This existed as a massive data leak for a really long time. The "API" didn't have any meaningful protection, and the service was opt-in.
It was really easy to download flyby exports for any activity and do analysis.
I had a script downloading my Strava recordings of my commute and the associated fly-by data and was easily able to figure out all of the people I was seeing on the way to/from work. Since it linked to the activities and included profile pictures and names, you could easily figure out a lot.
If I remember correctly, you could still see fly-bys of other people's rides even if your own was private or followers-only.
It was a pretty massive oversight for a company like Strava - and a bit of an eye opener for me about what kind of data I might be leaking by making "harmless" activities like riding my bike into public data.