
Strava accused of giving away military secrets through its Global Heatmaps

Data uploaded by users working in intelligence and military highlight layout of bases, including in war zones

Security agencies and defence chiefs worldwide will today be assessing what action to take following the revelation that details of military bases, including what are believed to be secret sites, are being made public through Strava Global Heatmaps.

Exercise activity, whether running, cycling or swimming, uploaded by users of the social network allows Strava to create its Heat Maps, relaunched late last year with unprecedented levels of detail.

The collective data has applications in areas such as urban planning, since it allows local transport authorities to see, for example, exactly which roads are most popular among cycle commuters and so could benefit from improved infrastructure.

But as the Guardian reports, the popularity of the app among military personnel, who through their training are fitter than the average person with many also taking part in sport in their free time, has raised security concerns.

In terms of UK military and intelligence bases, both domestic sites such as the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire, and overseas ones, for example RAF Mount Pleasant on the Falkland Islands, can clearly be seen.


RAF Mount Pleasant (source Strava Global Heatmaps)

Zooming in further on the latter map, individual buildings can be clearly identified, as well as the most popular routes that personnel who happen to be users of Strava take out of it, and where they are likely to go.

The availability of data relating to military bases was initially noticed by Nathan Ruser, who is an analyst at the Institute for United Conflict Analysts.

He said that while Strava’s presentation of the data “looks very pretty” it was “not amazing for Op-Sec” [operational security].

“US bases are clearly identifiable and mappable,” he continued.

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” for example when they run the same route daily.

It is in bases where personnel are on active duty, or that are located in combat zones, such as Camp Bastion in Afghanistan’s Helmand Province, that the availability of Strava Global Heatmap data can be most compromising to security and safety.


Camp Bastion (source Strava Global Heatmaps)

The example below shows the United States Naval Expeditionary Base Camp Lemonnier, south of Djibouti City in the Horn of Africa and from where drone strikes are launched into Somalia and Yemen.


Camp Lemonnier (source Strava Global Heatmaps)

But the Guardian points out another, smaller base that appears in the bottom left of the picture but is not marked on maps.

It is believed to be a CIA ‘black site’, that is an unofficial location used to detain and interrogate prisoners, which was identified a week before Strava published its latest Heat Map by analyst Markus Ranum.


Site southwest of Camp Lemonnier (source Strava Global Heatmaps)

Strava said: “Our Global Heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform.

“It excludes activities that have been marked as private and user-defined privacy zones.

“We are committed to helping people better understand our settings to give them control over what they share.”

The company added that further information regarding privacy could be found on this blog post on its website, where users can find out for example how to opt out of having their data collected for Strava Global Heatmaps.

https://blog.strava.com/privacy-14288/

The fact that sensitive military installations can be identified and analysed through Strava is likely in the short term to lead to restrictions on the range of devices military personnel are able to use to track their fitness, and on what they are permitted to do with the data.

Existing restrictions, such as those imposed by the US Marine Corps, which allows some Bluetooth- and GPS-enabled devices on base, are likely to be tightened up further.

In the longer term, it’s not inconceivable that individual countries may introduce legislation looking to limit the use of Strava in some way, or regulate the data it captures and restrict how it is used.

As analyst Tobias Schneider noted: “In Syria, known coalition bases light up the night.

“Some light markers over known Russian positions, no notable colouring for Iranian bases,” he added.

“A lot of people are going to have to sit through lectures come Monday morning.”

Simon joined road.cc as news editor in 2009 and is now the site’s community editor, acting as a link between the team producing the content and our readers. A law and languages graduate, published translator and former retail analyst, he has reported on issues as diverse as cycling-related court cases, anti-doping investigations, the latest developments in the bike industry and the sport’s biggest races. Now back in London full-time after 15 years living in Oxford and Cambridge, he loves cycling along the Thames but misses having his former riding buddy, Elodie the miniature schnauzer, in the basket in front of him.


41 comments

paddyirish | 6 years ago
0 likes

Agree that Strava have no obligations here with one possible exception.

Others can see your home address if you return home in the middle of an activity- e.g. you return home to pick up something you forgot.

Seems to be the first 500 and last 500m of a ride that are protected with Privacy settings.

Would probably be happier if that was resolved.

nniff | 6 years ago
0 likes

I can think of one place that has got a Strava segment right across a double-width runway.  Thing is though, it's the double-width enormously long runway that's the easy thing to spot.  It's on Google earth too, because it's been there a while. 

Now, Box Hill cafe - there must be a bunker under that, or is it only Donald Jenius Trump's sh1tholes that count?

