People around the world use the app Strava on their smartphones and Fitbits to track how far they run. But researchers have discovered that an “anonymised” data dump released by Strava last year has accidentally revealed sensitive locations, including US military bases around the world.
Screenshot from Strava heatmap
The user data was released in November as a “2017 heatmap” showing over one billion activities, including 13 trillion GPS datapoints. That includes where and how fast various people went for a jog, for instance. And if you look closely, things such as airfields in Somalia that may house American special forces suddenly light up like a Christmas tree.
Outside Mogadishu, these are areas of interest I have been able to locate on @Strava Global Heat Map in Somalia. All known hub for US/Somali Special Forces. Balidogle Airstrip is the home of Danab- US-trained Somali Special Forces modeled after the venerable US Army Rangers pic.twitter.com/FPHR8ctCWT
— Adam (@adancabdulle) January 28, 2018
Those pinkish areas are where people were going for a run or bike ride, provided they had location services turned on. And it’s clear from the pink paths that those people were, perhaps, running laps around an airfield in Somalia, a country where the US is sending more and more troops these days.
But it isn’t just Somalia. Online sleuths have discovered potentially sensitive US military sites in Afghanistan and Syria, along with sensitive Russian military sites in Ukraine, and a secret missile site in Taiwan. Make that formerly secret.
As security experts on Twitter have noted, this isn’t too far from the kind of datasets that intelligence agencies kill each other over. Especially since it’s easy to deduce who’s using Strava in places where American-based technologies are relatively rare. Smartphones and Fitbits might be scarce in a particular remote area of Afghanistan, leaving us to conclude that it must be the presence of US troops. Leaving everyone to conclude such a thing, that is.
Nathan Ruser with the Australian-based Institute for United Conflict Analysts was one of the first people to point out the vulnerability of Strava’s data dump on Twitter. But he almost certainly wasn’t the first person to make use of the data.
“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed,” Ruser told the BBC. “Someone would have noticed it at some point. I just happened to be the person who made the connection.”
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
To make things worse, some on Twitter have discovered ways to de-anonymise the heatmap, identifying unique users and where they have been exercising. It’s basically a stalker’s dream.
— Paul D (@Paulmd199) January 28, 2018
How has Strava responded? By telling people to read the privacy settings more closely. You know, that stuff that nobody reads? Yeah, that stuff.
“Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform,” Strava said in a statement.
“It excludes activities that have been marked as private and user-defined privacy zones,” Strava continued. “We are committed to helping people better understand our settings to give them control over what they share.”
The shorter version? Tough luck.
It’s a great reminder that virtually every single technology company has an enormous trove of data that can be used in myriad ways. If you don’t think Google and Facebook have your entire life mapped out already step by step, you’re kidding yourself. And you’d be mistaken if you think intelligence agencies around the world wouldn’t find Google and Facebook’s data so very useful.
How can you protect yourself? You can turn off location services for everything, but that cuts out many of the most helpful functions in your smartphone or smartwatch. My advice? Crawl into a cave and never leave. It’s the only solution at this point.