Risks of privacy: Strava fitness tracker gives away sensitive military info

Who knew keeping fit would give away sensitive information? Well, now there’s a map with exact locations of US military bases for those who know how to look. Strava, a fitness tracking company, uploaded a heat map around November that shows the activities of users around the world. It wasn’t a big deal until last week, when it was discovered how much information the heat map has to offer. Strava has about 27 million users and its slogan is “The Social Network for Athletes.” It has its headquarters in San Francisco, and users access its app through fitness devices such as Fitbit and Jawbone. Others subscribe directly via its mobile app.

Strava’s interactive heatmap sports over 1 billion activities from its users, and it’s fascinating to look at. Apart from the military info, you can also see the countries and places where people exercise the most. The heat map uses both satellite-related data and other location records, and it clearly marks popular routes. Strava’s privacy is now being questioned.

Nathan Ruser, an Australian who’s studying international security, discovered this info and decided to tweet about it. Ruser wrote, “It looks very pretty, but not amazing for Op-Sec. US Bases are identifiable and mappable.” Ruser further added, “If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous.” Tobias Schneider, another international security analyst, who is based in Germany, also noted how the map showed activity around military sites. He further showed how markers on the map traced supply and patrol routes as well as a military outpost. In his tweet, he said, “A lot of people are going to have to sit through lectures come Monday morning.”

Some of the examples pinpoint military bases, and all this info is on Twitter. For instance, “In Syria, known Coalition (i.e., US) bases light up the night. Some light markers over known Russian positions, no notable coloring for Iranian bases.” Another user, Paul D, also tweeted, “It just keeps getting deeper. You can also trivially scrape segments, to get a list of people who traveled a route, and trivially obtain a list of users.” Schneider further replied to this user, “Okay here is where things get problematic: Via Strava, using pre-set segments we can scrape location-specific user data from basically public profiles (and yes those exist w/in bases and lead us straight to social media profile of service members).” This shows the extent to which the map can make other info surface easily for the right users.

These tweets caused a chain reaction and got soldiers, military experts, and the entire internet to take a closer look at the map for their own activities. Regarding the military info, Major Audricia Harris said Department of Defense (DoD) personnel have guidelines on how to limit personal info on the internet and on measures to take at home and abroad. “Recent data releases emphasize the need for situational awareness when members of the military share personal information.” “DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required,” she further added.

Regarding the map, Strava responded in a statement, “Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform.” Strava also added, “It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share.” From this statement, it’s clear that its users have not set their privacy settings correctly to keep Strava from mapping private areas.

This is not the first time, and Strava is not the first company, to collect sensitive information, including location data, and post it for prying eyes, whether intentionally or not. In 2016, researchers at Kyoto University found the precise locations of people who used popular dating sites. This was regardless of whether users took steps to disguise the information. In 2017, it was discovered that anyone could track more than half a million cars with GPS devices after data was found online. But the Strava case stands out, as it tracks location with precision and then shares it with the world. This precision can be attributed to the wearable technology used when keeping fit.

To stop Strava from mapping your locations, protect your privacy by following this guide from Strava while keeping fit. Although Strava anonymizes individual data, concentrated activity in an area will still show up on its map. To protect your location, you can use the settings on either its website or its mobile apps.
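The point that anonymized, aggregated activity still shows up can be checked on constructed data. The following is an added example, not Strava's code: the cell size, the sample tracks, the user names and the `k` threshold for flagging thinly used cells are all assumptions made for illustration.

```python
import math
from collections import defaultdict

CELL_DEG = 0.001  # assumed cell size (~100 m); not Strava's real value

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def build_heatmap(activities, zones):
    """Map each cell to the set of users whose public points fall in it."""
    cells = defaultdict(set)
    for act in activities:
        if act["private"]:          # private activities are excluded
            continue
        for pt in act["points"]:
            # drop points inside any of this user's own privacy zones
            if any(haversine_m(pt, c) <= r for c, r in zones.get(act["user"], [])):
                continue
            cell = (math.floor(pt[0] / CELL_DEG), math.floor(pt[1] / CELL_DEG))
            cells[cell].add(act["user"])
    return dict(cells)

def sparse_cells(cells, k):
    """Cells lit by fewer than k distinct users; candidates for suppression."""
    return {c for c, users in cells.items() if len(users) < k}

# Constructed sample data: a busy park loop and a remote route used by few people.
PARK = [(10.0005 + i * 0.001, 20.0005) for i in range(3)]
REMOTE = [(30.0005 + i * 0.001, 40.0005) for i in range(4)]
ACTIVITIES = (
    [{"user": f"u{n}", "private": False, "points": PARK} for n in range(1, 6)]
    + [{"user": "s1", "private": False, "points": REMOTE},
       {"user": "s2", "private": False, "points": REMOTE},
       {"user": "s3", "private": True, "points": REMOTE}]
)
ZONES = {"s1": [(REMOTE[0], 50.0)]}  # s1 hides 50 m around the route start

HEAT = build_heatmap(ACTIVITIES, ZONES)
if __name__ == "__main__":
    for cell in sorted(sparse_cells(HEAT, k=3)):
        print(cell, "distinct users:", len(HEAT[cell]))
```

The remote route stays fully lit even though one user set a privacy zone and another marked the activity private, because a single user with default settings is enough to draw it.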

VPN Adviser