The Washington Post

U.S. military reviewing its rules after fitness trackers exposed sensitive data

GPS tracking company Strava published an interactive map in Nov. 2017, showing where people have used fitness tracking devices. (Video: Patrick Martin/The Washington Post)

BEIRUT — The U.S. military said Monday that it is reviewing its guidelines for the use of wireless devices at military facilities after revelations that popular fitness apps can be used to expose the locations and identities of individuals working in sensitive areas.

The review came after reports by The Washington Post and other outlets that a "heat map" had been posted online by the fitness-tracking company Strava showing where users jog, bike and exercise — and in the process inadvertently highlighting the locations of U.S. military facilities in some of the most dangerous spots in the world.

The concerns raised by the online map went beyond sensitive military sites, with evidence that Strava could help reveal the movements of international aid workers, intelligence operatives and millions of other people in many countries.

In the latest discoveries Monday, Internet sleuths found ways of using the publicly available Strava data to identify individual users of the tracking service by name, along with the jogging routes they use in war zones such as Iraq and Afghanistan.

On one of the Strava sites, it is possible to click on a frequently used jogging route and see who runs the route and at what times. One Strava user demonstrated how to use the map and Google to identify by name a U.S. Army major and his running route at a base in Afghanistan.

On a separate Internet site, it is possible to establish the names and home towns of individuals who have signed up for a social sharing network on which runners post their routes and speeds. One popular route on a base in Iraq has been nicknamed "Base Perimeter" by the U.S. runners who regularly use it. Another outside the big U.S. base in Kandahar, Afghanistan, is called "Sniper Alley."

On Monday, the Defense Department launched a review to determine whether new policies are needed, according to Army Col. Robert Manning III, a Pentagon spokesman. The review will be led by Essye B. Miller, the Pentagon's acting chief information officer.

"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Manning said. "We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DOD personnel at home and abroad."

Privacy experts noted that Strava is far from alone in collecting and using location data and that such granular information about the movements of individuals could reveal where they live, work, shop and socialize.

Devices and smartphone apps that track steps or other fitness goals typically work by monitoring the movements of their users, even when they are not exercising. Strava has drawn scrutiny for making such data widely available and for constructing its app in ways that allow users to easily find each other by name. The functions were designed in part to spur Strava users to measure themselves against one another, but the extent of the data publicly available surprised many users when revealed in news reports.

Privacy experts have long warned that tech companies often make personal information — including contact lists, social media posts and location data — available by default. That means users who do not routinely read privacy notices and tweak settings can be surprised by how much information is collected by private companies, as well as how that data ultimately is used.

"It's very jarring when the curtain on these things is lifted a little bit," said John Scott-Railton, a senior researcher for Citizen Lab at the University of Toronto's Munk School of Global Affairs.

At the Pentagon, Manning said that he was not aware of the release of information on Strava's interactive map resulting in any compromise of security.

But Defense Department personnel are, he said, "advised to place strict privacy settings on wireless technologies and applications, and such technologies are forbidden at specific DOD sites and during specific activities." Service members are also expected to limit their use of social media such as Facebook and Twitter when they are deployed to sensitive locations, he said.

The U.S.-led coalition against the Islamic State is reviewing procedures on bases in Iraq and Syria, where some of the most readily identifiable bases exposed by the Strava data are located and where U.S. service members are still fighting remnants of the militant group.

Rapidly changing technologies pose "potential challenges to operational security and force protection," said a statement from the Central Command press office in Kuwait, which speaks for the U.S.-led coalition. "We constantly refine policies and procedures to address such challenges."

The rules on the privacy settings relating to devices such as fitness apps are being "refined," and commanders at bases are being urged to enforce those that are already in place, the statement added.

Fitbit, one of the most popular fitness-tracking companies, issued a statement saying that only those users who sign up for the Strava service and synchronize it with their Fitbit accounts show up on the Strava heat map. "Fitbit devices do not automatically connect to the map," the statement said. "The vast majority of Fitbit users are not Strava users and would not be included in Strava's data set."

Strava issued a statement Monday saying that it "is committed to working with military and government officials to address sensitive areas that might appear." Strava had originally responded to the allegations Sunday by saying that users should check their privacy settings.

Privacy experts say companies should be more forceful in drawing users' attention to what personal data is being shared and how.

Many technology companies, including Google, Facebook, Twitter and Apple, routinely collect various types of location information, as do ride-hailing apps such as Uber and Lyft. In the absence of privacy laws guiding the use of such data, there is wide leeway for companies to use it for marketing or other purposes.

"We live in a world in which data is increasingly the engine of economic activity. We pay for a lot of things not with money but our data. And people are not catching up quickly enough to what's going on," said Omri Ben-Shahar, a professor at the University of Chicago Law School and co-author of "More Than You Wanted to Know: The Failure of Mandated Disclosure."

Even when companies are careful about restricting access to data, sensitive location information, when paired with names and other identifying details, makes a valuable target for hackers, including those working for foreign intelligence services, experts said.

News reports about the possible vulnerability of U.S. personnel drew notice within the online Islamist militant community Monday. Articles about the availability of location information were posted on at least one pro-Islamic State channel on Telegram, a social media application popular with militant Islamists.

It "should be expected" that groups such as the Islamic State would seek to exploit any vulnerabilities, said Steven Stalinsky, executive director of the Middle East Media Research Institute, a Washington nonprofit that monitors militant Islamist websites.

"We do know that they have a lot of computer experts and engineers working for them around the world who today may very well be checking out other ways to use Strava," Stalinsky said. But he said there is "no clear evidence" that such efforts are underway.

The public availability of the data represents "a potential catastrophe," said Nathaniel Raymond, who is director of the Signal Program on Human Security and Technology at the Harvard School of Public Health and researches the use of data technology for humanitarian workers.

He said he used the map to pinpoint the jogging route he would take when he served with U.N. peacekeepers in South Sudan in 2015. The route is evidently still being used by peacekeepers deployed there. Since Sunday, Raymond and his team have used Strava to identify the names and daily routines of eight foreigners working for aid agencies and the United Nations in the Somali capital Mogadishu, one of the most dangerous cities in the world.

"Once you can identify individuals, the data becomes a lot more valuable," said Tobias Schneider, a Berlin-based security analyst who has identified the names of 573 people who jog every morning around the parking lot of the headquarters of British intelligence, making it highly likely they work for the agency. "You could for example identify somebody who works at a known secret facility and then track his movements to other facilities through which he may rotate."
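The two analyses the article describes in prose (clicking a frequently used route to see who runs it and at what times, and linking a person seen at one known facility to other facilities they pass through) are simple once activity data is public by default. The following is an added example, not code from The Washington Post, Strava, or any researcher quoted here; the account handles, route names, timestamps and the public/private flag are all constructed, and the block assumes activities have already been matched to named routes rather than working from raw GPS tracks.

```python
"""Added example: how public-by-default activity data exposes routines and
links people across sites. Not code from the article, Strava, or the
researchers it quotes; every record below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Activity(NamedTuple):
    user: str       # hypothetical account handle
    segment: str    # named route the activity matched (e.g. "Base Perimeter")
    start: str      # ISO 8601 local start time
    public: bool    # whether the owner left the activity visible to everyone


# Constructed sample data; handles, routes and times are hypothetical.
ACTIVITIES = [
    Activity("runner_alpha", "Base Perimeter", "2017-11-01T05:40", True),
    Activity("runner_alpha", "Base Perimeter", "2017-11-03T05:50", True),
    Activity("runner_alpha", "Base Perimeter", "2017-11-05T05:45", True),
    Activity("runner_alpha", "Base Perimeter", "2017-11-08T06:00", True),
    Activity("runner_alpha", "Sniper Alley", "2017-12-02T06:10", True),
    Activity("runner_alpha", "Sniper Alley", "2017-12-04T06:05", True),
    Activity("runner_bravo", "Base Perimeter", "2017-11-02T17:30", True),
    Activity("runner_bravo", "Base Perimeter", "2017-11-04T17:35", True),
    Activity("runner_bravo", "Base Perimeter", "2017-11-06T17:30", True),
    Activity("runner_charlie", "Base Perimeter", "2017-11-07T12:00", True),
    Activity("runner_delta", "Sniper Alley", "2017-11-01T18:00", True),
    Activity("runner_delta", "Sniper Alley", "2017-11-03T18:10", True),
    Activity("runner_delta", "Sniper Alley", "2017-11-05T18:05", True),
    Activity("runner_delta", "City Park", "2017-11-12T09:00", True),
    Activity("runner_echo", "Base Perimeter", "2017-11-01T05:30", False),
    Activity("runner_echo", "Base Perimeter", "2017-11-02T05:30", False),
    Activity("runner_echo", "Base Perimeter", "2017-11-03T05:30", False),
]


def public_records(activities: Iterable[Activity]) -> List[Activity]:
    """Only what an anonymous visitor can see: activities left public."""
    return [a for a in activities if a.public]


def segment_regulars(activities, min_runs: int = 3) -> Dict[str, List[Tuple[str, int, int]]]:
    """Per route: users with at least min_runs public activities on it,
    with their run count and typical (median) start hour. This is the
    'who runs the route and at what times' view."""
    hours = defaultdict(list)
    for a in public_records(activities):
        hours[(a.segment, a.user)].append(datetime.fromisoformat(a.start).hour)
    regulars = defaultdict(list)
    for (segment, user), hs in hours.items():
        if len(hs) >= min_runs:
            regulars[segment].append((user, len(hs), int(median(hs))))
    return {seg: sorted(users) for seg, users in regulars.items()}


def cross_site_links(activities, sensitive_segments: Set[str]) -> Dict[str, List[str]]:
    """Users whose public activities touch two or more sensitive routes:
    someone seen at one known facility, then followed to another."""
    seen = defaultdict(set)
    for a in public_records(activities):
        if a.segment in sensitive_segments:
            seen[a.user].add(a.segment)
    return {u: sorted(s) for u, s in seen.items() if len(s) >= 2}


def make_private(activities, user: str) -> List[Activity]:
    """The mitigation the companies point to: one user flips their
    activities to private. Everyone who did not is still exposed."""
    return [a._replace(public=False) if a.user == user else a for a in activities]


if __name__ == "__main__":
    for seg, users in segment_regulars(ACTIVITIES).items():
        print(seg, users)
    print(cross_site_links(ACTIVITIES, {"Base Perimeter", "Sniper Alley"}))
```

Two things worth noting from running it: `runner_echo` runs the perimeter every morning but never appears, because those activities are private, while `runner_charlie` is filtered out only by the run-count threshold, not by any setting. Re-running the analysis after `make_private(ACTIVITIES, "runner_alpha")` removes that one person from both results and changes nothing for the others, which is why a per-user opt-out is a weaker control than a private-by-default setting or a server-side exclusion of sensitive areas.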

The realization that the data posted by Strava contained sensitive information was made by chance by an Australian undergraduate student, Nathan Ruser, who used the company's publicly available map to identify the perimeters of U.S. military bases in places such as northeast Syria.

Lamothe and Timberg reported from Washington. Drew Harwell and Joby Warrick in Washington contributed to this report.
