Strava is the maker of a fitness-tracking app that uses a phone’s GPS to track when and where a user is exercising, with an aim of being a type of social network for athletes. Last November, the site released a heat map showing the activity of its users from around the world, containing information from a billion activities across 3 trillion latitude and longitude points. The result is a pretty image of people working out, but one analyst points out that the map makes it very easy for someone to figure out the locations of military bases and the routines of their personnel.
Nathan Ruser, a member of the Institute for United Conflict Analysts, pointed out on Twitter that it’s easy to look at the map and cross-reference it with the locations of known military installations, or pick out potential installations in combat zones based on the data from users using the app. He posted several screenshots that he theorized were regular jogging routes, patrols, and locations of forward operating bases in Afghanistan.
Strava’s map doesn’t necessarily reveal the presence of military installations to the world — Google Maps and public satellite imagery have already done that — but where Google Maps shows the location of buildings and roads, Strava’s map does provide some additional information. It reveals how people are moving along those areas, and how frequently, a potential security threat to personnel. For example, in the following pair of images, one can easily match up roadways and structures on Google Maps to how people are moving around Fort Benning, Georgia.
Ruser points out that anyone viewing the map can pick out Coalition bases in Syria and installations in Afghanistan, and zooming in on these locations reveals heavily trafficked areas, as well as US installations that might not have been disclosed. Air Force Colonel John Thomas, a spokesperson for the US Central Command, explained to The Washington Post that the military is looking “into the implications of the map.” A Strava spokesperson told The Verge that the company is “committed to helping people better understand our privacy settings,” and that its map “represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones.”
This isn’t a new problem. The military has recognized the inherent security problems raised by service members carrying devices that track their location, prompting new regulations around the use of phones and tablets. Service members are already prohibited from bringing personal electronic devices into sensitive areas.
But while it’s not new, it is a persistent and ever-changing situation that the military has to contend with as some apps grow in popularity. In the summer of 2016, the US military banned players from installing Pokémon Go on government-issued cellphones, while various bases and stations around the country issued warnings to personnel to be mindful of their surroundings while playing. The military has also cautioned soldiers against using apps that tag one’s location, such as Foursquare.
In July 2017, the US Government Accountability Office released a report titled “Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD,” which found that even as internet-enabled devices are useful, the military needs to be mindful of the security risks that they pose, such as insider threats or intelligence gathering. Ultimately, the GAO recommended that the Department of Defense conduct security surveys to assess the risks that devices pose, and develop policy accordingly.
The Strava map demonstrates the need for user awareness of the nature of the information that a device reveals to the outside world. While a single user might use the app for one particular activity, massive volumes of this information paint a revealing picture of a group’s activities. As the government and military work to evaluate and contend with potential security flaws, it’ll be up to the people using the app to be mindful of how they’re using their devices.
Update January 28th, 2018, 4:10PM ET: Updated to include comment from the military in The Washington Post.
Update January 28th, 2018, 5:30PM ET: Updated to include comment from Strava.