I am not an active Strava user but from what I've read the company engaged in some dark UX patterns that made it really confusing (unclear if purposefully confusing) to understand what you were sharing. The most egregious sound like the privacy setting on native mobile are more limited than on web , which is a problem considering how many users probably ever only use the app on mobile.
I'm a quasi-active user and never realized my updates were public beyond the people who followed me. It has absolutely no UI indicating it the way, e.g. Facebook does, and does not show me any activity of people whom I do not follow.
Updates are effectively public because once they're collected by a third-party and / or shared with anyone, it's now out of your control. But my understanding (in which I'm not certain) is that the controversy is the heatmap feature, and that your name wouldn't show up in this proof-of-concept attack unless you had opted into that specific feature.
I'm assuming you're looking from another browser, in which case if you are logged out you cannot. However I, a random logged in strava user, can see at least some of your activities (Last Sept 3)
That is easy to change, but again there is the opt-int vs opt-out discussion.
I use it, and it's really clear you're sharing your location, speed, and heartrate data with Strava and other users. There is a Facebook-like newsfeed that shows where your friends have been working out. You can see who else runs your routes and how fast they are. Sharing this data is really the purpose of the app.
If you purposely disengaged from this social part of the app and were trying to use it as a simple stopwatch and mileage logger then uploading data may seem weird. But that's not the clearly intended purpose of the app.
Yes, but you probably don't represent the average Strava user. Clearly there are many who are sharing publicly who don't realize it for some reason. Design, IMO, is part of the reason.
Strava overtly markets itself as a social network. It doesn't open with, "use me - I'm an app to help you track your workout plan", it opens with, "use me - I'll share your workouts with your friends." The sharing of data is the primary feature and it's right there in the title of their website. If you use the app and think sharing is an anti-pattern, I'm concerned about your presence near nuclear weapons for reasons other than privacy.
The app makes it pretty obvious and easy to control whether your profile is private or public, and if it's public, you can easily hide any activity. They've even got a "privacy screen" feature where you can set a geofence, and activities that start or end within the geofence are automatically made private.
And in some respects, it's far more practical for a company to adopt commonsense policies of not sharing locations publicly by default in war zones than for everyone active in that area to audit all their staff's smartphones; possibly the military have the resources and responsibility to do this but aid agencies don't.
(it's also very much in their interests not to have "delete Strava" as the first recommendation given to anyone starting a sensitive job)
You’re not supposed to be using a device which logs and beams your GPS coördinates when deployed. The fact that this is widespread means superiors failed to communicate and enforce some very basic rules.
This also reveals dead-zones where people aren't feeding Strava data. So it is possible to look for the lack of data as well. (Remember the possible CIA site, it has a line around the border, but nothing inside it, because no electronics allowed inside...)
The down votes I got on this are interesting... I was simply saying they are a victim of their own success, and this is usually a Good Thing in business.
Earlier this week when this broke I thought it was merely a curious funny coincidence.
I was later walking the dogs with my wife when she told me her mother was shocked that Strava was giving away the location of military bases. This was when I first became aware of Strava as a controversy.
So crazy how uninformed a populace can be. How is it Stravas fault that people use their software? If I logged onto Facebook and posted th location of a secret military base would it be Facebooks fault that I posted it?
Anyway, I have been an almost daily user of Strava for years- it's the best at what it does.
> Strava was giving away the location of military bases
I'm not sure how to evaluate the risk here.
I'm sure the location of these bases are already known by other governments through various other means. But maybe they can gather some insight into the level of activity at a base, particularly if they monitor strava data over time.
OTOH, this info might be interesting to low-level adversaries (terrorists, ...) to find "weaker bases" which might be easier to attack.
I don't think the danger is in the presence or even size of the base, because as you say other governments are probably already aware of most of them, and you can get a sense of the activity level through simple direct surveillance anyway.
The big threat I see here is the names. Want to infiltrate a base? Get the name of someone who has access to the areas you want, find them on Facebook, get pictures of their family and children, learn about their habits, and <creativity>use that information</creativity> and now you've infiltrated the base.
You’ll be surprised by how many bases are unknown, or that their current status is unknown as the activity level changes all the time and most armies have “temporary” and permanent bases and unless were talking about FOBs in a war zone the temporary part refers more to when and how well they are manned rather than the temporary nature of the base infrastructure.
