On paper, it sounds like a great idea. The fitness app Strava, available for both iOS and Android, launched a giant, updated map of its users' fitness activities this past November. The map shows all the fun places around the world where people use the app to exercise. And since the map is a heatmap, you can also see the degree of exercise activity around a particular area—for example, if there's a running route in your neighborhood that's exceedingly popular, it would appear much more prominently on Strava's data visualization than your occasional jogs around the block.
The problem? Strava, which tracks your outdoor workouts via GPS, has also made it very, very easy to find hidden American military bases overseas.
"Strava released their global heatmap. 13 trillion GPS points from their users," tweeted Nathan Ruser, an analyst at the Institute for United Conflict Analysts yesterday. "It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable."
"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any pattern of life info from this far away," he added.
What's even more interesting, notes The Guardian, is that Strava's data actually makes it possible to make a reasonable guess about the location of military bases that otherwise wouldn't appear using conventional techniques, such as pulling up a web-based mapping service and using that to scan satellite images for military infrastructure.
"Zooming in on one of the larger bases clearly reveals its internal layout, as mapped out by the tracked jogging routes of numerous soldiers. The base itself is not visible on the satellite views of commercial providers such as Google Maps or Apple's Maps, yet it can be clearly seen through Strava," writes The Guardian's Alex Hern.
"Outside direct conflict zones, potentially sensitive information can still be gleaned. For instance, a map of Homey Airport, Nevada – the US Air Force base commonly known as Area 51 – records a lone cyclist taking a ride from the base along the west edge of Groom Lake, marked on the heatmap by a thin red line," he adds.
To Strava's credit, the company does have a number of options for users if they don't want their outdoor exercises tracked, even anonymously. Users can set up privacy zones so others can't see when they start or end a workout within a certain radius of important locations—like their homes or apartments. They can also opt out of Strava's Metro and Heatmap tracking, the very issue at hand, but they have to actively make that selection. Otherwise, users contribute to Strava's anonymous heatmap by default, which can lead to some thorny issues.
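The privacy-zone idea described above can be sketched in code. This is an added example, not Strava's code: it assumes a zone is a centre point plus a radius in metres, and that the leading and trailing track points inside any zone are hidden. All names and coordinates are constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def in_any_zone(point, zones):
    """True if the point lies within the radius of any (centre, radius_m) zone."""
    return any(haversine_m(point, centre) <= radius_m for centre, radius_m in zones)

def apply_privacy_zones(track, zones):
    """Assumed behaviour: hide the leading and trailing points inside a zone."""
    start, end = 0, len(track)
    while start < end and in_any_zone(track[start], zones):
        start += 1
    while end > start and in_any_zone(track[end - 1], zones):
        end -= 1
    return track[start:end]

def points_still_in_zones(track, zones):
    """Audit check: count published points that remain inside a zone."""
    return sum(in_any_zone(p, zones) for p in apply_privacy_zones(track, zones))

# Constructed sample data: one 500 m zone centred on (0, 0); at the equator
# 0.001 degrees of longitude is about 111 m.
ZONES = [((0.0, 0.0), 500.0)]
HOME_RUN = [(0.0, lon) for lon in (0.000, 0.002, 0.004, 0.006, 0.010, 0.006, 0.003, 0.001)]
PASS_THROUGH = [(0.0, lon) for lon in (-0.010, -0.002, 0.002, 0.010)]

if __name__ == "__main__":
    print(apply_privacy_zones(HOME_RUN, ZONES))
    print(points_still_in_zones(PASS_THROUGH, ZONES))
```

Under this assumed model, a workout that only crosses a zone mid-route keeps its in-zone points, so the audit count is worth checking before a track is shared.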