In what sense can Strava be a danger to heads of state?

Recently, Le Monde published investigations on the use of Strava by the bodyguards of several prominent heads of state, highlighting how the service can potentially pose a security threat. The app is very popular among running enthusiasts: with Strava – which now has 125 million users worldwide – people can track their workouts (on foot or by bike), including the route followed and the duration, and share them with other members. Le Monde demonstrated that with a simple search on the platform – which has a large section similar to a social network – it was possible to locate the public profiles of some security members of Macron, Biden, Trump, and Putin. By monitoring their activities on Strava, the French newspaper managed to obtain particularly sensitive information, such as the places where these heads of state were staying during specific official trips abroad. To discover this, it was sufficient to analyze the workouts of some of their bodyguards, who usually arrive on site a few days earlier for a reconnaissance and to secure the area. Examining the workout routes recorded on Strava, it was possible, for example, to notice that the start and end points matched the location of the hotel where the leader would eventually stay. To understand the sensitivity of this information, it’s enough to know that Le Monde – simply by cross-referencing some data, including those obtained from Strava – managed to identify the exact location where Macron, during a diplomatic visit to Lithuania in 2020, met Svetlana Tikhanovskaya, the exiled leader of the Belarusian opposition.

The French newspaper also claims that finding the public profiles of many of Joe Biden and Donald Trump's bodyguards was relatively easy. It was enough to analyze the open profiles of people who, between 2017 and 2024, had run near the Secret Service training center, the agency responsible for protecting presidents and former presidents, located in the suburbs of Washington. Of the approximately 150 Strava users active in that area, over 20 public profiles reported movements that matched the locations where the individual presidents had made official visits. Using this same method, journalists at Le Monde even managed to identify in advance the location – kept secret until the last minute – where Putin met North Korean dictator Kim Jong Un in September 2023. Some years ago, another investigation – conducted by the magazine Mediapart – showed how Strava was used by at least 200 members of the French special forces, who regularly recorded their workouts during overseas missions.

The time Strava revealed the location of numerous military bases

But this isn’t the first time Strava has been considered a security problem: in 2018, for example, the app published an early version of its famous “Global Heatmap”, where the roads most frequented by members are displayed and highlighted. Viewed as a whole, the map is still extremely bright in Europe and the United States, where sports trackers are increasingly common. In densely populated areas, where Strava is widely used, the routes stand out significantly, while in desert areas, for example, the opposite occurs. In the 2018 version of the “Global Heatmap,” it was the same, except in some areas. Unintentionally, Strava ended up revealing the location of dozens of military bases worldwide. Shortly after the map's release, an Australian student noticed that, for example, in the Syrian desert, some routes appeared repeatedly: in theory, such remote and inhospitable areas should have been empty. Instead, they were soldiers stationed at a U.S. military base, and by observing the workout routes, it was even possible to deduce the internal layout of the facility. Subsequently, such discoveries became numerous and varied, until Strava took measures. The problem was not necessarily related to identifying military bases – as intelligence agencies are often aware of their locations – but rather the ability to observe the routes soldiers followed most frequently. These data could be used to conduct targeted attacks or to reconstruct activities occurring within a base prior to an assault.