Strava’s data lets anyone see the names (and heart rates) of people exercising on military bases

Thought Strava’s heatmap fitness data was totally anonymised? Think again

In March 2017, a member of the Royal Navy ran around HMNB Clyde, the high-security military base that's home to Trident, the UK's nuclear deterrent. His pace wasn't exceptional, but it wasn't leisurely either.

His run, like millions of others around the world, was recorded through the Strava app. A heatmap of more than one billion activities – comprising 13 billion GPS data points – has been criticised for showing the locations of supposedly secretive military bases. It was thought that, at the very least, the data was totally anonymised. It isn't.

By uploading an altered GPS file, it's possible to de-anonymise the company's data and show exactly who was exercising inside the walls of some of the world's most top-secret facilities. Once someone makes a data request for a specific geographic location – a nuclear weapons facility, for example – it's possible to view the names, running speeds, running routes and heart rates of anyone who shared their fitness data within that area.

The fitness app – which can record a person's GPS location and also host data from devices such as Fitbits and Garmin watches – allows users to create segments and leaderboards. These are areas where a run, swim, or bike ride can be timed and compared. Segments can be seen on the Strava website, rather than on the heatmap.

Computer scientist and developer Steve Loughran detailed how to create a GPS segment and upload it to Strava as an activity. Once uploaded, a segment shows the top times of people running in that area, which is how it's possible to see the running routes of people inside the high-security walls of HMNB Clyde.

"Once Strava has gone through its records, you'll be able to see the overall top 10 per gender/age group, when they ran, and who they ran with," Loughran wrote in a blog post. "And, if their profile isn't locked down enough: which other military bases they've been for runs on."

The segment for HMNB Clyde shows multiple people have run through the restricted area in recent years. The Guardian has also reported it is possible to see the names of more than 50 US service members at a base in Afghanistan. Revealing the names of individuals – and their movements around high-security military bases – poses a potential security risk.

"If you can have access to the personnel training and exercises then you also have information about where this person is and when he or she does certain activities," says Beyza Unal, a research fellow at Chatham House's international security department. She says that over time it may be possible to build up an idea of a person's behaviour.

"That could lead to getting patterns about the personnel training, that pattern is important for operational military sake. If you are an enemy or adversary you may want to use certain information that you did not have beforehand."

In response to the fallout from its heatmap showing military information, Strava has said it is keen to help people better understand its privacy controls. It also said the company is "committed to working with military and government officials" where sensitive locations are involved. Strava has not directly commented on the ability to see the names of individuals and their movements over time.

Strava has a number of different privacy options but, as has been pointed out by users, they aren't always the clearest. A Quartz article from August 2017 details some of the different options that are available. Some of the privacy settings can only be changed through the company's website rather than in its app.

The company released its most recent heatmap in November 2017, building upon the first version released in 2015. The map shows the popularity of running, cycling and swimming routes completed by people either using the app or importing data from third-party devices. The more popular a route is, the brighter it shows up on the heatmap.

In an open letter published on January 29, Strava's CEO James Quarles said the company is taking the heatmap issue seriously. He also said it will review features that were "originally designed for athlete motivation" to ensure they can't be "compromised by people with bad intent".

Despite the heatmap being released more than two months ago, the ability to see activity in potentially sensitive locations was only spotted in recent days when Nathan Ruser, an international security student at the Australian National University, noticed data was being displayed around military bases.

Want to know how people are moving around US military bases in Beirut? How about at GCHQ or Area 51? Simple. Just look at the map. The situation has raised questions as to whether people working in the military and related fields should record their movements with a GPS fitness tracker.

"The underlying problem is that the devices we wear, carry and drive are now continually reporting information about where and how they are used 'somewhere'," Loughran said. "In comparison to the datasets which the largest web companies have, Strava's is a small set of files, voluntarily uploaded by active users."

On Twitter, Tim Mathews, who has served in the US military, said during his time he was not permitted to use any "non-military issue device with GPS tracking".

UK military guidelines for social media use caution that location services should be turned off. The US Marines also have clear guidelines on when and where fitness trackers can be used.

Update 30/01/2018, 8:10AM: This article has been updated to remove a reference to Strava's API. Additional comment from Strava and Loughran have also been added.

This article was originally published by WIRED UK