Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers — experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns.
"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines.
Strava — which includes an option for keeping users' workout data private — published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day.
Using data from fitness trackers such as the Fitbit, Strava's map shows millions of users' runs, walks, and bike trips from 2015 to September of 2017 — and in some countries, the activities of military and aid personnel are seen in stark contrast, as their outposts shine brightly among the comparative darkness of their surroundings.
The seeming lapses in operational security highlighted by Strava's Heat Map were first pointed out by Nathan Ruser, a university student who studies the Middle East and security issues in Sydney, Australia. On Sunday, Ruser tweeted about Strava's global Heat Map, "It looks very pretty, but not amazing for Op-Sec. U.S. bases are clearly identifiable and mappable."
And while Ruser made his discovery largely because of his focus on Syria's section of the map, his finding prompted security experts to root through Strava's data, unearthing more activity at U.S. and other countries' bases in sensitive areas — and leading to questions of how an opposing force could possibly use the data. Likely U.S. and coalition forces' activities are seen in Afghanistan, for instance.
Describing what he calls "a security nightmare for governments around the world," foreign policy columnist Jeffrey Lewis describes for The Daily Beast about how he used the Strava data to explore a missile command center in Taiwan whose location is meant to be secret.
Lewis writes, "there are a number of avid Strava users who work there, causally jogging right by the parking lot where the missile launchers are parked."
To explore the Strava data, analysts are comparing it alongside Google Maps' historical views and other resources, to see how potential military emplacements might have developed in recent years. And the U.S. isn't the only country whose operations could be put at risk.
Looking at a section of land in Yemen, researcher Aric Toler of Belling Cat highlights how the Strava data gives new details about activity in Aden, where a Patriot missile system was reported to have been deployed early last year.
Toler and other experts are also warning against assuming that any fitness-trackers being used in remote and/or contested areas are military — rather than a civilian or relief — operation.
As for the researcher who exposed the security concern, Ruser tells the Sydney Morning Herald, "I'm surprised at how much mainstream attention the map has gotten. I expected it to languish in wonk circles and open source circles until the U.S. government quietly fixed the problem, but instead it seems to have blown up a lot more than I would have thought."
The U.S. Department of Defense has taken notice, and is now reviewing its policies.
In an email to NPR, Rankine-Galloway of the Pentagon said, "We take matters like these very seriously and are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad."