Sensitive information about the locations of U.S. and allied military bases, apparent troop movements, and even data linked to social media profiles has been revealed in a map released by a popular fitness app company.

The Global Heat Map, published by Strava Labs, used GPS satellite information to map the locations and movements, over a two-year period between 2015 and September 2017, of some of the 27 million people who subscribe to its fitness service, illuminating areas of activity.

The map, released last November but only publicized over the weekend, shows all activities ever uploaded to Strava — more than 3 trillion individual GPS data points, according to a blog posting by the company.

The firm’s app can be used on a number of devices, including smartphones and fitness trackers such as Fitbit. The software lets users share this information, acting as a type of social network for them, while also helping them find popular exercise routes in major cities and rural areas across the globe.

While population centers show a great deal of activity in the U.S., Japan and across Europe, the heat map can go dark in war zones and around restricted and even apparently secret areas, where troops and others are often asked or required to turn off their electronic devices.

The map, however, shows that at least some apparent Strava users at military bases or other installations kept their devices on while traveling, creating a list of what appear to be routes commonly taken by forces moving outside of bases — valuable information for those wishing to stage ambushes or attacks, some analysts say.

Nathan Ruser, an analyst with the Institute for United Conflict Analysts, wrote on Twitter that the map “looks very pretty,” but is “not amazing for Op-Sec” — short for operational security. “US Bases are clearly identifiable and mappable.”

After he began tweeting about his discovery, a number of security experts and amateur sleuths followed suit, posting about their own areas of expertise. Soon, the internet was flooded with tweets detailing everything from apparent patrol routes along the Demilitarized Zone that separates North and South Korea to jogging activity on a beach near a suspected CIA compound in Mogadishu.

In the wake of the revelations, the U.S. Department of Defense said Monday that it was conducting a broad review of how military forces use exercise trackers and other wearable electronic devices.

“We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DOD personnel at home and abroad,” said Pentagon spokesman Col. Robert Manning.

Manning said he was not aware of any compromise of U.S. security by the map and he did not believe there was any move yet to ban the devices. He also said he wasn’t aware of any Pentagon effort to reach out to the company or request that the data be taken offline.

“DOD personnel are advised to place strict privacy settings on wireless technologies and applications,” Manning said, noting that service members are prohibited from wearing such wireless technologies in some areas and during some operations.

In a statement, Strava said that the map “excludes activities that have been marked as private and user-defined privacy zones” and that the company was “committed to helping people better understand our settings to give them control over what they share.”

Contacted by The Japan Times, a spokesman for U.S. Forces Japan said that it had not made any specific recommendations to service members in the country about using personal fitness apps.

“We will continue, however, to remind all of our service members of the importance of protecting both their personal data online as well as safeguarding information that could compromise personal and operational security,” Col. John S. Hutcheson said. “If DOD issues new guidance or policy, we will ensure those changes are communicated to the force.”

The issue is the latest in a series of possible security breaches that the Pentagon has grappled with, all related to the increasing use of electronics in daily life. In recent years, widely used apps, games, and devices have become so prevalent that the military has struggled to keep up.

In 2016, the Defense Department was forced to urge U.S. troops and other military personnel not to play the game “Pokemon Go” on Pentagon-issued cellphones over concerns that data from the app could be used by foreign intelligence services, media reports at the time said. The game collected data that could be used to pinpoint secure and sensitive facilities, an internal memo said.

Ultimately, though, the Defense Department may be trying to keep a lid on a potentially far more damaging residual effect of the technological revolution it is facing — in this case, that Strava itself could become a target of nations trying to mine its data to discover information that identifies who was wearing and continues to wear the devices.

“There are a lot of nefarious things one could do with this data,” Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, California, told The Japan Times. “Using the heat map to find secret bases is just the tip of the iceberg. The underlying data is the real danger.”

Lewis said access to that data could allow individual users with access to secure locations to be identified.

“From that, you can probably figure out where they live — since people often like to exercise near home — and probably social media apps, since usernames may be shared across platforms,” he said. “That might compromise secret locations, but it could also be used to understand readiness of certain units and track deployments.”

Perhaps most disconcerting of all is that much of this could be accomplished not by hacking but simply by accessing the site.

In a simple experiment, The Japan Times was able to locate a number of apparent U.S. service members by exploring “segments,” or routes taken during their exercises, near American bases in Japan and elsewhere. Several of these service members’ profiles contained full names, photos, city addresses and military affiliations. Some users had even logged into their Strava accounts using social media accounts. This information could then be cross-referenced via internet searches to ascertain further identities and locations.

According to Lewis, uncovering this emerging “pattern of life” — and looking to see if there are disruptions to that pattern — is the “big thing” that intelligence agencies worry about.

“Anyone with access to the data could make a pattern-of-life map for individual users, some of whom may be very interesting to foreign intelligence services,” he wrote in a column on the Daily Beast news site.

But, Lewis said, the bigger concern was whether hackers might be able to breach security and get at the data marked private.

“If I were a Strava employee,” he said, “I’d be very careful about what sort of email links I clicked on.”

Asked about how the Strava data could potentially put Self-Defense Force personnel in danger, Lewis was coy.

“I’d rather not spell it out,” he said.
