Fitness Tracker Data Exposes Military Operations, Shows What Damage That Can Be Done With 'Just Metadata'

(Mis)Uses of Technology

from the aggregated-damage,-individual-harms dept

Last November, Strava Labs released its “global heatmap” — a stockpile of data created by millions of health-conscious people worldwide. Strava Labs is the GPS brain many fitness trackers rely on, allowing devices to record billions of steps recorded by millions of users. The company pulls data from big players like FitBit and Jawbone, as well as having its own fitness-tracking app. Here’s what Strava Labs handed over to the general public:

1 billion activities

3 trillion latitude/longitude points

13 trillion pixels rasterized

10 terabytes of raw input data

A total distance of 27 billion km (17 billion miles)

A total recorded activity duration of 200 thousand years

5% of all land on Earth covered by tiles

Here’s what Strava’s activity data looks like transposed on a map.

All this metadata — anonymized GPS points — builds up quite a record of human movement. On top of tracking favorite jogging routes, the data is detailed enough to indicate where frequent exercisers live and work. This has been a problem for a few years now.

Two years before this data was published, Strava announced a new feature which allowed users to turn solo workouts into ad hoc competitions.

The new Strava Flyby feature enables users to see who they passed on runs and rides. Although this raises data protection concerns, and users should be aware of the change, it serves to connect the wider running and biking communities in an innovative way.

Andy Robertson covered this for Forbes in May of 2015. The Flyby feature connects users by providing them links to public profile pages of other users they’d “passed” during a run. The feature may not give users each other’s addresses, but users can assume their “competitors” work or live close by.

Strava does allow users to geofence “private” areas to prevent tracking in those areas. But it’s not a default option. If you don’t want to share every movement with Strava, you have to opt out. Most users don’t. And most users are seemingly unaware of how much data they’re leaving behind.

This “metadata” — something our government refers to as harmless when gathered in bulk — can result in real-world security issues. Conflict analyst Nathan Ruser was the first to point out how Strava’s data was making it easy for people to pinpoint military bases and operations.

Even though many of these bases can be viewed via Google Maps or other satellite imagery, those static images don’t contain a wealth of information on people’s movement in or near those bases. Movement info collected near foreign military bases, especially those located in war zones, creates even bigger problems. What may look like a jogging path to Strava’s database might actually be patrol routes or reconnaissance missions.

Strava’s data even provides info on human movements in places redacted from published satellite imagery.

This has prompted a response from US government agencies.

The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations.

[…]

“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” said the statement, which was issued in response to questions from the Washington Post.

“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” it added.

Somewhat ironically, the Pentagon handed out fitness trackers to military personnel as part of a program to fight obesity. One the plus side, they appear to be heavily-used. On the downside, they’re turned on and generating records of movement in areas the Pentagon would prefer civilians knew nothing about.

This again illustrates the threat posed by massive metadata collections. Those supporting surveillance methods like these claim data in bulk doesn’t violate anyone’s privacy. But the Strava data reveals a lot about fitness tracker users, even without releasing personally-identifiable info. In addition, fitness trackers are generating billions of third-party records that provide far more detailed records of movements than cell tower pings can. Even if the Supreme Court decides access to historical cell site location info requires a warrant, this tracking — which allows for opt-out — will have to be litigated as its own issue. Fitness devices may not be as ubiquitous as cellphones, but they are far from just a curiosity possessed by early adopters.

The lesson here isn’t the surprising amount of data fitness trackers generate. It’s the surprising amount of data every person generates during their day-to-day lives — all flowing to multiple companies and almost all of it no more than a subpoena away from ending up in the government’s hands.

Filed Under: fitness tracking, location data, metadata, military bases, national security
Companies: strava