The Pentagon and White House are chewing over what to do about fitness tracking apps, in the wake of news last week that a global heat map posted online by Strava could be used to identify the whereabouts and activities of military personnel, including those in conflict zones and other sensitive areas such as the halls of the National Security Agency. A heat map transforms data into a map in which values are represented by colors; in this case the values are aggregated location traces from fitness trackers, including those carried by government employees.
While officials acknowledge a serious potential threat, it’s unlikely that DoD, which makes extensive use of tracking capabilities for a variety of purposes, will abandon their use. This is another example of the military being blindsided by the capabilities of an existing application. One clear step will be to educate personnel on the risks of advertising their locations and to enforce policies already in place to keep that information out of the public domain.
“We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed,” Pentagon spokesman Army Col. Robert Manning III said at a briefing. The review will be led by Essye Miller, the Pentagon’s acting CIO.
Strava, maker of fitness tracking apps that work with Fitbit and Jawbone devices, lets runners and cyclists record and post their exercise routes and routines. Strava has 27 million users worldwide. But many users, including military personnel, apparently leave their devices on and recording after exercising, thus revealing in bright lines on the map where they go on the job or on a mission. After a 20-year-old Australian noticed that the map could be used to identify activity at military deployments, the Washington Post reported, others zeroed in on known and merely suspected U.S. outposts in hot spots around the world.
The heat map itself displays a lot of information, but it isn’t current. It shows patterns – drawn from 10 terabytes of raw information covering 1 billion activities and a total of 17 billion miles traveled – between 2015 and September 2017, when it was last updated. However, the Strava site does allow its members to look up current information on individual users, which would be a particular risk for personnel operating in war zones or covert areas.
By the military’s guidelines, this isn’t supposed to happen. Personnel receive annual cybersecurity training that includes the risks of posting personal information on social media sites. The Army’s Social Media Handbook, for instance, notes that one person’s revealed location can endanger an entire mission. The handbook further states that, “Deployed soldiers, or soldiers conducting operations in classified areas, should not use location-based social networking services.”
Strava also advises its users on protecting their privacy, offering instructions on setting privacy levels, including a single-player mode that limits the availability of information to that user alone, and setting privacy zones that hide activity data near where a user lives or works. Devices such as Fitbit, Jawbone, and Apple Watch all have privacy settings, as do training apps like Runkeeper.
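To make the two mechanisms in this story concrete, the aggregation that produces a heat map and the privacy zone that is supposed to protect a home address, here is a small added example. It is not Strava’s code and does not reproduce how Strava builds its map; it assumes a privacy zone simply drops every GPS point within a fixed radius of a protected location before an activity is shared, and that a heat map is a count of how many tracks touch each grid cell. The coordinates, radii and tracks are constructed for illustration.

```python
"""Toy heat-map builder and privacy-zone filter for GPS tracks.
Added illustration, not Strava's code; all coordinates are constructed."""
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000.0
CELL_DEG = 0.001   # grid cell of 0.001 degree, about 111 m north-south


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def apply_privacy_zones(track, zones):
    """Privacy zone as described in the article, modelled (assumption) as:
    drop every point within radius_m of a protected location before the
    activity is shared. Points outside every zone are published unchanged."""
    return [(lat, lon) for lat, lon in track
            if all(haversine_m(lat, lon, zlat, zlon) >= radius_m
                   for zlat, zlon, radius_m in zones)]


def cell_of(lat, lon):
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def build_heat_map(tracks):
    """Count how many tracks touch each grid cell. Rendering these counts
    as colour intensity is all a heat map is; no user identity survives,
    only the pattern. Each track counts at most once per cell, so a device
    left on while stationary does not light up a cell on its own."""
    heat = Counter()
    for track in tracks:
        heat.update({cell_of(lat, lon) for lat, lon in track})
    return heat


def cells_near(heat, lat, lon, radius_m):
    """Lit cells whose centre lies within radius_m of a point of interest."""
    return {cell: n for cell, n in heat.items()
            if haversine_m(lat, lon, (cell[0] + 0.5) * CELL_DEG,
                           (cell[1] + 0.5) * CELL_DEG) < radius_m}


# Constructed tracks. HOME is a runner's house in a busy city; SITE is a
# remote facility with a patrolled perimeter and no other traffic nearby.
HOME = (36.0, -80.0)
SITE = (40.0, 10.0)
CITY_STEP = 0.00012   # about 10.8 m of longitude at latitude 36


def city_run(n_points=200):
    """Straight run of ~2.2 km east from HOME along a road."""
    return [(HOME[0], HOME[1] + i * CITY_STEP) for i in range(n_points)]


def perimeter_loop(site, half_lat=0.0045, half_lon=0.006, n_per_side=50):
    """Loop around a rectangle roughly 1 km on a side, ~20 m between points."""
    lat0, lon0 = site
    pts = []
    for i in range(n_per_side):
        t = i / n_per_side
        pts.append((lat0 - half_lat, lon0 - half_lon + 2 * half_lon * t))  # south edge
        pts.append((lat0 - half_lat + 2 * half_lat * t, lon0 + half_lon))  # east edge
        pts.append((lat0 + half_lat, lon0 + half_lon - 2 * half_lon * t))  # north edge
        pts.append((lat0 + half_lat - 2 * half_lat * t, lon0 - half_lon))  # west edge
    return pts


def demo(zone_radius_m=300.0):
    """Twenty runners share the same city road; three people circle SITE."""
    raw_run = city_run()
    shared_run = apply_privacy_zones(raw_run, [(HOME[0], HOME[1], zone_radius_m)])
    heat_raw = build_heat_map([raw_run] * 20 + [perimeter_loop(SITE)] * 3)
    heat_shared = build_heat_map([shared_run] * 20 + [perimeter_loop(SITE)] * 3)
    site_cells = cells_near(heat_shared, *SITE, 1500)
    return {
        "points_hidden_by_zone": len(raw_run) - len(shared_run),
        "nearest_shared_point_m": min(haversine_m(*HOME, *p) for p in shared_run),
        "home_cells_lit_without_zone": len(cells_near(heat_raw, *HOME, 250)),
        "home_cells_lit_with_zone": len(cells_near(heat_shared, *HOME, 250)),
        "site_cells_lit": len(site_cells),
        "site_max_intensity": max(site_cells.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows the article’s problem in miniature. Removing user identities does nothing for SITE: three tracks in an otherwise empty region are enough to draw the perimeter, and the shape, not the people, is the secret. The privacy zone does keep the cells around HOME dark, but it only trims the first 300 m of the run; the published route still ends just outside the zone, so the direction of home and its rough distance remain visible. That is why the guidance above reduces to not recording at all in sensitive places rather than relying on settings.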
It’s not the first time the military has been caught unawares by the built-in capabilities of mobile devices or social media applications. Back in 2007, insurgents used the geotags on photos taken with a cell phone to find and destroy several U.S. AH-64 Apache helicopters in Iraq. In 2014, while Russia was swearing up and down that it had not sent any troops into Ukraine, a Russian soldier’s selfies from a military vehicle proved that he was actually there.
The revelations about Strava’s map are likely to raise awareness of what can be done with the data, and DoD is sure to re-emphasize the importance of privacy settings when using fitness trackers, as well as when not to use them at all. But as with any element of cybersecurity, users are the biggest weakness, so DoD may have to decide whether it needs to implement broader security steps – perhaps insisting on devices that default to turning location data off? Strava also released a statement saying it will review its security policies and work “with military and government officials to address potentially sensitive data.”