The controversy over information gathered from GPS-enabled fitness devices and published online – in some cases highlighting possible activity at U.S. military bases in places like Syria and Afghanistan – could be just the start of an ever-growing problem in a world where more people and devices are connected to the internet.
Already, U.S. Defense Secretary Jim Mattis has ordered a review of security protocols following concerns that a so-called Heatmap published by the fitness app company Strava showed locations and movement patterns of troops serving overseas.
“We take matters like these very seriously and are reviewing the situation to determine if any additional training or guidance is required,” the Pentagon said in a statement Monday.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” the statement continued, further noting that annual training for all military personnel, “recommends limiting public profiles on the internet, including personal social media accounts.”
Yet the concern about the impact is not new.
Numerous sensitive U.S. military and intelligence offices and installations ban the use of so-called smart devices on their premises, including smart phones and the GPS-enabled fitness trackers from companies like Fitbit, Garmin and Polar, which helped Strava create its global Heatmap, highlighting the most popular routes for walking, running and biking this past February.
And U.S. intelligence officials have been warning for years about the impact of what they call “digital dust,” information that by itself seems to have little relevance and that users have posted to social media.
The U.S. National Counterintelligence and Security Center cautions member of the U.S. intelligence community they could be targeted by adversaries who have, “Collected information on you from social media postings.”
And a pamphlet from the U.S. Office of the Director of National Intelligence warns employees to, “Maintain direct positive control of, or leave at home, electronic devices during travel, especially when traveling out of the U.S.”
Still, the potential consequences of sharing information with a fitness tracking app seemed to have escaped notice until Nathan Russer, a student at the Australian National University in Canberra, tweeted about the Strava Heatmap this past Saturday.
It was not just the United States, though. Russer also identified the routes of Turkish forces and Russian activity in Syria, as well.
Strava says it excluded activities that users marked as private or ones that took place in areas people did not want to make public. Even so, the map included 1 billion activities between 2015 and September 2017.
And in places like Iraq, Syria and Afghanistan, where activities show up bright against otherwise dark terrain, combining the Strava data with information from other maps available online could have far reaching consequences.
“This is pattern analysis,” according to Michael Pregent, a former U.S. intelligence officer now with the Hudson Institute. “This [Strava] map is a tool that most intelligence analysts seek out.”
And, it is a tool that can be exploited by a wide range of actors.
“This allows an enemy to pinpoint their fire,” Pregent said, noting this type of information could have been used to great effect by Shia militias who had been targeting U.S. bases during the Iraq War.
Now, he said, it could guide new attacks by the Taliban or even the Islamic State (IS) in Afghanistan.
“Several of the [Strava] graphics are our bases in Afghanistan and you can see the most trafficked areas,” he said.
So far, there is no evidence that groups like the Taliban, IS or al-Qaida have managed to make use of the type of information provided in the Strava Heatmap. Still, the possibility has gotten their attention.
“All I’ve seen is Jihadi groups sharing the Strava news, consuming it just like us,” Raphael Gluck, an independent researcher, told VOA. “Maybe there’s some wishful thinking on their part, but so far [I’ve] not seen anyone talking further than that.”
And the information may only be so useful to an untrained eye.
Interpreting the data
“The map alone is sometimes inadequate to provide useful analysis,” Aric Toler, a lead researcher for the investigative journalism website Bellingcat wrote on his blog.
Toler told VOA activity in Strava can be falsified. For example, he found Strava activity in the Atlantic Ocean, south of Ghana – likely a spoof or an error. But he said in less obvious cases, without understanding the context, it can be difficult to know what the data means.
Still, he warned,”obvious that there can be danger in this.”
As for why it appears so many U.S. military personnel in war zones like Afghanistan and Syria allowed their devices to keep sending data to Strava, some experts say it’s just human nature.
“These aren’t necessarily the special operators out there killing ISIS or helping our partners on the ground,” said Hudson Pregent. “The majority of these forces are back at bases where they try to normalize life.”
“We’ve seen everyone from police officers to members of the military, members of the foreign service — people in sensitive positions — oversharing online, whether it be Facebook or Twitter,” said Stratfor Threat Lens Senior Analyst Ben West. “I see this, the Strava map, as an extension of this.”
And Strava is just one of hundreds of apps and devices that make it easy to expose this vulnerability.
“Wherever these things are located and are operating, they are collecting information on our daily routines which can be used to anticipate our behavior and bad guys can exploit that,” West said.