It was supposed to be fun: Compiled from more than a billion paths taken by users of Strava, a workout-tracking app, an interactive online heat map shows “where we play” the world over. The map traces popular jogging routes, bike paths, and walking trails. The veins of D.C.’s Rock Creek Park glow white-hot, as do the contours of Moscow’s Gorky Park and the leafy corridors of Tehran’s Park Mellat. See? We’re not so different after all.
Except in some ways. The popular Strava app connects to GPS-enabled devices—Fitbits, smartwatches, phones—and tracks them as their owners sweat through a run or bike ride. Those devices aren’t cheap, and you can’t get them just anywhere, so the map of Strava activity isn’t lit up entirely evenly. Western Europe and the United States shine brightly, as do Japan, South Korea, and Taiwan; other population centers gleam, too, but the map fades to darkness in developing countries.
Zoom into just the right points in those dark patches, though, and you’ll come across anomalous hives of activity, shining like incriminating fingerprints under a blacklight. But who’s running in laps on the beach next to the Mogadishu airport? In a trapezoid-shaped compound in Djibouti? Why is there a constellation of isolated tracks in Afghanistan?
Many of these patches, it turns out, are Western military bases, both overt and secret, lit up for the world to see. Military personnel walking through their compounds over the past two years left behind an invisible trail of data that mapped out, in detail, the paths they and their cohort trace daily. Patrols seem to show up on the map, as do trails that could be commuting routes, connecting homes to sensitive workplaces.
(The first of an ensuing flood of tweets screenshotting what appear to be army bases and patrol routes appeared to come from a precocious Australian college student, and earned him a brief profile in the New York Times.)
What’s worse, the data is easily de-anonymized, revealing the names of the joggers who charted each individual path. The user can then be connected to the rest of his or her Strava activity, thus assembling, for example, a timeline of the bases a particular soldier cycled through. Combined with social-media information, an online snoop could put together a pretty good picture of an individual’s comings and goings.
Strava’s dangerous data dump is a textbook example of the usually hidden trails of data we create nearly every moment of our lives. With the flip of a switch, the workout company has lit the breadcrumbs aglow, revealing how many of its users in sensitive locations didn’t think twice about continually broadcasting their satellite-determined locations to a server they know nothing about.
The heatmap has been live online since November, but it only began attracting attention this week. Still, the data remains live online at the time of this writing, and Strava has offered only a tepid public letter in response, acknowledging that the tool “inadvertently increased awareness of sensitive locations.” The letter, written by the company’s CEO, said Strava would work with the government to “address potentially sensitive data,” and to “increase awareness” of its privacy tools.
But Strava, like so many lucrative companies founded in the last decade or two, relies on user data for survival. The app is a social network, after all, and wouldn’t function without gathering the “sensitive” data it caught heat for publishing.
Whether or not it compiles them into an easily searchable online map, it’s in possession of extremely valuable information that could be attained by hacking… or by other means. Strava “is sitting on a ton of data that most intelligence entities would literally kill to acquire,” tweeted Jeffrey Lewis, a nuclear weapons expert at the Middlebury Institute of International Affairs, on Tuesday. (That statement would ring equally true for any number of tech companies that profit from gathering users’ contact and friend lists, photos, locations, preferences, and personal correspondence.)
The United States Central Command said it was taking a closer look at rules for fitness trackers in a statement it shared with The Washington Post. “The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications,” it said. “And such technologies are forbidden at certain Coalition sites and during certain activities.”
