
US military reviewing security practices after fitness app reveals sensitive info

Posted: Jan 29, 2018 4:22 PM
Updated: Jan 29, 2018 4:22 PM

The US Central Command says it's in the process of refining its privacy policies after it was reported that a fitness tracking app that maps people's exercise habits could pose security risks for security forces around the world.

Strava, which bills itself as "the social network for athletes" and allows its users to share their running routes, released a newly updated global heatmap last November. But experts and keen observers have recently realized its potential to reveal location patterns of security forces working out at military bases in remote locations.

Defense Secretary James Mattis has been made aware of the issue and the DoD is reviewing policy regarding smartphones and wearable devices, Pentagon spokesman Col. Rob Manning said on Monday.

"We take these matters seriously and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad," Manning said.

He added that Mattis "has been very clear about not highlighting our capabilities to aid the enemy or give the enemy any advantage, so that would be our approach going in on this one as well."

Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts, noted on Twitter on Saturday that the map made US bases "clearly identifiable and mappable."

"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away," Ruser tweeted.

In a statement to CNN, a spokesperson for US Central Command said it is constantly working to "refine policies and procedures to address such challenges."

"The coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain coalition sites and during certain activities. We will not divulge specific tactics, techniques and procedures," the statement continued.

In addition, the statement said that Central Command maintains "confidence in our commanders' abilities to enforce established policies that enhance force protection and operational security with the least impact to our personnel."

The Army previously issued fitness trackers to officers, though it's unclear how many of these devices were synced to Strava's software.

In 2013, the Army issued Fitbit Flex wristbands to some 2,200 soldiers as part of its "Performance Triad" program, Military.com reported. In 2015, the program expanded: 20,000 soldiers and reservists across American bases within the continental US were tagged to participate, according to the Army Times.

In a post about the update in November, Strava said the update would include "six times more data than before -- in total one billion activities from all Strava data through September 2017." Strava boasts "tens of millions" of users, and according to the company, marked three trillion latitude/longitude points on the updated map. It tracks location data using GPS from Fitbits, cellphones, and other fitness tracking devices.

In response to inquiries about the Strava data, Pentagon spokeswoman Maj. Audricia Harris said "DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad."

10,000 'screw-ups'

Scott LaFoy, an open-source imagery analyst, told CNN it's too early to truly assess how useful the data is.

"In terms of strategic stuff, we know all the bases there, we know a lot of the positions, this will just be some nice ancillary data," said LaFoy.

From the site, it's possible to identify individuals' running routes, and around military bases users had posted profile photos of themselves wearing military uniforms.

Tracking the timing of movements on bases could provide valuable information on patrol routes or where specific personnel are deployed, LaFoy said.

It could also pose a danger for government officials posted in dangerous locations, like diplomats, who may not be in as secure locations as military personnel.

"If the data is not actually anonymous, then you can start figuring out timetables and like some very tactical information, and then you start getting into some pretty serious issues," LaFoy said.

Strava said in a statement to CNN that the company is "committed to working with military and government officials to address sensitive areas that might appear."

"Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share," the statement said.

Regardless of the data's usability, the fact that it's out there shows a lapse in protocol, one that likely has the potential to cost information and operation security personnel their jobs, LaFoy said.

"This is literally what 10,000 innocent individual screw-ups look like," he said. "A lot of it is going to be a good reminder to security services why you do opsec (operational security) and why you do manage this sort of thing, and everyone is going to really hope it doesn't get a couple people killed in the meantime."

Limiting public profiles

When zoomed out, the heatmap shows more populated and developed parts of the world nearly completely lit up. Remote areas and conflict zones are darker, but eagle-eyed observers have noticed small lights in some of the areas, potentially identifying military personnel.

Twitter users have identified locations including a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and US special operations bases in the Sahel region of Africa. CNN cannot independently verify these claims. Known military sites like Diego Garcia in the Pacific Ocean and the Falkland Islands' RAF Mount Pleasant also show activity.

Multiple airports in Somalia show circles around airfields in the city. "Heavy jogging" at the airport in the capital of Mogadishu was spotted earlier by The Daily Beast's Adam Rawnsley.

The US Department of Defense said in response to the Strava data that "annual training for all DoD personnel recommends limiting public profiles on the internet, including personal social media accounts."

"Furthermore, operational security requirements provide further guidance for military personnel supporting operations around the world. Recent data releases emphasize the need for situational awareness when members of the military share personal information," said Pentagon spokeswoman Harris.

This story has been updated.
