
Apps Like Strava Can Help You Run Better, but Could Put Your Privacy at Risk

Runners love Strava, but is it safe to share your running routes and other stats?

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables

Careful where you put your data. You might be sharing it with more than just your running buddies.


Of all the weird things to come out of COVID-19, I never expected to become a runner. Forget Couch to 5K: In about a year, I went from my couch to my first half marathon and then I ran a couple more.

Too much pandemic sourdough had me feeling a little sluggish. Years living in New York had turned me into a champion walker, but it didn't do much for my fitness. So I did Couch to 5K, then eventually sucked it up and joined a neighborhood running group. 

Not to be cliche, but that was a game-changer for me. I've grown to love my running family. They've been there for me from the start with oodles of practical advice and encouragement, and they've pushed me to do more than I ever thought I could.

I also signed up for the popular fitness app Strava. As I got more into running -- and racing -- I increasingly used Strava to track everything from the location, mileage and elevation of my routes to the data generated by my body, including my heart rate, running pace and a Strava-generated score for overall fitness.

Then there's the social aspect of the app. At first glance, it looks a lot like Facebook. Strava users have profile pages and their run maps and other workouts are posted to a feed. Fellow athletes can see this information and then cheer each other on with "kudos," the same way they'd "like" something on Facebook.

But experts say those similarities to Facebook should give runners pause before handing over their personal information. In addition to subscription fees, users of Strava and other fitness-tracking apps are paying with some of their most personal data.

And that could have some potentially scary effects on both their digital and physical security, especially if they don't take important steps to protect their data. Keep reading for CNET's guide to running safely, online and on the streets.

Who's following you?

As a woman who regularly runs alone on the streets of New York, this is something I think about a lot. Runners, and not just women in big cities, continue to be attacked, assaulted and worse. The thought of my favorite apps and other tech making things easier for the bad guys is alarming.

What's worse is a lot of athletes probably don't even know that their data is out there for others to see and that it's potentially putting them in danger, says Jeff Sizemore, chief governance officer for the data security company Egnyte.

"I hate to say this in the grimmest of ways, but how many pretty girls have been killed running in the mornings?" he asked.

While Sizemore emphasized that he's not blaming those deaths on the use of tracking apps, he says that when you consider the amount of data, especially location data, that the apps collect and share, "the fact remains this is really dangerous stuff we're dealing with."

Sadly, it's up to consumers to look critically at an app's data protection and sharing practices before they start using it, he says. That means being critical of what those apps have done in the past, rather than taking their current promises as guarantees.

Much like the kudos and social focus of Strava, Sizemore says Strava's handling of data security and privacy issues reminds him of Facebook, which he notes has long preferred to pay fines for data privacy violations instead of protecting its users from the start.

"The transparency isn't there and I just don't feel that it's a company that I can trust," he says. "(Like Facebook) they don't proactively protect, they react when people are mad enough."

In a statement to CNET, Strava asserted that it's transparent about its data collecting and sharing practices through its privacy policy, adding that its privacy controls give users several options when it comes to their data.

"We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava," the company said in its statement, adding that those efforts have included the simplification of its privacy policy.

Strava's security and privacy problems have been well documented for years. It came under fire in 2018 after it released a global heatmap showing the activities tracked by its users, and researchers were able to use it to locate secret US military bases.

On a more consumer level, a Strava feature known as "Flybys" has drawn criticism from privacy experts for potentially endangering runners. The feature, which was originally turned on by default, allows Strava users to replay their runs and identify people they passed along the way, as well as where they encountered them. They could even use this feature to identify complete strangers. Strava changed the feature to be off by default in 2020, but you can still opt into it.

On top of that, Strava makes it clear in its privacy policy that, like a lot of other apps do, it sells user information to third parties in an aggregated form, meaning a specific user's data is combined with other people's in an attempt to anonymize it. This is on top of the fact that while the Strava app is technically free, many of the stat-tracking features that draw athletes to it require a subscription that costs $12 a month or $80 a year. 

In its statement, Strava noted that users have the ability to turn off that data sharing by flipping a simple toggle switch, though the sharing is turned on by default. Other privacy boosting options include settings that let you mask the starts and ends of your runs, or hide your maps completely. 

Sizemore, a veteran of the Air Force and still a fitness enthusiast, doesn't use Strava but does use other fitness apps that also collect and share personal information. The trick, he says, is signing up for those apps knowing that your data is going to be collected, sold and probably stolen in a breach, too.

He protects his privacy by not using his real name, or other personal details that could tie the collected data to his identity, as well as opting out of any social parts of the apps that he can. Apple users can also use an iOS feature that lets them hide their email address.

You don't always need tech to be a great runner

Other runners with backgrounds in security go for a more offline approach. Gene Fay, CEO of the cybersecurity company ThreatX, has managed to run 59 marathons, and plans to run more, largely without the help of apps or fitness tech hardware.

He always carries a phone with him for safety reasons, but his Garmin smartwatch, used for help with his golf game instead of runs, is relegated to just letting him know what time it is.

Like many experienced runners, Fay chooses to "run by feel," listening to how his body is handling a given run, whether it be around his neighborhood or part of a competitive race. He does acknowledge that smartwatches can be helpful for beginners looking to make sure they don't overdo it.

An early riser, Fay says he wakes up with a "noisy mind." Running helps him plan his day and figure out exactly what he needs to get done. There's no music or audio books, he says. It's almost like a form of meditation.

"That's why I don't have any technology," Fay says. "I'm not an elitist or a purist. My personal enjoyment of running is about going out running."