Strava, a GPS-enabled mobile app that allows users to track their running, biking and swimming workouts, is attracting controversy after observers noticed that its global workout heatmap apparently revealed the location of secret military bases and the exercise habits of individual troops on those bases. The heatmap raises questions about the soundness of troops' operational security practices, as well as about whether big data is sufficiently anonymized and whether apps like Strava are being cavalier about users' privacy. Here's what's going on.

Strava's Heatmap Tracks The Location And Frequency Of Its Users' Workouts Around The Globe

Strava released the latest version of its heatmap, which shows the precise location and frequency of one billion workouts, in November. You can look at and play around with the heatmap here. Strava brags:

Our global heatmap is the largest, richest, and most beautiful dataset of its kind. It is a direct visualization of Strava's global network of athletes. To give a sense of scale, the new heatmap consists of:

1 billion activities

3 trillion latitude/longitude points

13 trillion pixels rasterized

10 terabytes of raw input data

A total distance of 27 billion km (17 billion miles)

A total recorded activity duration of 200 thousand years

5% of all land on Earth covered by tiles

A 20-Year-Old Student Noticed That The Heatmap Left US Military Bases Exposed

The trouble started on Saturday, when a 20-year-old Australian student named Nathan Ruser noticed that, since most of Strava's users are Westerners and there aren't many Strava users in the Middle East, Central Asia and Northern Africa, the Strava workouts that do appear in those regions likely represent the activity of Western troops. Ruser observed on Twitter that "US Bases are clearly identifiable and mappable" on Strava's heatmap, which was "not amazing for Op-Sec" (operational security).

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq — Nathan Ruser (@Nrg8000) January 27, 2018

If soldiers use the app like normal people do, by turning on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2 — Nathan Ruser (@Nrg8000) January 27, 2018

Soon People Were Finding Workouts That Seemed To Represent Secret Outposts

Soon, other people began noticing Strava workouts in Iraq, Somalia and Niger — among other countries — that seemed to represent secret military outposts.

So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses): pic.twitter.com/wHItJwYUUI — Tobias Schneider (@tobiaschneider) January 27, 2018

Some heavy jogging activity on the beach around what looks like the reported CIA annex at Mogadishu airport pic.twitter.com/1OLP8zWKGl — Adam Rawnsley (@arawnsley) January 27, 2018

Especially effective (as in dangerous?) in the Sahel.

In Niger, you can instantly spot the French base in Madama, the U.S. base in Agadez... I even found a base I didn't know about, just outside of Arlit—and Nigerien troops aren't jogging around with Fitbits. https://t.co/ywQVQ51H6Q — Ben Taub (@bentaub91) January 28, 2018

Even Worse, Strava Makes It Easy To Match Workouts With Individual Users' Identities

Because Strava allows users to post their workouts publicly, using their real names, it's not difficult to match a workout that appears on the heatmap to a specific person.

It just keeps getting deeper. You can also trivially scrape segments, to get a list of people who travelled a route, and trivially obtain a list of users. #Strava pic.twitter.com/U9DnPsyHUD — Paul D (@Paulmd199) January 28, 2018

The Guardian used Strava's website to identify several service members in Afghanistan and Djibouti by name.

The leaderboard for one 600m stretch outside an airbase in Afghanistan, for instance, reveals the full names of more than 50 service members who were stationed there, and the date they ran that stretch. One of the runners set his personal best on 20 January this year, meaning he is almost certainly still stationed there.

In Djibouti's Chabelley Airport, used as a staging ground for US Air Force drones, three runners have completed a 7km loop of the runway – two in December 2014, and one two years later in August 2016. At least one of them is no longer based there: their running profile shows they were transferred to an air base in Germany in 2016.



Strava Shares Lots Of Its Users' Personal Information By Default

Quartz's Rosie Spinks, who has written about privacy concerns associated with fitness apps like Strava, points out that Strava's default settings make users' workout timing and routes public. If you want to limit your exposure or keep your information off of Strava's heatmap, you have to opt out rather than in.

If you set up a Strava account and do nothing, your workout activity, name, and photos are visible to everyone. Anyone can follow you and see your photos, and logged-in users can also download your activities (which include very granular analytics). While Strava likens this public mode to a public Twitter account, the habitual and location-based nature of the app makes it rather different. Depending on how much you use Strava, there is potentially a lot of information to be gleaned about your physical whereabouts from a public profile.



In A Statement, Strava Promised To 'Help People Better Understand' Its Privacy Policies

Despite journalists' ability to identify individual service members based on their Strava profiles and the heatmap, Strava insisted in a statement that the map is "anonymized" and emphasized that users can opt out of being included in the map by marking their activity as "private."

Strava said in a statement to CNN that the company is "committed to helping people better understand" its privacy settings.

"Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones," the statement said.
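The two claims above pull in opposite directions: the heatmap is "aggregated and anonymized", yet a tile in a sparsely used region (Ruser's point about the Middle East, Central Asia and Northern Africa) often reflects one or two people, so the aggregate is the individual. The script below is an added illustration, not Strava's code, of the mitigation a privacy engineer would want a heatmap pipeline to apply: rasterize GPS points into tiles, count distinct contributors per tile, and publish a tile only when at least K different users contributed to it. It also applies a simplified per-user privacy zone (a circle around a home point) before rasterizing, as a stand-in for the user-defined zones the statement mentions. The grid size, threshold, sample tracks and zones are all constructed for the example.

```python
"""Contributor threshold for an activity heatmap.

Added example, not Strava's own code. Shows why rasterizing GPS points does
not anonymize them when few people contribute to a tile, and one mitigation:
publish a tile only when at least MIN_USERS distinct users contributed.
"""
from collections import defaultdict
import math

TILE_DEG = 0.01   # assumed grid cell size in degrees (~1.1 km of latitude)
MIN_USERS = 5     # assumed threshold: fewer distinct contributors -> tile suppressed

# Constructed sample points: (user_id, lat, lon). Eight users in a busy city
# block and two users running laps around an isolated compound.
SAMPLE_POINTS = (
    [(f"city{u}", 40.7053 + 0.0002 * i, -73.9947 + 0.0001 * u)
     for u in range(8) for i in range(5)]
    + [("remote1", 16.9753 + 0.0002 * i, 7.9934) for i in range(5)]
    + [("remote2", 16.9753 + 0.0002 * i, 7.9935) for i in range(5)]
)

# Constructed privacy zones: user_id -> (center_lat, center_lon, radius_m).
# city0 has a 300 m zone around the start of the route, so all of that
# user's sample points are dropped before rasterization.
SAMPLE_ZONES = {"city0": (40.7053, -73.9947, 300.0)}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def apply_privacy_zones(points, zones):
    """Drop every point that falls inside its owner's privacy zone."""
    kept = []
    for user, lat, lon in points:
        zone = zones.get(user)
        if zone and haversine_m(lat, lon, zone[0], zone[1]) <= zone[2]:
            continue
        kept.append((user, lat, lon))
    return kept


def tile_of(lat, lon, tile_deg=TILE_DEG):
    """Integer grid index of the tile containing a point."""
    return (math.floor(lat / tile_deg), math.floor(lon / tile_deg))


def rasterize(points, tile_deg=TILE_DEG):
    """Return {tile: {"hits": point_count, "users": set_of_user_ids}}."""
    tiles = defaultdict(lambda: {"hits": 0, "users": set()})
    for user, lat, lon in points:
        t = tile_of(lat, lon, tile_deg)
        tiles[t]["hits"] += 1
        tiles[t]["users"].add(user)
    return tiles


def publishable_heatmap(points, zones, min_users=MIN_USERS, tile_deg=TILE_DEG):
    """Hit counts only for tiles that meet the distinct-contributor threshold."""
    tiles = rasterize(apply_privacy_zones(points, zones), tile_deg)
    return {t: v["hits"] for t, v in tiles.items() if len(v["users"]) >= min_users}


def suppressed_tiles(points, zones, min_users=MIN_USERS, tile_deg=TILE_DEG):
    """Tiles withheld from publication, with the users who would have been exposed."""
    tiles = rasterize(apply_privacy_zones(points, zones), tile_deg)
    return {t: sorted(v["users"]) for t, v in tiles.items() if len(v["users"]) < min_users}


if __name__ == "__main__":
    print("published:", publishable_heatmap(SAMPLE_POINTS, SAMPLE_ZONES))
    print("suppressed:", suppressed_tiles(SAMPLE_POINTS, SAMPLE_ZONES))
```

Run stand-alone, the city tile is published (seven contributors after city0's zone removes that user's points) while the compound tile, with only two contributors, is withheld. Counting raw hits instead of distinct users would not help: two people running the same loop every day produce as many hits as a crowded park, which is exactly the pattern the tweets above picked out.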



The Pentagon Is Reviewing The Situation

In the past the Defense Department has "encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity," according to the Washington Post. In response to the Strava heatmap revelations, a Pentagon spokesperson told the New York Times that it was considering additional security training for service members.

The Pentagon did not directly address whether the heat map had revealed any sensitive location data. But Maj. Audricia Harris, a Pentagon spokeswoman, said that the Defense Department recommends that all its personnel limit their public social media profiles and that it was reviewing the situation.

"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Major Harris said. The Pentagon "takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required," the major added.

