Few national security experts took notice last November when Strava, a social media site that lets athletes upload and share data from wearable devices like Fitbits, released a “global heat map” culled from its users’ data.
That changed on Saturday, when a 20-year-old college student revealed that the map also shows the locations of sensitive military bases.
Nathan Ruser, who’s studying international security at Australian National University in Canberra, told The Washington Post that the idea came to him after his father quipped that the Strava map shows “where rich white people are.”
Ruser decided to zoom in on Syria, one of his areas of interest. He discovered that “the military bases just light up” on the map, he told The Sydney Morning Herald.
“Having sort of any background knowledge in where those bases are you can just look at the map and think, ‘These are all military bases, crap,’” Ruser told The Herald.
Ruser had discovered what appeared to be data shared with Strava from personal fitness devices while at installations operated by the United States, the United Nations, Russia, Turkey, and others. While many of the installations were either widely suspected or publicly acknowledged by the governments that operate them, others were not. Journalists, national security experts, and former soldiers quickly latched onto Ruser’s tweet and started finding other bases — including a suspected Patriot missile site in Yemen, a possible CIA base in Somalia, and a possible U.S. special forces base in Niger.
The data appears to show not just where military personnel jog while on base, but also patrols, convoy routes, and supply lines between bases.
The data doesn’t identify individual users. But it does show well-worn routes that experts warned could be used to establish a “pattern of life” — where soldiers jog on-base, patrol routes they take every day, or where they walk when going about their work.
For most people, that kind of data isn’t very sensitive. But on a U.S. military base overseas, it could be useful for someone launching an attack.
“This is a clear security threat,” German security analyst Tobias Schneider told The Washington Post. “You can see a pattern of life. You can see where a person who lives on a compound runs down a street to exercise. In one of the U.S. bases at Tanf [in Syria], you can see people running round in circles.”
In a statement issued to The Washington Post on Monday, U.S. Central Command said the coalition against the self-proclaimed Islamic State (ISIS) is cracking down on fitness trackers, reassessing its rules and urging base commanders to better enforce the rules already in place.
“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” the statement read.
The Army issued at least 2,200 Fitbits to soldiers in 2013 as part of a pilot program aimed at fighting obesity.
Strava issued a statement Sunday night that directed users to a website with information on how they can control their individual privacy settings by, for example, turning off data sharing at certain times or in certain locations.
“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform,” the company said. “It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share.”
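The two controls described above, a per-user privacy zone that strips location fixes before they are shared and an aggregated, anonymised heat map built from what remains, are easy to model. The following Python is an added illustration, not Strava's code, and its zone semantics (a circle of a given radius around a point) and the compound coordinates are assumptions constructed for the demo. It shows why anonymisation alone does not hide a well-worn route (cell counts survive the removal of user ids) and how a privacy zone around a sensitive site removes those cells from the shared view.

```python
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_zone(lat, lon, zone):
    """True if the point lies inside a circular privacy zone (assumed model)."""
    return haversine_m(lat, lon, zone["lat"], zone["lon"]) <= zone["radius_m"]


def strip_zones(points, zones):
    """Drop every GPS fix inside any privacy zone before the track is shared."""
    return [(lat, lon) for lat, lon in points
            if not any(in_zone(lat, lon, z) for z in zones)]


def heatmap(activities, cell_deg=0.001):
    """Aggregated, anonymised view: a count of fixes per grid cell, no user ids.
    cell_deg=0.001 is roughly a 100 m cell; keys are (lat_cell, lon_cell)."""
    counts = Counter()
    for track in activities:
        for lat, lon in track:
            counts[(round(lat / cell_deg), round(lon / cell_deg))] += 1
    return counts


def hot_cells(counts, min_count):
    """Cells traversed at least min_count times: the 'well-worn routes'."""
    return {cell: n for cell, n in counts.items() if n >= min_count}


# Constructed sample: a fictional compound at (35.0, 38.0) with an 8-point
# perimeter jogging loop (~200 m out) run 5 times, and a 2 km straight
# patrol route walked 3 times. The coordinates are invented for this demo.
COMPOUND = {"lat": 35.0, "lon": 38.0, "radius_m": 500.0}


def jog_loop():
    return [(35.0 + 0.002 * math.sin(2 * math.pi * k / 8),
             38.0 + 0.002 * math.cos(2 * math.pi * k / 8)) for k in range(8)]


def patrol():
    return [(35.0, 38.0 + 0.001 * k) for k in range(21)]


ACTIVITIES = [jog_loop() for _ in range(5)] + [patrol() for _ in range(3)]


def demo(zones=(COMPOUND,)):
    """Return (heatmap without zones, heatmap with the zone applied)."""
    before = heatmap(ACTIVITIES)
    after = heatmap([strip_zones(t, zones) for t in ACTIVITIES])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("cells traversed 5+ times, no privacy zone:", len(hot_cells(before, 5)))
    print("cells traversed 5+ times, 500 m zone applied:", len(hot_cells(after, 5)))
    print("fixes shared outside the zone:", sum(after.values()))
```

Without the zone, the jogging loop shows up as a ring of cells each hit five times even though no user id is stored anywhere; with the zone, every cell within 500 m of the compound disappears and only the far end of the patrol route remains, which is why the article's experts argue the setting has to be applied at the site rather than left to each user.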
By Monday, the site had taken a more conciliatory tone, pledging overnight that it was “committed to working with military and government officials to address sensitive areas that might appear,” according to The Washington Post.
This isn’t the first time social media users have inadvertently revealed sensitive military or intelligence information. In 2014, Al Jazeera reported that U.S. intelligence contractors were revealing the codenames of classified surveillance programs on LinkedIn. Privacy advocates were able to aggregate that publicly available information using a set of tools called Transparency Toolkit to infer what individuals and companies worked on specific programs.
Transparency Toolkit later launched a tool, ICWATCH, that aggregates and cross-references over 100,000 publicly available resumes from people in the U.S. Intelligence Community, which includes the Central Intelligence Agency, the National Security Agency, and the Federal Bureau of Investigation.
“I was, like, huh, maybe there’s more we can do with this — actually get a list of all these profiles that have these results and use that to analyze the structure of which companies are helping with which programs, which people are helping with which programs, try to figure out in what capacity, and learn more about things that we might not know about,” M. C. McGrath, the founder of Transparency Toolkit, told Al Jazeera in 2014.
While the Strava and LinkedIn data is public, experts warn that other smartphone apps and wearable devices are collecting user data that could also be used to reveal sensitive government information if it fell into the wrong hands. On Monday, New York Times op-ed contributor Zeynep Tufekci took to Twitter to lambast Strava’s initial response and warn against an individual approach to user privacy.
“Privacy of data simply cannot be negotiated person by person, especially because there’s no meaningful informed consent,” Tufekci wrote. “People cannot comprehend what their data will reveal especially *in conjunction* with other data. Even companies do not know this, so they cannot inform anyone.”