How the Spies Learned to Stop Worrying and Love Fitbit

When researchers last weekend noticed that a private company had published a global heat map of people running and walking around, based on data uploaded from its fitness application, the news sparked renewed debate in the U.S. national security community about rules governing wearable devices that transmit data.

What wasn’t disclosed by the intelligence and military officials reacting to the news is that the debate over whether fitness trackers should be allowed in sensitive spaces, particularly in intelligence outposts, has raged on for years. And many employees did in fact gain the right to wear certain types of trackers, even in the most sensitive locations.

However, that decision has consistently led to internal disagreement. In some cases, military and intelligence officials have wide discretion over where and when their employees can use those devices.

“We are aware of the potential impacts of devices that collect and report personal and locational data, such as information contained in the Strava ‘heat map’ recently reported in the press,” a current U.S. intelligence official wrote in an email to Foreign Policy. “The use of personal fitness and similar devices by individuals engaged in U.S. Government support is determined and directed by each agency and department.”

For example, starting around the spring of 2013 and continuing over the next year, the U.S. National Security Agency debated whether to allow its employees to wear certain low-power models of some fitness trackers, such as Fitbits, around the agency campus and inside sensitive compartmented information facilities, including top-secret rooms where cellphones are not allowed, three former intelligence officials told FP.

The NSA made the decision to allow the devices in certain areas, including some sensitive areas.

Those concerned about what information those devices reveal can point to the data published by Strava, a tech company whose application tracks fitness activity through phones and wearable devices. The revelations sparked renewed public debate about whether government employees were compromising sensitive information by using the application at and near work.

By searching the Strava heat map for facilities such as the NSA campus in Fort Meade, Maryland, or suspected military bases in war zones like Iraq and Syria, researchers could see bright lines tracking employees going for their daily jog — to and from the entrances or parking lots of those secretive facilities.

“NSA is aware of the information published by Strava,” Brynn Freeland, an NSA spokeswoman, wrote in an email to FP. “NSA will continue to operate in accordance with [Defense Department] and [Director of National Intelligence] guidance concerning the use of wearable fitness devices.”

While the NSA does allow wearable fitness monitors in some locations, not all national security agencies do. At military outposts globally, the decision has often been left up to the special security officer in charge; some commands decided it was a bad idea and banned it (though in places such as the U.S. Africa Command headquarters, there are still bright trails leading to the door on the Strava map).

In most classified spaces, there are signs clearly banning internet-connected devices with photos of Apple Watches and Fitbits, one military source told FP. There are no visible heat signals from inside the Pentagon.

Other intelligence agencies do show up in the Strava data: It’s easy to spot the gym at the National Geospatial-Intelligence Agency, or NGA; the most popular running trails from the NSA’s Dagger Complex in Germany; and paths leading from Camp Peary, the CIA’s secret training area known as the Farm.

By rooting around in the Strava data, Twitter users and researchers quickly identified dozens of military bases, American and foreign, as well as other facilities previously kept secret.

U.S. national security officials responded to news stories about the Strava heat map with concern but no immediate policy changes.

“It’s really clear that that heat map is a security risk,” White House cybersecurity advisor Rob Joyce told reporters Monday.

Joyce, who used to lead the nation’s top hackers at the NSA’s Tailored Access Operations unit, worked for the agency during its debate over allowing fitness trackers.

The “Strava heat map forces all to look at risks of big data analytics,” he wrote in a follow-up tweet, but urged people not to overreact to the map.

Back in 2013, the NSA decided to allow employees to wear fitness trackers in certain circumstances but only Bluetooth low-energy models with no additional internet connections. But not everyone thought it was a good idea — and some employees lodged complaints on internal NSA social media platforms.

The debate has been litigated in public forums as well. On a Reddit channel for Air Force veterans, there’s a thread from two years ago about whether military personnel can wear a fitness tracker. One commenter wrote they were aware of “certain policies in place for NSA” to allow for wearing the device.

