Everyone is connected to the internet these days. It’s unavoidable and, most of the time, it’s not a problem. But when your fitness app starts outlining your military bases and sharing them with the world, it becomes a little more serious.
Online fitness tracker Strava recently published heatmaps that show the routes taken by their users. These maps were an aggregation of data collected between 2015 and September 2017. Nathan Ruser, a 20-year-old student in Australia, was the first to flag up the fact that the routes seemed to map out military bases in places like Syria and Afghanistan.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
Nathan said he found the map while viewing a cartography blog. He realised that a large number of military employees would have been sharing location data and that this, combined with the route mapping, would result in a serious security risk.
“I just looked at it and thought, ‘oh hell, this should not be here – this is not good,'” he told the BBC. Nathan said he believed the best way to fix the problem was to highlight the vulnerabilities. “Someone would have noticed it at some point. I just happened to be the person who made the connection.”
While the location of military bases is normally known, the heatmap has revealed which routes are more popular than others and which areas are patrolled more frequently.
Russian, Turkish, American and British activities have all been identified using the heatmaps.
A spokesperson for the DoD said that it takes “matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required”. The DoD has been aware of such problems and has published documentation aimed at addressing them. For similar reasons, the US military banned Pokemon GO from government-issued mobile phones.
Strava released a short statement saying the data they used had been rendered anonymous and “excludes activities that have been marked as private and user-defined privacy zones”.