In November 2017, Strava, a fitness tracking company, released a heatmap of their users’ activity and sending pulses racing all across the world.
Instead of joggers rejoicing at new and more useful paths for cardio, secret US military operations and even individual soldiers in training were now glowing in full color against a black background.
The Strava heatmap incident – Timeline and impact
“This update includes six times more data than before – in total 1 billion activities from all Strava data through September 2017. Our global heatmap is the largest, richest, and most beautiful dataset of its kind. It is a direct visualization of Strava’s global network of athletes,” the company proudly boasted. No one expected those athletes to inadvertently expose highly sensitive data or, if they did, the app’s warnings on security policies and privacy risks were not heeded.
While it was and still is possible to use satellite imagery to pinpoint military sites around the world, so far no intelligence agency had access to such an accurate map of human activity. Until now, all thanks to soldiers wearing Strava devices or using the Strava app to track their fitness progress.
Strava was “sitting on a ton of data that most intelligence entities would literally kill to acquire,” policy expert Jeffrey Lewis of the Middlebury Institute of International Studies warned on Twitter.
Selfie soldiers not going away anytime soon
Back in 2015, investigative journalist Simon Ostrovsky from Vice News coined the term “selfie soldiers” in a documentary about how social media could confirm Russian soldiers’ activity in Ukraine.
Taking it one step further, Ostrovsky used a combination of satellite imagery and good old-fashioned footwork to visit the locations where military personnel was located along the Russia-Ukraine border, using only the data gathered from the selfies of one individual soldier.
“I was able to confirm that he is a real person who has been posting all this stuff online about himself and how he got from here in Siberia all the way to eastern Ukraine. I also found out a lot of other information like who his brothers and sisters are and where he lives. The most important bit of information I got was that he is a contract soldier with the Russian Army up until the year 2016. So this just goes to show how difficult it is for any government, including Russia’s, to try and keep anything secret from pretty much anyone in the modern world,” was the way Ostrovsky summarized his investigation.
Selfie soldiers is a term that can be useful when discussing civilian technology in military settings, especially where security breaches are concerned, because, more than two years later, breaches still occur.
Just like with the Vice News investigation, in the Strava incident, highly sensitive military data pertaining to operations in Afghanistan and Syria was exposed and, along with it, personal data belonging to soldiers. On the Strava heatmap, a researcher from the Atlantic Council’s Digital Forensic Research Lab found a user named Igor who was jogging inside a military base in Sevastopol, Crimea. Then, the researcher quickly discovered pictures of the soldier and a list of friends attached to his Strava profile, which further helped him to find out even more details about the individuals serving in the military facility.
Responses to data breaches and policy deployment
What’s truly worrying is the U.S. Department of Defense’s response to the Strava heat map incident.
More than 8 months after the incident, on August 6, the Associated Press obtained an internal memo sent by the U.S. Department of Defense outlining steps to take to prevent another incident like this.
What did it say?
The new rules outlined in the memo stop short of banning fitness trackers or other electronic devices. Instead, the memo is a mere set of guidelines designed to educate military personnel over the risks of location-sharing apps.
“These geolocation capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission,” was one explanation included in the DoD memo.
To respond to a incident of this magnitude, which exposed secret military activities, with advice that any somewhat-savvy Internet user is already familiar with, paints a grim picture of the way the authorities secure information in a time of constant and grave cyber security threats.
For example, the Israeli military took no risks when it came to the rise of a new trend and, back in August 2016, quickly banned soldiers and officers from playing Pokemon Go. A location-based game that also requires access to a phone’s camera, Pokemon Go represented a big risk for leaking sensitive information, one that the Israeli authorities quickly assessed.
Achieving security when civilian technology is used in military settings
It’s true, the Strava incident serves as an example of how difficult, if not almost impossible, secrecy and policy enforcement is. As location-based services become ubiquitous, governments around the world are facing a hydra-headed privacy challenge. Even with location turned off, in 2016 a team of researchers found a way to pinpoint the whereabouts of various dating apps users:
“Without using sophisticated hacking techniques, our proposed model (called colluding-trilateration) is still very effective and efficient at locating the targeted victim, and of course in a so-called “legal” manner, because we only use information that can be obtained just as same as any other ordinary user.”
With studies like these and cyber security breaches of the magnitude seen in the past few years, there is not enough emphasis put on actually training military personnel. The human element is always going to be the major flaw of any cybersecurity policy. Yet, on the privacy front, it seems that soldiers get little to no education, at least if you look at how the Department of Defense handled the aftermath of the Strava heat map incident.
Other security experts outlined quick actionable plans for individuals concerned about their privacy, so perhaps it is time for state agencies to implement them as well. After all, even the most watertight cyber security policy will have a gap – the human element. State-sponsored hackers are not the only enemy, a nation’s own military without proper cyber security training can be considered an APT (advanced persistent threat) as well.