Strava Heatmap Reveals Secret Military Base Locations and Soldier Patrol Routes
What happened
Strava released a global heatmap of GPS activity data aggregated from its fitness tracking app. Analysts discovered that in remote regions of Syria, Niger, and Afghanistan, the heatmap revealed the locations of previously undisclosed military bases and detailed patrol routes of soldiers using the app.[1]
What went wrong
Strava enabled activity data sharing by default, including for users at sensitive locations. Military and intelligence agencies had not prohibited fitness tracker use or configured devices to disable location sharing. The aggregated data product revealed individual behaviour through collective analysis.[1]
Lesson learned
Aggregated, anonymised data can reveal sensitive individual behaviour when correlated with geographic context. Organisations with location-sensitive operations must assess all internet-connected devices carried by personnel. Fitness apps must make privacy implications of global data aggregation clear to users.