Heat maps of troops and military personnel movement overseas, created using data sourced from wearable technology, circulated in nationwide media reports Monday, prompting concern for national security and military operations in war-torn regions of the world.
Now the issue is calling into question whether a social networking app known for “connecting the world’s athletes” could compromise the safety and security of not only San Antonio-based warriors, but also military installations across Joint Base San Antonio (JBSA).
Strava, an app in use on personal fitness and mobile devices, allows millions of users to time and map their fitness routines and share it with their friends. In November, the company began using this open-source data to publish global heat maps showing these movements, which it said includes 136 million runs uploaded in 2017 covering more than 700 million miles.
On Monday, the Rivard Report created a free user account to view detailed routes of users at JBSA military installations showing when and where people ran, walked, or cycled, along with users’ full names, run times and, in some cases, heart rates. JBSA includes Lackland and Randolph Air Force bases, Fort Sam Houston, and Camp Bullis. There are 283,000 active-duty service members and vets living in San Antonio.
Similar maps can be viewed for the headquarters campus of USAA, financial services provider to the military where thousands of former service members, reservists, and their spouses work and exercise every day. The USAA headquarters campus at 9800 Fredericksburg Road covers 282 acres and provides employees with miles of outdoor running trails, sports fields, and courts.
On Monday evening, Strava CEO James Quarles responded with a letter to the community, stating: “Many team members at Strava and in our community, including me, have family members in the armed forces. Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.”
Quarles added that Strava is “committed to working with military and government officials to address potentially sensitive data.”
By Tuesday morning, route maps for local military installations had been scrubbed. JBSA, USAA, and Strava did not respond to requests for comment.
Recent data releases emphasize the need for situational awareness when members of the military share personal information, a Pentagon official stated Monday.
“I can tell you DoD [Department of Defense]-wide that we take these matters very seriously and are now determining if any additional training or guidance is required,” said Army Maj. Audricia Harris, Pentagon press officer.
Public affairs training currently instructs service members to avoid any geotagging activity that would, for instance, show where a photo was taken and uploaded, and thus the location where a service member is posted.
“Those are operational security concerns. Any time you show routines or patterns of life, those are things that can potentially put our service members or their families at risk, whether in the U.S. or abroad,” Harris said.
An Operational Security (OPSEC) briefing, “The Dark Side of Open Source,” available online, warns: “The web is not the only open source available, but it is the easiest to use, the most accessible, and the least risky. However, once information is released, it is gone for good. Finding information on the web requires only persistence. Once a piece of information is released to the public domain, it is waiting for someone to find it. You can’t get it back.”
Another OPSEC briefing from 2010 claimed that a terrorist how-to handbook stated that about 80 percent of the information needed to conduct terrorist operations can be obtained from open sources, and suggests gathering as much information about location as possible.
“That is exactly right,” Harris said. “That’s why we are reviewing the policy about wearable electronic devices trying to determine if it needs to be modified or issue more guidance. Commanders … always have discretion to issue guidance. Right now, from a DOD-policy perspective, we’re looking at overarching guidance right now.”
Local IT developer Justin Solomonic, 37, began using Strava four years ago during his lunch-hour runs several times a week. “It’s a nice way of keeping track of runs, following friends, and motivating,” he said.
He admits to merely glancing at the Strava terms of service and privacy policy, but added he is aware that the app makes his data accessible to anyone with an account. “Heart rate is a premium service, otherwise I would share that also,” he said.
“With today’s geographical availability it would seem to me that Strava data is easily available via services such as Google maps,” Solomonic said. “For military purposes, I suppose it could show daily schedules and repetition, and I could see that being a concern.”
Richard James, 33, also uses Strava during his runs. It helps him find new routes and share his progress with runner friends. “I know Strava does collect the data from my runs,” he said. “I actually like the annual reports they share with the world – heat maps and logged miles. I know the app allows you to block out start points if you’re leaving from your home. I probably need to make that update.”
In its letter to the community, Strava said that its “engineering and user-experience teams are simplifying our privacy and safety features to ensure you know how to control your own data.”
According to Strava Metro, the division of Strava that gathers and analyzes the company’s data, there are nearly 85,000 app users in Texas and about 20,0000 users in Bexar County. Local governments regularly purchase Strava’s data for transportation planning purposes. In 2017, TxDoT purchased two years of pedestrian and cycling data from the company.
A retired local FBI agent who works in corporate security and asked not to be named, responded to the news by pondering how the problem can be solved. “At what point do we say who regulates it?” he said. “We don’t want Uncle Sam to regulate it because that’s too ‘big brother.’ As a society, we have to say what we want out in the open and what we don’t. Who do you want to solve the problem and what are you willing to give up? It’s a merry-go-round. You want to get on, but you don’t want to spin too fast.”
The heat maps of military installations probably reveal information not public before now, he added, and he expects the military will now ban Strava use on bases and posts “as a quick fix.”
Reporting on Monday’s news of the Strava snafu, TechCrunch writer Natasha Lomas called it a “textbook example of why privacy needs to be the default, not a hard-to-find opt-out, and what privacy-hostile design looks like.”
