The social-fitness app Strava published an interactive heat map that tracks users’ fitness routines, but the Strava heat map also inadvertently revealed the locations of secret military bases around the world.
The heat map was first published back in 2015 and it has been accumulating data since then. In November 2017 Strava announced an updated heat map, which includes over one billion activities from public data via the Strava app.
The problem with the Strava heat map
According to Strava, the global heat map is “the largest, richest, and most beautiful dataset of its kind. It is a direct visualization of Strava’s global network of athletes.” Strava says the heat map covers a total distance of 17 billion miles.
While the map might give users graphical information to help track their fitness routines, or serve as a social network for seeing how others are using the app, data engineers have discovered that the map has uncovered the locations of some secret military bases.
Drew Robb, a data engineer at Strava, notes on his blog that the Strava app takes in data from non-moving activities, too.
“Data from non-moving activities can have the undesirable effect of highlighting homes or businesses.”
Nathan Ruser, a founder of the Institute for United Conflict Analysts, noted that the heat map Strava uses to track users’ fitness activities also uncovered the locations of secret military bases. The map also revealed the movements of military personnel in areas where military bases are located. He posted a series of tweets with screenshots of locations on the heat map that show jogging routes near military bases.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq — Nathan Ruser (@Nrg8000) January 27, 2018
His research shows that it is not only United States military bases that could be found on the Strava heat map. In a series of tweets, Ruser shows a location that appears to show a Turkish patrol north of Manbij, Syria.
"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route," he wrote in a tweet. "I shouldn't be able to establish any Pattern of life info from this far away," he added.
According to Tobias Schneider, an independent international security analyst, the Strava heat map data becomes more problematic for people or agencies who do not want to have sensitive information released to the public. He notes that the map data could also reveal social media information about the user.
"Via Strava, using pre-set segments we can scrape location-specific user data from basically public profiles (and yes those exist w/in bases and lead us straight to social media profile of service members)," Schneider wrote.
Strava CEO James Quarles releases statement
When it was discovered that the Strava heat map data contained sensitive information and could potentially reveal the locations of military bases around the world, Strava’s CEO James Quarles released a statement to address the potential security flaws in the map, noting that the company respects the privacy of its users.
“In building it [the heatmap], we respected activity and profile privacy selections, including the ability to opt out of heatmaps altogether,” Quarles wrote. “However, we learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations.”
According to Quarles, Strava is “committed to working with military and government officials” to address sensitive data. The company is also reviewing all of the original features of its app to make sure user information cannot be used maliciously.
After this recent incident, expect to see changes in the privacy settings for the Strava social-fitness app.
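One way a publisher of aggregated location data could avoid the failure Quarles describes, where activity "in areas without other activity density" stands out on the map, is to publish a grid cell only when enough distinct users contributed to it. The sketch below is an added example, not Strava's code; the cell size, the threshold `K_MIN_USERS`, the function names and the sample coordinates are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CELL_DEG = 0.01   # grid cell size in degrees (assumed, roughly 1 km)
K_MIN_USERS = 5   # distinct users required before a cell is published (assumed)

def cell_of(lat, lon, size=CELL_DEG):
    """Snap a GPS point to the integer index of its grid cell."""
    return (math.floor(lat / size), math.floor(lon / size))

def build_heatmap(points, k=K_MIN_USERS):
    """points: iterable of (user_id, lat, lon).
    Returns (published, suppressed), each a dict of cell -> point count."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for user_id, lat, lon in points:
        c = cell_of(lat, lon)
        counts[c] += 1
        users[c].add(user_id)
    published, suppressed = {}, {}
    for c, n in counts.items():
        # Raw point count is not a safe gate: one person repeating the same
        # loop produces a bright cell. Gate on distinct contributors instead.
        target = published if len(users[c]) >= k else suppressed
        target[c] = n
    return published, suppressed

def sample_points():
    """Constructed data at arbitrary coordinates: a busy park, an isolated site."""
    pts = []
    # 40 users with 3 runs each in a populated area
    for u in range(40):
        for r in range(3):
            pts.append((f"city-{u}", 1.0012 + 0.0001 * r, 2.0034))
    # 2 users with 60 runs each on the same loop in an otherwise empty area
    for u in range(2):
        for r in range(60):
            pts.append((f"remote-{u}", 3.5051, 4.7072 + 0.00001 * r))
    return pts

if __name__ == "__main__":
    pub, sup = build_heatmap(sample_points())
    print("published cells:", pub)
    print("suppressed cells:", sup)
```

Both sample cells hold the same number of GPS points, so only the distinct-user check separates the crowded park from the two-person loop.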