Fitness tracker Strava lights up US military base

Geolocation isn’t a new problem for the military

Compiled by Bhagyasri Chaudhury

Online fitness tracker Strava has published a “heatmap” showing the paths its users log as they run or cycle.

It appears to show the structure of foreign military bases in countries including Syria and Afghanistan, as soldiers move around inside.

The US military is examining the heatmap, a spokesman said.

Air Force Colonel John Thomas, a spokesman for US Central Command, told the Washington Post that the US military was reviewing the implications.

Strava said it had excluded activities marked as private from the map.

The data map shows 1 billion activities and 3 trillion points of latitude and longitude from “Strava’s global network of athletes”, according to the American company.

On the weekend, 20-year-old Australian university student Nathan Ruser noticed the map showed the locations and running routines of military personnel at bases in the Middle East and other conflict zones.

Users who record their exercise data on Strava have the option of making their movements public or private. Private data, the company said, has never been included.

The appearance of military bases on the heatmap suggests that large numbers of military personnel across the globe have been publicly sharing their location data.



The latest version of the map was released in November 2017, but the implications for service personnel were only raised over the weekend.

Nathan Ruser, an Australian university student who first highlighted the issue, said he came across the map while browsing a cartography blog last week.

“I just looked at it and thought, ‘oh hell, this should not be here – this is not good,'” Ruser told the BBC.

Nathan Ruser, a member of the Institute for United Conflict Analysts, pointed out on Twitter that it’s easy to look at the map and cross-reference it with the locations of known military installations, or pick out potential installations in combat zones, based on the data from users using the app. He posted several screenshots that he theorized were regular jogging routespatrols, and locations of forward operating bases in Afghanistan.

Strava’s map doesn’t necessarily reveal the presence of military installations to the world: Google Maps and public satellite imagery have already done that. But where Google Maps shows the location of buildings and roads, Stava’s map does provide some additional information: it reveals how people are moving along those areas, and how frequently, a potential security threat to personnel. For example, in the following pair of images, one can easily match up roadways and structures on Google Maps to how people are moving around Fort Benning, Georgia.

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away,” Ruser tweeted.

Ten thousand screw-ups

Scott Lafoy, an open-source imagery analyst, told CNN it’s too early to truly assess how useful the data is.
“In terms of strategic stuff, we know all the bases there, we know a lot of the positions, this will just be some nice ancillary data,” said Lafoy.
From the site, it’s possible to identify individuals’ running routes, and around military bases users had posted profile photos of themselves wearing military uniforms.


Tracking the timing of movements on bases could provide valuable information on patrol routes or where specific personnel are deployed, Lafoy said.
It could also pose a danger for government officials posted in dangerous locations, like diplomats, who may not be in as secure locations as military personnel.
“If the data is not actually anonymous, then you can start figuring out timetables and like some very tactical information, and then you start getting into some pretty serious issues,” Lafoy said.
Strava said in a statement to CNN that the company is “committed to helping people better understand” its privacy settings.
The Pentagon shows very little (but some) activity.
“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones,” the statement said.
Regardless of the data’s usability, the fact that it’s out there shows a lapse in protocol, one that likely has the potential to cost information and operation security personnel their jobs, Lafoy said.
“This is literally what 10,000 innocent individual screw-ups look like,” he said. “A lot if it is going to be a good reminder to security services why you do opsec (operational security) and why you do manage this sort of thing, and everyone is going to really hope it doesn’t get a couple people killed in the meantime.”

Limiting public profiles

When zoomed out, the heatmap shows more populated and developed parts of the world nearly completely lit up. Remote areas and conflict zones are darker, but eagle-eyed observers have noticed small lights in some of the areas, potentially identifying military personnel.

Twitter users have identified locations including a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and US special operations locations include a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and US special operations bases in the Sahel region of Africa. CNN cannot independently verify these claims. Known military sites like Diego Garcia in the Pacific Ocean and the Falkland Islands’ RAF Mount Pleasant also show activity.
A Strava heatmap showing the Falkland Islands and RAF Mount Pleasant.