Opt-Out Fitness Data Sharing Leads to Massive Military Locations Leak

People who exercise with fitness trackers have a digital record of their workouts. They do it for a wide range of reasons, from gathering serious medical data to simply satisfying curiosity. When fitness data includes GPS coordinates, it raises personal privacy concerns. But even with individual data removed, such data was still informative enough to spill the beans on secretive facilities around the world.

Strava is a fitness tracking service that gathers data from several different brands of fitness tracker — think Fitbit. It gives athletes a social media experience built around their fitness data: track progress against personal goals and challenge friends to keep each other fit. As expected of companies with personal data, their privacy policy promised to keep personal data secret. In the same privacy policy, they also reserved the right to use the data shared by users in an “aggregated and de-identified” form, a common practice for social media companies. One such use was to plot the GPS data of all their users in a global heatmap. These visualizations use over 6 trillion data points and can be compiled into a fascinating gallery, but there’s a downside.

This past weekend, [Nathan Ruser] announced on Twitter that Strava’s heatmap also managed to highlight exercise activity by military/intelligence personnel around the world, including some suspected but unannounced facilities. More worryingly, some of the mapped paths imply patrol and supply routes, knowledge security officers would prefer not to be shared with the entire world.

This is an extraordinary blunder which very succinctly illustrates a folly of Internet of Things. Strava’s anonymized data sharing obsfucated individuals, but didn’t manage to do the same for groups of individuals… like the fitness-minded active duty military personnel whose workout habits are clearly defined on these heat maps. The biggest contributor (besides wearing a tracking device in general) to this situation is that the data sharing is enabled by default and must be opted-out:

“You can opt-out of contributing your anonymized public activity data to Strava Metro and the Heatmap by unchecking the box in this section.” —Strava Blog, July 2017

We’ve seen individual fitness trackers hacked and we’ve seen people tracked through controlled domains before, but the global scope of [Nathan]’s discovery puts it in an entirely different class.

[via Washington Post]

79 thoughts on “Opt-Out Fitness Data Sharing Leads to Massive Military Locations Leak

  1. It gets tiring being called a tinfoil hat just because one respects on principle one’s own privacy and that of others.
    Aside from perhaps the old OpenMoko line of phones or the stuff we make and program for ourselves, what electronic devices are built with the intention of working primarily and exclusively for us and not to and-also drop a few kernels of corn back to the manufacturer on a regular basis to sweeten their post-sale?
    There have been and hopefully always will be devices like walkie talkies and one-way pagers which by design have no good profitable pathway for a manufacturer to get them to turn against the user.
    But for networked stuff the best we seem to get now is and unlocked bootloader which permits custom builds of Android with reasonable security and no gapps.
    There are more possibilities, Linux, Minix, BSD, if we are talking watches there is the RebbleOS for Pebble watches.
    Reflashing is cool and fun, but I would love to be able to buy with full support a real FOSS laptop, phone, tablet, watch, and other devices where I, by design, can get under the hood and hack; perhaps voiding the warranty at some point, but where it is easy and where security and privacy have already been addressed, and perhaps even calculated into the price.
    How would it feel to click OK to a shrinkwrap agreement which signs away any rights of the manufacturer to spy on me and report back, instead of giving up my rights?
    It comes down to a battle between MBAs trying to squeeze those last few % points from as many consumers as possible for the company and taking a bonus from that, rather than a mythical invisible hand of the market always providing the best possible consumer items.
    There are community designed projects, but once business smarts buy or enter the startup the result is almost always how to squeeze the customer and provide them the minimal experience that will still get them to part with their money.
    I believe there is a market for networked electronics which do no by design spy on and act against me, there is money to be made by someone brave enough to address this market. It is mostly just paying the price to get FOSS drivers written for speced hardware and then the apps to bypass predatory social media and obfuscate ubiquitous tracking.

      1. When someone secretly slips somewhat or even completely free software inside hardware or software packages it is an attack on the user.
        Minix3 on it’s own is a great OS though giving it away the way it is now enables bad actors like Intel to abuse it’s power by denying access to the actual owner of the hardware. the end user.

        1. How is using completely free software denying access to the actual owner of the hardware worse than using paid-for software, or custom-built software to do the same? An OS is not a magic thing that only thaumaturges can write. :D

          And they’re not denying access. You can acces your own computer using IMM, just like anyone else.

          They did not even abuse their power, because Tanenbaum made Minix completely free for anyone to use, corporate or private.

          What they did do, is to obscure what they did as much as possible. Security through obscurity. Well. That type of security only works up until the obscurity breaks. And from that moment on, all security is rendered useless for all devices that contained that type of security, up until the very first produced device.

          No attack on the user. Just simply the arrogance of a manufacturer.

    1. I feel your pain.
      Perhaps the best tactic now is to let them think the spying is working and simply null route the whole telemetry.
      And fill the pipe with fake info if you can.

      But even so, that will only work in a tiny percent of the cases I fear :/

      Funny story, one time I blocked Google’s IP’s and then tried to go to google.com and lo and behold it worked, turned out windows nicely rerouted to use the damn IPv6 Google site…. Showing you can’t trust your efforts to be working even if you think you went radical.

      1. “And fill the pipe with fake info if you can.”

        The VLF radio messages sent to US submarines are kept busy with front page news and sports scores. That way if a “event” is transpiring, there won’t be a corresponding increase in (encrypted) data to alert the unfriendlies.

    2. Well, yes there’s an argument to be made for such transparancy… but business and government don’t want to hear about it.

      There’s, I think, a stronger argument to be made for not buying and using every shiny new thing without understanding what it does. Did those individuals, or the military/intelligence communities NOT understand the implications of cloud-sourcing personnel movements? Then again, you can gain much the same intel by directly observing the chiseled, buff Americans jogging around the streets of a foreign capitol.

      Next up – operatives outed by their likes on the CIA’s Facebook page.

  2. Heatmap, that isn’t even in the spelling checker. What an obfuscated way of saying Tracking! Add that buzz word to backstory and takeaway, (which are in the spelling checker) to flush.

    I thought they learned during desert storm not to let GPS get tagged to any other media.

    1. a heatmap (or heat map, with a space) is a thing and it’s more than just “tracking”.
      https://en.wikipedia.org/wiki/Heat_map

      It’s generically a way to indicate a third ‘axis’ of data onto a 2-d representation; in this case, the basic 2-d map of GPS location is overlaid with the frequency that the location has been on. So not an obfuscated way of saying tracking, just perhaps a specialised term that was not in your lexicon.

    2. I’ve come across some very common English words that were missing from my spellcheck.

      To name a few: trebuchet chipsets clusterfuck fresnel deniability supercritical overclocking pissant dopants snarky willy-nilly deburred collider
      Also, ‘spellcheck’ as one word

        1. My Oxford dictionary has fresnel lens in lower case, and so is ‘watt’ when describing the unit, however it capitalizes Fahrenheit for some reason, whereas coulomb is lower case but ‘Coulomb’s law’ is upper case.
          I’m not sure what the convention is now, but I’ll go and assume the Oxford dictionary people have more knowledge on it and it’s alright to go with lower case fresnel while at the same time it also being OK to use upper case.

          1. “Fresnel lens” would indicate Fresnel owns the lens himself, so common case is used when describing the lens( I there’s no “‘s” but you already know people are weird). “Watt” and “watt” are, similarly, person and measure respectively. Fahrenheit, Centigrade/Celsius, and Kelvins to keep from frequency, cent( currency/math/measure), and kilo. “Coulomb’s Law” is a proper noun with possession but “coulomb” is a measure. In short, it’s meant to reduce confusion in units of measures and standards.

  3. Actually I found two more interesting aspects of that map, areas where never people go that are in populated zones, and areas that don’t have a lot of roads on google maps but have heat trails all over them. The second is easier to explain.

    1. My nephew attends high school in a major metropolitan area. He uses G..gle Maps everyday to get to school. It will route him around traffic slowdowns (as detected by G..gle users on the road).

  4. It’s kinda funny seeing the heat map including someone going through Area 51.

    But seriously, this give a lot more insight into lives then you might think. I’ve seen that a few of my neighbors have these trackers, leads right to their doors. I can see ferry crossings over Lake Michigan, main thoroughfares through my city, I can see what people might think is there own personal fishing holes, I can see what circle tracks are popular for runners, I’m seeing that what I’m guessing are player’ss tracks on ball fields, I can see how people move about their own houses even.

    It’s almost like ctOS is inching closer to being a real thing. Imagine what insurance companies could use this data for, for example. You have a heatmap of someone who works at a pizza joint. You can see what houses they frequent. Guess what, now you know they order a lot of delivery and you can up the cost, a page right out of Watch_Dogs. It’s like a train wreck going over the data, I can’t look away.

