Strava is a neat fitness app that tracks your running and uses the data to create charts, graphs, and, most interestingly for runners, a “heat map” that shows you the routes other runners take and how often they take them. Drawing on 13 trillion points of data, it’s a really cool way to find new places to run and new challenges. Unfortunately, it also may have given away the exact location of U.S. military bases.
The problem, according to BBC News, is that soldiers going on runs use Strava on their phones, which means they have an active GPS. Phone GPS coordinates aren’t terribly accurate, but collect enough data points and you can eventually assemble a map of anything. And that’s exactly what an international security student in Australia, Nathan Ruser, realized after he saw the Strava map:
…a large number of military personnel on active service had been publicly sharing their location data and realised that the highlighting of such exercises as regular jogging routes could be dangerous. “I just looked at it and thought, ‘oh hell, this should not be here – this is not good,’” [Ruser] told the BBC. “I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed. Someone would have noticed it at some point. I just happened to be the person who made the connection.”
It’s unlikely the vulnerabilities are limited to just U.S. military bases, although, fortunately, you can shut off data sharing in the app, something the company quickly recommended military personnel do. Quite a few other restricted or private areas likely have people jogging through them, and likely every single one of them is checking the heat map as we speak. And this can’t really be put on Strava, as the app is upfront about the data it collects. In the end, this shows how little we think about the data we send out from the devices in our pockets, and how even when it’s put to well-meaning, seemingly harmless use, there are effects we simply can’t anticipate.