Fitness app Strava lights up staff at military bases

Security concerns have been raised after a fitness tracking firm showed the exercise routes of military personnel in bases around the world.

Online fitness tracker Strava has published a “heatmap” showing the paths its users log as they run or cycle.

It appears to show the structure of foreign military bases in countries including Syria and Afghanistan as soldiers move around them.

The US military was examining the heatmap, a spokesman said.

How does Strava work?

San Francisco-based Strava provides an app that uses a mobile phone’s GPS to track a subscriber’s exercise activity.

It uses the collected data, as well as that from fitness devices such as Fitbit and Jawbone, to enable people to check their own performances and compare them with others.

It says it has 27 million users around the world.

What is the heatmap?

The latest version of the heatmap was released by Strava in November last year.

It is a data visualisation showing all of the activity of all of its users around the world.

Strava says the newest version has been built from one billion activities – some three trillion points of data, covering 27 billion km (17bn miles) of distance run, jogged or swum.

But it is not a live map. The data aggregates the activities recorded between 2015 and September 2017.

So why is it in the news now?

That is thanks to Nathan Ruser, a 20-year-old Australian university student who is studying international security at the Australian National University and also works with the Institute for United Conflict Analysts.

He said he came across the map while browsing a cartography blog last week.

It occurred to him that a large number of military personnel on active service had been publicly sharing their location data and realised that the highlighting of such exercises as regular jogging routes could be dangerous.

“I just looked at it and thought, ‘oh hell, this should not be here – this is not good,'” he told the BBC.

“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed. Someone would have noticed it at some point. I just happened to be the person who made the connection.”

What does the heatmap show?

Although the location of military bases is generally well-known and satellite imagery can show the outline of buildings, the heatmap can reveal which of them are most used, or the routes taken by soldiers.

It displays the level of activity – shown as more intense light – and the movement of personnel inside the walls.

It also appears that location data has been tracked outside bases – which may show commonly used exercise routes or patrolled roads.

Mr Ruser said he was shocked by how much detail he could see. “You can establish a pattern of life,” he said.

A significant risk

By Jonathan Marcus, defence and diplomatic correspondent

Many years ago, operational security was a relatively simple matter of not being physically overheard by the enemy.

Think of the British WWII poster with the slogan “Careless Talk Costs Lives”.

Well, no more. Our modern electronic age means that we all move around with a number of “signatures”; we send and receive a variety of signals, all of which can be tracked. And as the episode with the exercise tracker shows, you do not need to be an American or Russian spy to be able to see and analyse these signals.

Russian troops have been tracked in Ukraine or in Syria by studying their social media interactions or geo-location data from their mobile phone images.

Each piece of evidence is a fragment, but when added together it could pose a significant risk to security – in this case highlighting the location of formerly secret bases or undisclosed patterns of military activity.

Which bases are affected and why?

The app is far more popular in the West than elsewhere and major cities are aglow with jogging routines.

But in remote areas foreign military bases stand out as isolated “hotspots” and the activities of a single jogger can be illuminated on dark backgrounds.

Exercise activities stand out in such countries as Syria, Yemen, Niger, Afghanistan and Djibouti, among others.

A US base at Tanf in Syria, near the Iraqi border, is an illuminated oblong, while forward bases in Helmand, Afghanistan, are also lit up.

Although US bases have been frequently mentioned it is by no means just an American problem.

One image shows the perimeter of the main Russian base in Syria, Hmeimim, and possible patrol routes.

The UK’s RAF base at Mount Pleasant in the Falkland Islands is also lit up with activity, as are popular swimming spots nearby.

And it is not exclusively the more remote areas either. Jeffrey Lewis in the Daily Beast highlights one potential security flaw at a Taiwan missile command centre.

Neither is it just military personnel who could be affected, but also aid workers and NGO staffers in remoter areas too.

Both state and non-state actors could use the data to their advantage.

Can’t you apply a privacy setting?

Yes. The settings available in Strava’s app allow users to explicitly opt out of data collection for the heatmap – even for activities not marked as private – or to set up “privacy zones” in certain locations.

Strava has not said much since the concerns were raised but it released a brief statement highlighting that the data used had been anonymised, and “excludes activities that have been marked as private and user-defined privacy zones”.
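As an added illustration (not Strava's code and not part of the original article), the sketch below applies the two exclusions named in the statement, private activities and user-defined privacy zones, and then counts distinct contributors per map cell. The grid size, the data layout and the `min_users` threshold are assumptions, and all coordinates are constructed.

```python
import math
from collections import defaultdict

CELLS_PER_DEG = 1000  # assumed grid: 0.001 degree cells, roughly 100 m

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def build_heatmap(activities, zones):
    """Map each grid cell to the set of users who contributed a point to it,
    skipping private activities and points inside the owner's privacy zones."""
    cells = defaultdict(set)
    for act in activities:
        if act["private"]:
            continue
        for lat, lon in act["points"]:
            in_zone = any(distance_m(lat, lon, zlat, zlon) <= radius
                          for zlat, zlon, radius in zones.get(act["user"], []))
            if not in_zone:
                cells[(round(lat * CELLS_PER_DEG), round(lon * CELLS_PER_DEG))].add(act["user"])
    return dict(cells)

def low_contributor_cells(cells, min_users):
    """Cells whose brightness comes from fewer than min_users distinct people."""
    return {cell for cell, users in cells.items() if len(users) < min_users}

# Constructed sample data; coordinates are arbitrary and not real sites.
CITY = [(1.000, 1.000), (1.001, 1.000), (1.002, 1.000)]
REMOTE_LOOP = [(5.000, 5.000), (5.001, 5.000), (5.001, 5.001), (5.000, 5.001)]
ACTIVITIES = [{"user": f"u{i}", "private": False, "points": CITY} for i in range(1, 6)]
ACTIVITIES.append({"user": "u6", "private": False, "points": REMOTE_LOOP})
ACTIVITIES.append({"user": "u7", "private": True, "points": [(6.000, 6.000)]})
ZONES = {"u1": [(1.000, 1.000, 50.0)]}  # u1 hides 50 m around a start point

HEATMAP = build_heatmap(ACTIVITIES, ZONES)
FLAGGED = low_contributor_cells(HEATMAP, min_users=3)

if __name__ == "__main__":
    for cell in sorted(HEATMAP):
        mark = "  <- below threshold" if cell in FLAGGED else ""
        print(cell, len(HEATMAP[cell]), "user(s)" + mark)
```

On the constructed data, every cell of the remote loop is lit by a single user who changed no settings, which is the case a release check on contributor counts would catch.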

But journalist Rosie Spinks is one of those who has expressed concern at the privacy system.

In an article for Quartz last year she said there was too much onus on the consumer to navigate an opting-out system that required different levels.

Then there is the fear that hackers could access Strava’s database and find the details of individual users.

What have authorities said?

A US Department of Defense spokeswoman, Maj Audricia Harris, said it took “matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required”.

The US has been aware of such problems, publishing a tract called Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD.

In 2016, the US military banned Pokemon GO from government-issued mobile phones.

An image of the Pentagon on the Strava heatmap showed no activity.

The UK’s Ministry of Defence said it also took “the security of its personnel and establishments very seriously and keeps them under constant review” but would not comment on specific security arrangements.