American service members around the world have potentially been violating operational security by using the popular fitness tracking application Strava during workouts. As a result of the run tracking software, maps of installations manned by forward deployed service members, as well as their frequently traveled routes, have surfaced online, potentially providing valuable intelligence to the enemy.

While there are a number of fitness tracking apps available for the smartphones that have become prevalent in recent years, Strava touts itself specifically as “the social network for athletes.” The application allows runners and cyclists to compete against others by posting maps of terrain covered along with a variety of statistics regarding the workout. In a best case scenario, this form of sharing data permits users to compare their workouts with those of others who have covered the same terrain, or to compare the pertinent details of workouts conducted in different places.

In a worst case scenario, however, Strava’s “heat mapping” offers up an easy-to-track readout of installations, including supposedly clandestine ones, all around the world.

“This is literally what 10,000 innocent individual screw-ups look like,” Scott Lafoy, an open-source imagery analyst, said of the revelation. “A lot of it is going to be a good reminder to security services why you do opsec (operational security) and why you do manage this sort of thing, and everyone is going to really hope it doesn’t get a couple people killed in the meantime.”

That’s not the only OPSEC concern presented by this form of run mapping. It also offers valuable intelligence on what many refer to as “patterns of life,” an important element in devising offensive operations against a location or group of people. Collecting pattern-of-life data gives an observer a better understanding of a subject’s habits and improves the chances of predicting the future actions of those being observed, an important part of planning an attack, among other things.

Special Forces Forward Operating Base in Syria, as depicted by Strava’s heat mapping. (Strava)

“There is no excuse, given all the OPSEC training we provide, for giving away positions through phone applications,” explained Danielle Bizier, a former counter intelligence officer and instructor with the Defense Intelligence Agency and SOFREP contributor. “These guys should have known better. And if they genuinely didn’t, then clearly we are doing a piss poor job of providing that OPSEC training.”

The Department of Defense has acknowledged that they are currently looking into the problem, and will release further guidance or updates to standard operating procedures as deemed appropriate, according to a statement released over the weekend. For their part, Strava said only that they are invested in helping users better understand how to properly utilize the privacy settings provided within the application.

“The coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain coalition sites and during certain activities. We will not divulge specific tactics, techniques and procedures,” U.S. Central Command wrote in a statement over the weekend.

The damage, however, may already be done. With billions of data points logged the world over, it may simply be a matter of time before America’s enemies discover a way to leverage the information available in an effective way. Even if the heat mapping of sensitive sites is removed from Strava’s online maps, the data has already reached the internet, where valuable information has a knack for resurfacing.


Featured image created using images from Wikimedia Commons, Pixels