“[A]ll agencies have different regulations,” another user responded.

One former Africom official told FP about an episode in Stuttgart, Germany, where American military personnel were being gifted free fitness trackers from a local hotel.

The ownership of the hotel, not far from Kelley Barracks, the headquarters of Africom, had rumored connections to Russia. A U.S. military security officer immediately confiscated the devices, citing counterintelligence concerns, the former official said.

A spokesperson for the command said security personnel were not aware of the free Fitbits being given away or concerns about the hotel.

In the meantime, U.S. intelligence agencies appear to be making their own policies. “The [intelligence community] was split on Fitbit,” one former intelligence official wrote to FP. “Lots of organizations allow (and still allow) Fitbits and some banned them.”

After the NSA greenlighted certain fitness trackers, other intelligence agencies followed suit, including NGA and the Defense Intelligence Agency, or DIA.

“[A]fter careful evaluation and testing … [NGA] established new policy and procedures to permit employees at its St. Louis, Springfield, Va., and Arnold, Mo. campuses to wear personal fitness devices inside its facilities,” an NGA spokesperson wrote in an email to FP. Those policies were implemented in February 2016. There are still certain “controlled and special access spaces” where no trackers are allowed.

An agency spokesperson told FP that the “real-world ‘perks’ at NGA is certainly a selling point.” Allowing people to use their Jawbones, Fitbits, and other wearable devices “increases morale and provides a higher quality of life.”

The CIA, however, said no to the devices, one former intelligence official told FP. The CIA declined to comment on questions about its security policies.

“We do not discuss specific policies concerning permissible or prohibited technologies at DIA,” James Kudla, a public affairs officer for the agency, wrote in an email to FP. “We routinely review DIA security policies and procedures to ensure we are mitigating the myriad risks we face.”

Jake Williams, the founder of the cybersecurity consulting company Rendition Infosec and a former vulnerability analyst for the Pentagon, told FP that he was “aware of those debates” concerning the security of wearable devices but thinks the technology is generally acceptable because “the risk of someone using a traditional Fitbit to pivot into a secure system is exceedingly low.”

In other words, an adversary can’t hack into a facility through a digital bracelet. And the locations of most military and intelligence outposts are public, or at least well known, even if unacknowledged.

Where Williams finds a potential issue is with the GPS feature in wearable devices — where undercover agents might inadvertently leak personal information about themselves or the place they work.

Nathan Ruser, an Australian student who monitors areas of conflict and was one of the first to pore through the Strava data, says the ability to track a specific person’s route is the most dangerous aspect of the data.

“You can take this anonymised data and attribute it to the users,” he wrote in a message to FP. Individuals could be identified through different security flaws, such as one in Strava, which allows users to compare their time to real people who also ran the route.

“I know that some friends looking into it have found intelligence personnel through it,” Ruser said.

If Strava is connected to Facebook, it provides another tool for exposing someone’s life — including exercise routines, past deployments, and other personal information.

By late Monday afternoon, when users tried to create new routes, a notification popped up suggesting that the site was undergoing “server maintenance.” It’s unclear whether the maintenance was due to concerns about security flaws.

Even if military and intelligence officials choose to ban all electronics within sensitive spaces, it will be hard to get people to unplug right outside the door, while working out in public spaces nearby, or heading home — especially if those employees are not undercover and are working in unclassified spaces.

For example, a high-ranking NGA official regularly ran sub-six-minute miles right outside the agency’s headquarters, his name appearing on the leaderboards despite choosing to share data only with friends, according to the Strava data. “From NGA’s perspective, this is an unclassified location, surrounded by public roads which NGA employees often use for exercise,” the NGA spokesperson wrote.

“I am a Strava user with sharing enabled,” one former intelligence official told FP, who described running around GCHQ, the British signals intelligence agency.

“No doubt a few of those lines on the heat map around GCHQ were mine.”