Fitness app highlights sensitive military positions around the world

A fitness tracking company Strava accidentally revealed sensitive military positions in a data visualisation it published in 2017.

Security concerns have been raised after the firm showed the exercise routes of military personnel in bases around the world.

Strava published a “heatmap” showing the paths its users log as they run or cycle.

It appears to show the structure of foreign military bases in countries including Syria and Afghanistan as soldiers move around them.

The centre of Pyongyang, North Korea

The US military was examining the heatmap, a spokesman said.

Stava uses the collected data, as well as that from fitness devices such as Fitbit and Jawbone, to enable people to check their own performances and compare them with others.

In a statement, Strava said: “Our global heatmap represents an aggregated and anonymised view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones.

Strava’s response has come too late for some, however, as militaries around the world contemplate banning fitness trackers to prevent future breaches.

CHQ in Cheltenham, England (Photo: Strava)

The news broke out when Nathan Ruser, a 20-year-old Australian university student came across the map while browsing a cartography blog last week.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

— Nathan Ruser (@Nrg8000) January 27, 2018

He realised that a large number of military personnel on active service had been publicly sharing their location data and realised that the highlighting of such exercises as regular jogging routes could be dangerous.

"I just looked at it and thought, 'oh hell, this should not be here - this is not good,'" he told the BBC.

"I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed. Someone would have noticed it at some point. I just happened to be the person who made the connection."