GPS, Smartphones and Operational Security – is Strava the only problem?
The recent hullabaloo over the Strava heatmap reminded me of a strange case from a few years ago…
If you have any kind of interest in GPS, fitness apps, unusual maps or just technology news then you were probably at least vaguely aware of a story about the fitness app Strava and some analysis of the heatmap they published last month. This publicly-viewable heatmap of anonymised user data isn’t new – but the last update was from 2015 data. The 2017 data release included over 1 billion activities and 10 terabytes of raw data. The total distance clocked up was 27 billion km – 180 times the distance from the Earth to the sun. It’s an impressive piece of user-generated information and it’s quite good fun to see which are the most popular routes to the summit of Snowdon, or the tracks made by people swimming, kayaking or SUP’ing in Llyn Padarn.
There’s also potentially a bit of a security risk – but that’s something I’ve got prior experience of, and it’s still a potential problem for those who work in ‘sensitive’ areas of the world.
The security issues raised over the Strava heatmap started off with Nathan Ruser, an analyst with the Institute for United Conflict Analysts:
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
If soldiers use the app like normal people do, by turning on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2
— Nathan Ruser (@Nrg8000) January 27, 2018
Strava is arguably the most popular fitness app in the world, and members of the armed forces are no strangers to running, cycling and swimming to keep fit for their roles at work. It’s no surprise that many of them around the world (both on deployment and at home bases) use the app in the same way every other user does (me included). It’s almost certain that nobody in those roles is using Strava on operations, but running around the perimeter track of the base you’re deployed to is probably OK, right?
Well… although the data in the Strava heatmap is anonymised it does show the outline of that perimeter track. And all of the other tracks, and the access paths between accommodation blocks and admin areas. On bases that sometimes aren’t meant to exist, at least not officially. It’s something that the military forces of the world have probably been vaguely aware of, but it looks like it hasn’t been raised as a specific operational security (opsec) issue until now. I would put good money on there having been some rapid editing of operational procedures with regards to apps, smartphones and how those working and training in operationally-sensitive areas handle their own data. Knowing that the running app on your phone is going to share your movements with the enemy is something of a sobering thought. Strava have released a statement about the issue, and some advice for military personnel.
It’s not just fitness apps – a lot of people are surprised when I show them this link – if you have a Google account (all Android phone users and most of the western world probably do) then there is a good chance your daily position is being logged and uploaded to the Google servers. They even let you see your own personal location timeline – HERE.
But it’s not just smartphones and Strava – there’s another problem
This whole story reminded me of something that happened with a client of ours a few years ago. It has been long enough, and the story anonymous enough, for me to share it here – especially as it is probably still an overlooked opsec issue.
The advertised public courses on the Original Outdoors site probably only make up 40% of what we actually do. The rest is private training, consultancy and working with individuals and organisations to do something specific. A lot of that work doesn’t make it to the blog or our social media pages because we work under confidentiality agreements and our respect for the privacy, commercial sensitivity and sometimes opsec of those clients. We have worked with private military and security contractors on various things over the years, and more than once that work has involved GPS devices and navigation training.
There was one training session where I worked with a small group, all seasoned contractors with military backgrounds who had been deployed to combat areas several times with their previous and current employers. I was about to deliver a session on GPS use and particularly the difference between routes, tracks, POIs and waypoints. One of the contractors handed me his GPS device – a Garmin model with no external connectivity – just an SD card and a port for attaching a data cable. Whilst scrolling through the menu screens and showing the rest of the group we discussed the relative merits of a standalone GPS versus a smartphone with a GPS/mapping app. The opinion of the group was that ‘dumb’ devices that didn’t transmit data to the wider world were more secure and ‘safer’ than smartphones.
Then I opened up the track history of that particular device.
There were several recorded tracks from the country the contractor had recently worked in, including from their base of operations out to various work sites on oil pipelines. Plus a long one that led from their compound to an airport, then another airport, then back to the UK.
Then along several motorways until it arrived at the contractor’s house. Where it squiggled around a bit whilst the GPS hunted for a signal until the battery died – presumably in their kitbag, forgotten until they next went to work.
This wasn’t from their most recent deployment either – they had more recent tracks, both ‘in-country’ and at home in the UK.
Leaving your home address on the battlefield
Can you imagine what was going through that person’s head, realising that they had been carrying a map to their home (and family) around in a device strapped loosely to their belt or their chest rig?
They probably went through a ritual every time they left the gate of the compound to make sure they were as anonymous as they could be, and to separate their work life from their home life as much as they possibly could. They were very careful in how they used social media, and followed strict guidelines from their employer and colleagues about maintaining operational security – all whilst carrying around a map leading directly to everything they held dear in life.
As you would expect, this led to a discussion about deleting tracklogs from GPS devices and a greater understanding of exactly what information their GPS was gathering. I know that particular company has changed their procedures following that training session, and I make it part of the regular briefings when working with similar clients. I now have to mention Strava and fitness apps too I suppose…
It’s very similar to the Strava heatmap issue – a device of convenience being a little too convenient, and the data it gathers giving away more than you would like it to. Just like the Strava problem it can be avoided by understanding the technology used, and diving into the settings of the device to make sure it is only recording your position when you need it to, and that, if it is sharing your location with the wider world, you turn that off.
The Simple Advice
If you’ve read through this blog post and are wondering if it’s something that might affect you then here is the simple advice I give to clients when the subject comes up:
- If it’s a device that doesn’t transmit anything (most GPS devices without wifi or a SIM card slot) then make sure that you start and stop any track logs, don’t just let them run continuously
- If the device transmits information (smartphones, newer GPS devices, smartwatches etc) then pay careful attention to all of the settings of the app/device you are using. Most have the facility to turn off location sharing, or opt out of sharing anonymised location data
- Be aware of apps running in the background that could be sharing your location – like Google Maps (see your location timeline here)
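To make the first point checkable rather than a matter of memory, here is an added example (my own, not from the original post) that audits the GPX 1.1 track files a handheld GPS stores on its card: it reports how long each track ran and whether any point falls within a set radius of a labelled private location such as home. The private-site coordinates and the sample GPX are constructed placeholders, and the radius is an assumption you would tune for your own situation.

```python
# Added example: audit GPX track logs for the failure mode described in the post,
# a log left running that links work sites to home. All coordinates are constructed.
import math
import xml.etree.ElementTree as ET
from datetime import datetime

GPX_NS = {"g": "http://www.topografix.com/GPX/1/1"}

# Constructed placeholder for a location that must never appear in a track log.
PRIVATE_SITES = {"home": (51.5000, -3.2000)}

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def audit_gpx(gpx_xml, radius_m=500):
    """One finding per <trk>: name, hours recorded, private sites within radius_m."""
    findings = []
    for trk in ET.fromstring(gpx_xml).findall("g:trk", GPX_NS):
        pts = trk.findall(".//g:trkpt", GPX_NS)
        stamps = [datetime.fromisoformat(t.replace("Z", "+00:00"))
                  for t in (p.findtext("g:time", namespaces=GPX_NS) for p in pts) if t]
        hours = (max(stamps) - min(stamps)).total_seconds() / 3600 if stamps else 0.0
        # A log spanning many hours is the "forgot to stop it" pattern from the post.
        touched = sorted({label for p in pts for label, (lat, lon) in PRIVATE_SITES.items()
                          if haversine_m(float(p.get("lat")), float(p.get("lon")), lat, lon) <= radius_m})
        findings.append({"track": trk.findtext("g:name", default="(unnamed)", namespaces=GPX_NS),
                         "hours": round(hours, 1), "private_sites": touched})
    return findings

# Constructed sample: a short run that was stopped, then a log left running from a
# work site through an airport to a point a few metres from "home".
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed" xmlns="http://www.topografix.com/GPX/1/1">
 <trk><name>perimeter run</name><trkseg>
  <trkpt lat="0.0100" lon="0.0100"><time>2018-01-10T06:00:00Z</time></trkpt>
  <trkpt lat="0.0150" lon="0.0150"><time>2018-01-10T06:45:00Z</time></trkpt>
 </trkseg></trk>
 <trk><name>unstopped log</name><trkseg>
  <trkpt lat="0.0100" lon="0.0100"><time>2018-01-12T05:00:00Z</time></trkpt>
  <trkpt lat="51.4700" lon="-0.4500"><time>2018-01-12T16:00:00Z</time></trkpt>
  <trkpt lat="51.5001" lon="-3.2002"><time>2018-01-12T20:30:00Z</time></trkpt>
 </trkseg></trk>
</gpx>"""
```

Run `audit_gpx()` over every GPX file copied off the device before a deployment; any track that touches a private site, or that ran for many hours, is one to delete from the device rather than carry back out of the gate.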
Being careful with potentially sensitive information is nothing new to those working in the military and security fields – but as technology and the way we use it continues to evolve we need to be more vigilant about what we share – and also what is being shared by those who work with us.