Working out in war zones: fitness app reveals military sites

Where privacy and (in)security collide.

If you’ve ever used an app to record your walking, running or cycling, you’ll know how handy they can be. You may even have seen friends sharing their progress with automatic updates published on their social media accounts. Personally, I prefer to keep my details private, and never publish them – in-app, or beyond.

Well.

Last night (27 January 2018), twitter came alive with the news that fitness app, Strava, had released a global heat map of user activity – including sites in conflict zones, areas of military operations, and other sensitive locations.

Researchers, analysts and others had a – somewhat alarming – field day.

Nathan Ruser of IUC Analysts appears to have been first off the mark:

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

— Nathan Ruser (@Nrg8000) January 27, 2018

Not just US bases. Here is a Turkish patrol N of Manbij pic.twitter.com/1aiJVHSMZp

— Nathan Ruser (@Nrg8000) January 27, 2018

You can see the Russian operating area in Khmeimim, but also the guard patrol to the NE. pic.twitter.com/iWiX5Kozc1

— Nathan Ruser (@Nrg8000) January 27, 2018

Here are some FOBs in Afghanistan. pic.twitter.com/JoB7hKHwyh

— Nathan Ruser (@Nrg8000) January 27, 2018

If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2

— Nathan Ruser (@Nrg8000) January 27, 2018

Think-tanker and Syria researcher, Tobias Schneider, picked up on Ruser’s theme:

Fitness and social media company Strava releases activity heat map. Excellent for locating military bases (h/t to @Nrg8000). https://t.co/n5RWcI7BJF pic.twitter.com/7zzNcYV42e

— Tobias Schneider (@tobiaschneider) January 27, 2018

Somebody forgot to turn off their Fitbit. Markers trace known military outposts, supply and patrol routes. pic.twitter.com/7YTzoqKgDl

— Tobias Schneider (@tobiaschneider) January 27, 2018

Worth browsing a bit. Three positions around the US outpost at Tanf: pic.twitter.com/jS7S4LR2QS

— Tobias Schneider (@tobiaschneider) January 27, 2018

My focus is on Syria, but obviously works all over. French military base Madama in Niger: pic.twitter.com/1e9SRR73xS

— Tobias Schneider (@tobiaschneider) January 27, 2018

A lot of people are going to have to sit thru lectures come Monday morning.

— Tobias Schneider (@tobiaschneider) January 27, 2018

So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses): pic.twitter.com/wHItJwYUUI

— Tobias Schneider (@tobiaschneider) January 27, 2018

In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable colouring for Iranian bases.

— Tobias Schneider (@tobiaschneider) January 27, 2018

Journalist, John Beck, also noticed:

Strava, a "Social Network for Athletes" that tracks users' movements just released a map tracing their regular routes. In Syria alone, the precise location of US, Turkish & Russian bases, airstrips & patrol routes etc are all easily visible. https://t.co/ebINH9NP6f https://t.co/WKZH1XFYvV

— John Beck (@JM_Beck) January 27, 2018

As well as Eliot Higgins of Bellingcat:

The Strava Global Heatmaps shows us someone had their phone on them while they were going around Al Tanf military base, which is known to have been used by the US in Syria https://t.co/QNCI15lt16 pic.twitter.com/cDMObQcfsu

— Eliot Higgins (@EliotHiggins) January 27, 2018

Rather interested to see what these two circles of activity are on the Strava map, seemingly in the middle of nowhere, Yemen https://t.co/xayZs30PkN pic.twitter.com/xLpWly9D0A

— Eliot Higgins (@EliotHiggins) January 27, 2018

His response to a query provides a very succinct explanation, for those unsure of the implications of Strava’s release of this mapped information:

It's data from various apps that record people's activity, like FitBit. They've made it all public, so it creates little hotspots where people have used their apps, like soldiers walking around with their phones on.

— Eliot Higgins (@EliotHiggins) January 27, 2018

Dan Murphy also summed it up, thusly:

This is an extraordinary security oversight Tobias has found. Strava is a popular exercise app – soldiers love it, and are uploading their activity all over the world. https://t.co/lXcQVlbBYX

— Dan Murphy (@bungdan) January 27, 2018

And Joshua Forman of MIT gave his summary:

Strava releases global heatmap of all GPS data ever submitted to the site, including from GPS-enabled Fitbits. Twitter quickly notices that it clearly traces military patrol routes and underground tunnels. Oops. https://t.co/a2grw9WCuV

— Joshua Forman (@joshuaforman) January 28, 2018

The news, naturally, continued to quickly spread. Some tweets from someone interested in tracking government-supplied arms in MENA:

You can literally spend less than a minute on Stravas new data service and find sensitive sites. Nice patriot position you have there pic.twitter.com/eYS8TOuT0F

— Lost Weapons (@LostWeapons) January 27, 2018

hmmm i wonder whats at this random heavy route in what looks like a mountainous and remote area of libya. Oh look some bunkers that were targeted in 2011 pic.twitter.com/gg5VFIPVQZ

