Strava’s Features Raise Concerns Over User Privacy and Security

As many of you know, Strava is a fitness tracking application. It first drew interest with its distinctive “Social” features, which allow users to share their fitness activities publicly online. Though this functionality may be tempting for fitness junkies everywhere, it opens up huge privacy risks, especially for members of the military. The app automatically removes the first and last 200 meters of your run. This feature is meant to shield users’ home addresses. Because the platform is public, however, what users share is easy for anyone to access. This openness, paired with detailed location data, could inadvertently put OPSEC at risk for users in sensitive positions.

The social media platform lets users record and broadcast everything from runs and hikes to bike rides. Friends can unlock achievements together by commenting on and hearting each other’s logged workouts. A feature added in 2018, Strava’s global heat map, has come under intense scrutiny. This global heat map shows aggregated, anonymized activity data from public users and highlights the most popular locations where people have been running, walking, and cycling around the globe. What may seem like a benign addition can highlight trends that reveal sensitive information about military installations and troops.

Potential Risks for Military Personnel

Strava’s built-in features let athletes easily explore popular running paths and uncover the public profiles of people who have tracked an activity on a given path. These features can have unintended consequences, especially for our military men and women. In places such as Afghanistan and Iraq, where few locals use the app, thick clusters of activity hotspots usually mark the presence of military bases. By maliciously exploiting Strava data, bad actors can therefore figure out the positions of U.S. troops at these bases.

Now imagine the ease with which malicious actors can gather a list of service members at known, fixed military installations by taking advantage of Strava’s public profiles. Profiles tied to activity at military installations can inadvertently disclose sensitive information, potentially putting our service members at risk. The risks that identifiable user data poses to U.S. military operations are serious and require urgent action.

Additionally, by using pre-established segments on Strava, users are able to filter activities by sex, race, or other qualities. Without proper safeguards, this functionality means that anyone with access to the internet, including those with malicious intent, can search for location-specific user data. Misuse is a real concern. This new phenomenon underscores the need for better user education around the risks associated with publicly sharing one’s fitness activity.

The Intersection of Public Data and Security

While Strava’s public profiles are undoubtedly excellent tools for social interaction between users, they pose serious risks by their nature. Many users do not realize that what they share is visible to the entire internet. This reality raises critical questions about how to maintain social connection while protecting our health. This is particularly important for those in trusted positions.

The heat map feature displays popular running routes, based on activity that has been logged. At worst, this can put military personnel’s lives in danger. Through processing this data, adversaries would be able to identify patterns of life in proximity to military installations. This intelligence can be harmful, in particular if it exposes regular patterns or places regularly visited by service members.

Additionally, OPSEC is threatened because Strava’s data aggregation process has the potential to inadvertently expose patterns of life and the geolocated movements of military personnel. Aggregating third-party fitness data would provide comprehensive profiles. These profiles can be exploited by anyone seeking to cause real-world harm or gain tactical insight into U.S. military operations.

Strava’s Response and User Awareness

In consideration of all these issues, Strava has taken steps to improve privacy in their application. The app now defaults to blurring the first and last 200 meters of users’ runs in order to safeguard home addresses. This precaution is inadequate when there are so many ways to manipulate and gain access to data.

To that end, users need to be proactive in managing their privacy settings and think about the risks of making their fitness activities visible to everyone. Individuals in sensitive occupations should exercise caution when using platforms like Strava, as the information they share could inadvertently compromise their safety or that of their peers.
