Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations (npr.org)

← Back to Stories (view on slashdot.org)

Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations (npr.org)

Posted by BeauHD on Monday January 29, 2018 @09:30AM from the hide-and-seek dept.

An anonymous reader quotes a report from NPR: Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers -- experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava -- which includes an option for keeping users' workout data private -- published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. Using data from fitness trackers such as the Fitbit, Strava's map shows millions of users' runs, walks, and bike trips from 2015 to September of 2017 -- and in some countries, the activities of military and aid personnel are seen in stark contrast, as their outposts shine brightly among the comparative darkness of their surroundings.

47 of 83 comments (clear)

Min score:

Reason:

Sort:

If you wear a tracking GPS... by xxxJonBoyxxx · 2018-01-29 09:34 · Score: 5, Insightful

If you wear a tracking GPS...it might track where you are. Film at 11.

Just tell our soldiers and sailors that their comrade/shipmate's activities may conjure some inbound and the "new guy with the pretty watch" problem should take care of itself.
1. Re:If you wear a tracking GPS... by hambone142 · 2018-01-29 10:50 · Score: 3, Insightful
  
  Yup. It's kinda lame that the armed forces don't have enough foresight to predict that carrying devices that transmit location and logging in to websites that produce the same information might just reveal a person's location.
  It seems we've gotten a case of the "stupids" lately.
2. Re:If you wear a tracking GPS... by rtb61 · 2018-01-29 16:32 · Score: 2
  
  More sensibly, it is kind of stupid for any military to allow their personal into the field with a non-military mobile phone with a specific range of set apps and fully encoded data transmissions. Don't let the military deploy with their personal phones, gather them up and replace them with durable military issue units and take out naughty apps and install military apps.
  
  --
  Chaos - everything, everywhere, everywhen
3. Re:If you wear a tracking GPS... by AlwinBarni · 2018-01-30 02:42 · Score: 1
  
  It's not just about a "pretty watch", this app is available on all the phones, which all have GPS.
  Unfortunately all soldiers, when not at home, would have to have military only approved personal gadgets with no personalized apps, or at least would be able to chose only from a set of pre-approved apps.
  
  Honestly, soldiers on duty install tracking apps with sharing default option and nobody had asked any questions till all their whereabouts were made public?
Cloud data increases the risk by WillAffleckUW · 2018-01-29 09:39 · Score: 2

Even the external "secure" provision of cloud services itself allows predictive location of military and intel assets. Just the traffic flow itself allows you to pinpoint this, even if it's time-delay GPS data from "I turned my cell/smartphone/fitbit/watch off, sergeant!" health data.
We can back extrapolate locations and pinpoint internal corridors and access points - for example, knowing people stop at a door for x minutes/seconds tells us what the security protocol is for the access point, and knowing the elevation information from other ping services drops except at stairwells tells us what is and what is not secure within the installation.

--
-- Tigger warning: This post may contain tiggers! --
Disappointment ... by CaptainDork · 2018-01-29 09:40 · Score: 1

... is the lack of foresight on the part of American military.
We used to be better than this.

--
It little behooves the best of us to comment on the rest of us.
1. Re:Disappointment ... by known_coward_69 · 2018-01-29 10:05 · Score: 1
  
  like invading italy and picking landing zones outside of air support range?
2. Re:Disappointment ... by Kjella · 2018-01-29 11:05 · Score: 1
  
  I'm pretty sure that if you are on active duty in a war zone, PT with your FitBit or Apple Watch isn't high on the list of desired activities.
  Unless you're actually deployed on a mission isn't it mostly habit? You go for a jog for the same reason you do your push-ups and sit-ups, it's just the daily routine to stay in shape. Or it's base personnel who despite not being on the extreme front line feel the need to stay in shape, I don't think I've ever seen an obese high ranking officer even though they're just commanding people around.
  
  I know of an application that spoofs your cell phone's GPS receiver and can place you anyplace you want in the world. Seems like a way to provide any data you want to the application... Makes me wonder if the military isn't capable of making it appear like their resources are vastly different than they actually are.
  Well they could, but it's unlikely they could hide an entire base anyway. That doesn't mean they want to give away the exact scope or layout, entry/exit points etc. for snipers, someone to stage an assault, plant an IED or whatever.
  
  --
  Live today, because you never know what tomorrow brings
3. Re:Disappointment ... by bobbied · 2018-01-29 11:49 · Score: 1
  
  As you say, it's unlikely you would be able to hide any kind of military installation anyway, and entry and exit points or sniper vantage points are all externally visible. I'm just guessing here but I'm pretty sure that if the adversary is capable of knowing the value of the information you outline, they are likely capable of doing the surveillance necessary to obtain it. Pattern of life data around any reasonable sized military base is pretty easy to obtain.
  That doesn't mean advisories wouldn't exploit the web to obtain the data if they thought of it and had the means, but I seriously doubt this is a huge security issue in most cases...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
4. Re:Disappointment ... by AHuxley · 2018-01-29 12:15 · Score: 1
  
  Thats nice AC but with the fitness tracker you can start to build up a profile of US officers. Not just that a helicopter is been used.
  That officer, contractor can then be tracked around the world globally.
  People with no experience, new to the mil been used a lot? Decades of experience been sent out to a base/fort/camp?
  In the past someone would have to create a profile of the US command structure using local informants, spies, files and other methods.
  Now who does what exercise when can map out unexpected individuals.
  
  --
  Domestic spying is now "Benign Information Gathering"
5. Re:Disappointment ... by AHuxley · 2018-01-29 12:22 · Score: 1
  
  Not everyone is doing active duty like the troops. A lot of contractors, experts and support staff are now used and they like their gym time.
  Re "military isn't capable of making"
  The NSA and GCHQ hope interesting people now start to scan each and every US base to try and build up a profile of fitness trackers?
  A digital trap to flush out interesting people trying to map out US forces digitally and globally?
  A cyber trap to see who responds in what way to the fitness tracker story? All US mil sites are awash with interesting consumer data, try and detect it...
  
  --
  Domestic spying is now "Benign Information Gathering"
6. Re:Disappointment ... by AHuxley · 2018-01-29 12:29 · Score: 1
  
  Re "You go for a jog for the same reason you do your push-ups and sit-ups, it's just the daily routine to stay in shape."
  Look at what the average non special forces US mil person has to carry. All that water, food, weapons systems, batteries, communications. A lot of weight that needs a lot of strength and fitness in different climates and altitudes. To carry that amount of weight every mission, everyone has to keep fit and stay fit. A daily routine with some computer data per person would be supported by the need for people to be so fit and stay fit.
  
  --
  Domestic spying is now "Benign Information Gathering"
7. Re:Disappointment ... by AHuxley · 2018-01-29 12:33 · Score: 2
  
  The location of a base is kind of easy to find given the interesting locals would notice. Who is on base, for how long and what their past was, thats the question that global digital tracking of people can make more interesting. Who stays on base with the fitness. Why wonders off base? Who uses a local gym? Who can be befriend? Who then shows up in another part of the world?
  
  --
  Domestic spying is now "Benign Information Gathering"
ORDERS TO TROOPS: by kenwd0elq · 2018-01-29 09:42 · Score: 1

All military personnel must enable the "Privacy" mode on all portable electronic devices when out of CONUS. Because those privacy modes are disabled by default.
1. Re:ORDERS TO TROOPS: by sunderland56 · 2018-01-29 09:46 · Score: 1
  
  In this case, it is not the device itself - it is the web site.
  strava.com allows the user to mark every run/ride/swim/etc as public or private. You'd think that members of the military would be smart enough and tech savvy enough to mark their uploads as private; yet here we are. This isn't a technology problem, it's simple user error.
2. Re:ORDERS TO TROOPS: by guruevi · 2018-01-29 09:59 · Score: 1
  
  Given the amount of data, it seems like it defaults to "public-to-the-world" and not just "private to me (and my friends)" or "private" really means "we still collect and share your data, we'll just make sure it's anonymized". Who in their right mind would want to let the world know where they are regularly jogging, especially if you're away overseas in the military.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
3. Re:ORDERS TO TROOPS: by geekmux · 2018-01-29 10:45 · Score: 1
  
