Security agencies and defence chiefs worldwide will today be assessing what action to take following the revelation that details of military bases, including what are believed to be secret sites, are being made public through Strava Global Heatmaps.
Exercise activity, whether running, cycling or swimming, uploaded by users of the social network allows Strava to create its Heat Maps, relaunched late last year with unprecedented levels of detail.
The collective data has applications in areas such as urban planning, since it allows local transport authorities to see, for example, exactly which roads are most popular among cycle commuters and so could benefit from improved infrastructure.
But as the Guardian reports, the popularity of the app among military personnel, who through their training are fitter than the average person with many also taking part in sport in their free time, has raised security concerns.
In terms of UK military and intelligence bases, both domestic sites such as the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire and overseas ones, for example, RAF Mount Pleasant on the Falkland Islands, can clearly be seen.
RAF Mount Pleasant (source Strava Global Heatmaps)
Zooming in further on the latter map, individual buildings can be clearly identified, as well as the most popular routes that personnel who happen to be users of Strava take out of it, and where they are likely to go.
The availability of data relating to military bases was initially noticed by Nathan Ruser, who is an analyst at the Institute for United Conflict Analysts.
He said that while Strava’s presentation of the data “looks very pretty” it was “not amazing for Op-Sec” [operational security].
“US bases are clearly identifiable and mappable,” he continued.
“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” for example when they run the same route daily.
It is in bases where personnel are on active duty, or that are located in combat zones, such as Camp Bastion in Afghanistan’s Helmand Province, that the availability of Strava Global Heatmap data can be most compromising to security and safety.
Camp Bastion (source Strava Global Heatmaps)
The example below shows the United States Naval Expeditionary Base Camp Lemonnier, south of Djibouti City in the Horn of Africa and from where drone strikes are launched into Somalia and Yemen.
Camp Lemonnier (source Strava Global Heatmaps)
But the Guardian points out another, smaller base that appears in the bottom left of the picture but is not marked on maps.
It is believed to be a CIA ‘black site’, that is an unofficial location used to detain and interrogate prisoners, which was identified a week before Strava published its latest Heat Map by analyst Markus Ranum.
Site southwest of Camp Lemonnier (source Strava Global Heatmaps)
Strava said: “Our Global Heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform.
“It excludes activities that have been marked as private and user-defined privacy zones.
“We are committed to helping people better understand our settings to give them control over what they share.”
The company added that further information regarding privacy could be found on this blog post on its website, where users can find out for example how to opt out of having their data collected for Strava Global Heatmaps.
https://blog.strava.com/privacy-14288/
The fact that sensitive military installations can be identified and analysed through Strava is likely in the short term to lead to restrictions in the range of devices military personnel are able to use to track their fitness, and what they are permitted to do with the data.
Existing restrictions, such as those imposed by the US Marine Corps, which allows some Bluetooth- and GPS-enabled devices on base, are likely to be tightened up further.
In the longer term, it’s not inconceivable that individual countries may introduce legislation looking to limit the use of Strava in some way, or regulate the data it captures and restrict how it is used.
As analyst Tobias Schneider noted: “In Syria, known coalition bases light up the night.
“Some light markers over known Russian positions, no notable colouring for Iranian bases,” he added.
“A lot of people are going to have to sit through lectures come Monday morning.”
41 comments
Agree that Strava have no obligations here with one possible exception.
Others can see your home address if you return home in the middle of an activity- e.g. you return home to pick up something you forgot.
Seems to be the first 500 and last 500m of a ride that are protected with Privacy settings.
Would probably be happier if that was resolved.
I can think of one place that has got a Strava segment right across a double-width runway. Thing is though, it's the double-width enormously long runway that's the easy thing to spot. It's on Google earth too, because it's been there a while.
Now, Box Hill cafe - there must be a bunker under that, or is it only Donald Jenius Trump's sh1tholes that count?
I’m sure that the various terrorist organisations are pretty capable of gathering intel on individuals in the forces etc., without turning to Strava. This is something that is being blown out of proportion and servicemen need a gentle reminder on personal security.
Wouldn't it make more sense, and save a lot of grief, if the default settings on Strava, or anything else, were to have ALL privacy enabled, so users have to select what they make public...?
Except that a large part of the business model of any of these type of companies is data mining, so they don't actually want everyone opted out.