— Lost Weapons (@LostWeapons) January 27, 2018

what do you guys think, they decided to go for a stroll up that hill or we have a tunnel system too. right next to the bombed out bunkers in PT pic.twitter.com/KFtTrLfuJf

— Lost Weapons (@LostWeapons) January 27, 2018

Here’s journalist Adam Rawnsley of the Daily Beast, also looking further afield, including the South China Sea, Iran and Somalia – and Area 51, naturally:

Pretty faint but data from the Strava exercise app shows like China has deployed joggers to its disputed Woody Island in the South China Sea, in addition to fighter jets and HQ-9 SAMs pic.twitter.com/HG6zkb8tcw

— Adam Rawnsley (@arawnsley) January 27, 2018

Looks like someone has been using Strava while sailing through the disputed Paracel Islands. Note to self: see if you can chart freedom of navigation apps by seeing if someone left their Fitbit on. pic.twitter.com/HHYQ15BsbF

— Adam Rawnsley (@arawnsley) January 27, 2018

Pretty nice running route for someone at Iran's Chabahar Air Base. IIRC, Shahed-129, Iran's take on the Predator, has been spotted in the hangar next door. pic.twitter.com/p8BLvQbAZM

— Adam Rawnsley (@arawnsley) January 27, 2018

Some heavy jogging activity on the beach around what looks like the reported CIA annex at Mogadishu airport pic.twitter.com/1OLP8zWKGl

— Adam Rawnsley (@arawnsley) January 27, 2018

Guessing on that one. Article says 8 hangars + finished in late 2011. That's the only area of the airport I see fitting that description https://t.co/7zH46fMdfA

— Adam Rawnsley (@arawnsley) January 27, 2018

More Strava app activity at the HESA airbase north of Esfahan. HESA, according to the Treasury Dept, "conducts research on, development of, production of, and flight operations for unmanned aerial vehicles (UAVs) in Iran." pic.twitter.com/q1lcDWYI02

— Adam Rawnsley (@arawnsley) January 27, 2018

Area 51 aka Groom Lake. Clearly they've been letting the aliens get some outdoor exercise. pic.twitter.com/KhaYVoaGnV

— Adam Rawnsley (@arawnsley) January 27, 2018

I regret to inform you that there is no Strava activity at Punggye-ri, North Korea's nuclear test site.

— Adam Rawnsley (@arawnsley) January 27, 2018

The north end of Russia's Hmeimim airbase in Latakia, Syria is where all the jocks hang out. pic.twitter.com/cKZmZbNInR

— Adam Rawnsley (@arawnsley) January 27, 2018

Suspected oil well northwest of Palmyra. Shows a lot of exercise activity. Then bombed out in sat imagery. pic.twitter.com/umDR9T0I3f

— Adam Rawnsley (@arawnsley) January 27, 2018

Interesting pattern of activity in this little patch of ground seemingly in the middle of nowhere, north of Raqqa and south of Ain Issa 🤔 pic.twitter.com/ZYFIMvlD1Z

— Adam Rawnsley (@arawnsley) January 27, 2018

Adam shared this link to a Foreign Policy piece by Jeffrey Lewis, to provide “an idea of what a reasonably competent adversary could do if they pwned Strava”:

Oops. Wrong link. This is the fun example from @ArmsControlWonk I was thinking of https://t.co/kgvOvReVhq

— Adam Rawnsley (@arawnsley) January 28, 2018

Adam also took a peek at Strava data elsewhere in the US:

Pro tip: when visiting Camp Peary, reportedly the CIA's training facility, turn off your fitness app. pic.twitter.com/iRd2f7uz61

— Adam Rawnsley (@arawnsley) January 27, 2018

🤦‍♂️

— Adam Rawnsley (@arawnsley) January 27, 2018

He wasn’t the only one – the aforementioned Jeffrey Lewis tweeted:

Oh boy. pic.twitter.com/LtfAGdcDZL

— Jeffrey Lewis (@ArmsControlWonk) January 27, 2018

Kate Oh, of the ACLU, explained Jeffrey’s finding:

Here's what you'd see if you were peering down at the Office of the DNI and National Counterterrorism Center from above, looking at employees' exercise trackers 😱https://t.co/GVVS2AMDSr https://t.co/PFB53Wbc2z

— Kate Oh (@kathoh) January 28, 2018

Which he also later elaborated:

TFW when you leave your exercise social media app on and it tracks you right into your highly secure office. 😬 https://t.co/AS2L6lzX8G

— Jeffrey Lewis (@ArmsControlWonk) January 28, 2018

Across the pond, there was also this find by Phil Chamberlain, Head of the School of Film and Journalism at UWE Bristol and author of Drones and Journalism:

Maybe similar policy at MI6 training centre at Fort Monckton (at least until you leave the gates) pic.twitter.com/vppskHBbPM

— Phil Chamberlain (@philchamberlain) January 27, 2018

You can almost make out the early modern design of the original fortress defences, intended to deflect cannon shots.

