A global heat map designed to highlight world exercise patterns has revealed how fitness tracking could potentially reveal sensitive security information. Most recently, people discovered that the map, created by the company Strava, revealed the location of known U.S. military bases as well as some potentially unknown secure sites. Now, the mapping is raising concerns about the safety of U.S. troops.
For its part, Strava issued a statement encouraging users to use their privacy settings to control the type of information that they make publicly-available:
Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share.
The Washington Post reported on Sunday that Strava's heat map reveals patterns of accumulated exercise activity between 2015 and September 2017. Strava reportedly has 27 million users worldwide and the map represents the activities of these users. Strava's clients include people who use popular fitness devices, like Fitbit, as well as those who subscribe to the company's mobile application.
The Post also noted that Strava's heat map was first published online in Nov. 2017, but the fact that it could potentially reveal secure information was not pointed out until Saturday. As The Verge reported, over the weekend, Nathan Ruser, a member of the Institute for United Conflict Analysts, noted on Twitter that one can easily cross reference the map with locations of known military bases.
[The map] looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable.
To be clear, Strava's heat map does not necessarily reveal U.S. military base locations, as satellite imagery and Google Maps have already made this information public. However, as Andrew Liptak of The Verge reported, Strava's map potentially serves as more of a risk to U.S. and global security.
[Because] Google Maps shows the location of buildings and roads, Strava's map does provide some additional information. It reveals how people are moving along those areas, and how frequently, a potential security threat to personnel.
Indeed, as the Post pointed out, even though base locations are typically public information, this additional knowledge could pose a threat because revealing patterns of activity could expose information like patrol and supply routes, which are not typically made public. Moreover, the heat map could also reveal troops' general locations inside bases, potentially making them more vulnerable to attack or ambush from enemies.
In addition to potentially making troops at existing bases more vulnerable, the Post further added that the map appears to reveal activity in areas where there is no public record of bases, possibly revealing secure information.
Many on social media were surprised by how much information the map seemed to reveal — and by the potential security oversight. The Post noted, for example, that Nick Waters, a former British army officer, was able to locate his former base in Afghanistan using Strava's map. Waters condemned this on Twitter:
Big OPSEC [operations security] and PERSEC [personal security] fail. Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.
The U.S. military has not released a statement in regard to the matter, but Air Force Col. John Thomas, a spokesman for U.S. Central Command, did reveal to the Post on Sunday that it is looking into the issue. The Post also noted that the military did not respond to its question regarding what, if any, regulations exists regarding troops' fitness-tracking app use — but did report that the Pentagon has actively encouraged personnel to use Fitbits in the past.
It is clear that Strava's map has indeed raised many questions about security and military troops' use of fitness trackers. Many will likely be closely watching to see if a policy change results after the revelation of these findings. For the time being, Strava has advised its users to adjust their security settings as they see fit.