts would consider fitness data HIPAA protected data? I assume that is why Apple separates them out; in their minds it would violate HIPAA laws to release any health data. But isn't fitness data health data too? Very interesting subject.
@NaomiBrockwellTV So, I've been doing a bit more reading. I can't find much information about the initial Summary Page. However, if you enable Activity Sharing and/or Fitness+, Apple will collect (and share) your data. In theory (would need to test), if you never enable those features and stick to the Summary page, no data would be sent. Also, on a related note, two privacy health apps that're worth checking out: Waistline (available on Android), one of my favourite privacy respecting Nutrition trackers, that's also open source; and FoodNoms (available on iOS), not as private as Waistline, but still (so far as I can find) the best option on Apple devices.
@NaomiBrockwellTV The same applies with GDPR for anyone in Europe or the UK. The fines are in the millions. The data shown to be shared in this video is in violation and the ICO in the UK should be contacted by anyone affected there. We need a few of these companies fined so it will be shown it will not be profitable to have default data sharing. You have to agree to it first.
anyone and everyone is completely vulnerable to involuntary bad opsec. it takes more work and effort to do anything today. there is a cost to privacy. sad truth.
What this actually shows is that despite them claiming that the privacy settings are on, the company is storing and databasing all the data anyway if the app is given permission.
Great video. It's funny I thought about it early this morning. I'll be happy to have a private fitness app. BTW I think it's the same situation regarding music apps. How do I keep my privacy when listening to music when I am running?
I used Strava briefly until a fellow started guessing where I live and what job I do to be riding at the times I did and where I went. That was it for me. Creepy to say the least. Or at least he was one who spoke out. How many silent observers could there be?
Appreciate the deep dive into this and making people aware of how data can leak, but it is almost entirely out of date with respect to Strava. By default, your activities are only shared to "followers" and not posted to segments / public unless you actively change it. Also it hides / obfuscates the initial several hundred meters at the beginning and end of the activity, again by default unless you turn it off. Likely from some of the incidents you've mentioned they've moved from "public by default" to "friends / followers only by default". I think it's important to recognize where and when apps and systems have improved and responded in the face of criticism, as it helps understand how we can work to improve things.
This is scary. I always go into settings of apps or websites that I have newly signed up to, because I got burnt when I was starting to explore the interwebs many years ago, but it still happens to me that I overlook a setting, as they hide the really interesting ones often times or change stuff after a few years. You are right especially privacy breaching settings should be opt-in and not opt-out.
This is yet another reason I advocate for a Resource Based Economy. Our current social system is heavily focused on profit, not the health and well-being of its citizens.
Naomi, I watch another YouTuber who is from Sweden. Apparently their laws are different there; she was looked up by one of her fans, and the person (a foreigner) showed up at her parents' house looking for her. She ended up moving to another city, having to change jobs, etc. All because Swedish law says that people’s address is open or something like that. Crazy world!
After watching this video, well, I don't say this too often, but Strava (the company) needs to be closed down and the software needs to be shut down. GDPR is not an optional thing and this is a huge breach of privacy.
I'm an old guy but I was preaching this stuff from way back in the MySpace/Facebook days where everyone thought it was cool to share every aspect of their life with anyone and everyone. We've sleepwalked right into mass surveillance.
14:46 "start supporting these products that better align with our values". Great! I'd love to! What are they? You forgot to mention the better alternatives.
Now I wonder if some of the vehicle driving/riding apps might be a security risk. Thank God I didn't download a bike ride app that one happen to be Strada in the list
Achieving real app privacy is likely to be an uphill battle due to conflicting priorities. On the one hand, we want privacy. On the other hand we are accustomed to free apps. Development and hosting of apps is not free however, so if we aren't willing to pay for them, the companies have to earn their money via other means (i.e. selling the data they collect to those who deem it of high value). And then of course there are all those "Greater good's" which justify violating privacy, such as finding and removing malware, catching child-predators, stopping the spread of a dangerous virus, catching terrorists, etc... It may take an economic and social/political revolution of sorts to reclaim privacy.
I knew they changed the default to not show the first 1/8 mile of your activity but that apparently is not done for historical activity. You have to go to Edit Past Activities to change historical data.
It's not only Strava to blame. Jack doesn't really know how his runs ended up on Strava, and he obviously didn't check afterwards. Many sports watch platforms offer the possibility to synchronize activities to other platforms, and that is most likely the way Jack's runs ended up on Strava. So don't just connect accounts without thinking about consequences. And like on every social network you have to do your homework about the privacy settings, especially if things can get shared to the public. And for that leader board thingy, you actually have to set your activity to public to appear on it. How about actually showing the privacy settings and giving recommendations, or doing a video on connecting accounts and sharing data with 3rd party services?
Question for additional exploration - even if a user sets everything to "private" - A) Does the data still get uploaded? B) Does it still get sold to data brokers?
We need an open source revolution. 'Revolution' might be too strong of a word, but you get the idea. We need a new wave of open-source suites and they need to become mainstream.
By default I haven't trusted these fitness or step counter trackers, for the exact reason explained here, as well as not really feeling the need to keep track of anything. I've seen people share their 'step count' or have people ask how much mine is, to which I always reply "I donno, enough."
Hey, I know you said this would be a series probably, but like my privacy is still on the line, what are some privacy respecting fitness trackers that you would recommend? Just a few options.
👍🏻 Nice video. I started using Apple Watch recently for fitness, already keeping privacy in mind, reviewed privacy settings, did not install any 3rd party fitness app on watch or phone. I see what more I can do
Thank you very much Naomi. My iPhone activity app stopped collating my workouts and after failing to reconnect it I also realised it wasn’t that important. After working out I look at my Apple Watch and then move on with my life. My workout log app does only that. It contains the details of each workout.
Mahalo for bringing back a news story to my attention. I was viewing a news story wherein a load of fitness trackers was overlaid on a Google Map of a military installation. I was at the installation in the article! I was there...and I looked around at the people around me. CAH-reepy! No more fitness trackers for me! I wasn't aware that active-duty military were banned from using GPS and fitness trackers. Sounds like a great idea. That article stopped ME from using my Apple Watch and taking along a smartphone. Problem solved(?). Mahalo, Naomi!❤
Interesting, I thought it was private by default. Or maybe I put it on private. I never had the Flyby thing happen to me. I think all features should be turned as private by default. There should be laws for this. But I did not know it was a thing, maybe a new feature. Not used Strava to record in years, just sync to Strava via Trailforks, but it no longer syncs private ride log, only public ones. But the way I have it set up, it's private on Strava until I make it public. But might not bother to import it to Strava, I'm not sure if it still syncs, last time I had to do it manually. I always check anyway. I always ride to a public area and start my public ride from there and end it somewhere public too. So all my rides from and to my home private. I don't use Strava anymore to record. I use Trailforks, as it's a map, maps for multiple types of activities, shows trails can see if it suits the skill level, Strava is just a fitness tracker with social aspect. 4:00 Great news they did. The thing I like about Trailforks when it comes to privacy is there's a toggle thing I click to make it public if I want to. But Strava does this too. At least it did. I think. But that does not matter if all other features have to be turned on or off separately somewhere in the profile.
I'd love to have my sports watch synchronise its data to a local database and do all processing locally, but that's not likely to happen soon. Even though I've paid quite a bit of money for the hardware, it's probably also not enough to cover the cost of storing and hosting this data. I'm sure it's being shared no matter what I choose.
This is why I don’t touch those apps or products at all. It’s better to just load a map, figure out how far things are, and then use that as a basis for estimating other distances. You can also use time and speed to figure out distance, again by approximation. Exercise your brain too!
"If you didn't pay for the product, you are the product." Considering how much Garmin charges for their fitness watches, I'm hopeful that they don't have to resort to selling user data for profits.
Good on Jack for being so honest about an instance of surprisingly bad opsec. Anybody can be duped, even experts, although I'll speculate Jack is pretending here. [edit: ... for good communication reasons.]
Fitness trackers are one of the most dystopian apps that exist. Indiscriminately sharing our biometric data is a one way ticket to the Orwell train. I have never, and will never use these tools. Studies also suggest that they lead to anxiety, body dysmorphia and obsessive behavior. Hard pass for me.