What is the half-life on a map?

Strava, the popular run-tracking app that also releases heat maps of its users’ movements, is hoping that remaking its maps every month is enough to mitigate any risks that come from broadcasting how people travel. This change came earlier in March as part of the company’s response to the high visibility of an exercise heat map that revealed jogging routes on small military bases across the world.

Announced last week, the changes include maps that only show the last two years of data, and that refresh monthly, removing any data from users with profiles set to “private.” Routes run by only one or a few people will no longer show up on the heat map (the update doesn’t specific how many people for that threshold), which in theory could eliminate the tracks around missile sites that were part of January’s uproar.

Still, as The Verge notes, this change is more cosmetic than effective:

None of these changes seem super helpful for avoiding the exposure of low-profile locations. Researchers can always register to view data, and assuming a group of people work out at a military base and run the same routes with Strava, their data will make it to the heat map. The monthly clear is nice, though, and will at least erase data for people who have changed their mind about sharing their location.

As Strava even notes in the update, “The heat map remains available to the public, but only registered Strava athletes may zoom in to street-level details of activity on the heat map,” which sets the threshold for looking at a more-accurate maps as just “download the app and sign up.”

What meaningful changes there are to the heat map are mostly secondary to the privacy changes Strava made already, primarily making the opt-out button within the app much more prominent.

None of this mitigates the existing maps, already published and using data from before the privacy changes went into place. If someone wanted to check out jogging patterns at, say, Incilkirk Air Base in Turkey, then that data is public. It might become less relevant over time; new airmen could find new routes, or the base could perhaps suggest that the track around nuclear weapons storage isn’t the best place for a stroll while a phone collects and then uploads GPS data. For smaller routes, ones that reveal maybe a single guard walking around a fence at a power plant, the change to hide low-traffic routes is a net benefit, though it still doesn’t prevent that route from having already been released.

Undercutting all of this is the fundamental problem of data collection itself. As we noted in January:

The bigger, specific question is what else Strava knows that isn’t on the heat map. And more broadly, the bigger danger is what happens when every technologies vital for everyday life record that information and share it widely. Strava accounts are linked to Facebook, Google or email and, depending on the sign-up method, by simply making the account a user gives Strava the same data about their connections already siloed away in a social network.

The Cambridge Analytica revelations show that it isn’t hard for researchers to get data from a company, like Facebook, whose purpose is largely to siphon up information from users and then collect that information into giant data sets. Strava, like most online anything, is tied into that Facebook data collection, and it’s entirely likely that some running data from the app is floating around in the set, in multiple data collections already shared or sold online.

The heat map is a neat novelty, and in edge cases a useful tool for people looking for insight into movements at military bases or within secure facilities. But at heart, what makes the heat map a concern to the defense community (and the public more generally), is that it’s a tangible manifestation of the otherwise abstract yet highly personal data scooped up by an app, an immense tracking trove disguised as shiny novelty.