Strava fitness app accidentally reveals top-secret military deployments
Fitness apps are an incredibly useful utility, especially if you're a lazy guy like me who habitually finds excuses to avoid gyms. Apps like Fitocracy or Gympact are great at turning what should be a hard, tiring cardio slog into something akin to a game, allowing users to keep track of their goals and progress. In many ways, it's the perfect way to upgrade exercise.
But that's not to say that there aren't disadvantages, as one such fitness app showed this month. In a Silicon Valley screw-up so monumental that it ended up severely compromising US military secrets, Strava has just launched a big update, which comes bundled with a new feature called a "Heat Map".
Unfortunately, it seems that a lot of users are either professional soldiers or members of the intelligence community on clandestine deployments around the globe: exactly the kind of people who don't want anyone to know their whereabouts.
The issue was first discovered by Nathan Ruser, an analyst at the Institute for United Conflict Analysts, who noticed that the digital footprints left behind by Strava users could be easily traced. He promptly posted his findings to Twitter on Saturday, January 27, and showed that many routes on the Heat Map appeared to correspond to personnel presumably stationed at US military forward operating bases in Afghanistan, Syria and Djibouti. Other people soon joined in the investigations, and discovered that quite a lot of valuable data had been compromised. Once they'd cross-referenced Strava user activity with Google Maps, it was easy to discover a French military base in Niger, an Italian military base in Djibouti, and even certain black sites at which enemy combatants are detained. Because of the ubiquity of such apps in developed nations, it was mostly Western militaries who ended up being exposed.
Even worse, the data gleaned from Strava could be used to pinpoint the locations of specific individuals. Activist and researcher Paul Dietrich exploited public data scraped from Strava’s website to keep tabs on one particular French soldier and follow him from his overseas deployment to the trip back home again. Jeffrey Lewis, director of the East Asia Nonproliferation Program in the Middlebury Institute of International Studies, speculated that, for example, one could use the position of a soldier stationed at one particular missile base to find other bases around the country.
In response to the crisis, CEO James Quarles released the following statement: "I’d like to take a moment to address the recent attention focused on Strava and our global heatmap ... we learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations."
He added, "Many team members at Strava and in our community, including me, have family members in the armed forces. Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us ... We are committed to working with military and government officials to address potentially sensitive data. We are reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent. We continue to increase awareness of our privacy and safety tools. Our engineering and user-experience teams are simplifying our privacy and safety features to ensure you know how to control your own data."
But is the app itself purely to blame? After all, many other social media applications could potentially be used to track military personnel. Isn't it up to the discretion of the soldiers using the product to make sure that they aren't spilling the beans? It might be that Fitbit trackers and other similar devices are simply too risky for soldiers to use. It's all very well for us civilians to use them, but maybe our troops should stay off the grid, at least until the next patch is released to fix the issue.