The U.S. military said Monday that it is adjusting guidelines for the use of all wireless and technological devices on military facilities amid revelations that fitness trackers can be used to expose the identities of individuals working in sensitive and hazardous locations.
The review came after reports in The Washington Post and elsewhere that a global heat map posted online by the fitness-tracking company Strava reveals the outlines of U.S. military bases in some of the most dangerous locations in the world – along with the routes taken by supply convoys and patrols.
In the latest discoveries on Monday, experts and Internet sleuths found further ways of using the publicly available Strava data to identify individual users of the tracking service by name, along with the jogging routes they use in war zones such as Iraq and Afghanistan.
On one of the Strava sites, it is possible to click on a frequently used jogging route and see who runs the route and at what times. One Strava user demonstrated how to use the map and Google to identify by name a U.S. Army major and his running route at a base in Afghanistan.
On another Internet site, it is possible to establish the names and home towns of individuals who have signed up for a social sharing network where runners post their routes and speeds. One popular route on a base in Iraq has been nicknamed “Base Perimeter” by the U.S. runners who regularly use it. Another outside the big U.S. base in Kandahar, Afghanistan, is called “Sniper Alley.”
The U.S. military said in an emailed response to questions from The Post on Monday that new technologies pose challenges that are constantly being reviewed.
“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection. We constantly refine policies and procedures to address such challenges,” said the Central Command press office in Kuwait, which speaks for the U.S.-led coalition against the Islamic State. Some of the most readily identifiable bases exposed by the Strava data are in remote locations in Syria and Iraq, where U.S. forces are battling the Islamic State.
The existing rules on the privacy settings relating to devices such as fitness trackers are being “refined” and commanders at bases are being urged to enforce existing rules governing their use, the statement added.
“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” the statement said. “We will not divulge specific tactics, techniques and procedures. However, we have confidence in our commanders’ abilities to enforce established policies that enhance force protection and operational security with the least impact to our personnel.”
Strava issued a new statement saying that it takes the safety of its users seriously. The company “is committed to working with military and government officials to address sensitive areas that might appear,” the statement said. Strava had originally responded to the allegations by saying that users should check their privacy settings.
The public availability of the data represents “a potential catastrophe,” said Nathaniel Raymond, director of the Signal Program on Human Security and Technology at the Harvard School of Public Health. He researches the use of data technology for humanitarian workers around the world and said he has been warning for years of the dangers of the GPS data that is gathered and stored by companies such as Strava.
He said he used the map to pinpoint the jogging route he used to take when he served with U.N. peacekeepers in South Sudan in 2015. The route is evidently still being used by peacekeepers deployed there. Since Sunday, he and his team have used the other Strava sites to identify the names and daily routines of eight foreigners working for aid agencies and the United Nations in the Somali capital Mogadishu, one of the most dangerous cities in the world.
“The focus of this story has been soldiers and spies, but we are also talking about humanitarian workers. If you look at what we saw in Mogadishu and you are al-Shabab, you get a pretty good idea of who the foreigners are and where they are working,” he said, referring to the name of the al-Qaeda affiliate in Somalia.
“Once you can identify individuals the data becomes a lot more valuable,” said Tobias Schneider, a Berlin-based security analyst who has identified the names of 573 people who jog every morning around the parking lot of the headquarters of British intelligence, making it highly likely they work for the agency. “You could for example identify somebody who works at a known secret facility and then track his movements to other facilities through which he may rotate.”
The realization that the data posted by Strava contained sensitive information was made by chance by an Australian undergraduate student, Nathan Ruser, who used the company’s publicly available map to identify the perimeters of U.S. military bases in places such as northeast Syria. At one of the sites of a U.S.-led coalition base, it is possible to see that personnel regularly run along the top of a nearby dam.
One problem is that there is no clear regulatory or legal framework for companies such as Strava that collect information on individuals using newly available technologies, said Raymond.
“The duty of care for companies like Strava is not clearly defined. Companies like Facebook and Strava who collect this data don’t have clear regulations about what their liability or responsibility is,” he said. “And for users, what is the minimum viable level of knowledge that an individual user needs to have so that they can safely use these products?”
Children using GPS-guided toys and people using dating applications are among other people whose whereabouts could potentially be tracked, he said.
“We actually don’t have regulation that enables people to think about these issues,” he said. “The question is, what else has been breached?”