People who regularly post their workout routes online through fitness apps may be putting their privacy and safety at risk, according to  recently published research about privacy features on fitness-tracking apps.

Tens of millions of users post their running, walking or biking routes online through Strava, a fitness-tracking app, while using a privacy feature they believe would hide their home address. However, their locations could be revealed by a geometry problem so simple a high school freshman could solve it, said Adam Bates, professor in Engineering.

In a recently published paper, Bates and his team found privacy features on fitness-tracking apps like Strava and Garmin Connect that allow users to map and share their workout routes on social media weren’t able to effectively protect user privacy.

The previous privacy features the apps used, called endpoint privacy zones, placed a circle centered around the user’s home address, blotting out activity occurring inside the circle to prevent others from immediately identifying a sensitive address like a home or workplace.

However, because the home address exists at the center of the circle, and radius and points on the boundary of the circle can be seen by other users, Bates said it could be relatively simple to calculate where the hidden starting point was.

The attack algorithm Bates and his team developed and deployed on 21 million public posts on Strava guessed the home addresses of 95 percent of regular users who used the privacy zone feature.

“The start and end points are usually close to where you live or work, and someone with bad intentions can use that information to track your whereabouts,” said Pat Wade, communications director for the University of Illinois Police Department. “I can’t think of any theft or injury specifically related to these apps, but certainly stalking or harassment can be a concern. Stalkers commonly use social media to track the whereabouts of victims.”

Bates said all of the apps his team reached out to ended up implementing his team’s recommendations in some form.

Strava and Garmin Connect now offer a feature where users can generate a circle that’s not centered around the house, so the user’s home address is equally likely to fall anywhere within the privacy circle, making it substantially more difficult to guess where the user’s home is located.

Bates said the attack algorithm his team designed to guess home addresses with the updated privacy feature was successful only 30 to 45 percent of the time.

Bates emphasized the inherent risk in posting personal information online and said users should hesitate to post routes online until they consider the safety concerns that might be associated with it.

When Bates uses an app to track his exercise routes, he sets up multiple privacy zones around his home, instead of just one, a practice the Garmin webstie also recommends.

Bates said other countermeasures could include users making their profiles private so only their friends can see where the user is exercising or avoiding broadcasting location altogether when exercising alone or in a dangerous location.

Wade said he cautions students not to post their exercise routes online.

“I personally use these apps to track my running, but I always make sure all the information I log is set to private. I would also go a step further and implore students to take a look at all of their social media and think carefully about the information they are sharing,” Wade said. “Sometimes you may be surprised by what you’re putting out there. Not everything needs to be shared with the world.”

[email protected]