All your base are belong to us: Strava exercise app maps military sites, reveals where spies jog

Fitness fans ignored off-by-default privacy settings, emit sensitive personal info

By Richard Chirgwin


In November, exercise-tracking app Strava published a “heatmap” of user activity which it cheerily boasted comprised a billion activities, three trillion lat-long points, 13 trillion rasterized pixels and 10 TB of input data.

It took a while, but late last week someone wondered “how many Strava users are members of the military or national security groups, and are uploading their activity?” The answer is “plenty - and they've revealed where they work, where they live, when they were sent to a new outpost and where to ambush them when they least expect it."

Ever since Nathan Ruser, an international security student at the Australian National University, observed that Strava's data included the exercise routes of military and natsec personnel, locating military installations in Strava's data has become a social media sensation.

For example, in Australia, it's now possible to see where people exercise at the secretive deep desert Pine Gap sigint station:

Observers have also noted that Strava hasn't revealed much more than was already visible on Google Earth. For example, here's Pine Gap again, this time from Google:

Google's got a much clearer image of Pine Gap

Strava's explanation of how it made the Heatmap says it excluded data that users asked to be kept private. The service allows users to create multiple "privacy zones" with a radius of up to 1km. When users enter such zones, their digital tracks disappear in order to make it harder to figure out where they live or work.

Data revealing the location of sensitive facilities, or the habits of military personnel, would therefore have been excluded if users had employed Strava's privacy settings.

However, as Ruser later tweeted, the location of bases isn't the only concern: the ability to establish “pattern of life” information also makes the Heatmap a serious source of risk – mainly because people weren't keeping their information private.
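To make the privacy-zone mechanism above concrete, here is an added Python example; it is not Strava's code and not from the article. It drops the points of a constructed GPS track that fall inside a 500 m zone around a hypothetical home (the opt-in protection the article says was off by default), then rasterises several users' published points into a heatmap and suppresses any grid cell that fewer than a chosen number of distinct users contributed to. That distinct-user threshold is an assumed mitigation of this example, not something the article says Strava applied; every coordinate and user name is constructed.

```python
import math
from collections import defaultdict

EARTH_RADIUS_M = 6_371_000.0
MAX_ZONE_RADIUS_M = 1_000.0   # the article: privacy zones of up to 1 km radius


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def apply_privacy_zones(track, zones):
    """Return the track with every point inside any zone removed.

    track: list of (lat, lon); zones: list of (lat, lon, radius_m).
    Mirrors the behaviour the article describes: inside a zone the
    user's track simply disappears from the published data.
    """
    for _, _, radius in zones:
        if not 0 < radius <= MAX_ZONE_RADIUS_M:
            raise ValueError(f"zone radius must be in (0, {MAX_ZONE_RADIUS_M:.0f}] m")
    return [(lat, lon) for lat, lon in track
            if all(haversine_m(lat, lon, zlat, zlon) > radius
                   for zlat, zlon, radius in zones)]


def _cell(lat, lon, cell_units):
    # integer grid index in units of 1e-4 degrees, avoiding float floor surprises
    return (round(lat * 1e4) // cell_units, round(lon * 1e4) // cell_units)


def rasterize(tracks_by_user, cell_units=100, min_users=1):
    """Count points per grid cell, keeping only cells that at least
    `min_users` distinct users contributed to.

    The per-cell distinct-user threshold is an assumed mitigation of this
    example (a lone jogger should not light up a cell); the article does
    not say Strava applied any such threshold.
    """
    counts = defaultdict(int)
    contributors = defaultdict(set)
    for user, track in tracks_by_user.items():
        for lat, lon in track:
            cell = _cell(lat, lon, cell_units)
            counts[cell] += 1
            contributors[cell].add(user)
    return {c: n for c, n in counts.items() if len(contributors[c]) >= min_users}


# --- constructed sample data (hypothetical locations and users) ---------
HOME = (52.0, 5.0)                      # hypothetical home, zone centre
ZONES = [(HOME[0], HOME[1], 500.0)]     # one 500 m privacy zone around it
# a run heading due north from the front door, one point every ~111 m
ALICE_RUN = [(HOME[0] + 0.001 * i, HOME[1]) for i in range(20)]
# a loop in a public park that three users all run
PARK_LOOP = [(52.05 + 0.0001 * i, 5.05) for i in range(10)]


def published_tracks():
    """What each user would contribute after privacy zones are applied."""
    return {
        "alice": apply_privacy_zones(ALICE_RUN, ZONES) + PARK_LOOP,
        "bob": PARK_LOOP,
        "carol": PARK_LOOP,
    }


def build_heatmap(min_users):
    return rasterize(published_tracks(), cell_units=100, min_users=min_users)


if __name__ == "__main__":
    kept = apply_privacy_zones(ALICE_RUN, ZONES)
    print("points left after privacy zone:", len(kept), "first kept:", kept[0])
    print("cells with >=1 user:", sorted(build_heatmap(1)))
    print("cells with >=3 users:", sorted(build_heatmap(3)))
```

Two things worth noticing when running it: the first surviving point of the home run sits right at the zone's edge, so a fixed-radius circle still marks where the zone is, which is one reason per-user exclusion alone does not make an aggregate dataset safe to publish; and with `min_users=3` only the shared park loop is rendered, while with `min_users=1` the two cells that only one user ever ran through appear as well.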

The Daily Beast's Adam Rawnsley noticed the app can even reveal troop movements, if new Strava users pop up in an area around a military base:

It is also, by the way, possible to extract people's names, profile pictures, and heart rates from Strava's backend:

Beyond the military frenzy, however, El Reg agrees with observations that the heat map is sufficiently detailed to pose a risk to individuals. Infosec bod Brian Haugli noticed that the heatmap reaches all the way to your door:

Even if individuals had set up the area around their homes as privacy zones, which Haugli noted is not the default, the dataset still contains a level of personally identifying information that shouldn't have been published by Strava, according to European privacy researcher Lukasz Olejnik.

Olejnik said at the least, someone should have conducted a privacy impact statement before pressing “publish” on the dataset.

He told The Register in an email: “This highlights the challenges of location data anonymisation, and how mass datasets reveal unexpected patterns. Organisations should carefully consider consequences on multiple levels prior to publishing private data.

“That said, making a privacy impact assessment of this kind of a project would be quite an adventure.”

Olejnik also tweeted that Europe's General Data Protection Regulation (GDPR) considers location to be sensitive information, meaning publication should be handled with care. ®
