IT West Ltd

Military Bases Exposed By Fitness App

A user activity ‘heat map’ published by fitness tracker Strava has unwittingly revealed the location and structure of military bases in other countries.

How?

The app, made by San Francisco-based Strava, uses a mobile phone’s GPS to track a subscriber’s exercise activity. The new version of the app, introduced in November last year, is reported to be built from a billion activities (three trillion data points covering 27 billion km, or 17bn miles, of distance run, jogged or swum), but the data used to produce the ‘heatmap’ of user activity is not live data.

The latest heatmap published by the company, showing the paths its users log as they run or cycle, is intended to show the app’s popularity and is actually made from aggregated data from activities recorded between 2015 and September 2017.

Revealed

Unfortunately for Strava, since military personnel engage in regular exercise, and are generally limited to following the same exercise routes in or close to the base where they are stationed, Strava’s heatmap of user activity reveals the outline of military bases and the most popular routes taken by the soldiers there.

Danger

Even though the location and outline of many military bases are already known from satellite imagery, the heatmap from the app exposes the regular routes taken by soldiers when they are most likely not armed and at their most vulnerable. Also, the heatmap could expose the routes taken by other personnel such as aid workers and NGO staffers in more remote areas. All of this could mean that the app is exposing soldiers and other personnel to danger from attack or kidnap by state and non-state actors e.g. in countries such as Syria, Yemen, Niger, Afghanistan or Djibouti.

There is also a danger that hackers could access Strava’s database and find the details of individual users.

UK Personnel at Risk Too

Even though Strava is a US app, it has been reported that user activity at the UK’s RAF base at Mount Pleasant in the Falkland Islands was also exposed by the app’s heatmap.

Privacy Settings

Privacy settings do exist on the app but the onus is on the user to explicitly opt out of data collection for the heatmap.

US Already Takes Measures To Protect

The US government already takes measures to guard against similar risks to those posed by the app heatmap. For example, it has already published a tract called Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD, and in 2016, banned Pokémon GO from government-issued mobile phones.

What Does This Mean For Your Business?

This is not the first time that the negative aspects of fitness-tracking devices and the companies behind them have been in the news: the devices are transmitters as well as recorders of data about us. Back in February 2016, a study by a Canadian research team revealed that popular types of fitness trackers transmit a Bluetooth signal that could act as an ‘identifier’, one that could be picked up by the beacons now used by retail stores and shopping centres to track, recognise and profile customers.

In the case of Strava, although the company could be forgiven to an extent because the risk was relatively unforeseen, there is an argument that a better approach would have been to exclude users from the heatmap by default and give them the choice to opt in should they wish to. It may also have been better to avoid publishing any heatmaps at all, and simply to publish some statistics instead.
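To illustrate the point made under ‘Revealed’ and the opt-in suggestion above, here is an added example (not Strava’s code, and using constructed GPS tracks) that aggregates tracks into a grid heatmap the way a public activity map would, then shows two mitigations: suppressing cells visited by fewer than k distinct users, and counting only users who have opted in.

```python
from collections import defaultdict

CELL = 0.001  # grid cell size in degrees, roughly 100 m (constructed choice)


def cell_of(lat, lon):
    """Snap a GPS point to a grid cell."""
    return (int(round(lat / CELL)), int(round(lon / CELL)))


def heatmap(tracks, min_users=1, opted_in=None):
    """Aggregate GPS tracks into per-cell point counts, as a public heatmap would.

    tracks:    iterable of (user_id, [(lat, lon), ...])
    min_users: cells seen by fewer distinct users than this are suppressed
    opted_in:  if given, only these users contribute (opt-in default);
               None means everyone contributes (opt-out default)
    """
    hits = defaultdict(int)
    users = defaultdict(set)
    for user, points in tracks:
        if opted_in is not None and user not in opted_in:
            continue
        for lat, lon in points:
            c = cell_of(lat, lon)
            hits[c] += 1
            users[c].add(user)
    return {c: n for c, n in hits.items() if len(users[c]) >= min_users}


def exposed(hm, points):
    """True if any point of the given route shows up in the heatmap."""
    return any(cell_of(lat, lon) in hm for lat, lon in points)


# Constructed data: three people jog the same small loop at an otherwise
# empty remote site; twenty people run along one street in a town.
REMOTE_LOOP = [(10.000, 20.000), (10.000, 20.001), (10.001, 20.001), (10.001, 20.000)]
TOWN_STREET = [(30.000, 40.000 + k * CELL) for k in range(5)]
TRACKS = [(f"remote{i}", REMOTE_LOOP) for i in range(3)]
TRACKS += [(f"town{i}", TOWN_STREET) for i in range(20)]

if __name__ == "__main__":
    naive = heatmap(TRACKS)  # everyone included, no threshold
    print("remote loop visible (naive):", exposed(naive, REMOTE_LOOP))  # True
    thresholded = heatmap(TRACKS, min_users=10)
    print("remote loop visible (k>=10):", exposed(thresholded, REMOTE_LOOP))  # False
    opt_in = heatmap(TRACKS, opted_in={f"town{i}" for i in range(20)})
    print("remote loop visible (opt-in only):", exposed(opt_in, REMOTE_LOOP))  # False
```

Aggregation alone hides nothing in a sparsely used area: the three remote joggers’ loop appears just as clearly as the busy town street until a minimum-users threshold or an opt-in default removes it.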

In addition to the possible risk to the lives of service personnel (and others) that the map has caused, it has also highlighted other important issues relating to fitness-tracking devices and consumer protection, e.g. data protection and privacy implications, the risk of the devices being hacked, and the need for greater transparency about what the devices store and transmit.

Companies producing devices that store and transmit personal data need to ensure that they comply with data protection laws, and that they are mindful of potential identifiers and other security risks.