RunKeeper privacy breach

On the 29th of July, 2013, I discovered a privacy breach in RunKeeper. I immediately contacted them but their response was very disappointing - they ignored me and did nothing regarding the problem I brought to their attention. Since this implicated the privacy of everyone using the service, I felt obligated to put it out there so people knew what to expect.

This was the first support ticket I sent them:

Hi,

I just realized my reports at http://runkeeper.com/user/[EDITED OUT]/fitnessReports/ are publicly accessible, even though I have specified in the “Sharing” settings that only Activities and Activity Maps would be available, and then only to my “friends”; everything else is set to “Just me”.

Am I missing something or is this a big privacy breach?

Thanks, Raúl

I had absolutely no reply for over a week, even though I’m an “elite” member (paid subscription - an impulse buy, let’s not talk about it) and they say they reply faster to elite members, so on the 8th of August I direct messaged them on Twitter, asking if they had seen my support ticket. I also added this to my own support ticket:

Any news about this? It’s not just the reports - my list of friends and my training plans are also public.

Also, my goals seem to be visible to my friends, with no way of making them private. I don’t have big secrets but it’s not anyone’s business if I’m training to run 10Km or to lose 10Kg.

Twitter, being public and all, may have had more effect than my comment on the support ticket, but either way, one day after that, on the 9th of August, I received the following reply:

Hey Raul,

FitnessReports are only publicly accessible if someone has the link, which most people wouldn’t. We’re in the process of whipping something up to make the logged out view of those pages a little more private.

As for Goals, if you set your Weight to Just me, no one will be able to see your Weight Goals, and if you set your Activities to Just Me, no one will be able to see your Activities Goals.

If you would like ABSOLUTELY NO ONE to be able to read or look at your activities, besides you, head to http://runkeeper.com/settings/account and check the Privacy Box. This will make it so anybody clicking on your profile will receive a message saying “Only Borfast can view this page.” On this page you can also opt out of having the page be entered in Google’s search results. Please note if you do select the Privacy Box, you will be unable to share your activities to Facebook and Twitter.

If you’re just concerned about people finding you by name, remember you can always use a Nickname or Pseudonym as your RunKeeper name. As long as your friends know who you are, that’s all that matters right?

We’re very invested in providing a great experience for all RunKeeper users, and will be adding more privacy options as we continue to grow and build out our product and website. If you think there’s something we’ve missed, or an oversight in our Privacy options, please feel free to get back to us with your thoughts, and we’ll be sure to take it into account in future iterations of our product.

Hope this helped, Jim

This was no good, so I replied:

Hi Jim,

Thanks for getting back to me.

The FitnessReports link is absolutely easy to discover because it only depends on the username, which is trivial to find. Then it’s simply a matter of replacing the username on this template: http://runkeeper.com/user/[username]/fitnessReports/cardio

For example, here’s your fitness reports page: http://runkeeper.com/user/[EDITED OUT]/fitnessReports/cardio. I found it simply by googling for “Jim Redding runkeeper”, which took me to your username.

I know about the privacy settings and I know I can lock my profile completely, but I don’t want to do that, I want to be able to share things with my friends.

This is something you need to address now. It’s no one else’s business to know how long I spent jogging, cycling or walking last week. I’m not paying you to divulge my private information to the world.

Please don’t tell me this is going to take time - it is trivial to implement. I know, I’m a web developer. You have done it for the profile page, the activities page, the routes page… why not this one? And since you’re at it, the friends page as well.

Unfortunately, even though you say you prioritise Elite members’ (which I am) messages, I was left with no answer to my original ticket for 11 days, after which I sent another message and then you replied.

I’m sure you can understand this doesn’t inspire much confidence in your service, so I kindly ask that you provide a time frame for this to be corrected.

Thanks, Raúl

It has been another 9 days with absolutely no reply whatsoever from RunKeeper. If I were using their free service, I wouldn’t complain much, but I’m paying them, and they’re ignoring me. Even worse, they don’t seem to be very concerned about an issue that affects their customers, breaks their promise of privacy, and which is trivial to resolve.

In other words, they don’t seem to give a shit.

I feel other RunKeeper users have the right to know about this, so I’m putting it out in the open and I’m also hoping with some more pressure from other users, they will address the issue, so if you feel RunKeeper should address this, please contact them and let them know.
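The gap described in this post, as an added example that is not RunKeeper's code: a sharing check that exists for some per-user pages but not others, beside a single deny-by-default check applied to every page. The class, function and page names other than `fitnessReports` are assumptions made for illustration.

```python
# Constructed model of per-user pages and sharing settings (not RunKeeper's code).
from dataclasses import dataclass, field

EVERYONE, FRIENDS, JUST_ME = "everyone", "friends", "just_me"

@dataclass
class User:
    username: str
    friends: set = field(default_factory=set)
    sharing: dict = field(default_factory=dict)  # page name -> visibility level

def can_view(viewer, owner, page):
    """Deny by default: a page with no explicit setting is treated as 'just me'."""
    if viewer is not None and viewer.username == owner.username:
        return True
    level = owner.sharing.get(page, JUST_ME)
    if level == EVERYONE:
        return True
    if level == FRIENDS:
        return viewer is not None and viewer.username in owner.friends
    return False

# Pages the post says were already protected; the rest had no check at all.
GUARDED_IN_FLAWED_APP = {"profile", "activities", "routes"}

def flawed_get(viewer, owner, page):
    """Reported behaviour: the check is wired per page, so some pages skip it."""
    if page in GUARDED_IN_FLAWED_APP and not can_view(viewer, owner, page):
        return 403
    return 200

def hardened_get(viewer, owner, page):
    """Every per-user page passes through the same check before rendering."""
    return 200 if can_view(viewer, owner, page) else 403

def demo():
    """Status for (flawed anonymous, hardened anonymous, hardened friend) per page."""
    raul = User("raul", friends={"ana"},
                sharing={"activities": FRIENDS, "fitnessReports": JUST_ME})
    ana = User("ana")
    return {page: (flawed_get(None, raul, page),
                   hardened_get(None, raul, page),
                   hardened_get(ana, raul, page))
            for page in ("activities", "fitnessReports", "friends")}

if __name__ == "__main__":
    for page, statuses in demo().items():
        print(page, statuses)
```

The `friends` page has no entry in the sharing settings at all, so the hardened handler refuses it to everyone but the owner until a setting exists.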