Fitness fad could pose military security risk

A fitness tracking app that maps people’s exercise habits could pose security risks for security forces around the world.

Strava, which bills itself as “the social network for athletes” and allows its users to share their running routes, released a newly updated global heatmap last November. But experts and keen observers have recently realized its potential to reveal location patterns of security forces working out at military bases in remote locations.

Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts, noted on Twitter on Saturday that the map made US bases "clearly identifiable and mappable."

"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away," Ruser tweeted.

In a post about the update in November, Strava said the update would include "six times more data than before -- in total one billion activities from all Strava data through September 2017." Strava boasts "tens of millions" of users, and according to the company, marked three trillion latitude/longitude points on the updated map. It tracks location data using GPS from FitBits, cellphones, and other fitness tracking devices.

In response to inquiries about the Strava data, Pentagon spokeswoman Maj. Audricia Harris said "DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad."

Ten thousand screw-ups

Scott Lafoy, an open-source imagery analyst, told CNN it's too early to truly assess how useful the data is.

"In terms of strategic stuff, we know all the bases there, we know a lot of the positions, this will just be some nice ancillary data," said Lafoy.

From the site, it's possible to identify individuals' running routes, and around military bases users had posted profile photos of themselves wearing military uniforms.

Tracking the timing of movements on bases could provide valuable information on patrol routes or where specific personnel are deployed, Lafoy said.

It could also pose a danger for government officials posted in dangerous locations, like diplomats, who may not be in as secure locations as military personnel.

"If the data is not actually anonymous, then you can start figuring out timetables and like some very tactical information, and then you start getting into some pretty serious issues," LaFoy said.

Strava said in a statement to CNN that the company is "committed to helping people better understand" its privacy settings.

"Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones," the statement said.

Regardless of the data's usability, the fact that it's out there shows a lapse in protocol, one that likely has the potential to cost information and operation security personnel their jobs, Lafoy said.

"This is literally what 10,000 innocent individual screw-ups look like," he said. "A lot if it is going to be a good reminder to security services why you do opsec (operational security) and why you do manage this sort of thing, and everyone is going to really hope it doesn't get a couple people killed in the meantime."

Limiting public profiles

When zoomed out, the heatmap shows more populated and developed parts of the world nearly completely lit up. Remote areas and conflict zones are darker, but eagle-eyed observers have noticed small lights in some of the areas, potentially identifying military personnel.

Twitter users have identified locations including a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and US special operations locations include a suspected CIA base in Somalia, a Patriot missile defense system site in Yemen and US special operations bases in the Sahel region of Africa. CNN cannot independently verify these claims. Known military sites like Diego Garcia in the Pacific Ocean and the Falkland Islands' RAF Mount Pleasant also show activity.

Multiple airports in Somalia show circles around airfields in the city. "Heavy jogging" at the airport in the capital of Mogadishu was spotted earlier by The Daily Beast's Adam Rawnsley.

The US Department of Defense said in response to the Strava data that "annual training for all DoD personnel recommends limiting public profiles on the internet, including personal social media accounts."

"Furthermore, operational security requirements provide further guidance for military personnel supporting operations around the world. Recent data releases emphasize the need for situational awareness when members of the military share personal information," said Pentagon spokeswoman Harris.