The Strava fitness tracker is raising serious security and privacy concerns after a recently publicized heat map posted online was found to possibly reveal U.S. military personnel activity.
Twenty-year-old Australian student Nathan Ruser, who is currently studying international security and the Middle East and is a member of the Institute for United Conflict Analysts, stumbled upon the map from November 2017 on a mapping blog.
When his father joked that the map revealed “where rich white people are” in the world, Ruser wondered if the heat map could actually map U.S. soldiers, and he zoomed in on Syria to find out.
“It sort of lit up like a Christmas tree,” he told the Washington Post.
Once Ruser revealed his discovery online, data analysts, security and military experts and others chimed in.
“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed. Someone would have noticed it at some point. I just happened to be the person who made the connection,” Ruser told the BBC.
Here’s what you need to know about Strava:
What is Strava?
Strava calls itself “the social network for athletes.” It’s a GPS tracker that allows users to record their fitness activity, share it on their Strava feeds and “give kudos” to fellow performers.
The tracking technology can be linked with data from Fitbits, phones and other devices.
What is the Strava global heat map?
In November, Strava launched an updated global heat map visualizing all of its users’ location data to reveal the most popular running spots around the world. It includes data aggregated between 2015 and September 2017.
The interactive “global heatmap of athletic activity” revealed logged activities covering nearly 17 billion miles. It lets viewers explore areas all over the world. The brighter the region, the more activity.
Our global heatmap is the largest, richest, and most beautiful dataset of its kind. It is a direct visualization of Strava’s global network of athletes. To give a sense of scale, the new heatmap consists of:
- 1 billion activities
- 3 trillion latitude/longitude points
- 13 trillion pixels rasterized
- 10 terabytes of raw input data
- A total distance of 17 billion miles
- A total recorded activity duration of 200 thousand years
- 5 percent of all land on Earth covered by tiles
What information did the map expose about U.S. military?
Ruser, the Australian student who uncovered the map, found it could be cross-referenced to identify known military installations or even identify potential installations based on user data.
For example, a map of U.S. Air Force base Area 51, which is located near Homey Airport, Nevada, shows a lone cyclist taking a ride from the base along the west end of Groom Lake. It’s the thin red line.
On Twitter, he shared screenshots from the heat map of what he believed were regular jogging routes, locations of operating bases or patrols.
And it didn’t just offer insight into U.S. military bases.
Why is this so dangerous?
While Google Maps and other public satellite cameras already reveal where the world’s military installations are located, Strava brings people and soldiers into the picture.
Strava shows how they move and how often they move. This poses a potential security threat to military personnel.
The Verge pointed out that you can easily cross-reference the Strava heat map visualization below of Fort Benning with Google Maps to see which roads people frequent:
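As an added illustration (example code written for this article, not Strava’s own pipeline or data), the toy rasterizer below shows why an aggregated, anonymized heat map still exposes a lone route in a remote area, and how two mitigations suppress it: honouring the user-defined privacy zones Strava mentions, and an assumed minimum-distinct-contributor threshold per tile. All coordinates, user IDs and the tile size are constructed assumptions.

```python
"""Toy heat map rasterizer: a lone remote route leaks from a naive aggregate;
privacy zones plus a k-distinct-contributor threshold withhold it. Example code."""
import math
from collections import defaultdict

CELL = 0.01  # tile size in degrees (roughly 1 km); an assumption, not Strava's
# Constructed sample data: two users share a city route, one user runs alone.
ACTIVITIES = [
    ("u1", [(40.000 + i * 0.001, -74.000) for i in range(10)]),
    ("u2", [(40.000 + i * 0.001, -74.000) for i in range(10)]),
    ("u3", [(35.000 + i * 0.001, 44.000) for i in range(10)]),
]
# Privacy zones per user as (lat, lon, radius_km); u3 hides the route's start.
PRIVACY_ZONES = {"u3": [(35.000, 44.000, 0.5)]}

def km_between(a, b):
    """Equirectangular distance approximation; adequate for sub-km zones."""
    dlat = math.radians(b[0] - a[0])
    dlon = math.radians(b[1] - a[1]) * math.cos(math.radians((a[0] + b[0]) / 2))
    return 6371.0 * math.hypot(dlat, dlon)

def tile(point):
    """Map a lat/lon point to an integer tile; round() first to avoid float fuzz."""
    return (math.floor(round(point[0] / CELL, 6)), math.floor(round(point[1] / CELL, 6)))

def in_privacy_zone(user, point):
    return any(km_between((lat, lon), point) <= r
               for lat, lon, r in PRIVACY_ZONES.get(user, []))

def naive_heatmap(activities):
    """Counts every point per tile: a single user's remote run is still visible."""
    heat = defaultdict(int)
    for _user, points in activities:
        for p in points:
            heat[tile(p)] += 1
    return dict(heat)

def hardened_heatmap(activities, k=2):
    """Drops points inside the owner's privacy zones, then suppresses tiles whose
    distinct-contributor count is below k (a k-anonymity style threshold)."""
    heat, users = defaultdict(int), defaultdict(set)
    for user, points in activities:
        for p in points:
            if in_privacy_zone(user, p):
                continue
            heat[tile(p)] += 1
            users[tile(p)].add(user)
    return {t: n for t, n in heat.items() if len(users[t]) >= k}

def leaked_tiles(activities, k=2):
    """Tiles the naive map publishes that the hardened map would withhold."""
    return sorted(set(naive_heatmap(activities)) - set(hardened_heatmap(activities, k)))
```

With k=1 the privacy zone alone only trims the first five points of the lone route; the tile still lights up, which is why a per-tile contributor threshold is the second control.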
What has Strava said in response to the inquiries?
The company initially released a brief statement Sunday and asked users to check the Strava website to better understand privacy settings.
“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones,” the company said. “We are committed to helping people better understand our settings to give them control over what they share. For more information about Strava privacy, please visit blog.strava.com.”
In a letter to the Strava community, CEO James Quarles wrote, “We are committed to working with military and government officials to address potentially sensitive data.”
He said the company is reviewing features designed for motivation and inspiration to ensure they can’t be compromised and will continue to increase awareness of Strava’s privacy tools. A team of Strava engineers and user-experience techs are also helping to simplify the privacy features for users, he said.
What are U.S. officials doing in response to the concerns?
Politico’s Eric Geller asked Rob Joyce, President Donald Trump’s Cybersecurity Coordinator of the National Security Council, about U.S. action Monday morning. In response, Joyce said the White House is “absolutely” considering responses, including limiting service members’ use of tracking apps.
“It’s really clear that that heat map is a security risk,” Joyce said. But “it is important to make good security policy balanced by not overreacting too.”
How can users limit what Strava shares?
- Choose the highest level of privacy available on the app.
- Add privacy zones.
- Select “Nobody” when asked who can see your activity on Strava Labs Flyby.
- Enable enhanced group activity to ensure only you and those in your network can see you were part of a group activity.
- Hide activities from leaderboards. You can apply this to all new uploads or use it on an individual upload.
- Select “Nobody” when asked who can see your training log.
- Manage your followers list.
- Manage your metro and heatmap data sharing by unchecking the box for “Include my anonymized public activity data in Strava Metro and the Heatmap.”