Opt-Out Fitness Data Sharing Leads To Massive Military Locations Leak

People who exercise with fitness trackers end up with a digital record of their workouts. They do it for a wide range of reasons, from gathering serious medical data to simply satisfying curiosity. When that data includes GPS coordinates, personal privacy is the obvious concern. But even with individual identities stripped out, the aggregated data turned out to be informative enough to spill the beans on secretive facilities around the world.

Strava is a fitness tracking service that gathers data from several different brands of fitness tracker — think Fitbit. It gives athletes a social media experience built around their fitness data: they can track progress against personal goals and challenge friends to keep each other fit. As you'd expect of a company handling personal data, Strava's privacy policy promises to keep that data private. The same policy also reserves the right to use data shared by users in an “aggregated and de-identified” form, a common practice for social media companies. One such use was to plot the GPS data of all their users in a global heatmap. These visualizations draw on over 6 trillion data points and can be compiled into a fascinating gallery, but there’s a downside.
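To get a feel for what “aggregated and de-identified” means in practice, here is a toy sketch (our own illustration, not Strava’s actual pipeline — the function name and grid size are made up) of how GPS fixes from many users can be binned into a heatmap grid with no user IDs attached:

```python
from collections import Counter

def aggregate_heatmap(points, cell_size=0.001):
    """Toy illustration of aggregated, de-identified heatmapping:
    GPS fixes from all users are binned into grid cells, so only the
    activity count per cell survives -- no user IDs, no individual tracks.
    (Our own sketch, not Strava's actual pipeline.)
    """
    heat = Counter()
    for lat, lon in points:
        cell = (round(lat / cell_size), round(lon / cell_size))
        heat[cell] += 1
    return heat

# Even with no names attached, a cluster of hot cells in the middle of
# an otherwise empty patch of desert is itself revealing.
sample = [(34.12345, 65.54321), (34.12347, 65.54319), (34.12344, 65.54322)]
print(aggregate_heatmap(sample))
```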

This past weekend, [Nathan Ruser] announced on Twitter that Strava’s heatmap also managed to highlight exercise activity by military/intelligence personnel around the world, including some suspected but unannounced facilities. More worryingly, some of the mapped paths imply patrol and supply routes, knowledge that security officers would rather not share with the entire world.

This is an extraordinary blunder that very succinctly illustrates a folly of the Internet of Things. Strava’s anonymized data sharing obfuscated individuals, but didn’t manage to do the same for groups of individuals… like the fitness-minded active-duty military personnel whose workout habits are clearly defined on these heatmaps. The biggest contributor to this situation (besides wearing a tracking device in the first place) is that the data sharing is enabled by default and users must opt out:

“You can opt-out of contributing your anonymized public activity data to Strava Metro and the Heatmap by unchecking the box in this section.” —Strava Blog, July 2017

We’ve seen individual fitness trackers hacked and we’ve seen people tracked through controlled domains before, but the global scope of [Nathan]’s discovery puts it in an entirely different class.

[via Washington Post]

Trailblazing Artisans Of Road Building

A lot of us take roads for granted, at least until they are icy or torn up by construction. The concept of creating fixed paths seems to be in our firmware. Finding the shortest distance to food or water and marking a trail to it from home base has always been its own reward.

Roads have come a long way from the simple paths beaten by man and beast. But the basic configuration of paved roads hasn’t changed all that much since the Roman empire. Whatever they’re made of, they need to be able to drain water and support heavy loads.

New issues arose as modes of transportation shifted in favor of the automobile. Road surfaces needed to provide friction against tires. But how did we get from the stone-paved roads of Rome to the asphalt and concrete roads of today?

Continue reading “Trailblazing Artisans Of Road Building”

How Hacker News Page Rankings Really Work

Page rankings are the secret sauce of websites that automatically aggregate user submissions. The basic formula used by Hacker News was published a few years back. But there are several pieces of the puzzle that are missing from that specification. [Ken Shirriff] recently published an analysis that digs deeper to expose the article penalization system used by Hacker News’ ranking engine.

One might assume that user up and down votes are what determine a story’s lifespan on the front page, but it turns out that a complex penalization system makes a huge difference. It takes into account keywords and domain names, and it also weighs controversy. It’s a bit amusing to note that this article on the topic was itself penalized, knocking it off of the front page.
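For reference, the commonly cited form of the published base formula uses the story’s points and age, with penalties acting as a multiplier on the result. The sketch below is our reading of that formula, not an official specification — the constants and the way the penalty is folded in are assumptions:

```python
def rank_score(points, age_hours, penalty=1.0, gravity=1.8):
    """Sketch of the commonly cited Hacker News ranking formula.

    points:    upvotes the story has received
    age_hours: hours since submission
    penalty:   multiplier applied by the (unpublished) penalization
               system; 1.0 means no penalty
    """
    return ((points - 1) ** 0.8 / (age_hours + 2) ** gravity) * penalty

if __name__ == "__main__":
    print(rank_score(100, 2))               # unpenalized story
    print(rank_score(100, 2, penalty=0.2))  # same story after a heavy penalty
```

Because the penalty is just a scale factor, even a well-voted story can quietly sink down the rankings without any visible change in its vote count.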

You can get the full details of the system from his post, but we found his investigation methods to be equally interesting. He scraped two pages of the news feed every minute using Python and the Beautiful Soup package (a pretty common scraping practice). This data set allowed him to compare the known algorithm with actual results. What was left was a set of anomalies with enough structure for him to reverse engineer the unpublished formulas being used.
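As a rough illustration of that approach — this is not [Ken]’s actual script, and the URL parameters and CSS class names (`athing`, `titleline`) are assumptions about Hacker News’ markup — a minimal periodic scraper might look something like this:

```python
import time
import requests
from bs4 import BeautifulSoup

def scrape_front_pages(pages=2):
    """Grab the first few Hacker News pages and record rank order and ids."""
    rows = []
    for page in range(1, pages + 1):
        html = requests.get("https://news.ycombinator.com/news",
                            params={"p": page}, timeout=10).text
        soup = BeautifulSoup(html, "html.parser")
        # Each story sits in a <tr class="athing"> carrying its item id
        for rank, tr in enumerate(soup.find_all("tr", class_="athing"), 1):
            title = tr.find("span", class_="titleline")
            rows.append({
                "scraped_at": time.time(),
                "page": page,
                "rank": rank,
                "id": tr.get("id"),
                "title": title.get_text(strip=True) if title else None,
            })
    return rows

if __name__ == "__main__":
    # Repeating this once a minute yields the time series needed to spot
    # stories that fall faster than the known formula predicts.
    for row in scrape_front_pages():
        print(row)
```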