An online fitness tracking map can be used to reveal potentially top secret national security information, including the movements of soldiers stationed at far-flung military bases around the world.
And the person responsible for the discovery – which is likely to prompt global warnings about how defence personnel use popular devices such as the Fitbit – is a 20-year-old Australian university student.
After using a global heat map published by the fitness and social media company Strava to track the locations of US military bases, ANU security studies student Nathan Ruser posted his discovery on Twitter.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
“If soldiers use the app like normal people do, by turning on tracking when they go to do exercise, it could be especially dangerous,” Mr Ruser, 20, said in a tweet on Sunday.
“This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any pattern of life info from this far away.”
While the map is almost entirely lit up in populous places, remote areas appear in black with scattered lines of light helping a clued-in user to determine the location and perimeter of a suspected military base.
The map, which is not live, is designed to show the exercise routes of Strava “athletes” using data accumulated between 2015 and September 2017.
As a result, the running or cycling patterns of those who use the devices can be clearly made out, including the tracks favoured by soldiers in far-flung places around the world. The Pentagon has encouraged American soldiers to use Fitbits, according to the Washington Post.
Mr Ruser’s discovery was quickly picked up by international media, including the Post, which said the US military was investigating the security implications of the Strava map.
Australia’s defence department is “aware of the possible risks of the collection of location data through personal electronic devices and applications”, a spokesperson told The New Daily on Monday night.
“The circumstances of this application do not constitute a security breach,” they said.
Following Mr Ruser’s initial tweets, security analysts began scouring the map to identify activity at bases in places such as Mosul, Mogadishu and the South China Sea.
So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses): pic.twitter.com/wHItJwYUUI
— Tobias Schneider (@tobiaschneider) January 27, 2018
Others reported the data could be used to identify who had travelled along a particular track in cases where the user’s profile was public.
Writing in The Daily Beast, analyst Jeffery Lewis argued the data could be a target for hackers because “Strava knows which user made each track”.
Malcolm Davis, a senior analyst at the Australian Strategic Policy Institute, said the map opened up “a whole new way for an adversary to potentially gather intelligence on our forces”.
While the discovery was “significant”, Dr Davis said it was “important not to get too overwrought” about it.
“There are ways to limit the tracking through the privacy settings of the device,” he told The New Daily.
A Defence spokesperson said apps and devices like Strava that collect user information were “important to the quality of life of Defence staff”.
“Defence manages the risks associated with the collection of such information by having layered physical and information security protections for Defence personnel and facilities,” the spokesperson said.
They said defence personnel underwent training on the “risks posed by internet-connected devices and online activities” and were advised to “actively use and manage privacy controls to limit the amount of information they make publicly available”.
In a statement obtained by The New Daily, Strava said: “Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform.”
“It excludes activities that have been marked as private and user-defined privacy zones.”