While I was doing research for my article about the updates to Strava’s Global Heatmap, I zoomed into some otherwise dark and undocumented areas in the Middle East to inspect some hot spots. “Hmm,” I thought to myself, “these routes look strange. It almost looks like someone is jogging around a yard inside of a military base or something. But nah, nobody would be stupid enough to record a Strava activity on an active military base in the Middle East.”
Well, I guess I was both right and wrong.
I was right that I could easily identify military bases, but I was wrong that nobody would be that stupid. Or, perhaps more likely, the people recording these activities are simply ignorant. We’ll dive into that in a minute.
According to a report on CNN, military bases worldwide can be easily identified on Strava’s Global Heatmap. This issue was first publicized on Twitter by Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts on Saturday:
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
Ruser went on to note that it wasn’t just US military bases, either. Rather, he claims to have identified Turkish and Russian military movements as well.
In the report published by CNN, Scott Lafoy, an open-source imagery analyst, said that it’s too early to determine if this data will pose a serious threat to the military. However, while we already knew where most of these bases were, seeing the movement of individuals within and around those bases could give away critical information. The data becomes even more dangerous if it isn’t actually anonymous, despite Strava’s claims.
“If the data is not actually anonymous, then you can start figuring out timetables and like some very tactical information, and then you start getting into some pretty serious issues,” LaFoy said.
According to CNN, “In response to inquiries about the Strava data, Pentagon spokeswoman Maj. Audricia Harris said, ‘DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.'”
“This is literally what 10,000 innocent individual screw-ups look like,” said Lafoy. He went on to explain that this is why operational security is so important.
Secret Military Bases Exposed
In addition to identifying personnel movements, some Twitter users claim to have identified the locations of rumored military bases, according to CNN:
“Twitter users have identified locations including a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and […] US special operations bases in the Sahel region of Africa. CNN cannot independently verify these claims. Known military sites like Diego Garcia in the Pacific Ocean and the Falkland Islands’ RAF Mount Pleasant also show activity.”
Pictured above is the Thule Air Base in Greenland. While the location of the base isn’t a secret, this area is blurred out on Google Maps, so you can’t really tell what’s there. However, on the Strava Heatmap you can see the road network of the base–data that isn’t widely available.
How to Keep this from Happening to You
While members of the military should be trained to be cognizant of the security concerns presented by uploading location data with apps like Strava and sharing it with the world, it’s more than likely that, as Lafoy put it, these are simply honest mistakes. For major bases, it’s even possible that civilian visitors have posted some of this data. While we shouldn’t judge too harshly, these errors are preventable.
So, how do you prevent yourself from giving away the location of a secret military base? Even if you aren’t in the military, how do you keep yourself from posting more information about your location and movements online than is recommended?
The answer: use Strava’s privacy settings wisely.
Tip #1: Setup a Privacy Zone
Every Strava user should have at least one or two privacy zones set: around their house, around their place of work, or perhaps the military base where they’re stationed. While originally you could only set one privacy zone on Strava, you can now set as many as you’d like.
To do this, navigate to the “Privacy” page in Strava’s settings section, or click here to access it directly. In the box that reads “enter address here,” enter the address for the desired center of your privacy zone. You can select the radius, ranging from 1/8 mile to 5/8 mile. Then save it.
Now, none of your activity will be displayed within that circle, even on activities that you have set to public.
Since you can set multiple privacy zones, if you want even more privacy you can feasibly create an even larger blacked out area by creating multiple zones so that the circles overlap. This would effectively black out an even a larger portion of the map. You can even feasibly create privacy zones to cover unofficial trails on the map, or anything else you don’t want displayed.
Tip #2: Turn on Enhanced Privacy
Enhanced Privacy Mode is a great tool to control who can follow you on Strava and consequently, who can see your activities. Using enhanced privacy, your activities will only be visible to “approved followers,” and you can choose to only approve people who are your friends in real life.
However, based on Strava’s initial Global Heatmap press release and their statement to CNN about the map, it seems likely that even if you have enhanced privacy turned on, activities set to “public” will be incorporated into the Global Heatmap, since Strava “anonymizes” the data. This is not the case for data included in privacy zones as in #1 or set totally private, as in #3.
Tip #3: Opt Out of Sharing Your Anonymized Data
Strava even provides a function to allow you to opt out of sharing your anonymized data. This function is located at the bottom of the privacy settings page, and unclick the checkbox box will prevent your data from being shared to the Global Heatmap and Strava Metro maps. However, if your profile is public, that doesn’t prevent people who follow you from seeing the data. To do that, you should consider making your activities private by default.
Tip #4: Make Your Activities Private by Default
Finally, if you actually are on a military base or you have real concerns about privacy, I highly recommend that you check the box on the settings page that says “make my activities private by default.” With this box checked, any activity that you record and quickly upload will… well, be set to private by default. If you’re using the Strava app, you can manually deselect the lock button at the bottom of the upload screen to upload an activity as public. You can also always login to Strava and switch a private activity to a public activity.
But with this setting checked, it will take an extra step to publicly share an activity with the world on Strava. This gives you the chance to ask yourself, “is it a good idea to share this GPS data with the world? What are the potential ramifications of this data being released?”
While perhaps very few mountain bikers could risk giving away the location of a secret military base, there are numerous examples of activities that should not be shared on Strava. If you’re breaking the law — which we don’t recommend — do not post about it on the internet. If there’s one rule of thumb that you should always live by, no matter who you are, this is it.
[see_also id=’232854′]
