Working out in war zones: fitness app reveals military sites

Where privacy and (in)security collide.


If you’ve ever used an app to record your walking, running or cycling, you’ll know how handy they can be. You may even have seen friends sharing their progress with automatic updates published on their social media accounts. Personally, I prefer to keep my details private, and never publish them – in-app, or beyond.


Last night (27 January 2018), Twitter came alive with the news that the fitness app Strava had released a global heat map of user activity – including sites in conflict zones, areas of military operations, and other sensitive locations.

Researchers, analysts and others had a – somewhat alarming – field day.

Nathan Ruser of IUC Analysts appears to have been first off the mark:

Think-tanker and Syria researcher, Tobias Schneider, picked up on Ruser’s theme:

Journalist, John Beck, also noticed:

As well as Eliot Higgins of Bellingcat:

His response to a query provides a very succinct explanation, for those unsure of the implications of Strava’s release of this mapped information:

Dan Murphy also summed it up, thusly:

And Joshua Forman of MIT gave his summary:

The news, naturally, continued to quickly spread. Some tweets from someone interested in tracking government-supplied arms in MENA:

Here’s journalist Adam Rawnsley of the Daily Beast, also looking further afield, including the South China Sea, Iran and Somalia – and Area 51, naturally:

Adam shared this link to a Foreign Policy piece by Jeffrey Lewis, to provide “an idea of what a reasonably competent adversary could do if they pwned Strava”:

Adam also took a peek at Strava data elsewhere in the US:

He wasn’t the only one – the aforementioned Jeffrey Lewis tweeted:

Kate Oh, of the ACLU, explained Jeffrey’s finding:

Which he also later elaborated:

Across the pond, there was also this find by Phil Chamberlain, Head of the School of Film and Journalism at UWE Bristol and author of Drones and Journalism:

You can almost make out the early modern design of the original fortress defences, intended to deflect cannon shots.

But it’s not all about military installations. This flurry of activity on Twitter, and the finds themselves, originate with personal data.

Lawyer, Tiffany C. Li, of The Information Society Project at Yale Law School wrote in relation to the privacy aspects:

Here in Ireland, Pat Walshe recalls GDPR requirements and a previous overview of Strava’s data protection compliance:

All of the data used to populate Strava’s heat map derives ultimately from personal data – those people using the app, logged in with their personal details while the app gobbles up and processes data relating to everything they do while using it.

To generate the map, Strava may strive to ‘anonymise’ the data. This may be successful (I stress: may be) in a large and busy metropolis such as New York. However, this anonymity breaks down in sparsely populated areas.

In low population areas, it may become easy to identify individual activities – if not the individuals themselves. If this is the case, the data are no longer anonymised: they have become personal data. And, as this information involves location data, this may also amount to sensitive personal data, according to the Court of Justice of the EU (CJEU). (A guidance note from Ireland’s ODPC can be read here.)
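To make the point about sparse areas concrete, here is an added sketch (not Strava's code or method) that aggregates location points into grid cells, shows which "aggregate" cells trace back to a single contributor, and suppresses cells with fewer than k distinct users. The cell size, the threshold `K_MIN`, the function names and all sample points are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CELL_DEG = 0.001   # grid cell edge in degrees (roughly 100 m); assumed value
K_MIN = 5          # assumed minimum number of distinct users per published cell


def cell_of(lat, lon, size=CELL_DEG):
    """Snap a coordinate to its grid cell index."""
    return (math.floor(lat / size), math.floor(lon / size))


def build_heatmap(points):
    """Aggregate (user_id, lat, lon) points into per-cell hits and contributors."""
    cells = defaultdict(lambda: {"hits": 0, "users": set()})
    for user, lat, lon in points:
        cell = cells[cell_of(lat, lon)]
        cell["hits"] += 1
        cell["users"].add(user)
    return dict(cells)


def single_contributor_cells(heatmap):
    """Cells whose 'aggregate' heat comes from exactly one person."""
    return sorted(c for c, v in heatmap.items() if len(v["users"]) == 1)


def publishable(heatmap, k=K_MIN):
    """Keep only cells with at least k distinct contributors."""
    return {c: v["hits"] for c, v in heatmap.items() if len(v["users"]) >= k}


# Constructed sample data: six users in one busy city cell, and one user
# running 20 laps through three cells of an otherwise empty area.
CITY = [(f"u{i}", 40.71285, -74.00605) for i in range(6)]
REMOTE = [("solo", lat, lon)
          for _ in range(20)
          for lat, lon in [(0.0005, 0.0005), (0.0005, 0.0015), (0.0015, 0.0015)]]

if __name__ == "__main__":
    heat = build_heatmap(CITY + REMOTE)
    # The remote cells are the hottest on the map, yet each traces to one person.
    print("single-contributor cells:", single_contributor_cells(heat))
    print("published with k >=", K_MIN, ":", publishable(heat))
```

Counting raw hits makes the remote cells look like the busiest on the map; counting distinct contributors shows they are one person's routine. Thresholding on distinct users is one mitigation among several and does not by itself guarantee anonymity.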

Consider, for instance, the example found by one tweeter last night. This (which I am not linking to here) was of a remote compound in a conflict zone which has seen multiple mass atrocities over recent years.

From its appearance, there is a possibility that it is a UN compound. On the Strava heat map overlaid on the site, we can see multiple, overlapping perimeter routes and tracks.

However, we can also see where the individual has kept their device on when they re-entered the compound, and they can be traced through the compound into individual buildings – including their destination building. This may be assumed to be either washing facilities, accommodation, office or (given the small size of the compound) all three.

Let’s say, if I had been based locally and was watching this individual from afar, and wished to know where to access their private rooms, now I know.

Oh yes, by the way: today is 28 January. Happy Data Protection Day!