Security agencies and defence chiefs worldwide will today be assessing what action to take following the revelation that details of military bases, including what are believed to be secret sites, are being made public through Strava Global Heatmaps.
Exercise activity, whether running, cycling or swimming, uploaded by users of the social network allows Strava to create its Heat Maps, relaunched late last year with unprecedented levels of detail.
The collective data has applications in areas such as urban planning since they allow local transport authorities to see, for example, exactly which roads are most popular among cycle commuters so could benefit from improved infrastructure.
But as the Guardian reports, the popularity of the app among military personnel, who through their training are fitter than the average person with many also taking part in sport in their free time, has raised security concerns.
In terms of UK military and intelligence bases, both domestic sites such as the Government Communications Headquarters(GCHQ) in Cheltenham, Gloucestershire and overseas ones, for example, RAF Mount Pleasant on the Falkland Islands, can clearly be seen.
RAF Mount Pleasant (source Strava Global Heatmaps)
Zooming in further on the latter map, individual buildings can be clearly identified, as well as the most popular routes that personnel who happen to be users of Strava take out of it, and where they are likely to go.
The availability of data relating to military bases was initially noticed by Nathan Ruser, who is an analyst at the Institute for United Conflict Analysts.
He said that while Strava’s presentation of the data “looks very pretty” it was “not amazing for Op-Sec” [operational security].
“US bases are clearly identifiable and mappable,” he continued.
“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” for example when they run the same route daily.
It is in bases where personnel are on active duty, or that are located in combat zones – such as Camp Bastion in Afghanistan’s Helmand Province, that the availability of Strava Global Heatmap data can be most compromising to security and safety.
Camp Bastion (source Strava Global Heatmaps)
The example below shows the United States Naval Expeditionary Base Camp Lemonnier, south of Djibouti City in the Horn of Africa and from where drone strikes are launched into Somalia and Yemen.
Camp Lemonnier (source Strava Global Heatmaps)
But the Guardian points out the appearance of another, smaller base that appears in the bottom left of the picture but is not marked on maps.
It is believed to be a CIA ‘black site’, that is an unofficial location used to detain and interrogate prisoners, which was identified a week before Strava published its latest Heat Map by analyst Markus Ranum.
Site southwest of Camp Lemmonier (source Strava Global Heatmaps)
Strava said: “Our Global Heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform.
“It excludes activities that have been marked as private and user-defined privacy zones.
“We are committed to helping people better understand our settings to give them control over what they share.”
The company added that further information regarding privacy could be found on this blog post on its website, where users can find out for example how to opt out of having their data collected for Strava Global Heatmaps.
https://blog.strava.com/privacy-14288/
The fact that sensitive military installations can be identified and analysed through Strava is likely in the short term to lead to restrictions in the range of devices military personnel are able to use to track their fitness, and what they permitted to do with the data.
Existing restrictions, such as those imposed by the US Marine Corps, which allows some Bluetooth- and GPS-enabled devices on base, are likely to be tightened up further.
In the longer term, it’s not inconceivable that individual countries may introduce legislation looking to limit the use of Strava in some way, or regulate the data it captures and restrict how it is used.
As analyst Tobias Schneider, noted: “In Syria, known coalition bases ligily.ht up the night.
“Some light markers over known Russian positions, no notable colouring for Iranian bases,” he added.
“A lot of people are going to have to sit through lectures come Monday morning.”
41 thoughts on “Strava accused of giving away military secrets through its Global Heatmaps”
The line taken in most of
The line taken in most of these pieces is that this is some type of breach by Strava or, at least, something they should have done something about. Am I missing the headlines where stupid people who work in important jobs are doing stupid things?
bendertherobot wrote:
This is the important detail that most people covering this story seem to be missing. I suppose I feel a bit of frustration on Strava’s part.
Where’s the bit where Strava
Where’s the bit where Strava is “accused of giving away military secrets”? Granted I haven’t read all the media coverage of this, but I’ve yet to see any accusation levelled at them (they are, after all, simply presenting data that users have chosen to make public) nor has any such accusation been cited in this article.
Richthornton wrote:
Did you actually read the headline of that article above?
Griff500 wrote:
Indeed, did you? Headline says Strava has been accused of… Yet the article doesn’t describe any accusation being levelled at Strava. Even Mssrs Ruser and Schneider appear to suggest that individual users are at fault here.
