When a fitness tracking company produced an insanely detailed and admittedly very cool-looking heatmap of the exercising routes of millions of its users worldwide, it’s unlikely the company knew it was potentially handing information to intelligence agencies that, as one observer put it, they “would literally kill to acquire.”
Strava, a “social network” for athletes, published in November 2017 a global heat map based on what it said “includes every one of the 3 trillion GPS points ever uploaded to Strava.” The company said then that it did not include users’ activities that had been set to private, but this weekend military analysts realized that, apparently, some Strava users at sensitive military and intelligence sites around the world hadn’t bothered to turn off the public reporting.
The result? A nice outline of activity around a highly sensitive Taiwanese missile command site. And a British nuclear site. Oh, and someone apparently has been doing laps at the secretive North Carolina military facility where SEAL Team Six practiced the raid that killed Osama bin Laden.
The company said that the heat map doesn’t give away information about individual users, including what nationality they are — so perhaps these suspicious-seeming laps in the middle of nowhere in Yemen are simply Yemeni nationals getting their exercise in. It would be speculation to say otherwise. But the information available is likely enough for intelligence agencies to make some pretty good guesses about what’s going on in some secretive places, and Wired reported Jan. 30 that it is possible to manipulate Strava’s data to reveal the identity of individual users.
“I am guessing that @Strava had exactly zero idea the unholy sh*t storm it was about to unleash,” arms proliferation expert Jeffrey Lewis said on Twitter.
In a statement to The Guardian, Strava said, “Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones.” The company also pointed to a months-old blog post that explained its users can opt out of several data-gathering programs, including the heat map.
The U.S. military appeared to confirm concerns over the app, telling The Washington Post, “The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection. We constantly refine policies and procedures to address such challenges. The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.”
“We will not divulge specific tactics, techniques & procedures,” it said. “However, we have confidence in our commanders’ abilities to enforce established policies that enhance force protection & operational security with the least impact to our personnel.”
It’s only been a couple of days since Nathan Ruser, an analyst with the Institute for United Conflict Analysts, reportedly first noted the security implications of the map, and the fallout from this fresh dash of analysis is yet to be seen.
But considering how much data a host of tracking apps have collected on users over the years, Strava is likely, as some security analysts have put it, the “tip of the iceberg.”
“Strava is only unique because they made some of the data they’re collecting visible, it’s not the only app collecting masses of data about their users, military and all,” said Eliot Higgins, a security analyst who specializes in open source information (OSINT).
Oh, by the way, there’s apparently a popular river-run route in Pyongyang, North Korea: