The first rule of operational security, according to a major 2014 revision to Army regulations, is to maintain “essential secrecy” by “the denial of critical information to adversaries” like force strength, capabilities, objectives, and, most importantly, position. But all of the Defense Department’s opsec planning appears no match for a $100 consumer fitness wristband — an apparent security oversight that could put U.S. troops in danger downrange.
First noticed by Middle East analyst Nathan Ruser on Saturday, an online map published by Strava, a company that gathers data on consumer fitness gadgets like FitBit, Jawbone, and app-enabled smartphones through GPS tracking, appeared to show the locations and behavior of U.S. military personnel deployed downrange.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
According to the Washington Post, Strava’s Global Heat Map isn’t live — first unveiled in November 2017, it’s based on 13 trillion GPS data points collected over a two-year period through that September — but it purports to reveal Marine Corps firebases in the deserts of Syria, a Patriot missile defense battery in Yemen, and U.S. special operations forces deployed near a previously unknown U.S. installation in Niger. And it isn’t just U.S. forces exposed by their own fitness gadgets: According to the Daily Beast, the Strava data even appears to reveal a major security flaw in Taiwan’s missile command center. The data hosted on Strava’s site is specific enough that it identified more than 50 U.S. service members by name based on their jogging runs in the area surrounding a remote air base in Afghanistan.
Although the Strava tool doesn’t offer a real-time view of the battlespace, it certainly exacerbates fears that U.S. military personnel might end up vulnerable thanks to their unsecured consumer tech. In 2016, a pro-Russian hacker group used a malicious Android app as a Trojan horse to track the locations of Ukrainian artillery units amid simmering tensions on the border between the two countries; as recently as October 2017, U.S. troops deployed with NATO in Poland and the Baltics reported that the Russian military had purportedly used surveillance drones to attempt to access geolocation data stored on personal smartphones.
While the revelation that U.S. troop locations are so easily exposed by consumer technology is embarrassing, it isn’t nearly as embarrassing as the DoD’s apparent lack of foresight regarding the security breach. Not only has Strava in particular been in the public consciousness since as early as 2014, when its data first entered into domestic court proceedings surrounding pedestrian accidents, but the Pentagon has been thinking critically about OPSEC issues posed by personal technology for at least a decade, as the rise of smartphones and social media made consumer GPS tracking and location-sharing apps a major security concern. In 2007, photos of several brand-new AH-64 Apache helicopters on the flight line of a U.S. military installation in Iraq, taken by Army soldiers and uploaded to the Internet, ended up revealing the exact latitude and longitude of the aircraft within the compound’s perimeter, allowing enemy insurgents to destroy several with precise mortar strikes from a safe distance.
Considering that deriving location data from a photo is relatively simple even for the uninitiated, the Pentagon offers a whole raft of training and education materials regarding OPSEC and INFOSEC risks and vulnerabilities on every communications platform from social media to smartphones. But the DoD doesn’t appear to have extended the same scrutiny to the data collected by GPS trackers like Jawbone and FitBit. Indeed, the Army began issuing commercial FitBit Flex bands to soldiers at several bases in 2013 in an effort to fight obesity and improve overall fitness. Hell, even former NSA director Michael Hayden stated plainly in April 2014 that “we kill people based on metadata.” Why, then, wouldn’t our enemies?
When reached by Task & Purpose, Pentagon spokesman Maj. Audricia Harris said that annual DoD OPSEC training “recommends limiting public profiles on the internet, including personal social media accounts,” and that the Pentagon’s current OPSEC requirements “provide further guidance for military personnel supporting operations around the world.” Apparently, other GPS-enabled devices are not a major part of that conversation, a serious gap given the growing ecosystem of consumer software that tracks your every move. And while 2016 Marine Corps guidance explicitly states that Bluetooth- and GPS-enabled personal fitness devices are prohibited at facilities only if they utilize “cellular or Wi-Fi, photographic, video capture/recording, microphone, or audio recording capabilities,” that conversation clearly needs to happen again.
But despite the existence of this backdoor into U.S. military locations, the Pentagon appears set on using the Strava debacle to take a long, hard look at its current OPSEC environment. Officials announced on Jan. 29 that the Pentagon would conduct a review of wearable electronic devices and smartphones, although they did not provide any specifics on the scope and duration of the review.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Harris told Task & Purpose. “DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”
“Operational security and force protection requires constant vigilance,” Pentagon spokesman Col. Rob Manning told reporters during a press briefing on Jan. 29. “Secretary Mattis has been very clear about not highlighting our abilities to aid the enemy or give the enemy any advantage. That would be our approach going in on this as well.”
In the meantime, Strava has a better suggestion for U.S. military personnel: Take five seconds and just opt out of sharing your data with us!
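Opting out is an all-or-nothing switch; a unit that wants to keep using the gadgets still needs a pre-upload check that withholds any activity which passes near a site it must not reveal. The following is an added illustration written for this article, not Strava’s code or any DoD tool: it assumes a hypothetical list of sensitive zones (name, centre, radius) and a GPS track as a list of (latitude, longitude) pairs, and decides whether the activity may be shared at all. The coordinates are constructed placeholders centred on 0°N 0°E, not real installations.

```python
import math
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Mean Earth radius used by the haversine formula (metres).
EARTH_RADIUS_M = 6_371_000.0

LatLon = Tuple[float, float]  # (latitude, longitude) in decimal degrees


@dataclass(frozen=True)
class SensitiveZone:
    """A circle around a location whose surroundings must never be shared."""
    name: str
    lat: float
    lon: float
    radius_m: float


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def zone_hits(track: Sequence[LatLon], zones: Iterable[SensitiveZone]) -> List[Tuple[int, str]]:
    """Every (point index, zone name) pair where a track point lies inside a zone."""
    hits: List[Tuple[int, str]] = []
    for i, pt in enumerate(track):
        for z in zones:
            if haversine_m(pt, (z.lat, z.lon)) <= z.radius_m:
                hits.append((i, z.name))
    return hits


def may_share(track: Sequence[LatLon], zones: Iterable[SensitiveZone]) -> bool:
    """Allow upload only if no point of the activity touches a sensitive zone.

    The whole activity is withheld rather than trimmed: a track with its
    in-zone points deleted still starts and ends at the zone boundary, so
    aggregated uploads would outline the site just as clearly.
    """
    return not zone_hits(track, zones)


# Constructed sample data (hypothetical): "Null Island" at 0°N 0°E stands in
# for a sensitive site with a 1.5 km exclusion radius.
ZONES = [SensitiveZone("placeholder-site", 0.0, 0.0, 1500.0)]

# A run that loops in toward the site: 0.012° of latitude is about 1334 m,
# 0.005° about 556 m, both inside the radius; 0.020° (about 2224 m) is outside.
RUN_THROUGH_ZONE = [(0.020, 0.0), (0.012, 0.0), (0.005, 0.0), (0.012, 0.0), (0.020, 0.0)]

# A run about 5.5 km away on the same meridian never enters the zone.
RUN_ELSEWHERE = [(0.050, 0.0), (0.055, 0.0), (0.060, 0.0)]


if __name__ == "__main__":
    for label, track in (("through zone", RUN_THROUGH_ZONE), ("elsewhere", RUN_ELSEWHERE)):
        verdict = "share" if may_share(track, ZONES) else "withhold"
        print(f"{label}: {verdict}, offending points: {zone_hits(track, ZONES)}")
```

The check runs on the device or sync client before anything leaves it, which is the only place the decision can be enforced; once points reach a service that builds heatmaps from trillions of them, individual deletion no longer undoes the aggregate.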
“We are committed to helping people better understand our settings to give them control over what they share,” the company told The Guardian in a statement on Jan. 29. “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear.”
Task & Purpose Senior Pentagon correspondent Jeff Schogol contributed reporting.