 

giff77 | 6 years ago
0 likes

I’m sure that the various terrorist organisations are pretty capable of gathering intel on individuals in the forces etc., without turning to Strava. This is something that is being blown out of proportion and servicemen need a gentle reminder on personal security. 

markfireblade | 6 years ago
0 likes

Wouldn't it make more sense, and save a lot of grief, if the default settings on Strava, or anything else, were to have ALL privacy enabled, so users have to select what they make public...?

brooksby replied to markfireblade | 6 years ago
0 likes

markfireblade wrote:

Wouldn't it make more sense, and save a lot of grief, if the default settings on Strava, or anything else, were to have ALL privacy enabled, so users have to select what they make public...?

Except that a large part of the business model of any of these type of companies is data mining, so they don't actually want everyone opted out.

pruaga | 6 years ago
1 like

It isn't Strava that is 'giving away military secrets' it's soldiers not unticking the box labelled "Include my anonymized public activity data in Strava Metro and the Heatmap"

 

Same goes for the people commenting here that they can see their driveway on the heatmap despite it being in a privacy zone, this is a different setting.

The_Vermonter | 6 years ago
3 likes

Former US Airman speaking here: It is not Strava's responsibility to protect US military sites! You can run or ride and only post the distance and time without the map. I can tell you I received briefings about this very thing! 

CycCoSi | 6 years ago
1 like

It's not Strava though. Do a segment explore on RNAS Culdrose, lots of segments within the security fence.

Stupid Personnel do Stupid Stuff with Data isn't such a good headline though.

spen | 6 years ago
1 like

And there's this in the middle of nowhere Nevada.  Interesting

 

https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all

Leviathan replied to spen | 6 years ago
1 like

spen wrote:

And there's this in the middle of nowhere Nevada.  Interesting

 

https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all

That is Burning Man. What is really interesting is the position of the site has moved year by year.

spen replied to Leviathan | 6 years ago
2 likes

Leviathan wrote:

spen wrote:

And there's this in the middle of nowhere Nevada.  Interesting

 

https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all

That is Burning Man. What is really interesting is the position of the site has moved year by year.

Well, that's disappointingly mundane

brooksby replied to Leviathan | 6 years ago
0 likes

Leviathan wrote:

spen wrote:

And there's this in the middle of nowhere Nevada.  Interesting

 

https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all

That is Burning Man. What is really interesting is the position of the site has moved year by year.

So, like, Area 52, dude?  I'd really hoped it was Area 51 yes

StraelGuy replied to spen | 6 years ago
1 like

spen wrote:

And there's this in the middle of nowhere Nevada.  Interesting

 

https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all

 

Aliens use Strava  ?!

Leviathan | 6 years ago
1 like

I blame the US military for putting all those satellites into orbit and letting anyone in the world use the GPS tracking data for free. What were they thinking!

BehindTheBikesheds | 6 years ago
3 likes

given the detailed maps the Russians were able to make half a century ago highlighting all the UK bases both land and sea with even greater detail than that on OS maps (showing very accurate water depths near sub pens/dockyards etc) I'm pretty certain that no 'secrets' or bases or anything else important were given away by these heat maps that 'others' didn't already have.

fenix replied to BehindTheBikesheds | 6 years ago
1 like
BehindTheBikesheds wrote:

given the detailed maps the Russians were able to make half a century ago highlighting all the UK bases both land and sea with even greater detail than that on OS maps (showing very accurate water depths near sub pens etc) I'm pretty certain that no 'secrets' or bases or anything else important were given away by these heat maps that 'others' didn't already have.

Yes I saw them on something on the BBC and it was ridiculously detailed. Strava isn't helping the enemy.

jimhead replied to fenix | 6 years ago
2 likes

fenix wrote:
BehindTheBikesheds wrote:

given the detailed maps the Russians were able to make half a century ago highlighting all the UK bases both land and sea with even greater detail than that on OS maps (showing very accurate water depths near sub pens etc) I'm pretty certain that no 'secrets' or bases or anything else important were given away by these heat maps that 'others' didn't already have.

Yes I saw them on something on the BBC and it was ridiculously detailed. Strava isn't helping the enemy.

 

I think the problem (not that this is Strava's fault) is that it shows an individual's routine, often outside a base, which could lead to an ambush.  In addition, some of the routes are segments (or if not, a segment can be created) and so have a leaderboard. Said leaderboard can then be used to identify the individual and can even link back to their Facebook account, family address back in Blighty etc.

earth | 6 years ago
3 likes

Shouldn't the people working at these sites be a bit more careful when uploading their activities?

alansmurphy | 6 years ago
1 like

I'm sure someone cleverer than I could probably establish where the 'digs' are etc. 

fenix | 6 years ago
0 likes

I don't really see the risk there - you can't see what time someone does a run - just that they have.  And as most runs are round the perimeter of a base or on roads inside - I don't see what extra Strava brings - intelligence wise.

