Strava, a fitness-tracking app, is revealing potentially sensitive information about military bases and supply routes via its global heatmap website.

The data map shows 1 billion activities and 3 trillion points of latitude and longitude from "Strava's global network of athletes", according to the American company.

On the weekend, 20-year-old Australian university student Nathan Ruser noticed the map showed the locations and running routines of military personnel at bases in the Middle East and other conflict zones.

Loading

Speaking from Thailand, Mr Ruser, who is studying international security at the Australian National University, said he had been following the situation in Syria since 2014.

When he came across Strava's heatmap, he decided to look at the war-torn region and said "the whole thing lit up like a Christmas tree."

When you look at Strava's heatmap in countries like Australia, you see a lot of "noise" from civilians using the app. Sydney, for example, glows gold with people's jogging habits.

That's not the case in the Middle East or Africa, where lone activities stand out against an all-black background.

"In countries where that is not so much a thing, that noise gets filtered out," Mr Ruser said.

"The only people using the apps would be foreign military personnel."

It is also possible that workers from charities and other NGOs might feature on the conflict zone maps.

According to the Washington Post, the US military is looking into the situation.

Strava activity around Al Asad airbase in Iraq, where Australian soldiers have trained local forces. ( Strava screenshot )

Strava collects data from phones and fitness trackers such as Fitbit, and allows users to share their routine with friends and followers. Its aggregated heatmap shows information collected between 2015 and September 2017.

While security analysts often use satellite imagery to study military installations, Mr Ruser said the Strava data added an additional, possibly dangerous layer of information.

Using satellite imagery, you can see base buildings, for example. But on the heatmap, you can see which buildings are most used, or the jogging routes of soldiers.

"You can establish a pattern of life for a base," he said.

It also shows the turns patrols take when moving through towns in Syria: "You can see the main supply highway for US forces in Syria, and I just remember thinking 'f***, that's not good'," Mr Ruser said.

"Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence," tweeted ex-British Army officer Nick Waters.

Loading

Other analysts have scoured the map since Sunday, tweeting about missile sites and patrol routes around the world.

Jeffrey Lewis, founding publisher of the Arms Control Wonk blog, wrote at the Daily Beast that "the underlying data that Strava is collecting is a security nightmare."

Edward Farrell, an Australian security researcher, said the risk of being able to spot "military bases in secretive places" may be overstated.

While many of these bases are known, it still presents a potential issue of operational security if the data can be "individually allocated to someone".

"It can certainly allow for tracking of patterns of life and behaviour in those locations," Mr Farrell said.

Some installations seem to have dealt with the risk, he pointed out. The Pentagon, for example, shows no internal Strava data.

Strava data around the Pentagon. ( Strava screenshot )

Danielle Cave, a senior analyst at the International Cyber Policy Centre at the Australian Strategic Policy Institute, called the heatmap an "open source intelligence gold mine".

She suggested the data also raised a cyber security risk.

"A hacking group, state or non-state, could very easily now target Strava knowing how valuable the data is that they are holding," she said.

"If it does turn out that people can strip out the personal details of some of these Strava users, then I think it's getting into a very dangerous place."



A Strava spokesperson said the heatmap represented "an aggregated and anonymized view" of its users activities.

He added that Strava allows users to create a "privacy zone" — a tool that obscures activity within a pre-selected radius.

Mr Ruser doesn't think the situation is all Strava's fault.

"They probably should have had the foresight to look at the map before they released it, but the app has a policy where you can opt out of data sharing, and that hasn't been done by the soldiers," he said.

"If you ask me, I don't expect the map will be online for that much longer."

Ms Cave suggested the military needs to be clear about where such devices and apps are or are not allowed.

"It gives our defence and intelligence community a perfect reminder to triple check that they are on top of these emerging technologies," she said.

In Australia, the map shows movements taking place around known military installations such as the Joint Defence Facility Pine Gap in the Northern Territory.

A Department of Defence spokesperson said the circumstances did not constitute a security breach.

"Defence personnel are advised to actively use and manage privacy controls to limit the amount of information they make publicly available, and report any suspicious online activities or contacts," he added.