Units shift bases all the time for various reason from simple rotation to specific operational needs.
This is a huge leak since it provides you a source for both collaborating intelligence you already have and gaining new intelligence.
Names of individual people might not be nearly as important especially for other nation states but through this data not only that the location is revealed but also the level of activity and through the personal information what is more valuable as far as intelligence goes who is deployed and here we aren’t talking about individuals but rather units.
This is huge, the level of activity in the base increases? Likely an influx of personnel which means that you’ve shifted your operational envelope to this area.
2 new support units and a SAR airwing we’re deployed to a base? Looks like some special operation is cooking.
Looks like a lot of army nerds are being deployed to this base might be setting up a SIGINT operation....
Heck the activity level alone is invaluable since it provide you with a signal which allows you to direct other sources of intelligence collection to a base that might otherwise would not have been noticed.
I can tell you that during specific operations when we would work out of hours or there would’ve be an increase in personnel an order would go out that would prohibit people from parking their car overnight and other controls would be set in place so no unusual activity that can be easily remotely picked up would be noticed.
On a non state actor level this as things like on the level of AQAP for example then the routines that can be gathered from the activity are more important, you know when people get up when they run and hitting a large group of soldiers on their morning run might be a juicy target.
How are you so comfortable that the idea that information should just be shared willy-nilly?
That no human has to step in and check and maybe sometimes go, hmm, that's actually not a good idea to do that.
Computers are super-stupid, literal automatons being allowed to do whatever because Silicon Valley makes more money if it doesn't have to curate anything.
Normal humans expect computers to be a bit like humans. Have some common sense. Not have a god view. Forget stuff that happened 5 years ago, or at least be pretty hazy about it. Definitely not remember stuff from 20 years ago. Not, and this is totally crazy I know, record every voice search you've ever done in some creepy vault somewhere where it's used to sell you shit. Not be able to track you every movement from the time you leave your work, to when you go sleep with your bit-on-the-side, to where you go buy your drugs, to when you go back to your boyfriend.
We know they're not. Normal people don't, or at least haven't really thought the consequences through.
I find your view more disturbing and odd than your in-law's.
> How are you so comfortable that the idea that information should just be shared willy-nilly?
It actually is a feature. The problem is that not every feature is for everyone. When you are working in a security sensitive environment (or just like to have your privacy), you should be aware of risks and act accordingly.
> Normal humans expect computers to be a bit like humans.
This is about product design, not computer or software architecture.
The one lesson "normal humans" (whatever that means to you) should learn is that every bit of data can help to identify them.
> When you are working in a security sensitive environment
Transferring this burden to the individual could very well lead, quickly, to no one wanting to take sensitive positions. Which would be a societal catastrophe of epic proportions.
The software here(strava) makes it incredibly easy to not share any information at all. The entire point of the application is to track and share fitness activities and I have chosen very deliberately to use it to do so. You have no idea what else i choose to share aside from my fitness activities.
How do you propose that Strava (or any other company) muster the manpower required to review all outputs of all automated data? This is the entire globe we're talking about. And, in this instance, where the concern might be over classified information, how is a trained human supposed to even recognize that the information should be classified by one of the hundreds of national governments out there?
It's not unreasonable to expect people who are using a product to take some responsibility for their own use of it. Strava is expressly designed to use your location, and that is obvious due to the nature of the app, and the fact that it requires the location on the device to be turned on.
A key part of her argument is normal people can't be expected to understand what the privacy risk is of running something like Strava. Particularly if the risk isn't so much to individual privacy but rather in aggregate.
While the general point is true, she actually publicly changed her mind about Strava in particular (which is amazing, all respect to her, no one does this in heated public debate.)
Well I think the heatmap is the best thing from strava. I wish it was embedded/viewable in the strava ios app to to browse running routes - particularly when I'm in a new place. I've also discovered a load of footpaths near me just by browsing it on the website.
Blaming strava is absurd. I am a strava user and privacy setting on all my runs by default is that routes are hidden. I have to manually go and edit the run to make it visible to public. As long as strava used the data available publicly I don't see as their fault. It is ridiculous to blame them. I find the privacy setting on strava clearer than any other social network but if military personnel for the sake of vanity end up posting their run publicly then there is anything strava can do. Even without the routes data released by strava, I can simply hover over iraq or Syria and see the running or cycling routes. This feature actually has been of great use to me while traveling.
