E&C Democrats Demand Answers from Strava Following Alarming Reports on Data Security Practices

The following press release was published by the House Committee on Energy and Commerce on Jan. 31, 2018. It is reproduced in full below.

Energy and Commerce Committee Democrats sent a letter to Strava today requesting a briefing on the company’s data and security practices in light of reports that the company has publicly shared personal information that put its users at risk. Security analysts have raised the possibility that Strava’s information sharing may have exposed the identities and locations of personnel at military sites and other sensitive areas. Committee Democrats want to know how Strava decided to publish the heat map, whether it notified consumers that their information would be included, and if Strava is making any changes to its privacy or data security practices in response to the incident.

The letter to Strava was signed by Ranking Member Frank Pallone, Jr. (D-NJ), Digital Commerce and Consumer Protection Ranking Member Jan Schakowsky (D-IL), Oversight and Investigations Ranking Member Diana DeGette (D-CO), Rep. Jerry McNerney (D-CA), Rep. Peter Welch (D-VT), Rep. Ben Ray Luján (D-NM), Rep. Yvette Clarke (D-NY), Rep. Tony Cárdenas (D-CA), and Rep. Debbie Dingell (D-MI).

Strava, a GPS tracking company, collects data from wearable fitness trackers and from its mobile app on users’ workouts, locations, and movements. The information collected is so precise that Strava can determine whether a user is traveling on foot, by bicycle, or in a vehicle. Since November 2017, the company has publicly shared online an interactive heat map of its users’ movements over the past two years. In recent days, news reports have called attention to the various ways this information could jeopardize individuals’ personal safety and U.S. national security.

“The increasing popularity of fitness trackers and other wearable technology has raised serious questions about the types of data they collect and share and the degree to which consumers control their own personal information,” the Democrats wrote in their letter to Strava. “The data these devices collect reveals users’ precise locations, daily activities, and health information. Most consumer technology companies, however, are not required to set baseline privacy standards or ensure that users’ information is secured.”

The Democrats continued, “The Committee on Energy and Commerce has a longstanding interest in the privacy and security of consumers’ personal information, including information collected by wearable technology. We therefore request that Strava provide a briefing to Committee and Member staff.”

During the briefing the Energy and Commerce Democrats are requesting answers to a series of questions, including:

* How did Strava decide to publish the heat map online?

* Was Strava aware that the information in the heat map could be de-anonymized to identify individual users?

* Did Strava take any efforts to mitigate safety risks to its users before publishing the heat map?

* Before the heat map was published in November 2017, were users given any notice that their information would be included?

* What are the default privacy settings for Strava accounts? Was it a default setting to share location information to the global heat map?

* What types of data does Strava provide to third parties? What kinds of entities have access to this data, and what do they use it for?

Source: House Committee on Energy and Commerce