A fitness tracking app is causing security concerns on military bases because it gives away the location and exercise activities of military personnel, The Washington Post has reported.
GPS tracking company Strava published a “heatmap” that uses satellite information to share the app’s users’ logs and running routes. The app “lights up” based on user activity.
The app has 27 million users worldwide, including people who use Fitbit and Jawbone, according to The Washington Post. The heatmap tracked activity between 2015 and September 2017.
The heatmap is mostly lit up in places in Europe and the United States due to fitness activity, but in other places around the world, such as Syria and Afghanistan, most of the country is not lit up except for military bases, making them identifiable.
Nathan Ruser, a 20-year-old Australian university student who works as an analyst for the Institute for United Conflict Analysts, found the heatmap on a mapping blog and wondered if it could affect military security.
“I wondered, does it show U.S. soldiers,” Ruser said, according to The Washington Post, referring to the heatmap in Syria. “It sort of lit up like a Christmas tree.”
“Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). … It looks very pretty, but not amazing for Op-Sec. U.S. Bases are clearly identifiable and mappable,” Ruser tweeted.
“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any pattern of life info from this far away,” Ruser tweeted.
Following the discovery, the U.S.-led coalition said changes would be made to the use of wireless technology on military bases and facilities.
“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” according to a statement from the Central Command press office in Kuwait provided to The Washington Post. “The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.”
In a statement, Strava said there are “private and user-defined privacy zones” to opt out of data collection for the heatmap.
“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones,” a Strava statement to CNN read.
“Some heavy jogging activity on the beach around what looks like the reported CIA annex at Mogadishu airport,” the Daily Beast’s Adam Rawnsley tweeted.
“I regret to inform you that there is no Strava activity at Punggye-ri, North Korea’s nuclear test site,” Rawnsley said.
While the locations of most military facilities and bases are well known, the routes that military personnel walk or jog through most of those areas are not. This information could reveal valuable details about patrols and where troops are deployed.
“Annual training for all [Defense Department] personnel recommends limiting public profiles on the internet, including personal social media accounts,” Maj. Audricia Harris, a Pentagon spokeswoman, said in a statement to CNN. “Furthermore, operational security requirements provide further guidance for military personnel supporting operations around the world. Recent data releases emphasize the need for situational awareness when members of the military share personal information.”