The fitness tracking app Strava has unwittingly leaked the whereabouts of secret military bases and spy outposts around the world.
Strava is compatible with smartphones, smartwatches, and other wearable technology, and utilizes GPS tracking to map users’ routes when they go out for runs or bike rides. In November 2017, the company released a data visualization that mapped every single GPS data point ever recorded by the service — more than three trillion points.
Recently military analysts discovered that this map is detailed enough to divulge information about the location of active military personnel. Nathan Ruser, an analyst who is part of the Institute for United Conflict Analysts, observed on Twitter that U.S. bases are “clearly identifiable and mappable.” Russian and Turkish outposts were also spotted.
If troops are using Strava to log their runs, hostile forces could potentially intercept that information and use it to parse out daily operations at a particular base. That intelligence could be used to facilitate an attack. These military facilities cannot be found using satellite visualizations provided by Google Maps or Apple’s Maps app. However zooming in on Strava’s heatmap offers detailed enough images to observe each base’s internal layout.
What’s more, in countries like Afghanistan, Djibouti, and Syria, anyone using Strava is most likely to be a member of foreign military personnel, according to a report from The Guardian. This makes those foreign military bases even easier to spot on the heat map.
Strava’s heatmap doesn’t just reveal sensitive location data for active conflict zones. The visualization also offers a view of a cyclist’s path around Homey Airport in Nevada — otherwise known as Area 51 — as well as the exercise routines of personnel at the United Kingdom’s Royal Air Force base in the Falkland Islands.
When the company released the map in November 2017, it was pegged as “a direct visualization of Strava’s global network of athletes.” While Strava was aware of how detailed its imagery was, the company likely did not anticipate the consequences it would have for the safety of stationed military personnel.
The company is now recommending that users in sensitive situations opt out of the tracking functionality. Strava defended its publication of the heatmap, saying that the users who uploaded their location through the app are the ones who made the data public in the first place. But the company also shared a statement with The Guardian that said: “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear.”
This situation illustrates how difficult it is to perform covert operations in today’s interconnected environment. Though organizations like the U.S. Marine Corps explicitly ban the use of personal fitness trackers on base if they are capable of communicating via cellular networks or Wi-Fi, there’s no such restriction on GPS functionality. Just how much our wearable devices are capable of is changing every day, and it can be difficult to anticipate the consequences of that changing functionality, and regulating the data that those devices collect.