Soldier’s Fitness App Leaks Location of Aircraft Carrier Headed to Middle East

A French officer’s fitness app leaked the position of the country’s only aircraft carrier and its accompanying strike team bound for NATO exercises in the Mediterranean Sea, according to reporting by Le Monde.

This is not the first time that data from a fitness app has unwittingly outed military secrets, something that the French newspaper has made a point to report on before. Military members going for their daily runs or bike rides at secret bases or on the decks of ships have accidentally made exact geopositioning coordinates available via their public profiles, a possibility that has previously prompted bans by the US and other countries.

Fitness app reveals exact location of France’s only carrier

The fact that the French carrier and its escort were headed to the Mediterranean for NATO exercises was public knowledge, announced by President Emmanuel Macron in early March and scheduled to conclude sometime in May. However, even in these situations armed forces would prefer to keep the exact locations of their assets secret as they come within striking range of hostile forces. Just one soldier using a fitness app or tracking device can out this location if their fitness results are automatically posted to a public profile.

In this case, the officer outed the ship in real time on the morning of March 13 as it passed near Cyprus about 62 miles off the coast of Turkey. The officer was using Strava, a combination fitness app and social networking platform that incorporates the use of GPS data to track elements such as elevation and precise distance traveled. The app integrates with smartwatches, which reportedly is what was used in this case. Other news outlets doing follow-up reporting note that the user’s information was removed from public view following the publication of the original story.

The French military does not presently have a ban on use of fitness apps while in the field. However, a statement was issued indicating that the officer did not follow “current instructions” about the use of such trackers.

As Matthew Stern (Chief Security Officer at Hypori) notes, this case illustrates how use of personal devices at work can create risk even when these devices are separated from the business network: “Security strategies tend to focus on protecting systems from unauthorized access, but less emphasis is placed on how authorized users may unintentionally create risk outside those systems. Personal applications that track movement, health metrics, or usage patterns are continuously collecting data that exist beyond enterprise controls. When that data intersects with individuals who have access to sensitive environments, it creates an indirect but very real exposure path that traditional security models are not designed to address.”

“If employees are expected to use personal devices for work, then their personal and professional lives are inevitably connected, and so is the data they generate. Organizations have to operate with that assumption,” Stern adds. “The priority should be creating clear separation between those environments, so work-related data and access are not exposed through the same device activity. Without that separation, even routine personal app usage can unintentionally surface information that puts sensitive operations at risk.”

Fitness apps have frustrated governments and militaries since their inception

This is far from the first time that fitness apps have leaked sensitive or classified military position information, and it is also not the first time Le Monde has broken such a story about Strava. In 2024, the paper reported on 12 members of the security detail for French President Emmanuel Macron doing something similar with their Strava fitness apps and public profiles. These leaks dated back to at least 2021 and could have been used to identify hotels Macron was staying at as well as locations at which he had meetings and went on vacation outside of France.

That same story also revealed that 26 US Secret Service agents were similarly exposing then-president Joe Biden’s location, as well as six members of the Russian Federal Protection Service guarding Vladimir Putin. Secret Service agents assigned to Donald Trump during his 2024 presidential campaign, as well as Melania Trump and Jill Biden, also reportedly were broadcasting public location information via their fitness apps.

This is hardly a new issue, however, or one exclusive to Strava. Fitness apps of various types that allow for public information sharing have been available since the early 2010s. In 2014, a study conducted by the American Medical Informatics Association found that of the hundreds of most commonly used apps in this category only about 30% had privacy policies. Concerns at first centered mostly on personal health data being sold to third-party marketers and on the apps' use as a side channel to pass medical information that should otherwise be covered by HIPAA and similar regulations, but Strava brought the issue of potential military espionage to light in 2018 when its “heat maps” of user activity inadvertently exposed the location of secret US bases. This prompted a US military review and eventual ban for some personnel.

Fitness apps have something of an inherent business conflict in this area. They largely rely on extensive logging and simple cross-device syncing as features to both sell customers on the app and provide revenue streams. This requires them to interact with a cloud server to pass potentially sensitive health data, and users are generally opted into this by default as most of the app’s “killer features” will not function without it. “Local only” apps focused on user privacy are thus relatively few and far between. Military members may continue to use these apps despite years of security warnings about them simply because there is little on the market available as a workable alternative for their needs.