People around the world use the app Strava on their smartphones and Fitbits to track how far they run. But researchers have discovered that an “anonymized” data dump released by Strava last year has accidentally revealed sensitive locations, including US military bases around the world.
The user data was released in November as a “2017 heatmap,” showing over 1 billion activities, including 13 trillion GPS datapoints. That includes where and how fast various people went for a jog, for instance. And if you look closely, something like airfields in Somalia that may house American special forces suddenly light up like a Christmas tree.
Those pinkish areas are where people were going for a run or bike ride, provided they had location services turned on. And it’s clear from the pink paths that those people were, perhaps, running laps around an airfield in Somalia, a country where the US is sending more and more troops these days.
But it’s not just Somalia. Online sleuths have discovered potentially sensitive US military sites in Afghanistan and Syria, along with sensitive Russian military sites in Ukraine, and a secret missile site in Taiwan. Make that formerly secret.
As security experts on Twitter have noted, this isn’t too far from the kind of dataset that intelligence agencies kill each other over. Especially since it’s easy to deduce who’s using Strava in places where American consumer technology is relatively rare: smartphones and Fitbits might be scarce in a particular remote area of Afghanistan, so a cluster of activity there points straight to the presence of US troops. And it isn’t just us who can draw that conclusion; anyone looking at the map can.
Nathan Ruser with the Australian-based Institute for United Conflict Analysts was one of the first people to point out the vulnerability of Strava’s data dump on Twitter. But he almost certainly wasn’t the first person to make use of the data.
“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed,” Ruser told the BBC. “Someone would have noticed it at some point. I just happened to be the person who made the connection.”
To make things worse, some on Twitter have discovered ways to de-anonymize the heatmap, identifying unique users and where they’ve been exercising. It’s basically a stalker’s dream.
How has Strava responded? By telling people to read the privacy settings more closely. You know, that stuff that nobody reads? Yeah, that stuff.
“Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform,” Strava said in a statement.
“It excludes activities that have been marked as private and user-defined privacy zones,” Strava continued. “We are committed to helping people better understand our settings to give them control over what they share.”
The shorter version? Tough shit.
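The two weaknesses the story turns on are visible in a few lines of code: a heatmap that is "aggregated" but publishes cells visited by a single user is that user's track, and a privacy zone only protects the points inside its radius. The example below is added here and is not Strava's code; the GPS points, the user ids and the privacy zone are constructed, and the grid size and the minimum-distinct-user threshold `k` are assumptions.

```python
from collections import defaultdict
from math import cos, radians, sqrt

# Constructed sample, not real Strava data: ten users jog the same city park,
# one lone user circles a remote airfield with no other Strava traffic nearby.
SAMPLE_POINTS = (
    [(f"city{u}", 40.7812 + 0.0002 * i, -73.9663 + 0.0002 * i)
     for u in range(10) for i in range(3)]
    + [("lone", 2.0400 + 0.0002 * i, 45.3200 + 0.0002 * i) for i in range(3)]
)

# Hypothetical user-defined privacy zone: (lat, lon, radius in metres).
PRIVACY_ZONES = {"city0": [(40.7812, -73.9663, 200.0)]}

CELL_DEG = 0.001  # assumed grid size, roughly 110 m cells at the equator

def meters_between(lat1, lon1, lat2, lon2):
    # Equirectangular approximation; accurate enough for sub-kilometre radii.
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1) * cos(radians((lat1 + lat2) / 2))
    return 6371000.0 * sqrt(dlat * dlat + dlon * dlon)

def in_privacy_zone(user, lat, lon, zones=PRIVACY_ZONES):
    return any(meters_between(lat, lon, zlat, zlon) <= r
               for zlat, zlon, r in zones.get(user, []))

def cell_of(lat, lon):
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))

def build_heatmap(points, k=5, zones=PRIVACY_ZONES):
    """Return {cell: point_count}, keeping only cells seen by >= k distinct users.

    Cells below the threshold are dropped, not reported as small numbers: a
    count in an otherwise empty region is one person's route, aggregated or not.
    """
    users = defaultdict(set)
    counts = defaultdict(int)
    for user, lat, lon in points:
        if in_privacy_zone(user, lat, lon, zones):
            continue  # honour the user's zone before anything is counted
        c = cell_of(lat, lon)
        users[c].add(user)
        counts[c] += 1
    return {c: n for c, n in counts.items() if len(users[c]) >= k}

def leaked_cells(points, zones=PRIVACY_ZONES):
    """What gets published when the only 'anonymization' is summing points."""
    return build_heatmap(points, k=1, zones=zones)
```

Run against the sample, the k=5 map contains only the busy park cells, while the k=1 map also publishes the airfield cell with its three points, which is exactly the single-user track the story describes.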
It’s a great reminder that virtually every single technology company has an enormous trove of data that can be used in myriad ways. If you don’t think Google and Facebook have your entire life mapped out already step by step, you’re kidding yourself. And you’d be mistaken if you think intelligence agencies around the world wouldn’t find Google and Facebook’s data so very useful.
How can you protect yourself? You can turn off location services for everything, but that cuts out many of the most helpful functions in your smartphone or smartwatch. My advice? Crawl into a cave and never leave. It’s the only solution at this point.
Update, 2:15pm: The White House would like Americans to know that it’s taking this serious situation very seriously, but not too seriously, as it were.
Rob Joyce, the White House Cybersecurity Coordinator on the National Security Council, told Politico that they’re on it, explaining on Twitter that, “Security and OPSEC need to be considered in our new reality” and when it comes to fitness trackers, “it is important to make good security policy balanced by not over reacting too.”
So there you have it. Clear as mud. Something, anything, will happen. Or not.