It isn't Strava that is 'giving away military secrets' it's soldiers not unticking the box labelled "Include my anonymized public activity data in Strava Metro and the Heatmap"
Same goes for the people commenting here that they can see their driveway on the heatmap despite it being in a privacy zone, this is a different setting.
Former US Airman speaking here: It is not Strava's responsibility to protect US military sites! You can run or ride and only post the distance and time without the map. I can tell you I received briefings about this very thing!
It's not Strava though. Do a segment explore on RNAS Culdrose, lots of segments within the security fence.
Stupid Personnel do Stupid Stuff with Data isn't such a good headline though.
And there's this in the middle of nowhere Nevada. Interesting
https://labs.strava.com/heatmap/#12.25/-119.21962/40.78810/hot/all
That is Burning Man. What is really interesting is the position of the site has moved year by year.
Well, that's disappointingly mundane
So, like, Area 52, dude? I'd really hoped it was Area 51
Aliens use Strava ?!
I blame the US military for putting all those satellites into orbit and letting anyone in the world use the GPS tracking data for free. What were they thinking!
Given the detailed maps the Russians were able to make half a century ago highlighting all the UK bases both land and sea with even greater detail than that on OS maps (showing very accurate water depths near sub pens/dockyards etc) I'm pretty certain that no 'secrets' or bases or anything else important were given away by these heat maps that 'others' didn't already have.
Yes I saw them on something on the BBC and it was ridiculously detailed. Strava isn't helping the enemy.
I think the problem (not that this is Strava's fault) is that it shows an individual's routine, often outside a base, which could lead to an ambush. In addition, some of the routes are segments (or if not, a segment can be created) and so have a leaderboard. Said leaderboard can then be used to identify the individual and can even link back to their Facebook account, family address back in Blighty etc.
Shouldn't the people working at these sites be a bit more careful when uploading their activities?
I'm sure someone cleverer than I could probably establish where the 'digs' are etc.
I don't really see the risk there - you can't see what time someone does a run - just that they have. And as most runs are round the perimeter of a base or on roads inside - I don't see what extra Strava brings - intelligence wise.
I always knew Strava was evil...
Most of those bases have strava segments on - you can search for them yourself.
If Strava IS telling the truth and they have not included data which has been marked as private or is in a privacy zone (I really hope they are telling the truth), then this just goes to show that there are far too many people that are no way near as careful as they should be online.
Regardless of if Strava is or isn't sharing data marked as private, I would suggest that Strava should not publish any data for sensitive areas. I'm sure NATO intelligence is very interested in Russian usage of Strava though.
True, Strava should know where the secret bases are and eliminate them
Nothing to do with Strava. The layout of the bases is hardly secret, given that the average person can see most of it on google maps and even the smallest government can see unredacted versions from many companies. The only issue in this is that some military personnel may have made themselves more at risk by publishing enough information to make their routines more traceable in places like Syria or Iraq. If they don’t follow the rules about not being predictable then they are more at risk, but this is 100% on the shoulders of the personnel, not Strava.
I do totally agree that it is, ultimately, the responsibility of the personnel as well as the armed forces and intelligence agencies. However, I would still suggest that Strava behave sensitively around sites which may be of military interest.
For example, google maps would be unlikely to take photos of sensitive military sites (in fact they blur out a lot of military sites) this is by request, I assume - but it would be wise for Strava to do the same.
Certain people don't behave sensibly and often it is up to those who do to go the extra mile in keeping things on track.
I served before social media was a thing, but surely (don't call me Shirley) Opsec training should have had this covered? Pretty disappointed that the people delivering these courses didn't see their own habits (if they were runners etc) or that of their colleagues were a potential risk...
I thought Strava had security settings which could stop this data being publicly available? I also thought that security was one of those things with which the military is supposed to be very concerned...
It does. Much of this is trial by media, but concern has been expressed in the press in the past about the onus being on the user to apply those settings.
A year or so ago US military personnel had to remove Pokémon from their phones for the same reason. One would have thought that at that point "military intelligence" would have asked "what else?" Clearly not!
I'm pretty sure that the locals know there's a military base next to them. Hard to hide.
Annoyingly the heat map does show me running and biking to my door and I have my privacy zones set - so anyone looking at my tracks can't see where I'm going to. But it does on here.
Is that the same for everyone else ?