Georgetown Law
Technology Review

At the end of last November, the Supreme Court heard oral arguments in Carpenter v. United States on whether the Fourth Amendment permits the warrantless seizure and search of cellphone records that contain the location and movements of a user over a 127-day period.1Carpenter v. United States, SCOTUSBLOG, http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/ (last visited Feb. 11, 2018). In anticipation of this hearing, the Georgetown Law Technology Review explained how the Court’s ruling could potentially give the government “free rein to search your records and electronic information without a warrant.”2Alan Zorofchian, Supreme Court to Hear Challenge to Warrantless Cell-Site Data Collection by Law Enforcement, GEO. L. TECH. REV. (Nov. 2017), https://georgetownlawtechreview.org/supreme-court-to-hear-challenge-to-warrantless-cell-site-data-collection-by-law-enforcement/GLTR-11-2017/. Exactly which records and electronic information are available to warrantless searches is unclear at this point. However, after a recent incident regarding user privacy at Strava, an online fitness-tracking company, another important question arises: Is the data collected by wearable devices protected by the Fourth Amendment?

Late last month, the New York Times ran an article that highlighted the potential operational security issues with Strava’s online Heatmap, which detailed user activity at sensitive military locations.3Richard Perez-Pena & Matthew Rosenberg, Strava Fitness App Can Reveal Military Sites, Analysts Say, N.Y. TIMES (Jan. 29, 2018), https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html?rref=collection/sectioncollection/technology. Strava, the self-proclaimed “social network for athletes,” is used by “a global community of millions.”4About Us, STRAVA https://www.strava.com/about (last visited Feb. 11, 2018). The fitness tracker and its CEO, James Quarles, have come under fire recently for the way its technology exposes its users to certain privacy risks.

The company recently published an update, allowing bulk activity stream access to their global Heatmap—a visualization of one billion activities—which included over three trillion GPS points detailing its users’ movements.5Drew Robb, The Global Heatmap, Now 6x Hotter, STRAVA (Nov. 1, 2017), https://medium.com/strava-engineering/the-global-heatmap-now-6x-hotter-23fc01d301de. As the tech community examined Strava’s Heatmap, it became pretty clear that fitness routes of members of the U.S. military and intelligence communities were exposing sensitive operating locations in foreign territory.6Violet Blue, Strava’s Fitness Heatmaps Are a ‘Potential Catastrophe’, ENGADGET (Feb. 2, 2018) https://www.engadget.com/2018/02/02/strava-s-fitness-heatmaps-are-a-potential-catastrophe/. Jeffrey Lewis, a nonproliferation expert at Middlebury Institute of International Studies in Monterey, issued a stark warning to Strava:  “it is sitting on a ton of data that most intelligence entities would literally kill to acquire.”7Jeffrey Lewis (@ArmsControlWonk), TWITTER (Jan. 28, 2018, 6:20 PM.) https://twitter.com/ArmsControlWonk/status/957755184876109824.

Despite recent criticism by U.S. Senators,8Bart Jansen, Fitness App Strava Under Fire. Now, Senators Want Answers, USA TODAY (Feb. 14, 2018,  9:03 a.m.), https://www.usatoday.com/story/news/2018/02/14/senators-question-strava-inadvertently-revealing-location-military-war-zones/336389002/. the Heatmap is still up and fully functioning.9Global Heatmap, STRAVA (last visited Feb. 20, 2018), https://labs.strava.com/heatmap/#7.00/-120.90000/38.36000/hot/all. At the time of publishing, it does not appear that any sensitive locations have been scrubbed from the map.10Id. However, Strava has attempted to educate users on potential privacy risks and applicable mitigation methods since last year.11How to Manage Your Privacy on Strava, STRAVA (July 28, 2017) https://blog.strava.com/privacy-14288/, Yet, as technology blog Engadget explains, even though Strava is committed to providing its athletes with proper data controls, many people are simply unaware of what certain apps share with the world.12Rachel England, Strava Will Focus on Privacy Awareness to Address Security Issues, ENGADGET (Jan. 30, 2018) https://www.engadget.com/2018/01/30/strava-will-focus-on-privacy-awareness-to-address-security-issue/.

Strava acknowledges the identifying information that can be shared, such as physical address, gender, age, name, email address, activities, equipment usage, routes (to include geo-location information), and photos.13Strava Privacy Policy, STRAVA (May. 22, 2017) https://www.strava.com/legal/privacy. Strava also cites fundamental privacy principles, and states it won’t share any personal information “with anyone without [user] consent except to comply with the law, develop our products and services, or protect our rights.”14Id. (emphasis added). The company even notes it “may retain information from closed accounts to comply with the law . . . assist with investigations . . . and take other actions permitted by law.”15Id.

Regardless of whether users can opt-out of certain privacy settings, companies like Strava still have access to users’ intimate data. Courts have long permitted certain surveillance practices, finding that individuals do not always have a justified expectation of privacy in information that is shared to a third party. Under this third-party doctrine, law enforcement has been able to bypass the impartial oversight of judges and magistrates issuing search warrants.16Carpenter v. United States, supra note 1.  Beyond cell-site location data, the Supreme Court’s decision in Carpenter may have further-reaching implications—this case has the potential to further refine the third-party doctrine.17Zorofchian, supra note 2. If the Court finds that Carpenter’s Fourth Amendment rights were not violated by the government’s collection of cell-site location data, it could mean that users also have no reasonable expectation of privacy in data voluntarily provided to companies like Strava.

The MIT Technology Review recently made an obvious, yet important, point about digital privacy: since companies like Strava, Twitter, and Facebook promote tracking all aspects of users’ lives and sharing with others, it is important to determine which data should remain private and what is safe to share.18Rachel Metz, Strava’s Privacy PR Nightmare Shows Why You Can’t Trust Social Fitness Apps to Protect Your Data, MIT TECH. REV. (Jan. 29, 2018) https://www.technologyreview.com/s/610090/stravas-privacy-pr-nightmare-shows-why-you-cant-trust-social-fitness-apps-to-protect-your/. Wired, more pointedly, warned readers that “since the data collected on apps like [Strava] is particularly sensitive—including personal information about health and location—it’s worth reviewing the privacy policies for all the fitness apps you regularly use to see how your data might be used.”19Arielle Pardes, How to Manage Your Privacy on Fitness Apps, WIRED (Jan. 30, 2018) https://www.wired.com/story/strava-privacy-settings-how-to/. Depending on the holding in Carpenter, these notices may prove even more pertinent in the very near future.