Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations (npr.org)
An anonymous reader quotes a report from NPR: Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers -- experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava -- which includes an option for keeping users' workout data private -- published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. Using data from fitness trackers such as the Fitbit, Strava's map shows millions of users' runs, walks, and bike trips from 2015 to September of 2017 -- and in some countries, the activities of military and aid personnel are seen in stark contrast, as their outposts shine brightly among the comparative darkness of their surroundings.
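The mechanism the report describes, aggregate activity standing out against an otherwise empty area, is worth seeing concretely. The following is an added example, not code from NPR, Strava or the Pentagon: it bins constructed GPS fixes into a coarse grid the way a public heat map does, shows that a single dense cell marks a site even though no user identities are involved, and then applies a device-side privacy-zone filter that drops fixes near a configured sensitive location before anything is uploaded. The site coordinates, the 500 m radius, the grid size and the track data are all constructed for the demo and are placed in open ocean.

```python
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def exposure_by_cell(points, cell_deg=0.01):
    """Bin (lat, lon) points into a grid of cell_deg degrees (about 1.1 km at the
    equator), the kind of anonymised aggregation a public heat map publishes.
    No user ids are involved, yet a dense cell in an empty region marks a site."""
    counts = Counter()
    for lat, lon in points:
        counts[(math.floor(lat / cell_deg), math.floor(lon / cell_deg))] += 1
    return counts


def hot_cells(points, cell_deg=0.01, min_count=20):
    """Cells whose activity count would stand out against their surroundings."""
    return {c: n for c, n in exposure_by_cell(points, cell_deg).items() if n >= min_count}


def strip_privacy_zones(points, zones):
    """Drop every point within radius_m of any (lat, lon, radius_m) zone.
    Meant to run on the device before upload: what never leaves the device
    cannot end up in anyone's aggregate."""
    return [
        (lat, lon)
        for lat, lon in points
        if all(haversine_m(lat, lon, zlat, zlon) > r for zlat, zlon, r in zones)
    ]


def make_loop_track(center_lat, center_lon, radius_m, n_points):
    """Constructed circular jogging/patrol loop around a centre point."""
    m_per_deg_lat = 111_320
    m_per_deg_lon = 111_320 * math.cos(math.radians(center_lat))
    pts = []
    for i in range(n_points):
        theta = 2 * math.pi * i / n_points
        pts.append((center_lat + radius_m * math.cos(theta) / m_per_deg_lat,
                    center_lon + radius_m * math.sin(theta) / m_per_deg_lon))
    return pts


# --- constructed sample data: a hypothetical outpost in the mid-Atlantic ---
SITE = (10.005, -40.005)                       # hypothetical site centre
PRIVACY_ZONES = [(SITE[0], SITE[1], 500)]      # 500 m no-upload radius (assumed policy)
LOOP = make_loop_track(SITE[0], SITE[1], 300, 120)   # 120 fixes around a 300 m loop
BACKGROUND = [(10.3, -39.8), (9.7, -40.2), (10.6, -39.5), (9.9, -39.1), (10.2, -40.6)]
SAMPLE_POINTS = LOOP + BACKGROUND


def main():
    print("hot cells before filtering:", hot_cells(SAMPLE_POINTS))
    kept = strip_privacy_zones(SAMPLE_POINTS, PRIVACY_ZONES)
    print(f"points kept after privacy-zone filter: {len(kept)} of {len(SAMPLE_POINTS)}")
    print("hot cells after filtering:", hot_cells(kept))


if __name__ == "__main__":
    main()
```

The point of the two halves is that they operate at different places: the grid check is what a reviewer can run over an export to see what an aggregate would reveal, while the zone filter is the only control that works regardless of what the receiving service does with its privacy settings, because the fixes near the site are never transmitted at all.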
If you wear a tracking GPS...it might track where you are. Film at 11.
Just tell our soldiers and sailors that their comrade/shipmate's activities may conjure some inbound and the "new guy with the pretty watch" problem should take care of itself.
No personal devices, done. 20 years ago they wouldn't have had cell phones, now they all do. If they are deployed, depending on where and what the mission is, they either get no contact with home or the internet, or they only get access to home and the internet via a shared workstation setup centrally located on the base. Anyone caught deploying with any sort of electronic device besides possibly an approved MP3 or DVD player should be subject to "other than honorable discharge". There is no reason for them to have them when deployed. You want to keep a secret you don't let people talk. Allowing people access to the internet will leak information 100% of the time.
Governments are keen to tell us that metadata doesn't need protecting etc.
Cake and eat it?
...Strava -- which includes an option for keeping users' workout data private...
The data are still on Strava's servers. Do those servers pass the military security requirements for protecting troop locations? What else does Strava do with the data?
Yes, it's user error, but .. WHAT. THE. FUCK. The diagnosis is so wrong that .. that .. I can't think of a stupid metaphor, and I'm usually pretty good at stupid metaphors.
Uploading sensitive information to a completely untrusted third party and then remembering to "mark it private" is like [oh good, I've still "got it" as long as a simile will suffice] sending plaintext email and being surprised that someone intercepted the plaintext because they weren't supposed to do that, shame on those naughty spies.
Strava owes jack shit to the military, and therefore, the military has no reason to trust Strava (neither their intent, nor the security of their database even if Strava's intent is good.)
The correct thing to do is not send the data to third parties. It doesn't matter how you mark it, because even if you mark it private, you have still disclosed the sensitive information.
This shouldn't be a surprise to anyone, anyway. The most common sense way for these devices to work is to transmit the data to the user's own computer. But so much of today's IoT is made to lock people in services for recurring revenue, that they're made to send data to company servers (a.k.a. "the cloud") instead. Users are supposed to Just Say No with their wallets but discouragingly, people are still buying this type of obvious garbage that they know is garbage before the sale.
So yeah, I'd say user error. They shouldn't have bought the device, but they did. Then they allowed it to transmit their locations to third parties, which was a major major fuckup. Then ok, cherry on top, they didn't mark it private. But it was already a shocking display of stupidity long before that point.
I really dislike this idea that the user is supposed to use some privacy setting to tell Strava "this is military data, so I humbly request that you please not share it with the enemy." So fucking wrong. Don't give the data to Strava in the first place.