Fitness app Strava exposes the location of military bases

Strava, the popular app for tracking running, cycling and swimming, is not the most obvious go-to for exposing national secrets, but a heatmap of activity from users has been found to unearth the locations of U.S. military bases worldwide.

The company’s review of 2017 showed all routes taken by its users across the world. It was released back in November 2017, but it came to the fore this weekend when Australian student Nathan Ruser noticed that trails from Strava users in certain countries made it possible to identify military from the U.S. and other nations.

While many major cities and regions are brightly colored due to huge amounts of activity, military locations stand out as hubs of activity in quieter areas, such as Syria, Afghanistan or Somalia. That’s exacerbated by the fact that the app is more popular in the West than places like the Middle East or Africa.

Strava allows its users to record their exercise via GPS using a phone or wearable devices like Fitbit, which have been given out to U.S. forces in the past.

In most cases, the public data can be useful. It can help find new trails to run, find routes in new places or even identify other runners to exercise with or compete against. With over one billion activities logged in the heat map, it provides an interesting look at how many people in the world exercise.

The service does offer a private mode which doesn’t share information outside of the app. The company said its heatmap is based on public data only. It would appear, then, that military personnel are sharing their information publicly, perhaps without knowing it or realizing the implication.

The heatmap doesn’t include user information, but, as others on Twitter demonstrated, it is possible to visit the service and look up users based on the routes they have run publicly. That could potentially expose the identification of servicemen and women.

“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share,” Strava told the Washington Post in a statement.

A U.S. military spokesperson told the paper it is looking into the issue.