The Pentagon has now made it official. Eight months after a researcher discovered that the “heatmap” feature of the Strava fitness tracking community was revealing the location of US military facilities in Syria and other conflict zones as well as some troop movements, the Department of Defense has instructed troops headed to potentially hostile territory to turn off the Global Positioning System features of their fitness tracking gadgets and mobile applications.
In a memo obtained by the Associated Press, the new instructions state that “These geolocation capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission.” But Defense Department leadership stopped short of instructing troops to leave their wearable devices at home.
Instead, the memorandum instructs that the devices’ geospatial tracking capabilities must be turned off in sensitive or dangerous operating areas where the exposure of location data could cause a “significant risk” to members of the military. Operational commanders will be given leeway to decide whether GPS tracking needs to be turned off by their troops based on the threat level in their area of operations.
The military is a fitness-centered organization, and fitness trackers have been widely adopted across the services by those trying to keep on top of their training goals. So trackers and services like Strava have worked their way deep into the military at home and abroad. But geotagging of any sort of activity—whether it be running on bases or the taking of selfies inside an armored vehicle in foreign territory—can pose huge risks to military operations.
As Ars reported in January, the data that brought the threat to light was drawn from Strava’s “anonymized” heatmap. This included “one billion activities from all public Strava data through September 2017,” as Strava infrastructure and data engineer Drew Robb noted in a November 2017 post. Strava also offers a “top clusters” view that allows a geographic search for the highest concentrations of activity, along with links to the individual profiles of those who posted them—so it’s conceivable that someone would be able to search for individuals in a specific geographic area and expose more recent geospatial tracks.