In November 2017, Strava, a fitness tracking company, released a heatmap of their users’ activity and sending pulses racing all across the world.
Instead of joggers rejoicing at new and more useful paths for cardio, secret US military operations and even individual soldiers in training were now glowing in full color against a black background.
The Strava heatmap incident – Timeline and impact
“This update includes six times more data than before – in total 1 billion activities from all Strava data through September 2017. Our global heatmap is the largest, richest, and most beautiful dataset of its kind. It is a direct visualization of Strava’s global network of athletes,” the company proudly boasted. No one expected those athletes to inadvertently expose highly sensitive data or, if they did, the app’s warnings on security policies and privacy risks were not heeded.
While it was and still is possible to use satellite imagery to pinpoint military sites around the world, so far no intelligence agency had access to such an accurate map of human activity. Until now, all thanks to soldiers wearing Strava devices or using the Strava app to track their fitness progress.
Strava was “sitting on a ton of data that most intelligence entities would literally kill to acquire,” policy expert Jeffrey Lewis of the Middlebury Institute of International Studies warned on Twitter.
Selfie soldiers not going away anytime soon
Back in 2015, investigative journalist Simon Ostrovsky from Vice News coined the term “selfie soldiers” in a documentary about how social media could confirm Russian soldiers’ activity in Ukraine.
Taking it one step further, Ostrovsky used a combination of satellite imagery and good old-fashioned footwork to visit the locations where military personnel was located along the Russia-Ukraine border, using only the data gathered from the selfies of one individual soldier.
“I was able to confirm that he is a real person who has been posting all this stuff online about himself and how he got from here in Siberia all the way to eastern Ukraine. I also found out a lot of other information like who his brothers and sisters are and where he lives. The most important bit of information I got was that he is a contract soldier with the Russian Army up until the year 2016. So this just goes to show how difficult it is for any government, including Russia’s, to try and keep anything secret from pretty much anyone in the modern world,” was the way Ostrovsky summarized his investigation.
Selfie soldiers is a term that can be useful when discussing civilian technology in military settings, especially where security breaches are concerned, because, more than two years later, breaches still occur.
Just like with the Vice News investigation, in the Strava incident, highly sensitive military data pertaining to operations in Afghanistan and Syria was exposed and, along with it, personal data belonging to soldiers. On the Strava heatmap, a researcher from the Atlantic Council’s Digital Forensic Research Lab found a user named Igor who was jogging inside a military base in Sevastopol, Crimea. Then, the researcher quickly discovered pictures of the soldier and a list of friends attached to his Strava profile, which further helped him to find out even more details about the individuals serving in the military facility.