  All military personnel must enable the "Privacy" mode on all portable electronic devices when out of CONUS. Because those privacy modes are disabled by default.
  I'm gonna take a wild guess that you've never actually served in the Armed Forces. If you did, you would realize this would never work.
4. Re:ORDERS TO TROOPS: by arth1 · 2018-01-29 11:43 · Score: 1
  
  Given the amount of data, it seems like it defaults to "public-to-the-world" and not just "private to me (and my friends)"
  I can't say about Strava, but Polar defaults to everything being private, and you have to deliberately share data or make it public.
  Not that it should matter - if the options to make it private are there, we should expect anyone in secret locations to do so (or even better, don't log GPS coordinates at all). Why do we give them security clearance if they can't be bothered to take the simplest precautions?
5. Re:ORDERS TO TROOPS: by AHuxley · 2018-01-29 13:06 · Score: 1
  
  AC if the mil bans the new digital devices on base then troops wonder around off base talking to spies about how bad the conditions are.
  
  --
  Domestic spying is now "Benign Information Gathering"
6. Re:ORDERS TO TROOPS: by guruevi · 2018-01-30 05:01 · Score: 1
  
  The question is what does private really mean. Does it mean "we'll share it, it just doesn't have your personal details attached" or does it mean "it's completely shredded from our servers forever"
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
Easy policy by Anonymous Coward · 2018-01-29 09:47 · Score: 5, Insightful

No personal devices, done. 20 years ago they wouldn't have had cell phones, now they all do. If they are deployed, depending on where and what the mission is, they either get no contact with home or the internet, or they only get access to home and the internet via a shared workstation setup centrally located on the base. Anyone caught deploying with any sort of electronic device besides possibly an approved MP3 or DVD player should be subject to "other than honorable discharge". There is no reason for them to have them when deployed. You want to keep a secret you don't let people talk. Allowing people access to the internet will leak information 100% of the time.
1. Re:Easy policy by quantaman · 2018-01-29 10:37 · Score: 1
  
  No personal devices, done. 20 years ago they wouldn't have had cell phones, now they all do. If they are deployed, depending on where and what the mission is, they either get no contact with home or the internet, or they only get access to home and the internet via a shared workstation setup centrally located on the base. Anyone caught deploying with any sort of electronic device besides possibly an approved MP3 or DVD player should be subject to "other than honorable discharge". There is no reason for them to have them when deployed. You want to keep a secret you don't let people talk. Allowing people access to the internet will leak information 100% of the time.
  I think there's another side of this where keeping these people sane is a real issue. If you look at the Bowe Bergdahl case one thing that's clear is the kid made some extremely poor decisions, and a big reason seems to be he was socially isolated and more-or-less lost his mind. His reaction was clearly an outlier, but I have no doubt there's a lot of other bad decision making and discipline issues that come from a result of the psychological stress people are under.
  So take away their internet and Smartphones when absolutely necessary, but replace them with some other kind of distraction. Don't expect them to be perfect automatons who don't require recreation.
  
  --
  I stole this Sig
2. Re:Easy policy by DogDude · 2018-01-29 10:44 · Score: 2
  
  I think there's another side of this where keeping these people sane is a real issue.
  
  People who aren't "sane" without cell phones are not mentally healthy and shouldn't be part of the active military.
  
  --
  I don't respond to AC's.
3. Re:Easy policy by thegarbz · 2018-01-29 10:51 · Score: 1
  
  You want to keep a secret you don't let people talk.
  You're assuming that this is a secret, rather than large obvious forward outposts that were blown up figuratively by internet armchair doomsayers.
4. Re:Easy policy by Anonymous Coward · 2018-01-29 11:30 · Score: 1
  
  It's somewhat important that soldiers have comparable lives and capabilities that we have. Their alienation will result in all sorts atrocities. Letting soldiers feel and sense how we at home are, is an important aspect of forming and shaping their morality.
  Surely we can allow them to have similar connected capabilities while still being secure in their (general) coms?
  If not, then we made stupid technology indeed.
5. Re:Easy policy by AHuxley · 2018-01-29 12:50 · Score: 1
  