Histeria is great for getting eye balls to your content. The newspapers are running with it. I also don't see how it's Strava's fault or even that serious (these places are far from secret with all the satellites nowadays).
As a Strava user, I have to agree with you here and just say that a lot of the outrage seems to come from people that never used the service. I’ve been using Strava for a couple of years already, and I must say that they are one of the most privacy concerned services out there. At one point I was getting annoyed already at them constantly publishing tips on how to change your privacy settings to stay secure and to make sure that others can’t find out your location and that you know the implications of all the new features that they pushed forward (like flybys, home/starting point and others).
What I find absurd here is the fact that people working in the military or other privacy sensitive fields would actually use a public social network to constantly publish updates on your activities and your precise location. I’m just a random guy that runs and bikes and still don’t let my activities public or only share some with friends. I still find it weird to blame Strava here for something that is so obvious. No matter what platform you use, be it you personal site, Facebook or others, you just don’t share certain things when you know you work in a certain environment.
What I've yet to see is anyone commenting on how secret these "secret" military bases really are. I have a feeling, based on the amount of attention this is getting in mainstream media, that the militaries involved aren't too concerned. Also, any nation state with access to satellite intel presumably already knows about all of these.
So if "secret" means "not listed on Wikipedia", I'm afraid only more arguments in favor of surveillance will come of this.
The problem doesn't begin, nor end at identifying military bases. There's a much a larger problem going on here where individuals' privacy is being waved around for what amounts to PR.
By PR, are you referring to the media publicizing this for dramatic effect, or Strava implementing social features? There are lots of shady ways companies try to go viral, but given how much individuals clearly want to share this data, I'm not sure blaming Strava for facilitating that sharing is very fair or accurate.
I don't think they're publicizing this for dramatic effect - just that they are painfully careless with the data that they keep. Whether the tools are useful and whether people want to use them carelessly isn't the point. A bit (a lot) more discretion would be appreciated from Strava.
As far as I'm concerned, this is an industry norm, so my problem isn't so much with Strava, but the dangerous cultures that surround massive data collection operations.
Disclaimer: I work in adtech. Opinions are my own.
> any nation state with access to satellite intel presumably already knows about all of these
Not every enemy is a nation state with satellite capabilities. And not every satellite system can so extensively map e.g. patrol routes. This is a glaring opsec failure by the U.S. military.
If anyone from Strava is watching this thread - is there any way to delete a user's information from these heat maps? I ask, because I'm not seeing anything in any of the suggested links. If so, how can I request my own records be completely deleted?
Not a strava employee, but under https://www.strava.com/settings/privacy There is a setting to disable your activity data from being incorporated into the heatmaps, which I would assume (hopefully) is retroactive at some point - not sure how frequently those maps are regenerated
I find it interesting that a lot of people seem to feel that this isn't Strava's fault, but the fault of the users who didn't manage their privacy settings correctly. Having done a lot recently related to GDPR in the EU I've been coming around to the way of thinking that has influenced this law.
We as technologists need to start taking some responsibility for our users privacy. Firstly, just because you can collect the data doesn't mean you should. There is this general idea that we should collect and store as much data as we can, just in case we can find a use for it. The problem is that firstly even if we claim to be only using/exposing 'anonymised' data, as this Strava situation shows, it is very hard to truly anonymise data. Secondly, the raw data is still stored somewhere and in the event of a data breach it doesn't matter what a users privacy setting was if you were still collecting and storing the data.
So if you want to start a new social network site to allow people to publicly share fitness information and routes used by runners, swimmers and cyclists, how would you go about it that would be different from what Strava already does?
Strava doesn't collect the data because it can, it's doing so because that's the service it provides. This isn't a case of installing some generic Messenger app and discovering that it also collects and sends to their servers the list of local wifi networks (for which there may be a valid technical reason but it would otherwise be surprising as it's removed from the main objective which is to send messages), it's more like installing a forum app and discovering that your post on the forums can be read by anyone else that accesses the same forum... I get that not all people have the same understanding of how an Internet forum works but that doesn't mean that it's always the website's fault here.
I see a lot of people talking about how it is unfair to blame Strava for this.
That is BS. When you make anonymized data available publicly, you ABSOLUTELY bear a responsibility to making sure that your
anonymized data is actually anonymous.
