
Strava heatmap can be used to locate military bases

695 points | domoritz | 8 years ago | twitter.com

267 comments

[+] iser|8 years ago|reply
https://twitter.com/kevinkiklee/status/957629856518459392

I just created an overlay of Google Maps and Strava Heatmap of the forward operating base I was at in Afghanistan. The heatmap clearly shows the layout of the base.

That base has been in operation for at least 6-8 years, and it is well-developed. The up-to-date satellite imagery of the area is not available on Google Maps for a good reason, and Strava just released it.

I imagine that this heatmap has been thoroughly scraped already.

* I was deployed to Afghanistan from 2011-2012.

edit: initially mis-typed '2011-2102' =D

edit2: A well-established military base, even in a combat zone, has access to wifi and cellphone network. We are constantly training physically, and we like to keep track of ourselves. We were early adopters of fitness trackers, and I used a couple of them myself also.

[+] notatoad|8 years ago|reply
>Strava just released it.

Strava didn't release it. It's not Strava's job to stop you from uploading sensitive information. Strava does not have a security clearance. Military personnel released it to Strava. Surely the military already has rules about not uploading GPS tracks of their bases to random websites?

[+] maxerickson|8 years ago|reply
So what other internet services have deployed soldiers sent sensitive location data to?

Does each internet service need to proactively hire someone with clearance and coordinate hiding of sensitive information with the US military?

[+] givinguflac|8 years ago|reply
That’s one hell of a deployment duration! :)
[+] cafard|8 years ago|reply
Not to be flippant, but is there anyone with an interest in the base--hostile or just curious--who doesn't already know where it is?
[+] gonehome|8 years ago|reply
Could you get in trouble for posting this given rules around security clearances?
[+] jahmed|8 years ago|reply
Also easily spotted are military outposts littered across North Africa.
[+] natch|8 years ago|reply
In some cases where the data is sparse, you can find where individual people live, because the trails sometimes lead back to a starting point. Like this person who runs around the park regularly. Of course you could also just follow them IRL if you were there, so I'm not sure this is a big deal.

https://labs.strava.com/heatmap/#14.20/100.20693/40.99133/ho...

[+] dalemyers|8 years ago|reply
It means that you can reliably predict where someone is going to be, and for many people, that's a huge safety concern.
[+] miahi|8 years ago|reply
Strava allows you to set places where it should not track (like close to home); not everybody uses that.
[+] milofeynman|8 years ago|reply
There is an alley in my neighborhood where a single line is super dark and turns into a single house. I'm not sure how useful that is but I'd still rather not have that line if it were my house.

https://i.imgur.com/R3j3jXA.png

I've found a couple of these nearby.

[+] walshemj|8 years ago|reply
Presumably CIA MI5/6 Officers/Staff are told not to wear these sorts of devices as it could disclose their real world identity to an adversary.
[+] tripzilch|8 years ago|reply
That's ... honestly a bit disappointing. While I personally believe that the leaking of military location data is almost entirely the military's problem/fault, I feel that this could have been avoided with a minimal bit of forethought by the Strava team. It's not their job to protect military secrets or keep track if some of the data that's sent to them may be connected to a military secret or not. They are, however, responsible for the individual privacy of their own users/customers.

I am reminded of the Dutch "first name database". It's a neat little website showing data (collected by the government/administrative/statistics dept). You can look up any first name in the Netherlands (17M ppl, FYI) and see how many people share this name. You can also see historical data how usage of the first name tracks through time.

AND, this is the crucial bit, you can also see a nice heat map of the geographical distribution for this first name, per municipality.

HOWEVER, and this is where it gets relevant to Strava. They simply won't show the geographical distribution heat map for names that are very rare. If a first name is not nationally rare, but it is in a certain municipality, they will also round it down to zero. Finally, if there's only 5 or less people in NL with that name they won't even show the full total (regardless of location).

Strava could, and IMHO should have done that for regions where only a single (or just a few) individual accounts run a track.

[+] stctgion|8 years ago|reply
There is an opinion to delay the recording start for this very reason
[+] rmc|8 years ago|reply
> Of course you could also just follow them IRL if you were there, so I'm not sure this is a big deal.

Yes. But in that case, the person being followed can tell that they are being followed. A spy (MI6/CIA/etc) might be able to follow a target without being seen, but a jilted lover would probably not. So the victim is aware that they are being observed, and by who.

In this case, the victim cannot see who is looking at the track, and cannot take evasive actions.

[+] dionidium|8 years ago|reply
What have you actually learned? That somebody you don't know anything else about lives in that house? Presumably, you could have assumed that somebody you know nothing else about lives in that house. Somebody you don't know anything else about lives in every house.

I actually share your intuition that this is somehow terribly revealing, but I think this is a broken intuition that needs to be updated for a more technological age.

[+] azernik|8 years ago|reply
I've heard about similar issues in a somewhat older context; it took some training work to get 18-21-year-old Israeli draft soldiers to stop creating Facebook groups that reflected their unit structure, or at least to obfuscate the names. And there's been a lot of interesting work done by e.g. bellingcat.com to identify the exact Russian Army units and soldiers operating in Ukraine based on social media pictures taken out of theater.

OSINT is a very big field in military intelligence; with the amount of information everyone pumps out about themselves, some leakage of militarily sensitive information is bound to happen. As an organization defending against this type of espionage, you just have to try to minimize the leakage.

[+] travmatt|8 years ago|reply
I’ve been fascinated by OSINT recently, not least for the amazing journalism bellingcat produces. Their investigations into the Russian attack on MH17 and the coup attempt in Turkey have both been some of the best journalism I’ve read.
[+] RandomCSGeek|8 years ago|reply
Just started, and already found a patrol route of Pakistan army, although it was quite obvious one, going parallel to a border river. Hope they don't take this down, it's going to entertain me for many days to come.

On a more serious note though, this is a good example of how important it is to control our own data. It only makes me take even more efforts to secure my data and to try to make less of it available to others.

We really need to convert Internet to what it was meant to be, a "decentralised system"

[+] chatmasta|8 years ago|reply
It’s unbelievable that any military allows its soldiers to deploy carrying consumer technology equipped with GPS tracking.
[+] kebman|8 years ago|reply
I found several border crossings between Russia, Finland and Norway that don't seem entirely legal. ;)
[+] wott|8 years ago|reply
Where? I went to check and didn't really find any (I checked only the Norway-Russia border, that's shorter than the other ones :-) ).
[+] jpindar|8 years ago|reply
Same with North Korea.
[+] brohoolio|8 years ago|reply
The most interesting thing I stumbled across so far is Detroit, where people don't run in huge swaths of the neighborhoods. I'm familiar with the city so I expected dead zones, but nothing like this.

https://labs.strava.com/heatmap/#9.47/-83.46871/42.45553/hot...

[+] Strom|8 years ago|reply
> where people don't run

More accurately it's where people don't send their tracking data. Plausible to also say that it's where people don't own this tracking software/device at all. However it seems like a gigantic stretch to derive that there's no running going on.

[+] llimllib|8 years ago|reply
In the US, it's almost entirely rich, white people that upload data to Strava. You can easily see racial/economic divisions in any major United States city. Baltimore is a great example[1]; white people live in the center but not on the east or west sides (Canton excepted).

[1]: https://i.imgur.com/RXSfgz1.jpg

[+] throaj19s9a|8 years ago|reply
You can find out certain routes Pine Gap (NSA spy base) employees take. You can even pinpoint which buildings in their spy base have higher security clearances. You can even see them patrolling and exploring their land, and someone randomly running in a circle.
[+] hex12648430|8 years ago|reply
Some other fun (but not so secret) things to look at: research stations in Antarctica, tourism in North Korea (as well as some officials traveling it seems; some tracks cross the DMZ), your own garden if you have one. There's even a track at the Area 51.
[+] orliesaurus|8 years ago|reply
How did no one working at Strava think about the implications of releasing this data? Zero scrutiny? I am sure there are some very interesting locations on there... reading through the twitter thread it would seem so
[+] LeifCarrotson|8 years ago|reply
You know what else is public, insecure information? Maps. Pictures. Roads. Physically going to a location and seeing a driveway.

Yes, there is a bright line on Strava that leads from a spiderweb of trails in the park right to the door of my private, personal house! My neighbors don't run often, but I post on Strava 5 days a week, so my driveway stands out like a yellow arrow. You could learn, from the Strava dataset, that someone (me) lives in my house. Gasp! /s.

Of course someone lives in my house. It is not news to anyone local. My address is on the map, and it's pretty obvious that someone lives here if you drive by and see it.

What damage has Strava done by releasing this data? Humans that post on Strava are not hermits, trying to remain secret in their underground hideouts in the middle of nowhere. We live in houses, or on giant military bases...we're not exactly hidden.

[+] _Wintermute|8 years ago|reply
I don't see how it's Strava's fault. Surely if it's sensitive information then it's the military personnel who are at fault for uploading the data to a public website.
[+] snowpanda|8 years ago|reply
To be honest I'm more concerned personal devices were allowed at these locations. That and somebody posting it on Twitter instead of disclosing it responsibly to the parties involved. Sure it's not his fault, but he doesn't need to make it worse.
[+] cdevs|8 years ago|reply
It would be scary if someone found a flaw in their API or data that exposed who went where from where everyday. It may not be stored that way but people who work at secure locations aren't allowed to bring in cell phones or workout watches but they still bring them to the parking lot showing who works where. If a flaw like this is discovered it would obviously be bad.
[+] tgtweak|8 years ago|reply
Would be good to read what steps Strava uses to anonymize this data prior or shortly following upload.

I'm also hoping they put some logic to prevent a single device trace from showing up on the heatmap regardless of frequency, and that 2 devices would need to converge within a radius for there to be a trace, but that might be wishful thinking.
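
Added example, not part of any comment in this thread and not Strava's code: a sketch of the suppression idea raised above (the rare-name cutoff used by the Dutch first-name database, and the suggestion that a single device should never produce a trace regardless of how often it records). The grid size, threshold, function names and sample points are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CELL_DEG = 0.001   # assumed grid size, roughly 100 m of latitude
K_MIN_USERS = 5    # assumed cutoff: fewer distinct contributors than this is hidden


def cell_of(lat, lon, cell_deg=CELL_DEG):
    """Map a coordinate to the integer index of its grid cell."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def build_heatmap(points, k_min=K_MIN_USERS, cell_deg=CELL_DEG):
    """Aggregate (user_id, lat, lon) points into {cell: point_count}.

    A cell is published only when at least k_min *distinct* users
    contributed to it. Heat is driven by point count, but visibility is
    driven by contributor count, so one person repeating the same route
    hundreds of times never becomes visible on their own.
    """
    users = defaultdict(set)
    counts = defaultdict(int)
    for user_id, lat, lon in points:
        cell = cell_of(lat, lon, cell_deg)
        users[cell].add(user_id)
        counts[cell] += 1
    return {c: n for c, n in counts.items() if len(users[c]) >= k_min}


# Constructed sample data: six users pass through a park cell once each,
# and one of them also records 200 points in the cell holding their driveway.
PARK = (10.0005, 20.0005)
HOME = (10.0105, 20.0005)
SAMPLE = [(f"u{i}", *PARK) for i in range(6)] + [("u0", *HOME)] * 200

if __name__ == "__main__":
    raw = build_heatmap(SAMPLE, k_min=1)   # no suppression
    safe = build_heatmap(SAMPLE)           # suppression with K_MIN_USERS
    print("unsuppressed:", raw)
    print("suppressed:  ", safe)
```

Without suppression the driveway cell is the hottest one on the map; with it, only the shared park cell is published. Thresholding per cell does not by itself stop inference from neighbouring cells, so it complements rather than replaces per-user privacy zones.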

[+] samstave|8 years ago|reply
We need to have a look at Strava data from LV to Area 51
[+] _Wintermute|8 years ago|reply
Strava doesn't track you constantly, you start recording when you start a run or bike ride and stop it when you finish.
[+] shiado|8 years ago|reply
This reminds me of the selfie soldier story from a few years ago.

https://www.youtube.com/watch?v=2zssIFN2mso

Just how much useful military information can soldiers haemorrhage from their cellphones? Imagine somebody being convicted of war crimes in an international tribunal because some recruit forgot to turn off their automatic geo-locating Candy Crush notifications. This is quite the brave new world we are entering.

[+] adamtj|8 years ago|reply
Websites are like salespeople and the police: they can and will use your data against you.

The first time I was told about Strava, I immediately dismissed it as useless. (After all, what service could they possibly provide when I'm unwilling to tell them precisely where I go to work out?) I almost gave a quizzical look to my conversation partner, but that would have given him more insight into my thoughts than I cared to share, so I suppressed the expression.

[+] starpilot|8 years ago|reply
Are any of these locations actually secret?