From the BBC: “Online fitness tracker Strava has published a "heatmap" showing the paths its users log as they run or cycle. It appears to show the structure of foreign military bases in countries including Syria and Afghanistan as soldiers move around them. The US military was examining the heatmap, a spokesman said.”
What are your thoughts about the implications of users at your organization sharing so much data with third parties?
What are the implications/responsibilities for vendors collecting all this data (even if anonymous) and sharing it for promotional purposes (or any reason at all)?
I see some people are saying there's not much to look at here. Just make sure your privacy settings are set correctly and randomize your GPS, etc and you will be fine. The problem is that most devices are configured to not have the privacy settings turned on out of the box and make the onus on the user to properly configure them. Most people don't. It's human nature. Secondly, assumptions are being made that if you set the privacy settings correctly that NO information is being transmitted. Have you run Wireshark and then connected your fitness device and checked and verified this is true? Most people probably won't go through that level of verifying that the device is not transmitting any information.
Even if you do that, have we all not seen updates that accidentally reset privacy settings? Other areas of a lack of security that would allow an attacker access and then they could reset or make changes to the privacy settings. How many people go back and recheck the settings once they did it the first time.'
Lastly, if an attacker can get any information about you it has value. The point of this article was not that we were giving away national Top Secret data, although we could have been, but that we were giving away data that could be useful to an adversary.
Surely, this is a case, of applying technology for one purposes, and then by default finding other uses of it. If we don't apply "Privacy by Design" at the outset and look at the implications from a different perspective. It could be quite interesting, from a lawyers perspective. Wasn't it a Council in London, a few years back, which implemented WiFi enabled rubbish bins. Which attracted a lot of mobile phones users running around with their WiFi enabled, so they collected the information and then sold it.
What are the implications, from a GDPR perspective? The ramifications have not been fully tested, but they will be tested in a few short months. We need to take more responsibility and look more holistically at the what and how we deploying technology and whether they have aspects, we just did not determine would happen or be abused.
Take for example, the Australian Privacy Commissioner next month has introduced Mandatory Breach Notification, with some hefty fines for those organisations or individuals who do not fully think about the design implications.