Photo Credit: Screenshot from https://labs.strava.com/heatmap
An interactive map posted on the Internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the location and activities of soldiers at US military bases, in what appears to be a major security oversight.
The Global Heat Map, published by the GPS tracking company Strava, uses satellite information to map the location and movements of subscribers to the company's fitness service over a two-year period, by illuminating areas of activity.
Strava says it has 27 million users around the world, including people who own widely available fitness devices such as Fitbit, Jawbone and Vitofit, as well as people who directly subscribe to its mobile phone application. The map is not live - rather it shows a pattern of accumulated activity between 2015 and September last year.
Photo Credit: Screenshot from https://labs.strava.com/heatmap
Most parts of the United States and Europe, where millions of people use some form of fitness tracker, show up on the map as a blaze of light, because there is so much activity.
In war zones and deserts such as Iraq and Syria, the heatmap becomes almost entirely dark - except for a few scattered pinpricks of activity. Zooming in on those brings into focus the locations and outlines of known US military bases, as well as of other unknown and potentially sensitive sites - presumably because US soldiers and other personnel are using fitness trackers as they move around.
Air Force Col. John Thomas, a spokesman for US Central Command, said Sunday the US military is looking into the implications of the map.
The US military did not respond to a question about what the regulations are regarding use of fitness tracking apps. But the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity.
The Global Heat Map was posted online in November 2017, but the information it contains was only publicised on Saturday after a 20-year-old Australian student stumbled across it. Nathan Ruser, who is studying international security and the Middle East, found out about the map's existence from a mapping blog and was inspired to look more closely, he said, after a throwaway comment by his father, who observed that the map offered a snapshot of "where rich white people are" in the world.
"I wondered, does it show US soldiers?" he said, and immediately zoomed in on Syria. "It sort of lit up like a Christmas tree."
He started tweeting about his discovery, and the Internet also lit up, as data analysts, military experts and former soldiers began scouring the map for evidence of activity in their areas of interest.
Andrew Rawnsley, a Daily Beast journalist, noticed a lot of jogging activity on the beach near a suspected CIA base in Mogadishu.
Another Twitter user said he'd located a Patriot site in Yemen.
Ben Taub, a journalist with the New Yorker, homed in on the location of US special operations bases in the Sahel.
The site does not identify the users of the app and shows many locations that may belong to aid agencies, United Nations facilities and the military bases of other nations - or anyone whose personnel is likely to use fitness trackers, said Tobias Schneider, an international security analyst based in Germany. But it is not hard, he said, to map the activity to known, or roughly known, US military sites, and then glean further information.
The location of most of the sites is already public knowledge - such as the vast Kandahar airbase in Afghanistan. The Pentagon has publicly acknowledged that US special operations troops maintain a small outpost at Tanf in the Syrian desert near the Iraqi border, which shows up on the map as a neatly illuminated oblong, probably because US soldiers wearing Fitbits or similar devices either jog or patrol around the perimeter.
But the data also offers a mine of information to anyone who wanted to attack or ambush US troops in or around the bases, said Schneider, including patterns of activity inside the bases. Lines of activity extending out of bases and back may indicate the routes of patrols. The map of Afghanistan appears as a spiderweb of lines connecting bases, showing supply routes, as does northeast Syria, where the United States maintains a network of mostly unpublicised bases. Concentrations of light inside a base may indicate where concentrations of troops live, eat or work, suggesting possible targets for enemies who wished to target the base.
At a site in northern Syria near a dam, where analysts have suspected the US military is building a base, the map shows a small blob of activity accompanied by an intense line along the nearby dam, suggesting the personnel at the site jog regularly along the dam, Schneider said.
"This is a clear security threat," he said. "You can see a pattern of life. You can see where a person who lives on a compound runs down a street to exercise. In one of the US bases at Tanf you can see people running round in circles."
"Big opsec and persec fail," tweeted Nick Waters, a former British army officer who pinpointed the location of his former base in Afghanistan using the map. "Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence."
By no means all of the activity discovered is US activity, said Schneider. The perimeter of the main Russian base in Syria, Hmeimim, is clearly visible - as are several routes out of the base that are presumably taken by patrols, he said.
Other Russian bases also show up, but Iranians either don't use fitness trackers or prudently turn them off, he noted.
Strava apps and devices contain an option to turn off the data transmission service, making it more the responsibility of the user to ensure that security isn't breached, said Ruser. "It seems like a big oversight," he said.
The US military did not respond to a question about what the regulations are regarding use of fitness tracking apps. But the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity.
Strava did not respond to a request for comment.
© The Washington Post 2018
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.