For a sizable chunk of the millions of Strava users out there, the training app’s privacy settings are easily overlooked. Sure, you might choose to lock down runs starting or ending near your home, and if you're the type to run an eight-miler just after calling in to work with “the flu,” well, maybe you don't want your boss to see that.

But for one segment of Strava’s user base, neglecting to check off a series of boxes reflecting privacy options is having national-security ramifications.

That's because in November 2017, Strava released its Global Heat Map, a cartographic representation of Strava users’ GPS-tracked activities from 2015 to September 2017. Running, cycling, and even urban-planning-related …

Until this past Saturday, when Nathan Ruser, a 20-year-old Australian student specializing in International Security and Middle Eastern Studies, figured out that the Heat Maps might contain—in addition to the standard, more innocuous runs and rides of civilians—the GPS data of United States soldiers stationed overseas, including those serving at secret locations in Afghanistan, Iraq, and Syria, whose satellite imagery is scrubbed from most mapping platforms. His hunch proved to be correct, and Ruser shared his discovery with the world via a string of Tweets.

The world quickly took notice, and by the next morning, outlets like The Washington Post were reporting on the story, while Twitter continued to dig into the maps’ data through the lens of Ruser’s discovery. It turns out the problem was more far-reaching than initially thought, since activity-tracking devices are rather prevalent in military life. The Post even reported that “the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity.”

Heat Map data does not intrinsically allow the public to identify which specific Strava users have traversed which specific courses—although it has been pointed out that such information can be gleaned relatively easily.

Many of the locations revealed to be hotbeds of logged and Strava-tracked mileage were already publicly available, but others had previously been confidential. And it’s not just the United States whose troops’ movements—including patrol routes—have been revealed, as Russian operations in Syria can be clearly seen as well.

It’s not every day that the worlds of running and national security find themselves overlapping. Surely Strava had no nefarious intentions when releasing its Heat Maps. And one could safely assume that the Pentagon, when encouraging soldiers to wear Fitbits, didn’t anticipate anything like this happening. So who’s at fault here?

Image (Strava): Heat Map data from the Diego Garcia atoll, the site of a British Ministry of Defence facility currently leased to the United States

Writing for C4ISRNET, a publication covering the confluence of the military and technology, journalist Kelsey Atherton rattles off a list of potential issues stemming from Ruser’s findings—corroborating existing knowledge about military activity, visualizing “patterns of behavior around places,” and raising the question of what other data Strava has but hasn’t released. He also criticizes the way default privacy settings on Strava, and on other increasingly omniscient social media platforms, veer away from privacy.

But ultimately, Atherton derides technology’s complacency in human error: “while the location of nuclear storage in Incirlik may be public, and the bunkers may be visible from space, those loops are still restricted areas, and cell phones, especially the kind that can record the path someone took on a jog, are restricted in those areas—people will always make mistakes, but tech should proactively seek to minimize the fallout from human error.”


This isn’t the first time Strava’s default privacy settings have come under fire. Rosie Spinks found that runs she believed to be logged as private were being discovered and “liked” by total strangers.

“[W]hen you’re a woman whose personal and digital space is invaded with alarming regularity,” Spinks wrote, “you think carefully about how your digital life intersects with your real one—especially when the data you’re sharing is quite literally close to your front door.”

In a world where personal data is becoming increasingly less personal, and the extent to which the technology we constantly interact with keeps tabs on us seems to expand daily, this sort of run-in seems unavoidable.

In a statement issued by the Department of Defense to Military Times, the DoD emphasized that pre-existing protocol was meant to prevent situations like the Heat Map fiasco from unfurling: “[The] DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”

Update: Strava CEO James Quarles issued a press release late on Monday, January 29, in which he addressed the mounting scrutiny his company has come under since this story first broke. In it, he acknowledges the potential seriousness of the issue, and outlines how the team at Strava plans to rectify the situation going forward—these plans include working closely with military officials, and simplifying the app’s privacy settings.