Richthornton wrote:
As I said in another post, this is trial by media. Roadcc in the headline you say you read, and various other media sources have accused Strava. “Too much onus placed on the user to apply settings” said one. Of course that is bollocks. Anybody party to even the most trivial of military secrets has to sign appropriate documents (official secrets act in UK) saying they will not share or transmit such by any means, far less send it to a social media site!
Griff500 wrote:
As I said in another post, this is trial by media. Roadcc in the headline you say you read, and various other media sources have accused Strava. “Too much onus placed on the user to apply settings” said one. Of course that is bollocks. Anybody party to even the most trivial of military secrets has to sign appropriate documents (official secrets act in UK) saying they will not share or transmit such by any means, far less send it to a social media site!— Richthornton
Apologies, I think you’ve misunderstood my point, probably due to me being unclear. I don’t think road.cc are accusing Strava; I think they are reporting that Strava have been acused. My point being that the content of the article contains nothing to the effect of an accusation towards Strava. Even if other media sources are accusing Strava, it’s poor journalism on road.cc’s part not to reference anything to support their headline.
Richthornton wrote:
I understand what you mean, but my issue is that in writing such emotive headlines as this, and then writing an article about Strava, which this is, they are in essence already pointing the finger at Strava, evidence or no. This is how smearing by the press works. This article should be about military personnel uploading GPS coordinates to social media sites, not about Strava. Buried deep within the Guardian article is a reference to a 2016 ban by the US Marines on wearable fitness devices containing cellular or wifi capability, photographic, audio or video capture, so this is not really new, and these guys are already breaking their own regulations.
[/quote] Apologies, I think
So who accused them? If road.cc don’t know then it points to this story being fed to them from the same source as all the other ‘news’ outlets.
Shock news: Strava reveals
Shock news: Strava reveals that there are personnel on military bases…
I’m pretty sure that the
I’m pretty sure that the locals know there’s a miltary base next to them. Hard to hide.
Annoyingly the heat map does show me running and biking to my door and I have my privacy zones set – so anyone looking at my tracks can’t see where I’m going to. But it does on here.
Is that the same for everyone else ?
fenix wrote:
My heat map stops at my privacy zones so you might want to check you have you have them set up right.
I thought Strava had security
I thought Strava had security settings which could stop this data being publicly available? I also thought that security was one of those things with which the military is supposed to be very concerned…
brooksby wrote:
It does. Much of this is trial by media, but concern has been expressed in the press in the past about the onus being on the user to apply those settings.
A year or so ago US military personnel had to remove Pokémon from their phones for the same reason. One would have thought that at that point “military intelligence” would have asked “what else?” Clearly not!
I served before social media
I served before social media was a thing, but surely (don’t call me Shirley) Opsec training should have had this covered? Pretty disappointed that the people delivering these courses didn’t see their own habits (if they were runners etc) or that of their colleagues were a potential risk…
If Strava IS telling the
If Strava IS telling the truth and they have not included data which has been marked as private or is in a privacy zone (I really hope they are telling the truth), then this just goes to show that there are far too many people that are no way near as careful as they should be online.
Regardless of if Strava is or isn’t sharing data marked as private, I would suggest that Strava should not publish any data for sensitive areas. I’m sure NATO intelligence is very interested in Russian usage of Strava though.
wellsprop wrote:
True, Strava should know where the secret bases are and eliminate them 🙂
wellsprop wrote:
Nothing to do with Strava. The layout of the bases is hardly secret, given that the average person can see most of it on google maps and even the smallest government can see unredacted versions from many companies. The only issue in this is that some military personnel may have made themselves more at risk by publishing enough information to make their routines more traceable in places like Syria or Iraq. If they don’t follow the rules about not being predictable then they are more at risk, but this is 100% on the shoulders of the personnel, not Strava.
John Smith wrote:
I do totally agree that it is, ultimately, the responsibility of the personnel as well as the armed forces and intelligence agencies. However, I would still suggest the Strava behave sensitively around sites which may be of military interest.
For example, google maps would be unlikely to take photos of sensitive military sites (in fact they blur out a lot of military sites) this is by request, I assume – but it would be wise for Strava to do the same.
