Pentagon to review security after Strava reveals military’s presence

Fitness trackers broadcast US personnel movements around the globe

The Strava global heatmap can highlight areas with an unusually high concentration of connected, exercise-focused individuals. Photograph: Strava heatmap


The Pentagon said on Monday it was reviewing whether it needed to bolster its security protocols after fitness tracking devices broadcast patterns of movement of US personnel at American military facilities around the world, including in war zones.

Nathan Russer, a student at the Australian National University in Canberra, drew attention to the data when he wrote on Twitter about the images after stumbling upon GPS tracking company Strava’s “Global Heatmap”, which it published in 2017.

“Once you look at Syria you can see a bunch of bright spots,” Mr Russer said. His discovery prompted others to scour the heat map, turning up other possible locations of US personnel, including elsewhere in the Middle East and in Africa.

The US department of defence, which has disclosed the presence of US forces in Syria, said it encourages all defence personnel, wherever they are, to limit their public presence on the internet. That guidance is even more strict when troops operate in sensitive locations.

“DOD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required,” the Pentagon said in a statement, without directly confirming that US troops had used the fitness trackers.

The Pentagon also said it was considering whether additional steps needed to be taken on the matter “to ensure the continued safety of DOD personnel at home and abroad.”

Policies

The US marines have had clear policies on the use of “personal wearable fitness devices” on base since 2016. Such devices are prohibited “if they contain cellular or wifi, photographic, video capture/recording, microphone, or audio recording capabilities”. The policy notes that “merely disabling the cellular, camera, or video capability is not sufficient”.

But it does allow such devices if they don’t contain those features, and explicitly mentions that devices with bluetooth connectivity and a GPS tracking function may be used on base, and it contains no specific ban on uploading that information. Those features are what allow apps like Strava to create personalised maps of historic activity.

Separately, Strava argued on Monday that the information it published was already made public by the users who uploaded it.

In a statement, Strava said: “Our global heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones.

“We are committed to helping people better understand our settings to give them control over what they share,” the company said, sharing a blogpost from 2017 which detailed eight things users can do to lock down their privacy on the service, including specifically opting out of the global heatmap by unchecking a box in the settings page.

Strava added: “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear.”

Further analysis

Meanwhile, the number of sensitive establishments known to be visible on the Strava heatmap continues to grow, as security analysts continue to scour the map.

In Pyongyang, North Korea, a popular riverside running route glows brightly – as does the embassy compound in the Munsu-Dong neighbourhood, to the east of the city centre, home of the British, German, Polish and Czechian embassies.

Outside Djibouti City, US base Camp Lemonnier is clearly visible. The United States Naval Expeditionary Base from which drone strikes in Yemen and Somalia are launched is marked out by the exercise regimes of thousands of US servicemen and women.

Almost as visible, to the southwest of Camp Lemonnier, is a smaller base, unmarked on maps but ringed by inhabitants running circuits of the external walls. The compound appears to be a CIA “black site”, first publicly named as such by analyst Markus Ranum just a week before the heatmap confirmed its activity.

The headquarters of GCHQ, in Cheltenham, England, are just one of the sensitive sites to be crisscrossed with GPS activity, suggesting that spies and intelligence analysts are recording and uploading their commutes or lunchtime runs.

Similar activity can be seen around the CIA headquarters in Langley, Virginia. – Reuters/Guardian