U.S. officials are raising concerns that the popular cycling app Strava might be accidentally revealing the location of key military installations around the world through its Global Heatmaps function.
Since November, the company has published a global “heat map” showing the movements of people who have made their posts public. In the last few days, security analysts have started to take note of that data, and some have argued that the map represents a security breach.
Strava “is sitting on a ton of data that most intelligence entities would literally kill to acquire,” Dr. Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, California warned over social media.
Other analysts have also taken to social media to warn that individual users can easily be tracked, by cross-referencing their Strava data with other social media use. That could put individual members of the military at risk, even when they are not in war zones.
The outlines of known military bases around the world are clearly visible on the map, especially in countries like Afghanistan, Iraq and Syria, where few locals own exercise tracking devices. In those places, the heat signatures on American bases are set against vast dark spaces. Tobias Schneider, a security analyst, posted on social media that “known Coalition (i.e. US) bases light up the night.”
More importantly for the military are the thin lines that appear to connect bases. Those lines seem likely to trace the roads or other routes most commonly used by American forces when traveling between locations, and their exposure could leave troops open to attack when they are most vulnerable.
The Pentagon did not directly address whether the heat map had revealed any sensitive location data. But Maj. Audricia Harris, a Pentagon spokeswoman, said that the Defense Department recommends that all its personnel limit their public social media profiles and that it was reviewing the situation.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Major Harris said. The Pentagon “takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required,” the major added.
The threat also extends to countries where the app is more popular. Mr. Lewis of the Middlebury Institute is quoted by the media site, The Daily Beast, as saying the pattern of movements clearly showed the location of Taiwan’s supposedly secret missile command center.
Strava is not the first program to collect far more information, including location data, than users realize, nor is it the first to make some of that information available to prying eyes, intentionally or not.
Researchers at Kyoto University revealed in 2016 that they could find the precise locations of people who used popular dating sites, even when the users took steps to disguise that information. Last year, data was found online that would allow anyone to track more than half a million cars with GPS devices.
But the Strava app, which works with wearable technology, goes even further in tracing people’s location with precision and sharing that information with the world. The map’s settings show the extent to which routes are traveled, and whether on foot, by bicycle or in a vehicle.
The company released a statement on Sunday noting that the app has privacy settings that can exclude users from the map and hide their activities from the general public. It urged people to read a blog post from last year about how to use those settings.
The map “excludes activities that have been marked as private and user-defined privacy zones,” Strava said. “We are committed to helping people better understand our settings to give them control over what they share.”
You must be logged in to post a comment.