US military reviewing tech use after Strava privacy snafu

The U.S. military has responded to privacy concerns over a heatmap feature in the Strava app which displays users’ fitness activity — and has been shown exposing the locations of military facilities around the world — by saying it’s reviewing the rules around usage of wireless devices and apps by its personnel.

At the weekend, Australian student Nathan Ruser noticed that trails from Strava users in certain countries made it possible to identify military bases and other facilities operated by countries, including the U.S., in locations such as Afghanistan, Iraq, Somalia and Syria.

A U.S. military press office has now told The Washington Post that existing rules on privacy settings relating to apps and devices are being “refined” as a result of the privacy snafu, and that commanders at its bases are being urged to enforce existing rules.

Alarm quickly flared when it became apparent how precisely Strava’s heatmaps were highlighting the existence of active military bases — literally by lighting up the activity levels of personnel using its app in and around the facilities — and even potentially also divulging the identities and activity data of serving military personnel.

“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” a spokesperson for the Central Command press office in Kuwait told the newspaper, speaking for the U.S.-led coalition against the Islamic State.

“We will not divulge specific tactics, techniques and procedures. However, we have confidence in our commanders’ abilities to enforce established policies that enhance force protection and operational security with the least impact to our personnel.”

“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection. We constantly refine policies and procedures to address such challenges,” the spokesperson added.

Strava has long been criticized for the confusing structure of its privacy settings — though it’s hardly alone on that front where technology services are concerned — and for how, as a consequence, its service can leak personal data without users realizing.

In this case even users who had applied an “enhanced privacy” option were apparently still having their activity data fed into public heatmaps.

We reached out to Strava for comment but at the time of writing the company had not responded.

“We are committed to helping people better understand our settings to give them control over what they share,” Strava told the Post in a statement earlier.

When the company launched the latest version of its global heatmap feature last year it said the feature included more than 27 billion kilometers of data — “overlapping to show the most frequented spots for sport on the globe.”

Apparently not realizing that less-frequented locations for sports on the globe could result in some massively sensitive privacy leaks — largely as a consequence of Strava opting users into the heatmaps (without them necessarily realizing it had, thanks to confusing settings).

If you want a textbook example of why privacy needs to be the default, not a hard-to-find opt-out, and what privacy-hostile design looks like, well, it’s pretty tough to beat this. So we can at least thank Strava for illustrating the problem so beautifully.