Strava map shows the tradeoffs of geo-tracking
- By Matt Leonard
- Jan 29, 2018
Who knew the use of fitness trackers has national security implications? A 20-year-old Australian student of international security and the Middle East, that's who.
Nathan Ruser took a close look at a heatmap of workout routes posted online by Strava, the maker of a fitness tracking app, and examined the trails around military bases.
“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” Ruser tweeted. One path that was highlighted looked to Ruser like a regular jogging route on a forward operating base. “I shouldn't be able to establish any Pattern of life info from this far away,” he tweeted.
Strava provides services for companies like Fitbit and Jawbone, but users can also download its fitness tracking application for their personal devices.
In a statement to The Washington Post, the Central Command press office in Kuwait said it was refining its rules for fitness trackers.
Anthony Stefanidis, the Director of the Department of Homeland Security Center of Excellence on Criminal Investigations and Network Analysis at George Mason University, told GCN this is just the most recent example of new technology providing geolocational data on troops.
The Defense Department has long warned troops about the dangers of providing locations over the internet, specifically geotagged photos that can be used by adversaries. In 2007, four AH-64 Apaches were destroyed by a mortar attack after soldiers' geotagged photos of the new helicopters were uploaded to the internet, according to the Army.
Stefanidis said the information provided by the Strava data could be especially insightful when used in combination with other open source resources, like Google Maps. It provides movement and trajectory data for people in locations that otherwise might be ignored, he said.
“It’s almost like the bases have glass walls,” he said.
There isn’t any personally identifiable information in the Strava data -- it’s just lines showing paths people have taken. But an adversary intent on singling someone out might still be able to, Stefanidis said, referring to a 2013 study in which researchers identified individuals from an anonymized mobility dataset and concluded that “little outside information is needed to re-identify the trace of a targeted individual even in a sparse, large-scale, and coarse mobility dataset.”
Many of the applications or services that track location have settings for managing the privacy of this information. Strava told The Washington Post it plans to work with the military and government regarding any concerns.
Part of the process for ensuring something like this doesn’t happen again will be education, according to Stefanidis. “What we need to explain to the troops is what type of information can be deciphered … [when they're] posting that type of information,” he said.
The incident with Strava is the result of people knowingly using an application that tracks their location. But Joshua Franklin, an IT security specialist in the National Cybersecurity Center of Excellence, said there are a number of ways for potential adversaries to track the location of a connected device, including from the cell towers and Wi-Fi networks they connect to.
Wearables and mobile applications can also divulge a user’s location, but users can protect themselves by turning off location services for individual apps or switching to airplane mode, he said.
Location-based data has become increasingly important as advanced traffic analytics play a larger role in city planning, and as that data is collected, anonymization and privacy continue to be a major concern. StreetLight Data CEO Laura Schewel said data used in her company's transportation analysis goes through a two-step process to help ensure privacy. First, location data is provided without any personally identifiable information – the systems only track device numbers and locations. Then, data analysis is conducted on groups of devices so the movement of a single individual can’t be tracked.
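The two-step process described above, sketched as an added example (it is not StreetLight Data's code and does not come from the article): the grid size, the threshold K_MIN and every record are constructed assumptions. It counts distinct devices per grid cell rather than samples, so one device repeating the same route never clears the group threshold.

```python
from collections import defaultdict

CELL_MICRO = 10_000  # grid cell of 0.01 degrees, in micro-degrees (assumed)
K_MIN = 3            # assumed minimum number of distinct devices per cell

# Constructed records: owner name, device number, latitude, longitude.
RAW = [
    ("Ann", "d1", 1.2341, 2.3451), ("Bob", "d2", 1.2343, 2.3455),
    ("Cy",  "d3", 1.2346, 2.3452), ("Dee", "d4", 1.2349, 2.3458),
    ("Ann", "d1", 1.2512, 2.3611), ("Bob", "d2", 1.2515, 2.3614),
    # One device repeating the same isolated loop three times.
    ("Zed", "d9", 0.5012, 0.1603), ("Zed", "d9", 0.5014, 0.1605),
    ("Zed", "d9", 0.5016, 0.1607),
]

def strip_pii(raw):
    """Step 1: keep only the device number and location."""
    return [(dev, lat, lon) for _name, dev, lat, lon in raw]

def cell_of(lat, lon):
    """Snap a coordinate to an integer grid cell (floor division on micro-degrees)."""
    return (round(lat * 1e6) // CELL_MICRO, round(lon * 1e6) // CELL_MICRO)

def devices_per_cell(points):
    """Map each grid cell to the set of distinct devices seen in it."""
    cells = defaultdict(set)
    for dev, lat, lon in points:
        cells[cell_of(lat, lon)].add(dev)
    return cells

def publishable(points, k=K_MIN):
    """Step 2: release a cell only if at least k distinct devices passed through it."""
    return {c: len(d) for c, d in devices_per_cell(points).items() if len(d) >= k}

def naive_heat(points):
    """Raw sample counts per cell with no group threshold, for comparison."""
    heat = defaultdict(int)
    for _dev, lat, lon in points:
        heat[cell_of(lat, lon)] += 1
    return dict(heat)

if __name__ == "__main__":
    pts = strip_pii(RAW)
    print("naive heat:", naive_heat(pts))      # the lone device's loop is visible
    print("published: ", publishable(pts))     # only the shared cell survives
```
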
And as cities integrate sensing platforms into their smart infrastructures, they are also updating privacy policies.
Chicago held multiple public meetings as it was revamping the privacy statement for its Array of Things.
“Because the Array of Things will be collecting data from the public, we felt it was very important -- both in the technical design of the nodes themselves and in the design of the policies that will govern the project -- to be very mindful around the transparency, security and privacy approach that we were taking with the overall project,” Chicago’s then-CIO Brenna Berman told GCN in 2016.
To stay ahead of the next tech trend that will track location and possibly compromise security, Stefanidis suggested IT managers simply talk with the people in the organization.
“Keep asking your people what they’re using and what they’re having fun with,” he said.
Matt Leonard is a former reporter for GCN.