> However, we learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations.
Strava absolutely needs to be held to account for not filtering out anonymous data from regions that don't have other activity density. This should be a legal responsibility .(Currently I think the FTC can bring legal action for violating a privacy policy, but this is the only legal enforcement route?)
Strava also has a ethical responsibility to block data from sensitive area (such as military bases).
> Strava also has a ethical responsibility to block data from sensitive area (such as military bases).
How are they supposed to know if they're displaying data for a secret base if the information to determine it actually is secret is, umm...secret?
I blame the joes -- they should know better than to share their location data because it's not a good idea for countless reasons. Back when I was deployed with the 82nd Airborne such a thing would be inconceivable.
> How are they supposed to know if they're displaying data for a secret base if the information to determine it actually is secret is, umm...secret?
This isn't about hiding secret bases, censoring a region from the data they release will obviously leave a blind spot. This is about not exposing the activity data of sensitive regions.
I wasn't aware that people were blaming Strava for this. I think it's pretty clear that the purpose of strava as a social network for runners is to share your run data with others, or at least to benefit from others data. I'd need these answers before I could judge how culpable they are:
1) Does Strava present the user with privacy settings and properly explain what they do? (i.e. they don't have to dig in settings to even know that they exist)
2) Is data set to 'private' omitted from anonymized aggregate statistics like the heatmap?
If the answer to both is 'yes', then I don't understand what the fuss is about.
Stravas main objective is to share information about workouts by tracking where you have been between you start and stop the workout, how could they do that without collecting the route for the workout? The users select when to start and stop the tracking.
I like privacy and think GDPR could clean up some of the mess online, but I don't even see that this tracking done by Strava is in any conflict with the law
I love using the heatmap tool especially the one that shows the differences from 1 year to the next. As a MTB'er, I see the routes that people stop using because of downed trees and other obstacles. Helps prioritize where trail cleaning must be done.
The main selling point for Strava when it was introduced was to share the information to compete with any other person also using Strava. When first setting it up, at least when I did it years ago, is to set a privacy sector for which areas to not upload detailed route for. So in this case I would say it is the users fault to not understand that areas not set to private will be public available when you select to share your workout. The public available data to compete with others and the large userbase is the one reason to use Strava instead of any other fitness tracker
I’m on team Blame Strava. When you have an obvious comprehension failure by large numbers of users, it’s a UX design bug. Don’t blame the users.
It’s pretty clear why in this case. The privacy settings are overcomplicated and misleading. It’s not intuitive at all that turning on “enhanced privacy” still includes you in route leaderboards and the heatmap, which you might not even know is a thing. This was bad design.
I'd go one step further, and blame our growth obsessed startup culture. So many incentives to get people to share so a product can go "viral". Strava has a number of anti-patterns that make it difficult to do what you want with the app, rather than what they want you to do. (Share! Tell your friends! Brag about how fast you just ran this! Compare yourself to others!)
I think this news-event and some of the struggles Facebook has are highly similar (they're experiencing the pullback after years of inducing users to help them game their numbers).
I don't blame strava for this incident because it's obvious that your information is being sent to them and there must be some onus on users, maybe there should even be some pain until the message sinks in.
What isn't obvious is if they are retaining the information or who they are sharing it with, etc. For my non-social uses there is no reason that the data really needs to leave my phone but it does anyway. We need much better consumer laws here and these things need to be made obvious and with explicit permission given by the user for each step.
In any case, I've found tech like this is more of a distraction and offers no real value. I'm a lot happier now that I've deleted strava, stopped using fitbit, removed my bike computer and gone back to basics. It feels like I can just go for a bike ride again without having to start recording and analyze all the feedback. It's like that feeling when you throw out all those kitchen gadgets you never used.
65 comments
[ 2.6 ms ] story [ 132 ms ] thread"Sorry we have SO MANY users that it shows the location of, well, everything."
The military, CIA should have a clear policy to disable all location services, on all devices at all times.
If you're not supposed to be somewhere and you go for a run on Strava, it's pretty much your fault.
Doesn't look like they're actually public, though? https://www.strava.com/athletes/22230419
That is easy to change, but again there is the opt-int vs opt-out discussion.
If you purposely disengaged from this social part of the app and were trying to use it as a simple stopwatch and mileage logger then uploading data may seem weird. But that's not the clearly intended purpose of the app.
