{"id":11303,"date":"2018-01-30T10:45:33","date_gmt":"2018-01-30T18:45:33","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/01\/30\/news-5074\/"},"modified":"2018-01-30T10:45:33","modified_gmt":"2018-01-30T18:45:33","slug":"news-5074","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/30\/news-5074\/","title":{"rendered":"Strava Data Heat Maps Expose Military Base Locations Around the World"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a6f92df17132e047375eb3d\/master\/pass\/StravaMilitarySecurity-565978087.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jeremy Hsu| Date: Tue, 30 Jan 2018 00:14:34 +0000<\/strong><\/p>\n<p><span class=\"lede\">A modern equivalent <\/span>of the World War II era warning that \u201cloose lips sink ships\u201d may be \u201cFFS don\u2019t share your Fitbit data on duty.\u201d Over the weekend, researchers and journalists raised the alarm about how anyone can identify secretive military bases and patrol routes based on public data shared by a \u201csocial network for athletes\u201d called Strava.<\/p>\n<p>This past November, the San Francisco-based Strava announced a <a href=\"https:\/\/medium.com\/strava-engineering\/the-global-heatmap-now-6x-hotter-23fc01d301de\" target=\"_blank\">huge update<\/a> to its global heat map of user activity that displays 1 billion activities\u2014including running and cycling routes\u2014undertaken by exercise enthusiasts wearing Fitbits or other wearable fitness trackers. Some Strava users appear to work for certain militaries or various intelligence agencies, given that knowledgeable security experts quickly connected the dots between user activity and the known bases or locations of US military or intelligence operations. 
Certain analysts have suggested the data <a href=\"http:\/\/www.wired.co.uk\/article\/strava-military-bases-area-51-map-afghanistan-gchq-military\" target=\"_blank\">could reveal<\/a> individual Strava users by name.<\/p>\n<p>But the biggest danger may come from potential adversaries figuring out \u201cpatterns of life,\u201d by tracking and even identifying military or intelligence agency personnel as they go about their duties or head home after deployment. These digital footprints that echo the real-life steps of individuals underscore a greater challenge to governments and ordinary citizens alike: each person\u2019s connection to online services and personal devices makes it increasingly difficult to keep secrets.<\/p>\n<p>The revelations began unspooling at a rapid pace after <a href=\"https:\/\/twitter.com\/Nrg8000\/status\/957318498102865920\" target=\"_blank\">Nathan Ruser<\/a>, a student studying international security at the Australian National University, began posting his findings via Twitter on Saturday afternoon. 
In a series of images, Ruser pointed out Strava user activities potentially related to US military forward operating bases in Afghanistan, Turkish military patrols in Syria, and a possible guard patrol in the Russian operating area of Syria.<\/p>\n<p><a href=\"https:\/\/twitter.com\/Nrg8000\/status\/957318498102865920\">https:\/\/twitter.com\/Nrg8000\/status\/957318498102865920<\/a><\/p>\n<p>Other researchers soon followed up with a dizzying array of international examples, based on cross-referencing Strava user activity with Google Maps and prior news reporting: a <a href=\"https:\/\/twitter.com\/tobiaschneider\/status\/957326762236698625\" target=\"_blank\">French military base in Niger<\/a>, an <a href=\"https:\/\/twitter.com\/JakeGodin\/status\/957751443741650944\" target=\"_blank\">Italian military base in Djibouti<\/a>, and even <a href=\"https:\/\/twitter.com\/AlecMuffett\/status\/957615895899238401\" target=\"_blank\">CIA \u201cblack\u201d sites<\/a>. Several experts observed that the Strava heatmap seemed best at revealing the presence of mostly Western military and civilian operations in developing countries.<\/p>\n<p>Many locations of military and intelligence agency bases pointed out by researchers and journalists had already been previously revealed through other public sources. But the bigger worry from an operations security standpoint was how Strava\u2019s activity data could be used to identify interesting individuals, and track them to other sensitive or secretive locations. 
