Data released by fitness platform Strava may have unintentionally exposed critical information like the whereabouts of US military bases around the world.

Strava is the maker of a fitness-tracking app that uses a phone’s GPS or fitness trackers to track when and where a user is exercising, designed to be a social network of sorts for athletes. Last November, the app maker released a global heat map showing the activity of its users from around the world, containing information from a billion activities across 3 trillion latitude and longitude points.

But researchers have discovered the heat map reveals highly sensitive information about the locations and activities of soldiers at various military bases. Nathan Ruser, a member of the Institute for United Conflict Analysts, who first discovered the issue, tweeted, “Strava released their global heat map. 13 trillion GPS points from their users (turning off data sharing is an option). It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable.”

Most parts of the United States and Europe, where millions use fitness trackers and smartphones, show up on the map as bright blazes of light because of heavy activity.

In conflict zones such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered bits of activity. Zooming in on those areas throws up outlines of known US military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.

A threat to security?

Strava’s heat map doesn’t necessarily reveal the locations of military installations to the world — Google Maps and public satellite imagery sources have already done that — but rather than showing just the location of buildings and roads, Stava’s map the movement patterns in the areas and maps out frequently used paths. This is a potential security threat to military personnel.

For example, the below is a satellite image of the Pathankot Air Base in Punjab with Strava’s heat map data overlayed on it. It shows the route frequently used around the sensitive airbase which has been a terrorist target in the past.

While the users share their data with Strava voluntarily the issue does bring up questions about informed consent with regards to privacy. “Privacy of data simply cannot be negotiated person by person, especially because there’s no meaningful informed consent. People cannot comprehend what their data will reveal especially *in conjunction* with other data. Even companies do not know this, so they cannot inform anyone,” Zeynep Tufekci, an associate professor at the University of North Carolina and an opinion writer for The New York Times wrote on Twitter. “I’ll emphasize: In the digital age, there is NO meaningful informed consent with regards to data privacy that operates at an individual level. Current implications are unknown; future uses are unknowable. Companies structurally cannot inform and we are in no position to consent.”

Former soldier’s also seemed to be alarmed about the issue, “Big OPSEC [operations security] and PERSEC [personal security] fail,” tweeted Nick Waters, a former British army officer who pinpointed the location of his former base in Afghanistan using the heatmap. “Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.”

Adding to that concern, Twitter user Paul Dietrich, who writes about US’s National Security Agency wrote “I was able to identify a soldier running a route around a camp in Iraq and follow him home to France. Using the built-in interface of Strava, in the manner in which it was intended.”

Will it affect India?

The US-led military coalition has reacted by tweaking its guidelines on the use of communication devices.

“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” the coalition said in a statement to The Washington Post.

“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” it added.

In the past, the Indian military establishment has ordered the removal of certain apps from smartphones which were viewed as a threat to security although no such order has been made regarding Strava as of yet.

In December 2017, the Ministry of Defence issued an order to the Indian armed forces asking officers and all security personnel to remove, uninstall over 42 Chinese apps as these have been classified as ‘spyware’. The list included popular apps like Mi Store found on all Xiaomi smartphones, WeChat which is a popular messaging app from China, ShareIt which is used for file transfers and one of the most popular apps in India.