The app makes it pretty obvious and easy to control whether your profile is private or public, and if it's public, you can easily hide any activity. They've even got a "privacy screen" feature where you can set a geofence, and activities that start or end within the geofence are automatically made private.
(it's also very much in their interests not to have "delete Strava" as the first recommendation given to anyone starting a sensitive job)
You’re not supposed to be using a device which logs and beams your GPS coördinates when deployed. The fact that this is widespread means superiors failed to communicate and enforce some very basic rules.
I was later walking the dogs with my wife when she told me her mother was shocked that Strava was giving away the location of military bases. This was when I first became aware of Strava as a controversy.
So crazy how uninformed a populace can be. How is it Stravas fault that people use their software? If I logged onto Facebook and posted th location of a secret military base would it be Facebooks fault that I posted it?
Anyway, I have been an almost daily user of Strava for years- it's the best at what it does.
I'm not sure how to evaluate the risk here.
I'm sure the location of these bases are already known by other governments through various other means. But maybe they can gather some insight into the level of activity at a base, particularly if they monitor strava data over time.
OTOH, this info might be interesting to low-level adversaries (terrorists, ...) to find "weaker bases" which might be easier to attack.
Anybody informed can comment on the actual risks?
The big threat I see here is the names. Want to infiltrate a base? Get the name of someone who has access to the areas you want, find them on Facebook, get pictures of their family and children, learn about their habits, and <creativity>use that information</creativity> and now you've infiltrated the base.
Units shift bases all the time for various reason from simple rotation to specific operational needs.
This is a huge leak since it provides you a source for both collaborating intelligence you already have and gaining new intelligence.
Names of individual people might not be nearly as important especially for other nation states but through this data not only that the location is revealed but also the level of activity and through the personal information what is more valuable as far as intelligence goes who is deployed and here we aren’t talking about individuals but rather units.
This is huge, the level of activity in the base increases? Likely an influx of personnel which means that you’ve shifted your operational envelope to this area.
2 new support units and a SAR airwing we’re deployed to a base? Looks like some special operation is cooking.
Looks like a lot of army nerds are being deployed to this base might be setting up a SIGINT operation....
Heck the activity level alone is invaluable since it provide you with a signal which allows you to direct other sources of intelligence collection to a base that might otherwise would not have been noticed.
I can tell you that during specific operations when we would work out of hours or there would’ve be an increase in personnel an order would go out that would prohibit people from parking their car overnight and other controls would be set in place so no unusual activity that can be easily remotely picked up would be noticed.
On a non state actor level this as things like on the level of AQAP for example then the routines that can be gathered from the activity are more important, you know when people get up when they run and hitting a large group of soldiers on their morning run might be a juicy target.
Fortunately as a member of the elite RAF Regiment he was able to escape. That’s what they learn on the Five Miles Of Death.
That no human has to step in and check and maybe sometimes go, hmm, that's actually not a good idea to do that.
Computers are super-stupid, literal automatons being allowed to do whatever because Silicon Valley makes more money if it doesn't have to curate anything.
Normal humans expect computers to be a bit like humans. Have some common sense. Not have a god view. Forget stuff that happened 5 years ago, or at least be pretty hazy about it. Definitely not remember stuff from 20 years ago. Not, and this is totally crazy I know, record every voice search you've ever done in some creepy vault somewhere where it's used to sell you shit. Not be able to track you every movement from the time you leave your work, to when you go sleep with your bit-on-the-side, to where you go buy your drugs, to when you go back to your boyfriend.
We know they're not. Normal people don't, or at least haven't really thought the consequences through.
I find your view more disturbing and odd than your in-law's.
It actually is a feature. The problem is that not every feature is for everyone. When you are working in a security sensitive environment (or just like to have your privacy), you should be aware of risks and act accordingly.
> Normal humans expect computers to be a bit like humans.
This is about product design, not computer or software architecture.
The one lesson "normal humans" (whatever that means to you) should learn is that every bit of data can help to identify them.
Transferring this burden to the individual could very well lead, quickly, to no one wanting to take sensitive positions. Which would be a societal catastrophe of epic proportions.
