Fitness tracker Strava, used by me and many of my peers, updated its user heat maps in November of 2017 to show exercise location data for billions of activities. As a consequence, the improved clustered information revealed sensitive military and security locations around the world.
In January of 2018, more detailed revelations began surfacing at a rapid pace when Nathan Ruser, a student studying international security at the Australian National University, began posting his findings via Twitter.
Using a series of images, Ruser pointed out Strava user activities potentially related to US military bases in Afghanistan, Turkish military patrols in Syria, as well as a possible guard patrol in the Russian operating area of Syria.
I felt terrible when I first read this information. I use Strava to record my bike rides. And I use MapMyRun. I felt angry toward Strava for publishing the heat maps. But the more I thought about it, the more I found myself ticked about the apparent lack of training provided to our military and security personnel to protect sensitive information.
The Garmin app has an option to turn off selected data sharing to Social Media, but there should be military and security worker training on how to shut it off completely, so that an app’s data is not visible on Social Media, or even to an app administrator.
Some of the apps have options to protect the geographical reference to a user’s start and stop locations. But in my mind, that’s not enough security when your job makes your and your coworkers’ locations vulnerable. Hiding my “start” location might be useful in my neighborhood of 200 homes, but in an Afghan desert, any information is too much information.
My spouse is a 30-year military veteran who has been in harm’s way. And I’m deeply concerned about the safety of our military members and unintentional Social Media data sharing that could affect them.
Military members and security workers are trained (and policy is set for them) to stay away from Social Media or to severely limit its use. Using an app that had an active location service running “should” be a no-no in the scope of a military member’s role. Many security workers that I know actively self-monitor their own Social Media use.
While it is fun and motivational to measure exercise results, there is no requirement to do so in an app, and it is my opinion that a military member or security employee should know better. My spouse has a Facebook account that he very rarely uses, and he has never used an app for exercise that would track his location while on duty–I did that, and the only way anyone would have known his running location is IF they knew that he was running with me.
In the event of an emergency, my spouse carries his phone while exercising, and lets me know about his plans ahead of time. And if he wanted to “measure” his exercise results, he used an offline wrist exercise monitor, or timed his run and calculated his results the old-fashioned way, with a stopwatch. Remember those?
In our household, we’ve always had a policy that we don’t post Facebook “vacation” or activity information that reveals where we are “until” we get home. We started that even when our kids were young.
In the “old days” we had exercise trackers that had no connections to Social Media. Anyone remember the old Polar exercise monitors? No personal data was required to use the device, and you could still measure your results. It was simply a measuring device that retained anonymous data.
My husband got his first smartphone last year, the year he retired from active duty. Up to that point, he always had a flip phone. It may have had GPS, but had no apps. It was a phone. This was the first year in his life that he used any Google apps.
The old World War II era warning that “loose lips sink ships” still holds as true today as it always did, and I am shocked that our military and security agencies aren’t more diligent about new technology developments that allow access to personal data on Social Media.
Training military or security employees to protect sensitive information should be a top priority of these agencies. The exposure of the sensitive heat map data by Strava should be a lesson to those agencies to determine better policies to protect personnel.
Sadly, when I went seeking information distributed by the DoD on Social Media policies, all I found was a reference page that gave instructions on things like, “How to set up your Tinder” account.