Fitness application Strava, known for its social feed that shares the activity of its users, may have accidentally revealed the locations of military bases around the world, including those used by American troops in Iraq and Syria, among other locations.

The apparent exposure, which occurred on Strava’s global “heat map” that it has been publishing since November 2017, was highlighted by security experts who warn the data may represent a security breach for military personnel operating in sensitive and dangerous regions.

The issue stems from a social feature utilized by Strava—a popular app among the fitness-minded that uses the GPS information from a person’s mobile device to track their activity. The app works with fitness-centric wearables like Fitbit and Jawbone and has a reported 27 million users worldwide.

The app takes the data collected from its millions of users and displays it on what it calls a heatmap, which is essentially a visualization created to show the activity of users around the world. The latest version of the map includes more than one billion activities, including runs, jogs, and swim sessions tracked from users. The map contains data recorded from 2015 to September 2017.

Included in that map, troublingly, is the location of military members who use Strava to track their activity. That activity can not only reveal the location of individuals on military bases and operating within active military theaters, but could also reveal the locations of individuals who may be put at risk from the exposure.

Security experts including Tobias Schneider, an international security analyst associated with the Middle East Institute, warned that data from Strava could be combined with other social media information to identify the locations of individuals—a process that Schneider said is “easy” and can be done “very quickly.”

Known military bases in countries like Afghanistan, Iraq and Syria all appeared on the tracking map, with heat signatures making clear outlines around the bases. Given the lack of local activity, it is relatively easy to determine that the activity belongs to members of the military.

Jeffrey Lewis, the director of the East Asia Nonproliferation Program at Middlebury Institute of International Studies, wrote on Twitter that Strava is “sitting on a ton of data that most intelligence entities would literally kill to acquire.”

In response to the incident, the U.S. Pentagon announced that it will reexamine its policy regarding GPS trackers. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement.

Strava responded to the situation by stating, “Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share.”

Strava has published a guide on its website that explains how users can create “privacy zones” that are intended to hide the activity of its users when they are active in certain locations. The privacy tools for the app have been criticized for being unintuitive and requiring a significant amount of effort from the user to set up.