But it’s not all about military installations. The cause of this flurry of activity on twitter and these finds originates with personal data.

Lawyer, Tiffany C. Li, of The Information Society Project at Yale Law School wrote in relation to the privacy aspects:

In addition to the nat sec probs @tobiaschneider & others flagged, this isn't great on the privacy front either. Depending on how granular Strava gets w/activity mapping, data showing user activity in low population areas could be identifiable. https://t.co/GAPfNXGtHf

— Tiffany C. Li (@tiffanycli) January 28, 2018

Strava heatmap security probs remind me of the work @joshbegley & @trevorpaglen have done on the ability to spot "secret" military bases using publicly available maps (e.g., Google Maps). https://t.co/7tVnlwayvI

— Tiffany C. Li (@tiffanycli) January 28, 2018

Strava does address privacy in its heatmap explanation post, but it doesn't explain if/how data is aggregated & whether location data can be traced back to individuals: https://t.co/e4FG6CoixO pic.twitter.com/urQUChqQdx

— Tiffany C. Li (@tiffanycli) January 28, 2018

Strava's privacy settings are mostly opt-out, not opt-in (but at least the opt-out settings exist): https://t.co/yW7Pu04CTx Users probably don't realize that anonymized data ≠ non-identifiable data.

— Tiffany C. Li (@tiffanycli) January 28, 2018

Nothing too out of the ordinary in the Strava privacy policy: https://t.co/VnS4ZxYCWK Section on aggregate & de-identified information is important b/c, again, there are key differences among data that is (1) anonymous, (2) anonymized, (3) de-identified, (4) non-identifiable. pic.twitter.com/vLoTPaZTkJ

— Tiffany C. Li (@tiffanycli) January 28, 2018

I wouldn't necessarily say privacy or security is the issue w/the Strava heatmap – at least not more than w/any other location tracker. What's more interesting are the #dataethics questions presented by Strava's choice in data visualization.

— Tiffany C. Li (@tiffanycli) January 28, 2018

Here in Ireland, Pat Walshe recalls GDPR requirements and a previous overview of Strava’s data protection compliance:

This. Recall the discussions at #CPDP2018 on data protection and privacy by design and default. THIS is why it’s important. Recall my tweets about Strava a few weeks ago – check your privacy settings. #DataProtectionDay https://t.co/esAylcflN8

— Privacy Matters (@PrivacyMatters) January 28, 2018

And here’s the quick on the fly review of the Strava privacy policy I did a few weeks ago https://t.co/0pehpUcfsG It’s really important people check the privacy settings of apps etc .. take five minutes .. do it now #DataProtectionDay

— Privacy Matters (@PrivacyMatters) January 28, 2018

All of the data used to populate Strava’s heat map derives ultimately from personal data – those people using the app, logged in with their personal details while the app gobbles up and processes data relating to everything they do while using it.

To generate the map, Strava may strive to ‘anonymise’ the data. This may be successful (I stress: may be) in a large and busy metropolis such as New York. However this anonymity breaks down in sparsely populated areas.

In low population areas, it may become easy to identify individual activites – if not the individuals themselves. If this is the case, the data are no longer anonymised: they have become personal data. And, as this information involves location data, this may also amount to sensitive personal data, according to the Court of Justice of the EU (CJEU). (A guidance note from Ireland’s ODPC can be read here.)

Consider, for instance, the example found by one tweeter last night. This (which I am not linking to here) was of a remote compound in a conflict zone which has seen multiple mass atrocities over recent years.

From its appearance, there is a possibility that it is a UN compound. On the Strava heat map overlaid on the site, we can see multiple, overlapping perimeter routes and tracks.

However, we can also see where the individual has kept their device on when they re-entered the compound, and they can be traced through the compound into individual buildings – including their destination building. This may be assumed to be either washing facilities, accommodation, office or (given the small size of the compound) all three.

Let’s say, if I had been based locally and was watching this individual from afar, and wished to know where to access their private rooms, now I know.

Oh yes, by the way: today is 28 January. Happy Data Protection Day!

Today is #dataprotectionday! Your personal data are precious and valuable. Protect them! Vos données personnelles sont précieuses. Protégez-les! Ihre persönlichen Daten sind wertvoll. Schützen Sie sie! #EUdataP #GDPR #eprivacy @icdppc2018 pic.twitter.com/jrCXhdO9UG

— EDPS (@EU_EDPS) January 28, 2018

One comment

anncooneyireland says:

28/01/2018 at 7:22 pm

Hi Joan, Interesting and frightning piece. Nothing is private. Happy Data Protection Day to you too !! Is it ok t share this with Peter ? Ann

Sent from my Samsung Galaxy smartphone.

Joan O'Connell

blah • blah • blah

Working out in war zones: fitness app reveals military sites

One comment

Leave a Reply Cancel reply

Share this:

Like this:

Related

One comment

Leave a Reply Cancel reply