When Strava, an exercise-tracking firm, last year published a “heat map” of its user activity around the world, it probably didn’t expect the data representation to cause a national security scandal—but it has.
Over the weekend, an Australian conflict analyst named Nathan Ruser realized that the map clearly showed activities around U.S. military bases in war-torn regions, due to its tracking of soldiers’ Fitbits and other such devices.
While places in North America and Europe, for example, show tons of exercise-tracking activity that is difficult to analyze with the naked eye, that doesn’t hold true for places where few people might be expected to be wearing costly fitness trackers—just soldiers and aid workers.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
Ruser’s tweets prompted journalists to check out the activities around military bases that they already knew about, in places like Iraq and Somalia, and even to identify bases that weren’t common knowledge.
The information could be used to plan attacks on soldiers, as it shows where they are likely to be, and essentially maps out their supply routes.
According to The Washington Post, U.S. Central Command is now “looking into the issue.”
Users of Strava’s app can turn off location tracking, but that’s really down to them. When the Pentagon distributed thousands of Fitbits among its personnel—in order to combat obesity—it’s not clear what regulations came along with the perk.
“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share,” Strava said in an emailed statement.
This appears to be a case of people simply not thinking through the implications of the personal data they are broadcasting when they wear a fitness tracker and allow it to constantly connect to a cloud-based service. However, multiple studies have shown that many of these devices also suffer from poor security that can leave users’ health data exposed.
