Fitness-tracking company Strava has responded to claims that it accidentally revealed sensitive military positions in a data visualisation it published in 2017, arguing that the information was already made public by the users who uploaded it.

Militaries around the world are considering banning fitness trackers to prevent future breaches.

The “global heatmap” shows, in aggregate form, every public activity uploaded to the app over its history. In major cities, it lights up popular running routes, but in less trafficked locales it can highlight areas with an unusually high concentration of connected, exercise-focused individuals – such as active military personnel serving overseas.

In a statement, Strava said: “Our global heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones.

“We are committed to helping people better understand our settings to give them control over what they share,” the company said, sharing a blogpost from 2017 which detailed eight things users can do to lock down their privacy on the service, including specifically opting out of the global heatmap by unchecking a box in the settings page.

Strava added: “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear.”
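The exclusion rules Strava's statement describes (private activities left out entirely, points inside user-defined privacy zones dropped before aggregation) can be made concrete in a few dozen lines. The following Python is an added illustration written for this page, not Strava's own code; the coordinates, zone radius and grid size are constructed assumptions chosen to show the effect, not values from the article.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Activity:
    points: list          # list of (lat, lon) tuples
    private: bool = False  # marked private by the user: never aggregated


@dataclass
class PrivacyZone:
    lat: float
    lon: float
    radius_m: float       # points within this radius are stripped


def scrub_activity(activity, zones):
    """Points from one activity that may enter an aggregate map:
    none for a private activity, otherwise every point outside all zones."""
    if activity.private:
        return []
    return [
        (lat, lon)
        for lat, lon in activity.points
        if all(haversine_m(lat, lon, z.lat, z.lon) > z.radius_m for z in zones)
    ]


def heatmap(activities, zones, cell_deg=0.001):
    """Aggregate scrubbed points into grid cells of cell_deg x cell_deg."""
    counts = {}
    for act in activities:
        for lat, lon in scrub_activity(act, zones):
            cell = (math.floor(lat / cell_deg), math.floor(lon / cell_deg))
            counts[cell] = counts.get(cell, 0) + 1
    return counts


def public_point_count(activities, zones):
    """Total number of points that would light up the aggregate map."""
    return sum(heatmap(activities, zones).values())


# Constructed sample data (assumption: not a real location).
BASE_LAT, BASE_LON = 12.3450, 45.6780

# A loop of ~330 m around the compound walls plus one point ~5.5 km away.
PERIMETER_RUN = Activity(points=[
    (BASE_LAT + 0.003, BASE_LON),
    (BASE_LAT - 0.003, BASE_LON),
    (BASE_LAT, BASE_LON + 0.003),
    (BASE_LAT, BASE_LON - 0.003),
    (BASE_LAT + 0.050, BASE_LON),
])
PRIVATE_RUN = Activity(points=[(BASE_LAT + 0.001, BASE_LON)], private=True)

# A 1 km zone centred on the compound strips the four perimeter points.
ZONES = [PrivacyZone(BASE_LAT, BASE_LON, radius_m=1000.0)]
SAMPLE = [PERIMETER_RUN, PRIVATE_RUN]

if __name__ == "__main__":
    print("without zone:", public_point_count(SAMPLE, []))     # 5
    print("with zone:   ", public_point_count(SAMPLE, ZONES))  # 1
```

The point of the comparison is the order of operations: a zone only protects a location if the filter runs before a point is counted, and a private flag only protects an activity if the aggregator honours it for every point, not just the ones near home. Running the script shows the perimeter loop vanishing from the grid once the zone is applied, while the distant point still contributes.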

Military response

The Australian military has become one of the first to consider taking action to prevent further security breaches, according to a report from the Australian Associated Press. Australia Defence Association spokesman Neil James said any devices that record or transmit should be left at home on deployments. “In World War II, all you had to do was censor people’s letters so they didn’t inadvertently tell someone at home something they shouldn’t,” he told AAP.

The US marines have had clear policies on the use of “personal wearable fitness devices” on base since 2016. Such devices are prohibited “if they contain cellular or wifi, photographic, video capture/recording, microphone, or audio recording capabilities”. The policy notes that “merely disabling the cellular, camera, or video capability is not sufficient”.

But it does allow such devices if they don’t contain those features, and explicitly mentions that devices with Bluetooth connectivity and a GPS tracking function may be used on base; it contains no specific ban on uploading that information. Those features are what allow apps like Strava to create personalised maps of historic activity.

The number of sensitive establishments known to be visible on the Strava heatmap continues to grow, as security analysts continue to scour the map.

Pyongyang route

In Pyongyang, North Korea, a popular riverside running route glows brightly – as does the embassy compound in the Munsu-Dong neighbourhood, to the east of the city centre, home of the British, German, Polish and Czech embassies.

Outside Djibouti City, US base Camp Lemonnier is clearly visible. The United States Naval Expeditionary Base from which drone strikes in Yemen and Somalia are launched is marked out by the exercise regimes of thousands of US servicemen and women.

But almost as visible, to the southwest of Camp Lemonnier, is a smaller base, unmarked on maps but ringed by inhabitants running circuits of the external walls. The compound appears to be a CIA “black site”, first publicly named as such by analyst Markus Ranum just a week before the heatmap confirmed its activity.

The headquarters of GCHQ, in Cheltenham, England, are just one of the sensitive sites to be crisscrossed with GPS activity, suggesting that spies and intelligence analysts are recording and uploading their commutes or lunchtime runs.

Similar activity can be seen around the CIA headquarters in Langley, Virginia. – Guardian