  A high wage for a contractor won't cover not having their comforts. The people with the skills needed for missions just expect to keep their digital lifestyle with them in the US mil at any location.
  They want their digital files, images, music, internet, digital fitness data. If the contractor is stopped from having that lifestyle they have hours to ponder the mission and their role. Instead of just enjoying digital entertainment, looking over their fitness data that person with skills then has free time to find a human friend to talk with.
  All around every US mil base a lot of very friendly people are waiting to listen, chat, talk, befriend and get to know anyone who wants/needs to talk.
  A lot of anthropology and human studies went into why people start sharing secrets and talking to strangers when they have jobs that should not be talked about.
  Wages and conditions have to be good and then humans are happy to keep secrets.
  The US and UK mil totally relaxed their digital device policy so their troops and contractors could enjoy good conditions and not be tempted to wonder around looking for random people to talk to about poor working conditions.
  Better to have the smart person with skills on base enjoying a digital movie than in a town talking with a new friend about all the bad rules and regulations and other topics.
  
  --
  Domestic spying is now "Benign Information Gathering"
6. Re:Easy policy by gurps_npc · 2018-01-29 13:00 · Score: 1
  
  Change to "No personal devices" but give them military issue for civilian use.
  Specifically, a cellphone with a location chip built by an american company,programmed by a company, to stop tracking GPS when you are on duty.
  
  --
  excitingthingstodo.blogspot.com
7. Re:Easy policy by darkwing_bmf · 2018-01-29 15:59 · Score: 1
  
  No personal devices, done.
  Nice try AC, but many of those fitbits were government issued, in a move to encourage more exercise.
  https://www.military.com/daily...
It's just metadata... by paulhar · 2018-01-29 09:50 · Score: 4, Insightful

Governments are keen to tell us that metadata doesn't need protecting etc.
Cake and eat it?
1. Re:It's just metadata... by 93+Escort+Wagon · 2018-01-29 10:11 · Score: 1
  
  Governments are keen to tell us that metadata doesn't need protecting etc.
  Cake and eat it?
  The government will want to protect the privacy of the metadata while providing easy access to the data by the government. ... but that won't be a back door, no sirree bob, since back doors are BAD. They don't want a back door - they just want a way to get at the data whenever they want.
  
  --
  #DeleteChrome
2. Re:It's just metadata... by KingMotley · 2018-01-29 11:30 · Score: 1
  
  Backdoors are bad for everyone. I recommend building a front door instead. Faster to get in and out too since you don't have to walk around the building.
Re:Blame democrat party. by somekind · 2018-01-29 09:52 · Score: 2

You forgot: Claim of liberal media of the Russian hackers in many social media is spread of total lies.
Even if the data were kept "private" by Strava by QuietLagoon · 2018-01-29 10:09 · Score: 3, Insightful

...Strava -- which includes an option for keeping users' workout data private...
The data are still on Strava's servers. Do those servers pass the military security requirements for protecting troop locations? What else does Strava do with the data?
1. Re:Even if the data were kept "private" by Strava by thegarbz · 2018-01-29 23:51 · Score: 1
  
  Is it at all relevant? So far I have seen little uproar over the incident which as done little more than light up bases that no one was putting any effort into hiding in the first place.
Don't send them the data!! by Anonymous Coward · 2018-01-29 10:19 · Score: 4, Insightful

strava.com allows the user to mark every run/ride/swim/etc as public or private. You'd think that members of the military would be smart enough and tech savvy enough to mark their uploads as private; yet here we are. This isn't a technology problem, it's simple user error.
Yes, it's user error, but .. WHAT. THE. FUCK. The diagnosis is so wrong that .. that .. I can't think of a stupid metaphor, and I'm usually pretty good at stupid metaphors.
Uploading sensitive information to a completely untrusted third party and then remembering to "mark it private" is like [oh good, I've still "got it" as long as a simile will suffice] sending plaintext email and being surprised that someone intercepted the plaintext because they weren't supposed to do that, shame on those naughty spies.
Strava owes jack shit to the military, and therefore, the military has no reason to trust Strava (either their intent, nor the security of their database even if Strava's intent is good.)
The correct thing to do is not send the data to third parties. It doesn't matter how you mark it, because even if you mark it private, you have still disclosed the sensitive information.
This shouldn't be a surprise to anyone, anyway. The most common sense way for these devices to work is to transmit the data to the user's own computer. But so much of today's IoT is made to lock people in services for recurring revenue, that they're made to send data to company servers (a.k.a. "the cloud") instead. Users are supposed to Just Say No with their wallets but discouragingly, people are still buying this type of obvious garbage that they know is garbage before the sale.
So yeah, I'd say user error. They shouldn't have bought the device, but they did. Then they allowed it to transmit their locations to third parties, which was a major major fuckup. Then ok, cherry on top, they didn't mark it private. But it was already a shocking display of stupidity long before that point.
I really dislike this idea that the user is supposed to use some privacy setting to tell Strava "this is military data, so I humbly request that you please not share it with the enemy." So fucking wrong. Don't give the data to Strava in the first place.
1. Re:Don't send them the data!! by sunderland56 · 2018-01-29 12:37 · Score: 1
  
