U.S. military revising its rules after fitness trackers exposed sensitive data


January 29, 2018

A portion of the Strava Labs heat map from Baghdad, Iraq, made by tracking activities. – Screenshot/Screenshot

The review came after reports in The Washington Post and elsewhere that a global heat map posted online by the fitness-tracking company Strava reveals the outlines of U.S. military bases in some of the most dangerous locations in the world — along with the routes taken by supply convoys and patrols.

In the latest discoveries on Monday, experts and Internet sleuths found further ways of using the publicly available Strava data to identify individual users of the tracking service by name, along with the jogging routes they use in war zones such as Iraq and Afghanistan.

On one of the Strava sites, it is possible to click on a frequently used jogging route and see who runs the route and at what times. One Strava user demonstrated how to use the map and Google to identify by name a U.S. Army major and his running route at a base in Afghanistan.

On another Internet site, it is possible to establish the names and home towns of individuals who have signed up for a social sharing network where runners post their routes and speeds. One popular route on a base in Iraq has been nicknamed "Base Perimeter" by the U.S. runners who regularly use it. Another outside the big U.S. base in Kandahar, Afghanistan, is called "Sniper Alley."

On Monday, the Defense Department launched a review to determine whether new policies are needed, according to Army Col. Rob Manning, a Pentagon spokesman. The review will be led by Essye B. Miller, the Pentagon's acting chief information officer.

"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Manning said. "We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DOD personnel at home and abroad."


A portion of the Strava Labs heat map from the coast of Mogadishu, Somalia, made by tracking activities. – Screenshot/Screenshot

Manning said that he was not aware of the release of information on Strava's interactive map resulting in any compromise of security. He also was not aware of any interaction between the Defense Department and Strava, either before or after the data's release.

But Defense Department personnel are, he said, "advised to place strict privacy settings on wireless technologies and applications, and such technologies are forbidden at specific DOD sites and during specific activities." Service members are also expected to limit their use of social media such as Facebook and Twitter when they are deployed to sensitive locations, he said.

The U.S.-led coalition against the Islamic State is meanwhile reviewing procedures on bases in Iraq and Syria, where some of the most readily identifiable bases exposed by the Strava data are located and where U.S. service members are still fighting remnants of the Islamic State.

Rapidly changing technologies pose "potential challenges to operational security and force protection. We constantly refine policies and procedures to address such challenges," said a statement from the Central Command press office in Kuwait, which speaks for the U.S.-led coalition against the Islamic State.

The rules on the privacy settings relating to devices such as fitness trackers are being "refined" and commanders at bases are being urged to enforce those that are already in place, the statement added.

Strava issued a new statement saying that it takes the safety of its users seriously. The company "is committed to working with military and government officials to address sensitive areas that might appear," the statement said. Strava had originally responded to the allegations by saying that users should check their privacy settings.
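The two exposures the article describes call for two different controls: a per-site geofence that strips GPS points near a sensitive location before a track is shared at all, and a minimum-distinct-user threshold at aggregation time so that a heat map cell is only rendered once enough different people have passed through it. The following Python is an added illustration of both controls, not code from Strava, the Defense Department or any product; the zone coordinates, user names and track shapes are constructed placeholders, and the cell size and user threshold are hypothetical parameters.

```python
import math
from collections import defaultdict

# Constructed placeholder: (centre_lat, centre_lon, radius_m). Not a real location.
SENSITIVE_ZONES = [(34.0000, 44.0000, 800.0)]

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_sensitive_zone(lat, lon, zones=SENSITIVE_ZONES):
    """True if the point lies within the radius of any configured zone."""
    return any(haversine_m(lat, lon, clat, clon) <= r for clat, clon, r in zones)


def scrub_track(points, zones=SENSITIVE_ZONES):
    """Control 1 (per-site geofence): drop every point inside a zone before sharing.

    Unlike a start/end-only privacy zone, this removes a loop that never leaves
    the zone, which is exactly the "base perimeter" case in the article.
    """
    return [p for p in points if not in_sensitive_zone(p[0], p[1], zones)]


def heatmap_cells(tracks, cell_deg=0.001, min_users=5):
    """Control 2 (k-anonymity at aggregation): count distinct users per grid cell
    and keep only cells touched by at least min_users different users.

    tracks: {user_id: [(lat, lon), ...]}. Returns {cell: distinct_user_count}.
    """
    users_per_cell = defaultdict(set)
    for user, points in tracks.items():
        for lat, lon in points:
            cell = (math.floor(lat / cell_deg), math.floor(lon / cell_deg))
            users_per_cell[cell].add(user)
    return {cell: len(users) for cell, users in users_per_cell.items()
            if len(users) >= min_users}


def circle_points(clat, clon, radius_m, n=12):
    """Constructed helper: n points on a circle of the given radius (metres)."""
    pts = []
    for i in range(n):
        ang = 2 * math.pi * i / n
        dlat = (radius_m * math.cos(ang)) / 111320.0
        dlon = (radius_m * math.sin(ang)) / (111320.0 * math.cos(math.radians(clat)))
        pts.append((clat + dlat, clon + dlon))
    return pts


def build_sample_tracks():
    """Constructed sample data: three users share a 500 m loop inside the zone,
    one user runs a short route about 5 km away in the open."""
    perimeter_loop = circle_points(34.0, 44.0, 500.0)
    town_route = [(34.05 + 0.0002 * i, 44.05) for i in range(10)]
    return {
        "runner1": perimeter_loop,
        "runner2": perimeter_loop,
        "runner3": perimeter_loop,
        "runner4": town_route,
    }


if __name__ == "__main__":
    tracks = build_sample_tracks()
    print("points left after scrubbing the perimeter loop:", len(scrub_track(tracks["runner1"])))
    print("cells rendered at min_users=5:", len(heatmap_cells(tracks, min_users=5)))
    print("cells rendered at min_users=3:", len(heatmap_cells(tracks, min_users=3)))
```

The second control is the one a map publisher can apply without relying on each user's settings: with only three people on the loop, no cell reaches the threshold of five and the perimeter is not drawn, while lowering the threshold to three makes it appear, which is the trade-off the article's "refined" rules are really about.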

The public availability of the data represents "a potential catastrophe," said Nathaniel Raymond, director of the Signal Program on Human Security and Technology at the Harvard School of Public Health. He researches the use of data technology for humanitarian workers around the world and said he has been warning for years of the dangers of the GPS data that is gathered and stored by companies such as Strava.

He said he used the map to pinpoint the jogging route he used to take when he served with U.N. peacekeepers in South Sudan in 2015. The route is evidently still being used by peacekeepers deployed there. Since Sunday, he and his team have used the other Strava sites to identify the names and daily routines of eight foreigners working for aid agencies and the United Nations in the Somali capital Mogadishu, one of the most dangerous cities in the world.

"The focus of this story has been soldiers and spies, but we are also talking about humanitarian workers. If you look at what we saw in Mogadishu and you are al-Shabab, you get a pretty good idea of who the foreigners are and where they are working," he said, referring to the name of the al-Qaeda affiliate in Somalia.

"Once you can identify individuals the data becomes a lot more valuable," said Tobias Schneider, a Berlin-based security analyst who has identified the names of 573 people who jog every morning around the parking lot of the headquarters of British intelligence, making it highly likely they work for the agency. "You could for example identify somebody who works at a known secret facility and then track his movements to other facilities through which he may rotate."

The realization that the data posted by Strava contained sensitive information was made by chance by an Australian undergraduate student, Nathan Ruser, who used the company's publicly available map to identify the perimeters of U.S. military bases in places such as northeast Syria. At one of the sites of a U.S.-led coalition base, it is possible to see that personnel regularly run along the top of a nearby dam.

One problem is that there is no clear regulatory or legal framework for companies such as Strava that collect information on individuals using newly available technologies, said Raymond.

"The duty of care for companies like Strava is not clearly defined. Companies like Facebook and Strava who collect this data don't have clear regulations about what their liability or responsibility is," he said. "And for users, what is the minimum viable level of knowledge that an individual user needs to have so that they can safely use these products?"

Children using GPS-guided toys and people using dating applications are among other people whose whereabouts could potentially be tracked, he said.

"We actually don't have regulation that enables people to think about these issues," he said. "The question is, what else has been breached?"

Courtesy/Source: Washington Post