GPS data shared by fitness apps has not compromised location of US troops: Pentagon
US troops overseas appear to not use privacy settings on fitness trackers.
— -- The Pentagon is insisting that public GPS data from commonly-worn fitness devices has not compromised the location of U.S. troops in classified or sensitive locations around the world, but will now review its policies on how service members use security settings on wearable electronic devices.
The data, which shows the movement of fitness devices such as Jawbone and Fit Bit, was publicly released in an online interactive map by the GPS tracking company Strava in November 2017.
It resurfaced over the weekend after it was discovered the map could not only reveal the most popular jogging paths in New York City, but the location of U.S. service members abroad who often operate in precarious security environments.
Strava's Global Heatmap used satellite information from users around the globe who allow their fitness devices to track and share their location, as well as individuals who upload their GPS data directly to Strava's mobile application.
The company said the map shows over 1 billion uploaded activities from users between 2009 and November 2017. More frequently trafficked routes show as bright yellow or white lines.
On Saturday, 20-year-old Australian student Nathan Ruser, who is studying international security and the Middle East at the Australian National University in Canberra, was exploring the map when he wanted to see if it would show U.S. troops inside Syria.
"It was very clear to see what you knew were U.S. bases lighting up so much clearer than any of the rest of the country," Ruser told ABC News on Monday.
"The biggest concerns with the data is firstly it allows an unprecedented look at the geographic build of a lot of these bases," he added. "You can see the supply lines, you can see the patrol routes in some cases, and you can see the infrastructure within the bases. But more than that, one of the most important and disturbing elements of the map is that it’s possible to establish an understanding of how the base works."
Journalists quickly started using the Global Heatmap to identify what they believed to be the locations of other U.S. personnel, including a suspected CIA base near Mogadishu, Somalia or U.S. troops operating in the Sahel region of Africa.
I removed location labels, but, to illustrate the point, here's an sample round of "spot the fit-but-hapless Westerners" in the Sahel: pic.twitter.com/KYUvapviY5
— Ben Taub (@bentaub91) January 29, 2018
Well-known U.S. bases are even easier to identity, such as Kandahar Airfield in Afghanistan.
Speaking with reporters Monday, Pentagon spokesman Col. Rob Manning said the Department of Defense has policies in place for how service members use specific security settings on their wearable electronic devices and smart phones.
After the department learned about Strava's interactive map over the weekend, Defense Secretary James Mattis ordered a review of those policies to see if there needs to be additional guidance or a new policy altogether.
"Operational security and force protection require constant vigilance," Manning said, adding, "We've already got policies out there that designate, specify for service members to be very specific about their security settings, and we're going to take a look at this now to determine if additional policy needs to be created in order to address this."
But Manning insisted that, to his knowledge, the classified or sensitive locations of U.S. service members had not been compromised by the data.
"Annual training for all [Department of Defense] personnel recommends limiting public profiles on the internet, including personal social media accounts," said Pentagon spokesperson Maj. Audricia Harris in a statement to ABC News. "Furthermore, operational security requirements provide further guidance for military personnel supporting operations around the world. Recent data releases emphasize the need for situational awareness when members of the military share personal information."
In a statement provided to ABC News Strava said, "Strava’s Global Heatmap represents an anonymized and aggregated view of over a billion activities uploaded to our platform, with more than 11 million shared per week. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to working with military and government officials to address sensitive areas and help users better understand our settings to give them control over what they share."
Someone familiar with Strava’s operations told ABC News that the company had reached out to the Department of Defense .
Manning said he was not aware of any outreach from Strava to the Department of Defense or whether the department had asked the company to take down information corresponding to U.S. service members.
"Nothing is more important than the safety of our community, and part of our commitment to safety is providing world class tools to allow you to choose what to share," Strava wrote in a July 2017 blog post. "We have a dedicated cross-functional group of employees who meet regularly to explore ways to improve privacy on Strava and our team works hard to make it easy for you to manage your privacy settings on both our mobile app and website. You can customize the information you share and find the balance between being social and being private that feels just right to you."
Ruser told ABC News that U.S. service members should weigh the benefits of fitness devices, saying, "what is convenient for them in tracking their fitness has these real world potential security risks associated with it."
"That needs to be communicated much better from higher-ranking officials to the people that are actually doing the runs and taking their afternoon jogs around the base," he said.
I removed location labels, but, to illustrate the point, here's an sample round of "spot the fit-but-hapless Westerners" in the Sahel: pic.twitter.com/KYUvapviY5
Well-known U.S. bases are even easier to identity, such as Kandahar Airfield in Afghanistan.
Speaking with reporters Monday, Pentagon spokesman Col. Rob Manning said the Department of Defense has policies in place for how service members use specific security settings on their wearable electronic devices and smart phones.
After the department learned about Strava's interactive map over the weekend, Defense Secretary James Mattis ordered a review of those policies to see if there needs to be additional guidance or a new policy altogether.
"Operational security and force protection require constant vigilance," Manning said, adding, "We've already got policies out there that designate, specify for service members to be very specific about their security settings, and we're going to take a look at this now to determine if additional policy needs to be created in order to address this."
But Manning insisted that, to his knowledge, the classified or sensitive locations of U.S. service members had not been compromised by the data.
"Annual training for all [Department of Defense] personnel recommends limiting public profiles on the internet, including personal social media accounts," said Pentagon spokesperson Maj. Audricia Harris in a statement to ABC News. "Furthermore, operational security requirements provide further guidance for military personnel supporting operations around the world. Recent data releases emphasize the need for situational awareness when members of the military share personal information."
In a statement provided to ABC News Strava said, "Strava’s Global Heatmap represents an anonymized and aggregated view of over a billion activities uploaded to our platform, with more than 11 million shared per week. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to working with military and government officials to address sensitive areas and help users better understand our settings to give them control over what they share."
Someone familiar with Strava’s operations told ABC News that the company had reached out to the Department of Defense .
Manning said he was not aware of any outreach from Strava to the Department of Defense or whether the department had asked the company to take down information corresponding to U.S. service members.
"Nothing is more important than the safety of our community, and part of our commitment to safety is providing world class tools to allow you to choose what to share," Strava wrote in a July 2017 blog post. "We have a dedicated cross-functional group of employees who meet regularly to explore ways to improve privacy on Strava and our team works hard to make it easy for you to manage your privacy settings on both our mobile app and website. You can customize the information you share and find the balance between being social and being private that feels just right to you."
Ruser told ABC News that U.S. service members should weigh the benefits of fitness devices, saying, "what is convenient for them in tracking their fitness has these real world potential security risks associated with it."
"That needs to be communicated much better from higher-ranking officials to the people that are actually doing the runs and taking their afternoon jogs around the base," he said.