A key part of her argument is normal people can't be expected to understand what the privacy risk is of running something like Strava. Particularly if the risk isn't so much to individual privacy but rather in aggregate.
https://twitter.com/zeynep/status/958702722232012801
What I find absurd here is the fact that people working in the military or other privacy sensitive fields would actually use a public social network to constantly publish updates on your activities and your precise location. I’m just a random guy that runs and bikes and still don’t let my activities public or only share some with friends. I still find it weird to blame Strava here for something that is so obvious. No matter what platform you use, be it you personal site, Facebook or others, you just don’t share certain things when you know you work in a certain environment.
So if "secret" means "not listed on Wikipedia", I'm afraid only more arguments in favor of surveillance will come of this.
As far as I'm concerned, this is an industry norm, so my problem isn't so much with Strava, but the dangerous cultures that surround massive data collection operations.
Disclaimer: I work in adtech. Opinions are my own.
Not every enemy is a nation state with satellite capabilities. And not every satellite system can so extensively map e.g. patrol routes. This is a glaring opsec failure by the U.S. military.
https://www.military.com/defensetech/2012/03/15/insurgents-u...
* sees collected data *
Smartphone user: "How did they do this to me"
We as technologists need to start taking some responsibility for our users privacy. Firstly, just because you can collect the data doesn't mean you should. There is this general idea that we should collect and store as much data as we can, just in case we can find a use for it. The problem is that firstly even if we claim to be only using/exposing 'anonymised' data, as this Strava situation shows, it is very hard to truly anonymise data. Secondly, the raw data is still stored somewhere and in the event of a data breach it doesn't matter what a users privacy setting was if you were still collecting and storing the data.
Strava doesn't collect the data because it can, it's doing so because that's the service it provides. This isn't a case of installing some generic Messenger app and discovering that it also collects and sends to their servers the list of local wifi networks (for which there may be a valid technical reason but it would otherwise be surprising as it's removed from the main objective which is to send messages), it's more like installing a forum app and discovering that your post on the forums can be read by anyone else that accesses the same forum... I get that not all people have the same understanding of how an Internet forum works but that doesn't mean that it's always the website's fault here.
That is BS. When you make anonymized data available publicly, you ABSOLUTELY bear a responsibility to making sure that your anonymized data is actually anonymous.
> However, we learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations.
Strava absolutely needs to be held to account for not filtering out anonymous data from regions that don't have other activity density. This should be a legal responsibility .(Currently I think the FTC can bring legal action for violating a privacy policy, but this is the only legal enforcement route?)
Strava also has a ethical responsibility to block data from sensitive area (such as military bases).
How are they supposed to know if they're displaying data for a secret base if the information to determine it actually is secret is, umm...secret?
I blame the joes -- they should know better than to share their location data because it's not a good idea for countless reasons. Back when I was deployed with the 82nd Airborne such a thing would be inconceivable.
This isn't about hiding secret bases, censoring a region from the data they release will obviously leave a blind spot. This is about not exposing the activity data of sensitive regions.
We get OpSec briefing shoved down our throats down so much that im putting this one on the DoD and the base's risk management policy.
Guys srsly wth
1) Does Strava present the user with privacy settings and properly explain what they do? (i.e. they don't have to dig in settings to even know that they exist)
2) Is data set to 'private' omitted from anonymized aggregate statistics like the heatmap?
If the answer to both is 'yes', then I don't understand what the fuss is about.
I like privacy and think GDPR could clean up some of the mess online, but I don't even see that this tracking done by Strava is in any conflict with the law
If so, then I completely blame them for this. If not, then this is clearly a user error.
It’s pretty clear why in this case. The privacy settings are overcomplicated and misleading. It’s not intuitive at all that turning on “enhanced privacy” still includes you in route leaderboards and the heatmap, which you might not even know is a thing. This was bad design.
I think this news-event and some of the struggles Facebook has are highly similar (they're experiencing the pullback after years of inducing users to help them game their numbers).
What isn't obvious is if they are retaining the information or who they are sharing it with, etc. For my non-social uses there is no reason that the data really needs to leave my phone but it does anyway. We need much better consumer laws here and these things need to be made obvious and with explicit permission given by the user for each step.
In any case, I've found tech like this is more of a distraction and offers no real value. I'm a lot happier now that I've deleted strava, stopped using fitbit, removed my bike computer and gone back to basics. It feels like I can just go for a bike ride again without having to start recording and analyze all the feedback. It's like that feeling when you throw out all those kitchen gadgets you never used.