Strava says working on 'inadvertent' exposure of secret locations


The chief executive of exercise tracking app company Strava has said it’s working with military and other officials to reduce the risk of inadvertently exposing sensitive sites in a global “heat map” which when released appeared to show activity in U.S. and other bases around the world.

“We learned…that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations,” Strava CEO James Quarles said in a statement posted on the company’s blog in response to security fears over the maps.

Strava reacted to accusations that its “global heat map” risked putting members of the armed services and other sensitive roles in danger by exposing their activities on both known and previously unknown locations.  The maps use data fed by the fitness applications and Strava said it’d work to remind users they can turn off the location-based data feeds.

“Many team members at Strava and in our community, including me, have family members in the armed forces,” Quarles said, presumably referring to the U.S. armed forces though the maps appear to have exposed activity in British and even Syrian bases as well. “Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.” He said the company was working with government and military authorities.

The company, which uses the slogan “Connecting the world’s athletes,”  records running, cycling, and swimming activity uploaded from cell phones and GPS devices. It aggregates more than one billion activities on its heat map, visualizing them in bright lines, depending on the popularity of the route.

While Western Europe and the United States are lit up in high relief, in isolated areas with little activity the map gives more away – such as the jogging routines of soldiers on active duty, the presence of little-known bases, and other military presence. One was in a remote area of Yemen, a country where a Saudi Arabia-led coalition is at war with rebels and the U.S special forces are engaged in tracking down and eliminating Islamic terror groups.

While the newest version of the app was released by Strava in November 2017, and tracks two years of exercise, the potential exposure of bases because users were not turning off the feeds was discovered on Saturday by Nathan Ruser, a 20-year-old Australian university student.

Ruser tweeted: “It looks very pretty, but not amazing for Op-Sec. U.S. Bases are clearly identifiable and mappable.”

Nathan Ruser on Twitter

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable

Cybersecurity and privacy researcher John Scott-Railton wrote in a blog post that in just an hour he was able to “identify several covert and non-declared operating bases, diplomatic outposts, and possible intelligence facilities in several ongoing conflict zones in Africa and the Middle East.”

Following the revelations, some militaries are considering a ban on Strava, as reported by The Guardian.

The CEO’s statement appeared to go further and be more contrite than earlier Strava statements reported in The Guardian which said it was an issue of how users applied privacy settings, saying its heat map “represents an aggregated and anonymized view … It excludes activities that have been marked as private and user-defined privacy zones … We are committed to helping people better understand our settings to give them control over what they share.”

Analysts and other interested parties are continuing to scrutinize the map.

Eliot Higgins on Twitter

Rather interested to see what these two circles of activity are on the Strava map, seemingly in the middle of nowhere, Yemen https://t.co/xayZs30PkN

Mustafa Al-Bassam on Twitter

It gets better, someone even created a Strava run segment in the UK nuclear weapons military base (HMNB Clyde) called “You shouldn’t be using Strava here”, but it was clearly ignored by employees.

This is an emerging story which needs expansion if you wish to EDIT to add information or discuss it in TALK.

  • Share
    Share

Subscribe to our newsletter and be the first to collaborate on our developing articles:

WikiTribune Open menu Close Search Like Back Next Open menu Close menu Play video RSS Feed Share on Facebook Share on Twitter Share on Reddit Follow us on Instagram Follow us on Youtube Connect with us on Linkedin Email us