Slashdot Mirror


Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations (npr.org)

An anonymous reader quotes a report from NPR: Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers -- experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava -- which includes an option for keeping users' workout data private -- published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. Using data from fitness trackers such as the Fitbit, Strava's map shows millions of users' runs, walks, and bike trips from 2015 to September of 2017 -- and in some countries, the activities of military and aid personnel are seen in stark contrast, as their outposts shine brightly among the comparative darkness of their surroundings.

12 of 83 comments

  1. If you wear a tracking GPS... by xxxJonBoyxxx · · Score: 5, Insightful

    If you wear a tracking GPS...it might track where you are. Film at 11.

    Just tell our soldiers and sailors that their comrade/shipmate's activities may conjure some inbound and the "new guy with the pretty watch" problem should take care of itself.

    1. Re:If you wear a tracking GPS... by hambone142 · · Score: 3, Insightful

      Yup. It's kinda lame that the armed forces don't have enough foresight to predict that carrying devices that transmit location and logging in to websites that produce the same information might just reveal a person's location.

      It seems we've gotten a case of the "stupids" lately.

    2. Re:If you wear a tracking GPS... by rtb61 · · Score: 2

      More sensibly, it is kind of stupid for any military to allow their personnel into the field with a non-military mobile phone with a specific range of set apps and fully encoded data transmissions. Don't let the military deploy with their personal phones; gather them up and replace them with durable military issue units and take out naughty apps and install military apps.

      --
      Chaos - everything, everywhere, everywhen
  2. Cloud data increases the risk by WillAffleckUW · · Score: 2

    Even the external "secure" provision of cloud services itself allows predictive location of military and intel assets. Just the traffic flow itself allows you to pinpoint this, even if it's time-delay GPS data from "I turned my cell/smartphone/fitbit/watch off, sergeant!" health data.

    We can back extrapolate locations and pinpoint internal corridors and access points - for example, knowing people stop at a door for x minutes/seconds tells us what the security protocol is for the access point, and knowing the elevation information from other ping services drops except at stairwells tells us what is and what is not secure within the installation.

    --
    -- Tigger warning: This post may contain tiggers! --
  3. Easy policy by Anonymous Coward · · Score: 5, Insightful

    No personal devices, done. 20 years ago they wouldn't have had cell phones, now they all do. If they are deployed, depending on where and what the mission is, they either get no contact with home or the internet, or they only get access to home and the internet via a shared workstation setup centrally located on the base. Anyone caught deploying with any sort of electronic device besides possibly an approved MP3 or DVD player should be subject to "other than honorable discharge". There is no reason for them to have them when deployed. You want to keep a secret you don't let people talk. Allowing people access to the internet will leak information 100% of the time.

    1. Re:Easy policy by DogDude · · Score: 2

      I think there's another side of this where keeping these people sane is a real issue.

      People who aren't "sane" without cell phones are not mentally healthy and shouldn't be part of the active military.

      --
      I don't respond to AC's.
  4. It's just metadata... by paulhar · · Score: 4, Insightful

    Governments are keen to tell us that metadata doesn't need protecting etc.
    Cake and eat it?

  5. Re:Blame democrat party. by somekind · · Score: 2

    You forgot: Claim of liberal media of the Russian hackers in many social media is spread of total lies.

  6. Even if the data were kept "private" by Strava by QuietLagoon · · Score: 3, Insightful

    ...Strava -- which includes an option for keeping users' workout data private...

    The data are still on Strava's servers. Do those servers pass the military security requirements for protecting troop locations? What else does Strava do with the data?

  7. Don't send them the data!! by Anonymous Coward · · Score: 4, Insightful

    strava.com allows the user to mark every run/ride/swim/etc as public or private. You'd think that members of the military would be smart enough and tech savvy enough to mark their uploads as private; yet here we are. This isn't a technology problem, it's simple user error.

    Yes, it's user error, but .. WHAT. THE. FUCK. The diagnosis is so wrong that .. that .. I can't think of a stupid metaphor, and I'm usually pretty good at stupid metaphors.

    Uploading sensitive information to a completely untrusted third party and then remembering to "mark it private" is like [oh good, I've still "got it" as long as a simile will suffice] sending plaintext email and being surprised that someone intercepted the plaintext because they weren't supposed to do that, shame on those naughty spies.

    Strava owes jack shit to the military, and therefore, the military has no reason to trust Strava (either their intent or the security of their database even if Strava's intent is good).

    The correct thing to do is not send the data to third parties. It doesn't matter how you mark it, because even if you mark it private, you have still disclosed the sensitive information.

    This shouldn't be a surprise to anyone, anyway. The most common sense way for these devices to work is to transmit the data to the user's own computer. But so much of today's IoT is made to lock people in services for recurring revenue, that they're made to send data to company servers (a.k.a. "the cloud") instead. Users are supposed to Just Say No with their wallets but discouragingly, people are still buying this type of obvious garbage that they know is garbage before the sale.

    So yeah, I'd say user error. They shouldn't have bought the device, but they did. Then they allowed it to transmit their locations to third parties, which was a major major fuckup. Then ok, cherry on top, they didn't mark it private. But it was already a shocking display of stupidity long before that point.

    I really dislike this idea that the user is supposed to use some privacy setting to tell Strava "this is military data, so I humbly request that you please not share it with the enemy." So fucking wrong. Don't give the data to Strava in the first place.

  8. Re:Disappointment ... by AHuxley · · Score: 2

    The location of a base is kind of easy to find given the interesting locals would notice. Who is on base, for how long and what their past was, that's the question that global digital tracking of people can make more interesting. Who stays on base with the fitness? Who wanders off base? Who uses a local gym? Who can be befriended? Who then shows up in another part of the world?

    --
    Domestic spying is now "Benign Information Gathering"
  9. Re:In other news... by AHuxley · · Score: 2

    Re "There is suspicion that US Navy ships have been running into civilian ships because their navigation is different than the other ships."
    That's due to not having the crew up to standard 24/7 while on duty. Just put more effort into finding people with the skills to learn who are not distracted.
    Technology has got better. Take time to educate and test the crew before letting them do "navigation".

    --
    Domestic spying is now "Benign Information Gathering"