Strava’s global activity heatmap is rich with sensitive military information
In its mission to “connect the world’s athletes”, the ubiquitous activity-tracking app Strava may inadvertently be putting military personnel at risk. The revelation came when an Australian student with a passion for “pretty maps” took a closer look at the more than 27 billion kilometers of activity data that Strava users have publicly shared on a global heatmap, last updated in November 2017.
Described as the “largest, richest, and most beautiful dataset of its kind”, the heatmap includes one billion activities from all Strava data through September 2017, offering a “direct visualization of Strava’s global network of athletes.”
However, a small but significant subset of those “athletes” may not have grasped the implications of voluntarily sharing their fitness data. As it turns out, soldiers on active duty like to, well, stay active even when not engaged in combat, often leaving the GPS on their phones or wearables enabled while jogging, and allowing Strava to fold all of that data into the global heatmap.
Worse yet, because the heatmap aggregates every shared track, routes that are run again and again stand out. Patrol routes can therefore be identified by carefully analyzing the activity emanating from known or suspected military bases, handing an adversary who would otherwise have had no way of knowing them the ideal conditions for a surprise attack.
The student who made the discovery never expected it to get so much “mainstream attention”, but in the hours following the initial revelation, many security analysts and military experts weighed in with highly alarming assessments. Ex-infantry officer Nick Waters perhaps best described the situation as a “big OPSEC (operations security) and PERSEC (personal security) fail.”
It’s not only US troops that are at risk of being ambushed while on patrol or on a casual run with a Fitbit on their wrist, as Russian military personnel apparently like to go for the occasional GPS-tracked jog as well. Strava, of course, doesn’t see this as a security oversight on its part, noting that the global heatmap in question “excludes activities that have been marked as private and user-defined privacy zones.” That exclusion, however, only takes effect for users who have actually configured those settings. For what it’s worth, the company is “committed to helping people better understand our privacy settings.”
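The two mechanisms the article turns on, aggregation of many users’ tracks into a heatmap that makes a shared route stand out near a known site, and a privacy zone that suppresses points around that site, can be shown in a few dozen lines. The following is an added example written for this page; it is not Strava’s code, and its heatmap (points bucketed to the nearest 0.001° grid vertex, each cell counting distinct users) and its privacy zone (every point within a radius of the site is dropped) are deliberate simplifications. The site coordinates, the square running loop around it and the user names are all constructed sample data.

```python
"""Added example: heatmap aggregation exposing a shared route near a site,
and the effect of a (simplified) privacy zone.  Not Strava's code."""
import math
from collections import Counter

CELL_DEG = 0.001            # grid spacing, roughly 110 m of latitude
SITE = (34.0000, 44.0000)   # constructed, hypothetical location


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def square_loop(center, half=0.005, step=0.001):
    """Constructed track: a square loop about `half` degrees around center."""
    lat0, lon0 = center
    n = int(round(2 * half / step))
    pts = []
    for i in range(n):                                    # north edge
        pts.append((lat0 + half, lon0 - half + i * step))
    for i in range(n):                                    # east edge
        pts.append((lat0 + half - i * step, lon0 + half))
    for i in range(n):                                    # south edge
        pts.append((lat0 - half, lon0 + half - i * step))
    for i in range(n):                                    # west edge
        pts.append((lat0 - half + i * step, lon0 - half))
    return pts


def straight_line(start, n=20, dlat=0.001, dlon=0.0):
    """Constructed track: an unrelated straight run."""
    return [(start[0] + i * dlat, start[1] + i * dlon) for i in range(n)]


# Constructed dataset: three users repeat the same perimeter loop around
# the site; a fourth runs an unrelated line about 55 km to the north.
TRACKS = {
    "user_a": square_loop(SITE),
    "user_b": square_loop(SITE),
    "user_c": square_loop(SITE),
    "user_d": straight_line((34.5, 44.0)),
}


def cell_of(pt, cell_deg=CELL_DEG):
    """Bucket a point to the nearest grid vertex (rounding avoids the
    floor-of-nearly-integer ambiguity for points lying on the grid)."""
    return (round(pt[0] / cell_deg), round(pt[1] / cell_deg))


def cell_point(cell, cell_deg=CELL_DEG):
    return (cell[0] * cell_deg, cell[1] * cell_deg)


def heatmap(tracks):
    """Grid cell -> number of distinct users whose track touched it."""
    counts = Counter()
    for pts in tracks.values():
        for c in {cell_of(p) for p in pts}:
            counts[c] += 1
    return counts


def hot_cells_near(heat, center, radius_m, min_users=2):
    """Cells within radius_m of center that at least min_users share.
    Around a known site these are the recurring route the article describes."""
    return sorted(c for c, n in heat.items()
                  if n >= min_users
                  and haversine_m(cell_point(c), center) <= radius_m)


def apply_privacy_zone(tracks, center, radius_m):
    """Simplified privacy zone: drop every point within radius_m of center."""
    return {u: [p for p in pts if haversine_m(p, center) > radius_m]
            for u, pts in tracks.items()}


if __name__ == "__main__":
    full = hot_cells_near(heatmap(TRACKS), SITE, 2000)
    print("shared cells within 2 km of site, no privacy zone:", len(full))
    for radius in (300, 500, 1000):
        zoned = hot_cells_near(heatmap(apply_privacy_zone(TRACKS, SITE, radius)),
                               SITE, 2000)
        print(f"with a {radius} m privacy zone:", len(zoned))
```

Running it shows the caveat a practitioner cares about: the loop lies roughly 460 to 720 m from the site, so a 300 m zone changes nothing, a 500 m zone removes only the cells on the nearer edges and leaves the rest of the route visible, and only a zone larger than the route itself makes the shared cells disappear. A zone centered on a sensitive site therefore has to be both configured and sized to the routes actually run, not just to the building.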