Certain people don’t behave sensibly and often, it up to those who do, to go the extra mile in keeping things on track.
Most of those bases have
Most of those bases have strava segments on – you can search for them yourself.
I always knew Strava was evil
I always knew Strava was evil…
I dont really see the risk
I dont really see the risk there – you cant see what time someone does a run – just that they have. And as most runs are round the perimeter of a base or on roads inside – I don’t see what extra strava brings – intelligence wise.
I’m sure someone cleverer
I’m sure someone cleverer than I could probably establish where the ‘digs’ are etc.
Shouldn’t the people working
Shouldn’t the people working at these sites be a bit more careful when uploading their activities?
given the detailed maps the
given the detailed maps the Russians were able to make half a century ago highlighting all the UK bases both land and sea with even greater detail than that on OS maps (showing very accurate water depths near sub pens/dockyards etc) I’m pretty certain that no ‘secrets’ or bases or anything else important were given away by these heat maps that ‘others’ didn’t already have.
BehindTheBikesheds wrote:
Yes I saw them on something on the BBC and itvwas ridiculously detailed. Strava isn’t helping the enemy.
fenix wrote:
given the detailed maps the Russians were able to make half a century ago highlighting all the UK bases both land and sea with even greater detail than that on OS maps (showing very accurate water depths near sub pens etc) I’m pretty certain that no ‘secrets’ or bases or anything else important were given away by these heat maps that ‘others’ didn’t already have.
— fenix Yes I saw them on something on the BBC and itvwas ridiculously detailed. Strava isn’t helping the enemy.— BehindTheBikesheds
I think the problem (not that this is Strava’s fault) is that it shows an individual’s routine, often outside a base, which could lead to an ambush. In addition, some of the routes are segments (of if not, a segment can be created) and so have a leaderboard. Said leaderboard can then be used to identify the individual and can even link back to their facebook account, family address back in Blighty etc.
I blame the US military for
I blame the US military for putting all those satellites into orbit and letting anyone in the world use the GPS tracking data for free. What were they thinking!
And there’s this in the
And there’s this in the middle of nowhere Nevada. Interesting
https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all
spen wrote:
That is Burning Man. What is really interesting is the position of the site has moved year by year.
Leviathan wrote:
Well, that’s disappointingly mundane
Leviathan wrote:
So, like, Area 52, dude? I’d really hoped it was Area 51
spen wrote:
Aliens use Strava
?!
It’s not Strata though. Do a
It’s not Strava though. Do a segment explore on RNAS Culdrose, lots of segments within the security fence.
Stupid Personell do Stupid Stuff with Data isn’t such a good headline though.
Former US Airman speaking
Former US Airman speaking here: It is not Strava’s responsibility to protect US military sites! You can run or ride and only post the distance and time without the map. I can tell you I received briefings about this very thing!
It isn’t Strava that is
It isn’t Strava that is ‘giving away military secrets’ it’s soldiers not unticking the box labelled “Include my anonymized public activity data in Strava Metro and the Heatmap”
Same goes for the people commenting here that they can see their driveway on the heatmap despite it being in a privacy zone, this is a different setting.
Wouldn’t it make more sense,
Wouldn’t it make more sense, and save a lot of grief, if the default settings on Strava, or anything else, were to have ALL privacy enabled, so users have to select what they make public…?
markfireblade wrote:
Except that a large part of the business model of any of these type of companies is data mining, so they don’t actually want everyone opted out.
I’m sure that the various
I’m sure that the various terrorist organisations are pretty capable of gathering intel on individuals in the forces etc., without turning to Strava. This is something that is being blown out of proportion and servicemen need a gentle reminder on personal security.
I can think of one place that
I can think of one place that has got a Strava segment right across a double-width runway. Thing is though, it’s the double-width enormously long runway that’s the easy thing to spot. It’s on Google earth too, because it’s been there a while.
Now, Box Hill cafe – there must be a bunker under that, or is it only Donald Jenius Trump’s sh1tholes that count?
Agree that Strava have no
Agree that Strava have no obligations here with one possible exception.
Others can see your home address if you return home in the middle of an activity- e.g. you return home to pick up something you forgot.
Seems to be the first 500 and last 500m of a ride that are protected with Privacy settings.
Would probably be happier if that was resolved.