  Uploading sensitive information to a completely untrusted third party and then remembering to "mark it private"
  
  Strava has a global preference setting to mark all future uploads as private by default. Set it once, all future activity is private. No need to remember each time.
Surveillance of the Fittest by Mister+Liberty · 2018-01-29 10:51 · Score: 1

Oh and by the way -- don't Russians run?
1. Re:Surveillance of the Fittest by CanadianMacFan · 2018-01-29 12:13 · Score: 1
  
  Maybe they are smarter and don't bring their devices on deployment to missions requiring secret clearance.
2. Re:Surveillance of the Fittest by AHuxley · 2018-01-29 13:09 · Score: 1
  
  Russians know what happen the last time they let random Western consumer devices on their bases.
  Russian spies deep in the US/UK gov/mil saw much more new and different data was been gather about all kinds of sites all over Russia.
  No more consumer spies on base, in the sub.
  
  --
  Domestic spying is now "Benign Information Gathering"
Strava or it didn't happen. by ByTor-2112 · 2018-01-29 12:16 · Score: 1

n/t
Re:In other news... by AHuxley · 2018-01-29 12:57 · Score: 2

Re "There is suspicion that US Navy ships have been running into civilian ships because their navigation is different than the other ships."
Thats due to not having the crew up to standard 24/7 while on duty. Just put more effort into finding people with the skills to learn who are not distracted.
Technology has got better. Take time to educate and test the crew before letting them do "navigation".

--
Domestic spying is now "Benign Information Gathering"
Re:In other news... by AHuxley · 2018-01-29 13:03 · Score: 1

Re "I don't know if these limits exist in more current devices as people simply stopped talking about them."
Fake mobile phone masts spy on your calls
http://www.telegraph.co.uk/new...
Lots of digital news is around AC. Lots of data to collect from different consumer devices wondering around.

--
Domestic spying is now "Benign Information Gathering"
Easy fix by OppMan29 · 2018-01-29 14:00 · Score: 1

Create a law were companies can not share data --- fixed
Re:In other news... by grim4593 · 2018-01-29 14:01 · Score: 1

GPS does work in an airplane, I've used it on a commercial airliner. Speed, location, and direction were correct but I didn't check altitude.
Mind= blown. by Anonymous Coward · 2018-01-29 15:46 · Score: 1

And here I GENUINELY thought when soldiers were sent to "off the map" places they had to leave all that stuff at the main base in the US where they left from. I thought it was something like prison. It makes no logical sense to use a mobile device at these bases that are supposed to be hidden. If I check my phones location history it will tell me exactly where I was, how long I was there and what other places I might visit next time in the area once it gets a data connection. Hell even logging on to something like facebook or google will geo-track you.
I thought they were only allowed to use the computers on base because they encrypted the internet data or something to prevent geo-tracking. It is the military, they are capable of at least that aren't they?
My understanding was you sign up for a free ride with the military (paid school, salary, housing, etc.) in exchange for giving your dedication AKA you are going to an "open prison" its just run by the military because they aren't giving free handouts.
Re:In other news... by grim4593 · 2018-01-30 13:41 · Score: 1

I used my cell phone with the CoPilot GPS app.
GPS isn't the problem. by DeVilla · 2018-01-30 16:11 · Score: 1

If I understand correctly, there's nothing wrong. It's IOT devices that send everything to a remote that isn't under the user's control.