Paul Dietrich, a researcher and activist, claimed to have used public data scraped from Strava\u2019s website to track a French soldier from overseas deployment all the way back home.<\/p>\n<p><a href=\"https:\/\/twitter.com\/Paulmd199\/status\/957732883090759680\">https:\/\/twitter.com\/Paulmd199\/status\/957732883090759680<\/a><\/p>\n<p>\u201cThis is the part that is perhaps most worrisome, that an individual&#x27;s identity might be pullable from the data, either by combining with other information online or by hacking Strava\u2014which just put a major bullseye on itself,\u201d says Peter Singer, strategist and senior fellow at New America, a think tank based in Washington, DC. \u201cKnowing the person, their patterns of life, etc., again would compromise not just privacy but maybe security for individuals in US military, especially if in the Special Operations community.\u201d<\/p>\n<p>Strava\u2019s data could even be used to follow individuals of interest as they rotated among military bases or intelligence community locations, according to Jeffrey Lewis, director of the East Asia Nonproliferation Program in the Middlebury Institute of International Studies at Monterey, California. In a sobering <a href=\"https:\/\/www.thedailybeast.com\/strava-fitness-tracker-app-exposes-taiwans-missile-command-center\" target=\"_blank\">Daily Beast<\/a> article, Lewis laid out a scenario by which Chinese analysts could track a Taiwanese soldier based on his activities at a known missile base and thereby discover other previously unknown missile bases as the soldier\u2019s duties required him to rotate through those bases.<\/p>\n<p>The United States is clearly far from alone in dealing with such security challenges. 
Back in 2015, the People\u2019s Liberation Army Daily issued a stern warning to members of the Chinese military about the security risks posed by smart watches, fitness bands, and smart glasses, according to <a href=\"https:\/\/qz.com\/402353\/the-chinese-military-is-afraid-wearables-will-reveal-its-secrets\/\" target=\"_blank\">Quartz<\/a>. But the Strava example shows that the United States may be at greater risk, with its relatively large footprint involving troops, intelligence personnel, diplomats, and contractors deployed overseas in sensitive areas or conflict zones.<\/p>\n<p>The US military\u2019s Central Command has already begun reassessing its privacy policies for the troops after the Strava revelations, according to reporting by <em><a href=\"https:\/\/www.washingtonpost.com\/world\/a-map-showing-the-users-of-fitness-devices-lets-the-world-see-where-us-soldiers-are-and-what-they-are-doing\/2018\/01\/28\/86915662-0441-11e8-aa61-f3391373867e_story.html\" target=\"_blank\">The Washington Post<\/a><\/em> and others. Current US <a href=\"http:\/\/www.marines.mil\/News\/Messages\/Messages-Display\/Article\/897971\/authorization-for-personal-wearable-fitness-devices-pwfd-in-marine-corps-facili\/\" target=\"_blank\">military service policies<\/a> seem to allow for use of fitness trackers and other wearables with the caveat that local commanders have the discretion to tighten security. 
In fact, the US Army has previously promoted use of <a href=\"https:\/\/www.military.com\/daily-news\/2013\/10\/22\/army-issues-fitbit-bands-in-test-fitness-program.html\" target=\"_blank\">Fitbit trackers<\/a> as part of a pilot fitness program.<\/p>\n<p>Some of the security tightening may involve certain \u201cno-go areas\u201d or \u201cleave-at-home policies\u201d for personal smartphones and wearables, similar to what already exists in sensitive offices of the Pentagon and other installations, Singer says.<\/p>\n<p>Certain military or intelligence facilities may also need upgrades to their security as a result of the Strava data reveal, says Lynette Nusbacher, a strategist and military historian based in the UK. She adds that militaries and other organizations will require constant, up-to-date training for both their leadership and the rank-and-file, to ensure they\u2019re aware of the threat from modern geolocation technology.<\/p>\n<p>The idea of banning wearable technologies outright may potentially make sense in certain cases: \u201cA small minority of tier one special forces operators can go without toilet paper or soap or mobile phones for weeks,\u201d Nusbacher says. But she warns that imposing extreme restrictions more broadly could reduce the number of people willing to sign up for military or intelligence stints overseas.<\/p>\n<p>\u201cWhen I was deployed on operations in 1999 we expected one phone call a week and dial-up internet,\u201d Nusbacher says. 
