At the end of last November, the Supreme Court heard oral arguments in Carpenter v. United States on whether the Fourth Amendment permits the warrantless seizure and search of cellphone records that contain the location and movements of a user over a 127-day period.1 In anticipation of this hearing, the Georgetown Law Technology Review explained how the Court’s ruling could potentially give the government “free rein to search your records and electronic information without a warrant.”2 Exactly which records and electronic information are available to warrantless searches is unclear at this point. However, after a recent incident regarding user privacy at Strava, an online fitness-tracking company, another important question arises: Is the data collected by wearable devices protected by the Fourth Amendment?
Late last month, the New York Times ran an article that highlighted the potential operational security issues with Strava’s online Heatmap, which detailed user activity at sensitive military locations.3 Strava, the self-proclaimed “social network for athletes,” is used by “a global community of millions.”4 The fitness tracker and its CEO, James Quarles, have come under fire recently for the way its technology exposes its users to certain privacy risks.
The company recently published an update, allowing bulk activity stream access to their global Heatmap—a visualization of one billion activities—which included over three trillion GPS points detailing its users’ movements.5 As the tech community examined Strava’s Heatmap, it became pretty clear that fitness routes of members of the U.S. military and intelligence communities were exposing sensitive operating locations in foreign territory.6 Jeffrey Lewis, a nonproliferation expert at Middlebury Institute of International Studies in Monterey, issued a stark warning to Strava: “it is sitting on a ton of data that most intelligence entities would literally kill to acquire.”7
Despite recent criticism by U.S. Senators,8 the Heatmap is still up and fully functioning.9 At the time of publishing, it does not appear that any sensitive locations have been scrubbed from the map.10 However, Strava has attempted to educate users on potential privacy risks and applicable mitigation methods since last year.11 Yet, as technology blog Engadget explains, even though Strava is committed to providing its athletes with proper data controls, many people are simply unaware of what certain apps share with the world.12
Strava acknowledges the identifying information that can be shared, such as physical address, gender, age, name, email address, activities, equipment usage, routes (to include geo-location information), and photos.13 Strava also cites fundamental privacy principles, and states it won’t share any personal information “with anyone without [user] consent except to comply with the law, develop our products and services, or protect our rights.”14 The company even notes it “may retain information from closed accounts to comply with the law . . . assist with investigations . . . and take other actions permitted by law.”15
Regardless of whether users can opt-out of certain privacy settings, companies like Strava still have access to users’ intimate data. Courts have long permitted certain surveillance practices, finding that individuals do not always have a justified expectation of privacy in information that is shared to a third party. Under this third-party doctrine, law enforcement has been able to bypass the impartial oversight of judges and magistrates issuing search warrants.16 Beyond cell-site location data, the Supreme Court’s decision in Carpenter may have further-reaching implications—this case has the potential to further refine the third-party doctrine.17 If the Court finds that Carpenter’s Fourth Amendment rights were not violated by the government’s collection of cell-site location data, it could mean that users also have no reasonable expectation of privacy in data voluntarily provided to companies like Strava.
The MIT Technology Review recently made an obvious, yet important, point about digital privacy: since companies like Strava, Twitter, and Facebook promote tracking all aspects of users’ lives and sharing with others, it is important to determine which data should remain private and what is safe to share.18 Wired, more pointedly, warned readers that “since the data collected on apps like [Strava] is particularly sensitive—including personal information about health and location—it’s worth reviewing the privacy policies for all the fitness apps you regularly use to see how your data might be used.”19 Depending on the holding in Carpenter, these notices may prove even more pertinent in the very near future.