    1. Depends on whether or not they were allowed to have the devices. If they were allowed the devices then a new directive will be issued banning the use of such products and lessons will be learned. The current military atmosphere is about as far from Draconian as possible. It’s a kinder, gentler, military now.

        1. You assume too much. There is a reason that military intelligence may be considered an oxymoron. Also most people do not think about their actions in more than the immediate context.

          From my experience the military is like the government most times in that it is filled with bureaucracy and is mostly reactionary.

    1. No it’s not; it’s just understanding the risks produced by consumer technology. And what’s stopping the military from having their own version of the fitness devices, transmitting to their own fitness ‘cloud’, that isn’t available to the general public?

      1. Defense contracting for any device that operates according to MILSPEC will make up the bulk of the devices’ cost. This also make it too expensive to make such a simple device. With this going on, it would be even more expensive just to implement greater security.

    2. I expect the military and certain industries will soon ban their use on security concerns.
      Really wearing something that tracks your every movement and reports it to some remote server is just stupid anyway.

  5. In Sweden we had a courtcase where a murderer who claimed he was asleep all night had a fitbit telling that he was moving very slowly, but with a very high heartrate down to the lake where they found the body, in the middle of the night when he was supposed to sleep…

    1. An insider deal court case in Denmark where the defendant claimed to have never met with the CEO of a contractor, building Time shares in Spain and his signature had been faked, but Cell tower logs showed that he had been visiting the contractor at the exact date and time of signing.

    1. Don’t forget North Korea! A quick look at the Strava map shows surprising amounts of activity, and i doubt it is Kim Jong-Il himself that is out for a jog, particularly not those tracks out in – seemingly – the middle of nowhere.

  6. This only touches on fitness trackers , you do realize google does it by wifi, your phone is doing this constantly and some phones have been banned from the us for the same. The key is likely where the datum is being shipped back to . Every single device we have become dependant on does this.

    Take away your devices , go full foily (never go full foily) , wifi can be used independently (think one device only, just the router itself) can be used to map inside the building it is installed in. Literally wifi itself is a tracking device https://w w.activistpost.com/2017/05/new-wifi-tech-can-see-walls-map-inside-building-20-30-seconds.html Notice the missing W, in www.

    Worrying about a fitness tracker is pretty far down the line of actual threats to privacy. There is good reason comcast is giving away ‘free’ wifi in their new routers that drop xfi hotspots anyone can log into if they have comcast.

    I have to admit I get a solid chuckle from the bottom of my belly seeing how upset / worried people are connecting the dots of a slim margin of the tracking tech employed in at will fitness trackers . The above tin foil excursion doesn’t even call out red light cameras , networked cctv feeds, intersection cameras (look up at intersections you are in the center of multiple cameras at about 70% of major intersections in chicagoland. its all networked. If you can imagine it , it has been done. But lets maybe ponder the unseen 99% of the iceberg instead of just the tip so to speak.

    1. That site you pseudo-linked describes itself thus: “Latest alternative news from independent journalists around the world”. The front page currently has an article about chemtrails. You’re not doing your argument any favors by using that site to back it up.

      1. fair point, the original article i saw was on had itself. Wifi mapping. TBH i did not bother looking for reputable site because i figured everyone would remember it from here.

        I beg forgiveness and am not trying to spread chemtrail shenanigans

    2. The CIA tracks people in Pakistan that don’t have a cellphone or who turn it off. They consider it a suspicious telltale sign.
      Now in a similar vein, if you have areas that are phone-data-blank you could also figure there would be a US base at that spot then. Especially if it’s in an area where there is activity/buildings spotted or where there is data-activity all around it.

  7. One solution would be spoof the civilian GPS at the bases with erroneous signals making them think they’re in a location hundreds of miles away but this would be costly.
    But the most logical and easiest course of action would be to simply ban the use of devices that transmit information like this at military installations.

  8. The bases were only secret from the US taxpayer. The enemies knew where they were the entire time and just used Google Earth to get the layouts. And they know the supply lines as well, just not the timing. This is a classic example of how classification often really protect much. In Moynahan’s book “Secrecy” he tells of how Soviet negotiators at the SALT talks sent their aides out of the room when the US was describing what it knew about Soviet missiles. The aides weren’t allowed to know such details about their own weapons systems.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.