\u201cPeople on their third or fourth deployment are going to lose their minds or their marriages if they can&#x27;t use tech to simulate normalcy.\u201d<\/p>\n<p>Many analysts place the burden of responsibility on the US military and other organizations for the lapse, rather than on Strava. The latter does, after all, allow users to choose whether they share their data. \u201cStrava offered a service,\u201d Nusbacher says. \u201cIt&#x27;s not their fault that soldiers who needed better training and briefing turned that service into a vulnerability.\u201d<\/p>\n<p>But Paul Scharre, senior fellow and director of the Technology and National Security Program at the Center for a New American Security, argues that technology companies do have certain responsibilities, especially after a problem of this magnitude has been identified.<\/p>\n<p>\u201cMilitary service members, particularly in the special operations community, take operational security seriously: They would not have shared this data if they understood the consequences,\u201d Scharre says. \u201cIf Strava was serious about the negative consequences of this data being public, they would temporarily take the maps offline and work with the government to scrub sensitive data. I do not think it is acceptable for a company to release data that might imperil the lives of US service members.\u201d<\/p>\n<p>In a statement, James Quarles, CEO of Strava, acknowledged that &quot;members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations. Many team members at Strava and in our community, including me, have family members in the armed forces. 
Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.&quot;<\/p>\n<p>Quarles said that Strava was &quot;committed to working with military and government officials to address potentially sensitive data.&quot; He added that the company was &quot;reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent,&quot; and was also working to simplify &quot;privacy and safety features&quot; for customers to more easily understand and control their data.<\/p>\n<p>The heat map may contain a few bright spots, though. There is no evidence as of yet that certain countries or militant groups exploited the Strava heatmap along with other open-source intelligence to inflict real harm. \u201cIt\u2019s a good thing this was reported now versus being exploited by an enemy later in a <a href=\"https:\/\/www.wired.com\/2017\/03\/army-converting-missiles-ship-killers-china\/\">major war<\/a>,\u201d says Singer.<\/p>\n<p>The Strava heatmap also represents the cumulative activity of users over several years up through September 2017. That means nobody can use it to track military patrols or analysts walking through CIA bases in real-time.<\/p>\n<p>Still, the Strava incident is just the latest and perhaps most spectacular example of how social media can compromise the operations security of even the most sensitive military and intelligence agencies. 
Analysts and journalists have previously tracked the locations of soldiers, such as <a href=\"https:\/\/news.vice.com\/article\/russia-denies-that-its-soldiers-are-in-ukraine-but-we-tracked-one-there-using-his-selfies\" target=\"_blank\">Russian troops<\/a> in Ukraine, based on selfies and other public data shared on social media. Back in 2007, Iraqi insurgents used geo-tagged photos shared on social media of US Army attack helicopters landing at an airbase to <a href=\"https:\/\/www.livescience.com\/19114-military-social-media-geotags.html\" target=\"_blank\">pinpoint and destroy<\/a> four of the expensive war machines in a mortar attack.<\/p>\n<p>Much of the public data needed to compromise certain aspects of military or intelligence operations was already out there and hiding in plain sight years ago, according to Gavin Sheridan, CEO of Vizlegal and a former journalist. In a lengthy <a href=\"https:\/\/twitter.com\/gavinsblog\/status\/957785753366548481\" target=\"_blank\">Twitter thread<\/a>, he explained how geotagging has made it relatively easy to detect Westerners\u2014usually soldiers\u2014in remote areas of the world, or even to compile lists of family members for individuals working at the CIA or the Pentagon.<\/p>\n<p>But addressing the security risks highlighted by Strava will require much more than simply updating a few policies. A world dominated by the rise of social media, the growing availability of commercial satellite and drone imagery, and increasing usage of smartphones necessitates an entirely new cultural mentality.<\/p>\n<p>\u201cToo often we think secrets lie hidden, when now they are mostly out in the open,\u201d says Singer. 
\u201cBoth militaries and the public need to come to grips with the fact that the era of secrets is arguably over.\u201d<\/p>\n<p><em>This story has been updated to include a statement from Strava CEO James Quarles.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/strava-heat-map-military-bases-fitness-trackers-privacy\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a6f92df17132e047375eb3d\/master\/pass\/StravaMilitarySecurity-565978087.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jeremy Hsu| Date: Tue, 30 Jan 2018 00:14:34 +0000<\/strong><\/p>\n<p>The US military is reexamining security policies after fitness tracker data shared on social media revealed bases and patrol 
routes<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11303","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11303"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11303\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}