On January 27, Nathan Ruser, a founder of the Institute for United Conflict Analysts, started looking at a rich source of geospatial data for locating military operations in Afghanistan, Iraq, Syria, and other conflict zones: a newly published “activity hotmap” for the fitness tracking application Strava. Others, including Tobias Schneider, started plumbing the depths of the Strava data store, based on data pulled from app users’ mobile devices. The heatmap was meant as a demonstration of the mass of activity over 2017 by Strava users.

But it, along with the other data available through Strava's website and APIs, also may be exposing sensitive “patterns of life” of military and contractor personnel in conflict zones and even information about individuals in some of those places.

There’s nothing in the heatmap that specifically identifies who is connected with the data for a very confined path of movement in a compound northeast of Raqqa, for example, or the long tracks of what is most likely a vehicle route from Iraq to northern Syria. But those traces on the heatmap, along with others in areas around the world linked to military operations, have highlighted sometimes covert locations from Niger to Ukraine to Taiwan. And with a little work, it is in some cases possible to connect those activities to individuals—and track them back to their homes.

The data also shows that people at some of the world’s most secure locations—including the National Security Agency headquarters at Fort Meade, Maryland—are perhaps unwittingly transmitting their location data. Heatmaps show that NSA employees who may use Strava to track their workouts left the app enabled while driving to work, finding a parking spot, and even walking the hallways of the NSA—though the building's electromagnetic shielding limits the extent of that tracking. Similar heatmaps exposed activity around the Australian Pine Gap signals intelligence facility and a British nuclear weapons handling facility.

Ars attempted to get a comment from Strava but did not receive a response. Strava does provide “opt-out” settings to protect users’ privacy, but apparently some users in the military are not changing those settings. In some cases, military users appear to be leaving the application on while engaged in convoys and patrols. As a result, those movements appear as bright lines on the Strava heatmap. Not all of the locations tied to the data in these areas—some of which are already being labeled on sites such as Wikimapia as “US military compounds”—are tied to military operations. Some appear to be related to aid operations and may reveal the locations of non-governmental organizations’ operating centers and aid delivery routes.

The Strava heatmap got an update in November. As Strava infrastructure and data engineer Drew Robb noted in a post at the time, the update covered “one billion activities from all public Strava data through September 2017.” So the data on the map is now nearly four months old. Strava also offers a “top clusters” view that allows a geographic search for the highest concentrations of activity, along with links to the individual profiles of those who posted them.

Let me jog your memory

Social media has long been a major operational security concern for military organizations, as proven dramatically by a Russian soldier who posted selfies to Instagram from his armored personnel carrier with location services turned on—showing that he was inside Ukraine. Other Russian soldiers gave up their locations on the social media site VKontakte.

The US military has placed restrictions on social media use in the past to try to prevent the leaking of operational data, much as the military has long sought to censor information being sent from operation areas for security reasons.

But in the fitness-focused world of the military, fitness trackers have largely gotten less attention from an operational security standpoint. While the data published by Strava is hardly real time, the data offers an opportunity to potential adversaries to gain insight into the routines of individuals within organizations. And Strava does offer a way to drill down specifically on individuals to gather data on them, once you’ve joined the service with a Gmail or Facebook account.

Digging into the data presented by Strava’s main site shows live data associated with specific individuals—someone’s profile is associated with a bicycling activity near Kandahar Airfield from January 12 of this year, for example. And sometimes, the route names submitted by users reveal a bit of subversiveness. Tobias Schneider pointed out a short route near the headquarters of the United Kingdom’s signals intelligence organization, GCHQ, at Benhall called “Snowden’s Way”—“attempted” more than 2,000 times by 573 people.

The real problem with Strava for organizations operating in hazardous places—and for sensitive organizations operating anywhere—is that it is not difficult to mine Strava data for links to individuals’ movements that could be exploited by an adversary. But just what anyone can do about it isn’t clear—Strava is, after all, in the business of building a community of athletes and fitness-focused people, and the company is unlikely to police the data on behalf of security and defense organizations. Strava has already suggested that people in the military turn off uploads of fitness data from sensitive locations.
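The mitigation the article ends on, not uploading fitness data recorded at sensitive locations, can be enforced on the device or in an organization's own upload pipeline rather than left to each user's settings. The following is an added example, not Strava's code or any feature of its app or API: a privacy-zone filter that drops every GPS track point within a configured radius of a sensitive site before the activity is shared. The zone coordinates and the track are constructed for illustration and do not correspond to any real facility.

```python
"""
Privacy-zone filter for GPS activity tracks (added example, not Strava's code).

Drops any track point that falls within a configured radius of a sensitive
location before the activity is uploaded or shared. All coordinates below are
constructed for illustration, not real facility locations.
"""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Zone:
    """A circular exclusion zone: centre (WGS84 degrees) and radius in metres."""
    name: str
    lat: float
    lon: float
    radius_m: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def in_zone(lat, lon, zones):
    """Return the first zone containing the point, or None if it is outside all."""
    for z in zones:
        if haversine_m(lat, lon, z.lat, z.lon) <= z.radius_m:
            return z
    return None


def filter_track(points, zones):
    """Remove every point that lies inside any zone.

    points: iterable of (timestamp_s, lat, lon) tuples.
    Returns (kept_points, dropped_count) so the caller can log how much was
    suppressed without ever logging the suppressed coordinates themselves.
    """
    kept, dropped = [], 0
    for ts, lat, lon in points:
        if in_zone(lat, lon, zones) is None:
            kept.append((ts, lat, lon))
        else:
            dropped += 1
    return kept, dropped


# Constructed sample: one 500 m zone and a short track that starts inside it
# and heads north. 0.01 degrees of latitude is roughly 1.1 km.
SAMPLE_ZONES = [Zone("compound (constructed)", 10.0000, 20.0000, 500.0)]
SAMPLE_TRACK = [
    (0, 10.0000, 20.0000),    # at the zone centre: dropped
    (60, 10.0020, 20.0000),   # ~222 m north: still inside, dropped
    (120, 10.0100, 20.0000),  # ~1.1 km north: outside, kept
    (180, 10.0200, 20.0000),  # ~2.2 km north: outside, kept
]

if __name__ == "__main__":
    kept, dropped = filter_track(SAMPLE_TRACK, SAMPLE_ZONES)
    print(f"kept {len(kept)} points, dropped {dropped}")
```

Dropping points rather than the whole activity keeps the workout usable while removing the segment that would otherwise trace a path through the site; a stricter policy for deployed personnel would refuse the upload entirely whenever `dropped` is non-zero, since a track that begins and ends just outside a zone still marks its perimeter.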