MarkiMark | 6 years ago
1 like

I always knew Strava was evil...

fenix | 6 years ago
0 likes

Most of those bases have Strava segments on - you can search for them yourself.

Canyon48 | 6 years ago
1 like

If Strava IS telling the truth and they have not included data which has been marked as private or is in a privacy zone (I really hope they are telling the truth), then this just goes to show that there are far too many people that are no way near as careful as they should be online.

Regardless of if Strava is or isn't sharing data marked as private, I would suggest that Strava should not publish any data for sensitive areas. I'm sure NATO intelligence is very interested in Russian usage of Strava though.

alansmurphy replied to Canyon48 | 6 years ago
2 likes

wellsprop wrote:

 

Regardless of if Strava is or isn't sharing data marked as private, I would suggest that Strava should not publish any data for sensitive areas. I'm sure NATO intelligence is very interested in Russian usage of Strava though.

 

True, Strava should know where the secret bases are and eliminate them

 

John Smith replied to Canyon48 | 6 years ago
3 likes

wellsprop wrote:

If Strava IS telling the truth and they have not included data which has been marked as private or is in a privacy zone (I really hope they are telling the truth), then this just goes to show that there are far too many people that are no way near as careful as they should be online.

Regardless of if Strava is or isn't sharing data marked as private, I would suggest that Strava should not publish any data for sensitive areas. I'm sure NATO intelligence is very interested in Russian usage of Strava though.

 

Nothing to do with Strava. The layout of the bases is hardly secret, given that the average person can see most of it on google maps and even the smallest government can see unredacted versions from many companies. The only issue in this is that some military  personnel may have made themselves more at risk by publishing enough information to make their routines more traceable in places like Syria or Iraq. If they don’t follow the rules about not being predictable then they are more at risk, but this is 100% on the shoulders of the personnel, not Strava.

Canyon48 replied to John Smith | 6 years ago
1 like

John Smith wrote:

wellsprop wrote:

If Strava IS telling the truth and they have not included data which has been marked as private or is in a privacy zone (I really hope they are telling the truth), then this just goes to show that there are far too many people that are no way near as careful as they should be online.

Regardless of if Strava is or isn't sharing data marked as private, I would suggest that Strava should not publish any data for sensitive areas. I'm sure NATO intelligence is very interested in Russian usage of Strava though.

 

Nothing to do with Strava. The layout of the bases is hardly secret, given that the average person can see most of it on google maps and even the smallest government can see unredacted versions from many companies. The only issue in this is that some military  personnel may have made themselves more at risk by publishing enough information to make their routines more traceable in places like Syria or Iraq. If they don’t follow the rules about not being predictable then they are more at risk, but this is 100% on the shoulders of the personnel, not Strava.

I do totally agree that it is, ultimately, the responsibility of the personnel as well as the armed forces and intelligence agencies. However, I would still suggest that Strava behave sensitively around sites which may be of military interest.

For example, google maps would be unlikely to take photos of sensitive military sites (in fact they blur out a lot of military sites) this is by request, I assume - but it would be wise for Strava to do the same.

Certain people don't behave sensibly and often, it is up to those who do, to go the extra mile in keeping things on track.

karl_d | 6 years ago
1 like

I served before social media was a thing, but surely (don't call me Shirley) Opsec training should have had this covered? Pretty disappointed that the people delivering these courses didn't see their own habits (if they were runners etc) or that of their colleagues were a potential risk...

brooksby | 6 years ago
0 likes

I thought Strava had security settings which could stop this data being publicly available?  I also thought that security was one of those things with which the military is supposed to be very concerned...

Griff500 replied to brooksby | 6 years ago
1 like
brooksby wrote:

I thought Strava had security settings which could stop this data being publicly available?  I also thought that security was one of those things with which the military is supposed to be very concerned...

It does. Much of this is trial by media, but concern has been expressed in the press in the past about the onus being on the user to apply those settings.

A year or so ago US military personnel had to remove Pokémon from their phones for the same reason. One would have thought that at that point "military intelligence" would have asked "what else?" Clearly not!

fenix | 6 years ago
4 likes

I'm pretty sure that the locals know there's a military base next to them. Hard to hide.

Annoyingly the heat map does show me running and biking to my door and I have my privacy zones set - so anyone looking at my tracks can't see where I'm going to. But it does on here.

Is that the same for everyone else ?
