Strava’s fitness heatmap has a major security problem for the military

Andrews Air Force Base in Maryland, lit up on the Strava global heatmap, which shows activity at the military base.

Strava, a fitness tracking platform that logs activities on Fitbits, Jawbones and Garmin wearable devices, has a security problem.

In November, the platform launched a global heatmap of all the activity recorded through the tracking service. While it’s not live, it’s gathered a lot of data about user activity, patterns, routines, and locations — and it appears to be exposing some military secrets.

For the U.S. military, the maps look like a potential security threat. With one billion activities logged on the map, it’s a lot of useful data from all over.

Known and potentially secret military bases show bursts of activity and show where military members connected to the devices are exercising or sleeping. The Washington Post pinpointed potential exposure to military operations in Iraq, Syria, Afghanistan, and Somalia.

See where America exercises.

Image: strava global heatmap

The map could also show other agencies and organizations, including non-American patrols, but as a security expert told the WaPo, the data could help enemy forces plan an attack or ambush on troops, American or otherwise. 

While there’s not enough data to pinpoint American troops in low-activity areas like in the Middle East, American service members have in recent years been encouraged to use fitness trackers. A website for current and former military members lists discounts for a bevy of trackers.

Strava responded to the potential secret-exposing map with a statement reiterating its privacy options and a link to its privacy blog.

“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share,” the statement said.

The only issue with the privacy options is that to keep things truly private you have to opt out and carve out privacy zones. So until someone goes in and fine-tunes the settings, someone — like a Fitbit-wearing soldier — could inadvertently expose covert location and behavioral information.

Moreover, blind spots in otherwise populated areas could themselves point out facilities that are supposed to remain a secret.

That Fitbit challenge just turned into a security setback.