In an ideal world, I wouldn’t have to write a big post about two major players in the endurance sports world having a catfight. Rather, in an ideal quarantined world we’d just put both players in a Zoom call, stream it on YouTube and watch them battle it out with former GCN host Matt Stephens commentating.

But said world doesn’t exist, and thus, I’m going to try and explain all the drama. Ironically, after talking to both sides – neither actually disagrees. At least on anything substantial. Some minor differences here and there, but ultimately they actually both agree on who did what. Where they differ is on what should happen going forward.

The TLDR here is simple: Strava cut off access for the Ironman VR Club because they violated the API agreement. That means if you were using Strava to sync activities into the newly instantiated Ironman Virtual Club, you’re SOL now. You’ll have to manually take a bunch of steps to get those workouts to that weekly competition.

Is Strava right in their move here? Probably.

Is Ironman right too? Also…probably.

Except, like all good crime stories, there’s a French Connection.

In the Beginning:

As with most companies over the past few weeks, Ironman looked to find a way to keep their customers (and fanbase) engaged in their business. With races off for the foreseeable future, they turned to figuring out how to run some indoor-ish events instead. That effort was effectively split into two pieces. The first piece was getting pros racing bikes on a livestream with the Rouvy app, dubbed Ironman VR Series. That portion is incredibly cool (watch last week’s here), and honestly a model for where virtual endurance sports racing can go in terms of production quality (despite being run out of people’s bedrooms). That part isn’t in trouble.

The other half of the plan was for ‘everyone else’ (non-pros). For that, they made Ironman Virtual Club (but they sometimes also call it Ironman VR Club, sometimes Ironman VR). You’d join the Ironman Virtual Club using a quick sign-up form, then link your device accounts to Strava, Garmin, Suunto, or Polar and then complete a weekly ‘race’. It wasn’t so much a true race, as it was attaining a certain mileage level across two runs and one bike within a specific time period. Once you completed your required mileage levels on the device of your choice, it’d sync the completed activity via Strava to the Ironman Club website and you’d get credit for that. Various prizes and social butterfly postings would ensue.

The challenge is, Ironman doesn’t have the expertise in-house to construct something like this. So they turned to a small French company based in Paris called Sport Heroes. That company has years of experience creating virtual events just like this. They’ve done it for mostly French customers, but big recognizable names like Air France and UNICEF, among many others. Their platform has some 1.2 million users on it across the various company customers they support. This can include corporate wellness programs and virtual races. And within that, they support more than just Garmin/Suunto/Polar/Strava workout uploads, but also uploads from other platforms like Under Armour and TomTom.

So, at first glance all would seem pretty straightforward. Sure, the Ironman Virtual Club had some teething pains around activity sync, but that’s to be expected for anything semi-last minute at such scale. However, what Strava didn’t expect was how it was architected behind the scenes.

See, each of the 41,000 applications that have Strava API (Application Programming Interface) access is assigned a unique identifier. Specifically, an authorization key that’s unique to that application. Be it a big partner like Garmin, Zwift, or Fitbit, a medium-sized partner like FulGaz, or a single hobbyist dude in a studio apartment with three fake test users. If the company wants to develop separate applications they need separate keys. Mind you, getting a key is as easy as ordering adult toys on Amazon. It takes just a few minutes and you’re on your way to self-satisfaction.

The challenge here was that when Sport Heroes created the Ironman Virtual Club platform, they didn’t request a new key for just that application. Instead, they used their existing key, which was the same key they’d been using for the last 6 years for all their applications and corporate customers. All these companies would just be shuffled under a single Strava API key. The practical meaning of that was somewhat simple: If you signed up for an Ironman Virtual Club account and then authenticated to Strava, you didn’t see ‘Ironman’ in the list of partners but instead saw ‘Sport Heroes’.

In Strava’s eyes, that was a big no-no. It violated their terms of service outlined on the API start page.

“You are solely responsible for the confidentiality of your API Token and may not share your API Token with any other developer or use it for more than one application or service.”

More specifically, Strava says what Sport Heroes is doing is a violation of GDPR and CCPA. From their perspective, that put them on the hook legally to inform users and sever the connection. If they did nothing and someone got wind, they argued that someone could say Strava let it happen.

To illustrate what this looks like, I’ve made a simple drawing. I could have whipped something up in Visio, but honestly, this is easier. If people can do WebEx calls in their pajamas with fake backgrounds, then I can make a drawing with my kids’ crayons on previously used paper.

The other companies there on the right are things like Air France and other corporate customers. But it’s the single API connection shared among all these different projects/apps/companies that’s the sticking point.

Whereas, below is what it ‘should’ have looked like in order to appease Strava’s terms of service as well as regulatory concerns:

Now, the point of some debate is whether or not the data was commingled within the Sport Heroes platform. Meaning, is all of the user data from Strava in a single repository at Sport Heroes, or are there separate databases for each company customer? Strava says they’re all in one pile, but Sport Heroes says it’s a bit more complicated. For some of their corporate customers they are totally separate silos. While others share the same database but don’t have rights across it. They say there’s no awareness across these sets unless a user specifically consents to it.

Strava says that some proof to the contrary is that if you delete the connection between Strava and Ironman Virtual Club, it doesn’t actually delete the activities as it should. They note that if you were to re-connect to Ironman Virtual Club, you’d find your earlier activities still residing in the Sport Heroes app/platform. These shouldn’t be there at this point since the connection was severed.
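As an added illustration (not code from Strava, Sport Heroes or the original post), here is a minimal Python model of the arrangement Strava was asking for: one client credential per application, activities stored per application, and a disconnect that purges what was synced through it. Every name and ID below is constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class TenantStore:
    """Per-application credentials and activity storage (constructed model)."""
    clients: dict = field(default_factory=dict)     # app name -> client_id
    links: set = field(default_factory=set)         # (app, athlete_id) consents
    activities: dict = field(default_factory=dict)  # (app, athlete_id) -> list

    def register_app(self, app, client_id):
        # One upstream key per application: refuse to reuse a client_id.
        for other, cid in self.clients.items():
            if cid == client_id and other != app:
                raise ValueError(f"client_id already used by {other!r}")
        self.clients[app] = client_id

    def link(self, app, athlete_id):
        if app not in self.clients:
            raise KeyError(f"{app!r} has no client_id of its own")
        self.links.add((app, athlete_id))

    def ingest(self, client_id, athlete_id, activity):
        # Route by the client_id the athlete actually authorized.
        app = next((a for a, c in self.clients.items() if c == client_id), None)
        if app is None or (app, athlete_id) not in self.links:
            return False  # no consent on record for this app: drop it
        self.activities.setdefault((app, athlete_id), []).append(activity)
        return True

    def disconnect(self, app, athlete_id):
        # Severing the link also purges everything pulled through it.
        self.links.discard((app, athlete_id))
        return len(self.activities.pop((app, athlete_id), []))

def demo():
    s = TenantStore()
    s.register_app("ironman-vc", "client-A")  # constructed ids
    try:
        s.register_app("corp-wellness", "client-A")  # shared key attempt
        shared = True
    except ValueError:
        shared = False
    s.register_app("corp-wellness", "client-B")
    s.link("ironman-vc", 42)
    ok = s.ingest("client-A", 42, {"type": "Run", "km": 5})
    cross = s.ingest("client-B", 42, {"type": "Run", "km": 5})
    purged = s.disconnect("ironman-vc", 42)
    s.link("ironman-vc", 42)  # athlete reconnects later
    return shared, ok, cross, purged, s.activities.get(("ironman-vc", 42), [])
```

With this layout the athlete who reconnects starts from an empty activity list, which is the behaviour Strava says it expected to see.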

Frankly, I’m not sure it really matters a ton in this context. Some 60,000 users agreed to terms of service when they signed up for an Ironman Club account that clearly spelled out what was happening. And to date, they haven’t violated those terms in any obvious way.

Get Me A Calendar:

The launch of the Ironman Club was the first time Strava realized what was happening. The day you as a user found out about it was the same day Strava found out about it. Which isn’t to say Strava didn’t know what Sport Heroes was doing, at least in passing.

According to Sport Heroes they had a video conference last fall that detailed their operations and forward-looking business plans. This included an outline of how things worked today and the existing customers. At no point during that call or afterwards did Strava raise concerns about the technical implementation that had been in place for the last 6 years. Inversely, it’s also not clear how deep that call went into the implementation.

In talking with Strava, given they have some 41,000 API partners, they can’t reasonably investigate and interrogate every single one on a monthly basis. Instead, they tend to pay more attention to a given partner when the user count profile rises high enough (or, some other racket occurs). Fair enough, that’s how most companies operate. In other words, the squeaky wheel gets the oil.

So, re-wind to March 29th when the Ironman Club site went live and Strava realized the implications of it. According to them they pretty much immediately reached out to both Ironman and Sport Heroes to try and get things changed. They offered new and unique API keys, which they assumed would be a quick and simple operation. Companies swap API keys all the time according to Strava, which they say is a non-event.

But based on the way Sport Heroes architected their platform, such a swap was anything but easy. Still, on April 6th Strava gave them 10 days to make the change, with a cut-off slated for April 16th. Between April 6th and April 15th, more or less nothing happened from the Sport Heroes side in terms of movement towards a change (both sides agree to this).

However, Sport Heroes says they requested a technical call multiple times, which they say was only given on April 15th. During that “technical call”, it didn’t sound like much technical discussion occurred (and both sides agree to this too). Strava was offering that if Sport Heroes at least fixed the Ironman connection short term, they’d give the company more time to sort out the remainder of their company customers. Whereas Sport Heroes was looking for other business guarantees and commitments from Strava. Ultimately, by 10:35PM European time on April 15th Sport Heroes had sent a note to Strava saying they couldn’t meet the timelines imposed, and would need four more weeks.

Strava cut them off the next morning US Pacific time (yesterday, April 16th).

From talking to both sides here, it sounds like there might have been a bit of presumptive assumptions going on. I get the feeling Sport Heroes had seen what had occurred with Relive nearly a year earlier and figured Strava was after them too. Concurrently, Strava is still a bit touchy on companies violating GDPR after the Relive fiasco. I think both sides feared the worst, and neither side seemed to want to back down.

(Because this post is already too long, I’ll simply note that no, this isn’t exactly like Relive. Strava says they actually want to keep Sport Heroes and Ironman Club in the platform and offered to help. That same offering wasn’t mirrored for Relive.)

Throwing Mud:

Of course, the fun doesn’t actually get started until after the cut-off occurs. That’s when both sides start to make their PR moves. Or in this case, all members of the threesome. The first was actually Strava, at around 8AM Pacific on April 16th. After cutting off sync of new activities from Strava to all of Sport Heroes (thus, impacting some 200,000-300,000 active Strava linked users well beyond just Ironman), Strava updated their support page with information about why they were doing what they were doing. You can read below pretty easily, so I won’t re-hash it.

They also published a short written statement from their CEO Michael Horvath:

“We’re big fans of all of the ways athletes in our community are inspiring and motivating each other right now. We’ve been working with our partners to help provide virtual race experiences for athletes whose races have been cancelled around the world. Strava is focused on athletes having a fun and safe experience using our platform and we discontinued Sport Heroes’ access to our API when we learned that they failed to give athletes transparency or clear choices about where their data is going and took no action after we asked them to fix the problem. We want to find ways to work with Sport Heroes going forward, but they have to fix it first.”

Now, the connection from Strava to Sport Heroes remains in place. It’s just that there’s no data flowing across it at this moment. Sorta like stadiums, hair salons, and restaurants right now. Turning that data flow back on is relatively straightforward if/when Sport Heroes makes the change.

Speaking of which, Sport Heroes updated their site as well – with what seems like it might be the understatement of the day. Polite though, similar to Strava.

However, Ironman themselves decided they didn’t want to be outdone. They went full Team Americana on the situation with this e-mail out to all users of the platform:

Now, I think we’d all agree that in terms of accuracy of the situation presented by each side, I’d rank them as follows:

Strava: Pretty accurate, debatable on Sport Heroes data consolidation aspects

Sport Heroes: Technically accurate, debatable dependent on point of view on who has to fix what

Ironman: Burn the ship down! Pretty misleading about the situation

Most misleading from Ironman was the opening statement that they were “informed by Strava this morning”. No, actually, they weren’t. They were informed nearly three weeks ago by Strava, then again numerous times. Both Strava and Sport Heroes agree upon that quite clearly. It’s just that based on what Strava is saying – Ironman pretty much just shrugged this off and tried to wash its hands of it into Sport Heroes’ lap.

Why not just fix it?

Obviously, that’d be easiest. But neither side seems to agree here that a fix is needed. In Strava’s eyes, the fix is simple: Just use a new API key like every other app.

To Sport Heroes though, that’s a huge re-write of their platform – irrespective of the Ironman aspect. Setting aside whether or not Sport Heroes is commingling data, the way their platform is architected to use that single key is a huge technical issue for them to solve. According to Paul-Emile Saab, their COO, it would take them approximately 4 weeks to do that. And that’s assuming they dropped everything else on their plate to deal with it.

Remember, Strava only asked for the Ironman bits to be solved for now, giving Sport Heroes time to sort out the rest of their corporate customers. But in Sport Heroes’ eyes, there wasn’t much technical difference there – the lift was the same either way. All in all the company would need about 15-20 different API keys. Technically that’d be a breeze for Strava, but practically that would mean a significant re-architecture behind the scenes for Sport Heroes.

And in their eyes – it’s not worth it.

In talking with Paul-Emile this evening, he says they’ve got no urgency on changing their architecture to support Strava. He says that at present users can directly link Garmin, Polar, and Suunto devices to their Ironman Club accounts, and via the larger Sport Heroes ecosystem they can link Adidas, Nike+, UnderArmour, TomTom, and many other devices.

Said differently, don’t expect a fix anytime soon.

Wrap-Up:

As I said at the beginning, it’s easy to see how both sides are probably right here. There’s no ambiguity that Sport Heroes is violating Strava’s terms of service in relation to the API. That’s spelled out in plain English in the second paragraph of the API terms “…and may not share your API Token with any other developer or use it for more than one application or service.” Whether or not that somehow violates GDPR or other regulatory bits as Strava claims is probably debatable.

Similarly though, Sport Heroes is also kinda right too. This isn’t a new platform, and it’s certainly not small. With 1.2 million users, undoubtedly it was on Strava’s radar. And certainly enough so that Sport Heroes had that meeting with Strava last fall, with key Strava individuals that are responsible for the platform and the API. At no point did Strava say that violated the rules then.

Still, as anyone who has sat in a corporate video conference that is effectively a status update or sales pitch knows, it’s rare that you’d leave that call and go off looking for violations of some agreement. No, you’d leave that call and go about the rest of your day. It’s like finding out later on the money is missing.

Could the two have come to some extension of time agreement here? Probably. But it also doesn’t sound like either side trusted the other enough to let that happen. And it certainly doesn’t sound like Ironman stepped in to play a helpful mediator; their e-mail shows that side of the story far more clearly than any of my conversations with the other two parties already had.

Ultimately, in the pursuit of user protection, users get hurt. Who to ultimately pin the blame on is a much tougher question.