
30/1/2018 Strava suggests military users 'opt out' of heatmap as row deepens | Technology | The Guardian

Strava suggests military users 'opt out' of heatmap as row deepens
Fitness-tracking company suggests secret army base locations were made public by users,
while militaries around world weigh up ban

Alex Hern
Mon 29 Jan 2018 10.46 GMT

Fitness-tracking company Strava has defended its publication of heatmaps that accidentally
reveal sensitive military positions, arguing that the information was already made public by
the users who uploaded it.

Following the revelations, militaries around the world are contemplating bans on fitness
trackers to prevent future breaches. As well as the location of military bases, the identities of
individual service members can also be uncovered, if they are using the service with the
default privacy settings.

The “global heatmap” shows, in aggregate form, every public activity uploaded to the app over
its history. In major cities, it lights up popular running routes, but in less trafficked locales it
can highlight areas with an unusually high concentration of connected, exercise-focused
individuals – such as active military personnel serving overseas.

In a statement, Strava said: “Our global heatmap represents an aggregated and anonymised
view of over a billion activities uploaded to our platform. It excludes activities that have been
marked as private and user-defined privacy zones.

“We are committed to helping people better understand our settings to give them control over
what they share,” the company said, sharing a blogpost from 2017 which detailed eight things
users can do to lock down their privacy on the service, including specifically opting out of the
global heatmap by unchecking a box in the settings page.

Strava added: “We take the safety of our community seriously and are committed to working
with military and government officials to address sensitive areas that might appear.”

While the heatmap only shows information in aggregate, Strava’s own website allows users to
drill down into the tracked runs to find the names of individuals, as well as the dates they set
their personal best times on particular runs.

When applied to military bases, that information can be extremely sensitive. The leaderboard
for one 600m stretch outside an airbase in Afghanistan, for instance, reveals the full names of
more than 50 service members who were stationed there, and the date they ran that stretch.
One of the runners set his personal best on 20 January this year, meaning he is almost certainly
still stationed there.

In Djibouti’s Chabelley Airport, used as a staging ground for US Air Force drones, three runners
have completed a 7km loop of the runway – two in December 2014, and one two years later in
August 2016. At least one of them is no longer based there: their running profile shows they
were transferred to an air base in Germany in 2016.

The Pentagon said on Monday it was reviewing whether it needed to bolster its security
protocols. “The Department of Defense takes matters like these very seriously and is reviewing
the situation to determine if any additional training or guidance is required,” the Pentagon said
in a statement, without directly confirming that U.S. troops had used the fitness trackers.

The Australian military said it was considering taking action to prevent further security
breaches, according to a report from the Australian Associated Press. Australia Defence
Association spokesman Neil James said any devices that record or transmit should be left at
home on deployments. “In World War II, all you had to do was censor people’s letters so they
didn’t inadvertently tell someone at home something they shouldn’t,” he told AAP.

The US Marines have had clear policies on the use of “personal wearable fitness devices” on
base since 2016. Such devices are prohibited “if they contain cellular or wifi, photographic,
video capture/recording, microphone, or audio recording capabilities.” The policy notes that
“merely disabling the cellular, camera, or video capability is not sufficient”.

But it does allow such devices if they don’t contain those features, and explicitly mentions that
devices with bluetooth connectivity and a GPS tracking function may be used on base, and it
contains no specific ban on uploading that information. Those features are what allow apps like
Strava to create personalised maps of historic activity.

The number of sensitive establishments known to be visible on the Strava heatmap continues
to grow, as security analysts continue to scour the map.

In Pyongyang, North Korea, a popular riverside running route glows brightly – as does the
embassy compound in the Munsu-Dong neighbourhood, to the east of the city centre, home of
the British, German, Polish and Czech embassies.

https://www.theguardian.com/technology/2018/jan/29/strava-secret-army-base-locations-heatmap-public-users-military-ban 2/4

Camp Lemonnier (top right), and a suspected CIA base (bottom left) in Djibouti. Photograph: Strava heatmap

Outside Djibouti City, US base Camp Lemonnier is clearly visible. The United States Naval
Expeditionary Base from which drone strikes in Yemen and Somalia are launched is marked
out by the exercise regimes of thousands of US servicemen and women. But almost as visible,
to the southwest of Camp Lemonnier, is a smaller base, unmarked on maps but ringed by
inhabitants running circuits of the external walls. The compound appears to be a CIA “black
site”, first publicly named as such by analyst Markus Ranum just a week before the heatmap
confirmed its activity:

The headquarters of GCHQ, in Cheltenham, England, are just one of the sensitive sites to be
crisscrossed with GPS activity, suggesting that spies and intelligence analysts are recording and
uploading their commutes or lunchtime runs:

GCHQ in Cheltenham, England. Photograph: Strava heatmap

Similar activity can be seen around the CIA headquarters in Langley, Virginia:


The George Bush Center for Intelligence in Langley, Virginia. Photograph: Strava heatmap
