People who exercise with fitness trackers have a digital record of their workouts. They do it for a wide range of reasons, from gathering serious medical data to simply satisfying curiosity. When fitness data includes GPS coordinates, it raises personal privacy concerns. But even with individual identities removed, the aggregate data was still informative enough to spill the beans on secretive facilities around the world.
This past weekend, [Nathan Ruser] announced on Twitter that Strava’s heatmap also managed to highlight exercise activity by military/intelligence personnel around the world, including some suspected but unannounced facilities. More worryingly, some of the mapped paths imply patrol and supply routes, knowledge that security officers would prefer not be shared with the entire world.
This is an extraordinary blunder which very succinctly illustrates a folly of the Internet of Things. Strava’s anonymized data sharing obfuscated individuals, but didn’t manage to do the same for groups of individuals… like the fitness-minded active duty military personnel whose workout habits are clearly defined on these heat maps. The biggest contributor (besides wearing a tracking device in general) to this situation is that the data sharing is enabled by default and must be opted out of:
“You can opt-out of contributing your anonymized public activity data to Strava Metro and the Heatmap by unchecking the box in this section.” —Strava Blog, July 2017
We’ve seen individual fitness trackers hacked and we’ve seen people tracked through controlled domains before, but the global scope of [Nathan]’s discovery puts it in an entirely different class.
[via Washington Post]
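The failure described above is that the release hides who was at a location but not how few people were: a cell crossed sixty times by two people looks as hot as a street crossed once by sixty people. As an added illustration (not Strava’s code; tracks are constructed and the 100 m grid is an assumption), here is a toy version of that aggregation next to a variant that releases a cell only when at least k distinct contributors touched it:

```python
from collections import Counter, defaultdict

CELL_DEG = 0.001  # grid cell size in degrees, roughly 100 m at mid latitudes (assumed)


def cell_of(lat, lon):
    """Snap a coordinate to the grid cell it falls in."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))


def naive_heatmap(points):
    """Drop user ids and count activity per cell.
    This hides *who*, but a cell crossed 60 times by two people and a cell
    crossed once by 60 people end up with the same count."""
    counts = Counter()
    for _user, lat, lon in points:
        counts[cell_of(lat, lon)] += 1
    return counts


def thresholded_heatmap(points, k):
    """Same counts, but a cell is released only if at least k distinct
    users contributed to it; low-diversity cells are withheld."""
    counts = Counter()
    contributors = defaultdict(set)
    for user, lat, lon in points:
        cell = cell_of(lat, lon)
        counts[cell] += 1
        contributors[cell].add(user)
    return {cell: n for cell, n in counts.items() if len(contributors[cell]) >= k}


def suppressed_cells(points, k):
    """Cells the naive map would publish but the k-contributor rule withholds:
    an audit of what an aggregate release would have exposed."""
    return set(naive_heatmap(points)) - set(thresholded_heatmap(points, k))


def track(user, lat, lon, steps, dlat, dlon, repeats=1):
    """Constructed straight-line activity, repeated `repeats` times."""
    return [(user, lat + i * dlat, lon + i * dlon)
            for _ in range(repeats) for i in range(steps)]


# Constructed sample data (not real tracks): a city street used once each by
# twelve people, and a remote perimeter loop run daily by only two people.
CITY = [p for u in range(12)
        for p in track(f"civ{u}", 40.000, -74.000, 5, 0.001, 0.0)]
REMOTE = (track("mil1", 33.000, 44.000, 6, 0.0, 0.001, repeats=30)
          + track("mil2", 33.000, 44.000, 6, 0.0, 0.001, repeats=30))
POINTS = CITY + REMOTE

if __name__ == "__main__":
    # The remote loop dominates the naive map; the k=3 rule withholds it.
    print("hottest cells in the naive map:", naive_heatmap(POINTS).most_common(3))
    print("cells withheld at k=3:", sorted(suppressed_cells(POINTS, 3)))
```

The threshold is a minimum, not a guarantee: with k=2 in this data every remote cell is still published, so the cut-off has to be chosen against the smallest group one is willing to expose.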
79 thoughts on “Opt-Out Fitness Data Sharing Leads To Massive Military Locations Leak”
It gets tiring being called a tinfoil hat just because one respects on principle one’s own privacy and that of others.
Aside from perhaps the old OpenMoko line of phones or the stuff we make and program for ourselves, what electronic devices are built with the intention of working primarily and exclusively for us and not to and-also drop a few kernels of corn back to the manufacturer on a regular basis to sweeten their post-sale?
There have been and hopefully always will be devices like walkie talkies and one-way pagers which by design have no good profitable pathway for a manufacturer to get them to turn against the user.
But for networked stuff the best we seem to get now is an unlocked bootloader which permits custom builds of Android with reasonable security and no gapps.
There are more possibilities, Linux, Minix, BSD, if we are talking watches there is the RebbleOS for Pebble watches.
Reflashing is cool and fun, but I would love to be able to buy with full support a real FOSS laptop, phone, tablet, watch, and other devices where I, by design, can get under the hood and hack; perhaps voiding the warranty at some point, but where it is easy and where security and privacy have already been addressed, and perhaps even calculated into the price.
How would it feel to click OK to a shrinkwrap agreement which signs away any rights of the manufacturer to spy on me and report back, instead of giving up my rights?
It comes down to a battle between MBAs trying to squeeze those last few % points from as many consumers as possible for the company and taking a bonus from that, rather than a mythical invisible hand of the market always providing the best possible consumer items.
There are community designed projects, but once business smarts buy or enter the startup the result is almost always how to squeeze the customer and provide them the minimal experience that will still get them to part with their money.
I believe there is a market for networked electronics which do not by design spy on and act against me; there is money to be made by someone brave enough to address this market. It is mostly just paying the price to get FOSS drivers written for speced hardware and then the apps to bypass predatory social media and obfuscate ubiquitous tracking.
Minix? You sure?
When someone secretly slips somewhat or even completely free software inside hardware or software packages it is an attack on the user.
Minix3 on its own is a great OS, though giving it away the way it is now enables bad actors like Intel to abuse its power by denying access to the actual owner of the hardware, the end user.
How is using completely free software denying access to the actual owner of the hardware worse than using paid-for software, or custom-built software to do the same? An OS is not a magic thing that only thaumaturges can write. :D
And they’re not denying access. You can access your own computer using IMM, just like anyone else.
They did not even abuse their power, because Tanenbaum made Minix completely free for anyone to use, corporate or private.
What they did do, is to obscure what they did as much as possible. Security through obscurity. Well. That type of security only works up until the obscurity breaks. And from that moment on, all security is rendered useless for all devices that contained that type of security, up until the very first produced device.
No attack on the user. Just simply the arrogance of a manufacturer.
I feel your pain.
Perhaps the best tactic now is to let them think the spying is working and simply null route the whole telemetry.
And fill the pipe with fake info if you can.
But even so, that will only work in a tiny percent of the cases I fear :/
Funny story, one time I blocked Google’s IP’s and then tried to go to google.com and lo and behold it worked, turned out windows nicely rerouted to use the damn IPv6 Google site…. Showing you can’t trust your efforts to be working even if you think you went radical.
“And fill the pipe with fake info if you can.”
The VLF radio messages sent to US submarines are kept busy with front page news and sports scores. That way if an “event” is transpiring, there won’t be a corresponding increase in (encrypted) data to alert the unfriendlies.
VLF busy? A better word would be occupied – the data rate is more snail slow than bee busy.
There needs to be an app that does just that feeds the trackers bogus data.
This pretty much describes companies like Google these days.
haha best comment ever
Well, yes there’s an argument to be made for such transparency… but business and government don’t want to hear about it.
There’s, I think, a stronger argument to be made for not buying and using every shiny new thing without understanding what it does. Did those individuals, or the military/intelligence communities NOT understand the implications of cloud-sourcing personnel movements? Then again, you can gain much the same intel by directly observing the chiseled, buff Americans jogging around the streets of a foreign capital.
Next up – operatives outed by their likes on the CIA’s Facebook page.
Heatmap, that isn’t even in the spelling checker. What an obfuscated way of saying Tracking! Add that buzz word to backstory and takeaway, (which are in the spelling checker) to flush.
I thought they learned during desert storm not to let GPS get tagged to any other media.
a heatmap (or heat map, with a space) is a thing and it’s more than just “tracking”.
It’s generically a way to indicate a third ‘axis’ of data onto a 2-d representation; in this case, the basic 2-d map of GPS location is overlaid with the frequency that the location has been on. So not an obfuscated way of saying tracking, just perhaps a specialised term that was not in your lexicon.
I’ve come across some very common English words that were missing from my spellcheck.
To name a few: trebuchet chipsets clusterfuck fresnel deniability supercritical overclocking pissant dopants snarky willy-nilly deburred collider
Also, ‘spellcheck’ as one word
Fresnel refers to Augustin-Jean Fresnel, and should be capitalized.
My Oxford dictionary has fresnel lens in lower case, and so is ‘watt’ when describing the unit, however it capitalizes Fahrenheit for some reason, whereas coulomb is lower case but ‘Coulomb’s law’ is upper case.
I’m not sure what the convention is now, but I’ll go and assume the Oxford dictionary people have more knowledge on it and it’s alright to go with lower case fresnel while at the same time it also being OK to use upper case.
“Fresnel lens” would indicate Fresnel owns the lens himself, so common case is used when describing the lens( I there’s no “‘s” but you already know people are weird). “Watt” and “watt” are, similarly, person and measure respectively. Fahrenheit, Centigrade/Celsius, and Kelvins to keep from frequency, cent( currency/math/measure), and kilo. “Coulomb’s Law” is a proper noun with possession but “coulomb” is a measure. In short, it’s meant to reduce confusion in units of measures and standards.
Interesting Rollyn01, but what it comes down to is that the spellcheck has to allow lower case then to cover the occasions where such is appropriate.
Actually I found two more interesting aspects of that map, areas where never people go that are in populated zones, and areas that don’t have a lot of roads on google maps but have heat trails all over them. The second is easier to explain.
My nephew attends high school in a major metropolitan area. He uses G..gle Maps everyday to get to school. It will route him around traffic slowdowns (as detected by G..gle users on the road).
It’s not Bloody Mary. Saying “Google” three times in a post won’t make Larry Page crawl out of your monitor and read your mail.
Just a leftover from my F*c****k days, where they did read your comments and homed in on any use of their name.
Bwahhahahaha! You win the Internets today.
If that happened I’d probably do this.
Well duh, it’s the guys in the black van opposite your window that does!
It’s kinda funny seeing the heat map including someone going through Area 51.
But seriously, this gives a lot more insight into lives than you might think. I’ve seen that a few of my neighbors have these trackers; it leads right to their doors. I can see ferry crossings over Lake Michigan, main thoroughfares through my city, I can see what people might think is their own personal fishing holes, I can see what circle tracks are popular for runners, I’m seeing what I’m guessing are players’ tracks on ball fields, I can see how people move about their own houses even.
It’s almost like ctOS is inching closer to being a real thing. Imagine what insurance companies could use this data for, for example. You have a heatmap of someone who works at a pizza joint. You can see what houses they frequent. Guess what, now you know they order a lot of delivery and you can up the cost, a page right out of Watch_Dogs. It’s like a train wreck going over the data, I can’t look away.
How much detail of Area 51 is in the data?
Not much. Just one line coming off the 375, through the East entrance, down the main drag, and oddly stopped in the middle of a road. Secret entrance? *puts on shiny hat*
the individual was snuffed out by security forces.
His fitbit would also have had to be snuffed out then.
Much more likely the guy was abducted by a UFO, we’re talking Area 51 right?
There are studies using location data. Quite enlightening. Also autonomous cars need excellent maps so people are using cellphone data to update maps.
I’m sure those leakers of military secrets will be punished to the fullest extent.
Depends on whether or not they were allowed to have the devices. If they were allowed the devices then a new directive will be issued banning the use of such products and lessons will be learned. The current military atmosphere is about as far from Draconian as possible. It’s a kinder, gentler, military now.
But slightly dumber, too, if they hadn’t figured out the implications of such data on the ‘cloud’. Don’t they read the briefings from the NSA?
You assume too much. There is a reason that military intelligence may be considered an oxymoron. Also most people do not think about their actions in more than the immediate context.
From my experience the military is like the government most times in that it is filled with bureaucracy and is mostly reactionary.
“reactionary” may not mean what you think it means…
So who’s forwarding this to Risks Digest then?
I find it amusing; from a tinfoil hat enthusiast’s standpoint; it makes a change for the spying to be the other way around. There’s some irony in there somewhere.
No loss then, since it’s only used by people into fitness. Hand me that beer and the danish will ya?
I hope the person handing you the beer or danish isn’t wearing one… or so on throughout your day.
No it’s not; it’s just understanding the risks produced by consumer technology. And what’s stopping the military from having their own version of the fitness devices, transmitting to their own fitness ‘cloud’, that isn’t available to the general public?
Defense contracting for any device that operates according to MILSPEC will make up the bulk of the devices’ cost. This also makes it too expensive to make such a simple device. With this going on, it would be even more expensive just to implement greater security.
I expect the military and certain industries will soon ban their use on security concerns.
Really wearing something that tracks your every movement and reports it to some remote server is just stupid anyway.
*sets cellphone on fire*
Samsung already had you in mind with the Note 7
In Sweden we had a court case where a murderer who claimed he was asleep all night had a fitbit telling that he was moving very slowly, but with a very high heart rate, down to the lake where they found the body, in the middle of the night when he was supposed to sleep…
An insider deal court case in Denmark where the defendant claimed to have never met with the CEO of a contractor building time shares in Spain, and that his signature had been faked, but cell tower logs showed that he had been visiting the contractor at the exact date and time of signing.
You’d figure he would have had enough sense to have taken it off or put it on the dog.
Heh. Wonder if this is why apple phones have the FM turned off!
FM radio has a bunch of advertisers that are not going through Apple’s money stream, and “we” can’t have that now, can we?
Also, FM radio on phones uses the headphone wire as antenna
Headphone wires need a headphone port….
Maybe that’s why Apple removed it, to be extra sure.
Newer iPhones use a wireless antenna port.
China and Russia take note!
Don’t forget North Korea! A quick look at the Strava map shows surprising amounts of activity, and I doubt it is Kim Jong-Il himself that is out for a jog, particularly not those tracks out in – seemingly – the middle of nowhere.
And strangely enough, there’s even track crossing the border!
This only touches on fitness trackers, you do realize Google does it by wifi, your phone is doing this constantly and some phones have been banned from the US for the same. The key is likely where the datum is being shipped back to. Every single device we have become dependent on does this.
Take away your devices, go full foily (never go full foily), wifi can be used independently (think one device only, just the router itself) to map inside the building it is installed in. Literally wifi itself is a tracking device https://w w.activistpost.com/2017/05/new-wifi-tech-can-see-walls-map-inside-building-20-30-seconds.html Notice the missing W, in www.
Worrying about a fitness tracker is pretty far down the line of actual threats to privacy. There is good reason Comcast is giving away ‘free’ wifi in their new routers that drop xfi hotspots anyone can log into if they have Comcast.
I have to admit I get a solid chuckle from the bottom of my belly seeing how upset / worried people are connecting the dots of a slim margin of the tracking tech employed in at-will fitness trackers. The above tin foil excursion doesn’t even call out red light cameras, networked cctv feeds, intersection cameras (look up at intersections, you are in the center of multiple cameras at about 70% of major intersections in Chicagoland; it’s all networked). If you can imagine it, it has been done. But let’s maybe ponder the unseen 99% of the iceberg instead of just the tip so to speak.
That site you pseudo-linked describes itself thus: “Latest alternative news from independent journalists around the world”. The front page currently has an article about chemtrails. You’re not doing your argument any favors by using that site to back it up.
Fair point, the original article I saw was on HaD itself. Wifi mapping. TBH I did not bother looking for a reputable site because I figured everyone would remember it from here.
I beg forgiveness and am not trying to spread chemtrail shenanigans
Still looking for the specific breakthru, this is it I think. Not finding the post I was thinking of yet.
I believe this is as ‘reputable’ as I can achieve without effort. http://rfcapture.csail.mit.edu/
The CIA tracks people in Pakistan that don’t have a cellphone or who turn it off. They consider it a suspicious telltale sign.
Now in a similar vein, if you have areas that are phone-data-blank you could also figure there would be a US base at that spot then. Especially if it’s in an area where there is activity/buildings spotted or where there is data-activity all around it.
Nah. They have a bot that simulates traffic to cover the mil zone; 419 scams, bitcoin mining, pr0n-surfing, reddit, online gambling, herbal ‘remedies’…
You seem to have some expertise from that list. I think I’m starting to suspect you to be in some related business now O_o.
Well, time to move all the secret sites.
Put em on wheels. Call it an RV.
On the upside, the heat map is great to discover unmapped shortcuts through neighborhoods. Time to mix up my Sunday walk :-)
If they knew what Strava meant in certain Slavic languages, they would not be using it in the first place …. Hahaha …
Please elaborate for the less enlightened. I can only find ‘diet’, ‘straw’, and ‘awesome,’ which don’t seem *that* funny.
Perhaps they should have a Furby in their pocket, too.
One solution would be to spoof the civilian GPS at the bases with erroneous signals making them think they’re in a location hundreds of miles away, but this would be costly.
But the most logical and easiest course of action would be to simply ban the use of devices that transmit information like this at military installations.
What’s up with the huge “C” in Antarctica? It’s interesting to see what is going on in northern Canada, too. Some really lonely joggers up there!
I can relate. Do you think there are certain dangers to the civilian mapping these sites?
There is a massive pentagon in the middle of the Nevada desert that looks like a tiny perfectly laid out city.
It’s burning man!
The bases were only secret from the US taxpayer. The enemies knew where they were the entire time and just used Google Earth to get the layouts. And they know the supply lines as well, just not the timing. This is a classic example of how classification often doesn’t really protect much. In Moynihan’s book “Secrecy” he tells of how Soviet negotiators at the SALT talks sent their aides out of the room when the US was describing what it knew about Soviet missiles. The aides weren’t allowed to know such details about their own weapons systems.
It’s like Google using HTTPS so ‘they’ can’t find out your secrets.