Fitness Tracker Data Exposes Military Operations, Shows What Damage That Can Be Done With 'Just Metadata'

from the aggregated-damage,-individual-harms dept

Last November, Strava Labs released its "global heatmap" -- a stockpile of data created by millions of health-conscious people worldwide. Strava Labs is the GPS brain many fitness trackers rely on, allowing devices to record billions of steps recorded by millions of users. The company pulls data from big players like FitBit and Jawbone, as well as having its own fitness-tracking app. Here's what Strava Labs handed over to the general public:

1 billion activities

3 trillion latitude/longitude points

13 trillion pixels rasterized

10 terabytes of raw input data

A total distance of 27 billion km (17 billion miles)

A total recorded activity duration of 200 thousand years

5% of all land on Earth covered by tiles

Here's what Strava's activity data looks like transposed on a map.

All this metadata -- anonymized GPS points -- builds up quite a record of human movement. On top of tracking favorite jogging routes, the data is detailed enough to indicate where frequent exercisers live and work. This has been a problem for a few years now.

Two years before this data was published, Strava announced a new feature which allowed users to turn solo workouts into ad hoc competitions.

The new Strava Flyby feature enables users to see who they passed on runs and rides. Although this raises data protection concerns, and users should be aware of the change, it serves to connect the wider running and biking communities in an innovative way.

Andy Robertson covered this for Forbes in May of 2015. The Flyby feature connects users by providing them links to public profile pages of other users they'd "passed" during a run. The feature may not give users each other's addresses, but users can assume their "competitors" work or live close by.

Strava does allow users to geofence "private" areas to prevent tracking in those areas. But it's not a default option. If you don't want to share every movement with Strava, you have to opt out. Most users don't. And most users are seemingly unaware of how much data they're leaving behind.

This "metadata" -- something our government refers to as harmless when gathered in bulk -- can result in real-world security issues. Conflict analyst Nathan Ruser was the first to point out how Strava's data was making it easy for people to pinpoint military bases and operations.

Even though many of these bases can be viewed via Google Maps or other satellite imagery, those static images don't contain a wealth of information on people's movement in or near those bases. Movement info collected near foreign military bases, especially those located in war zones, creates even bigger problems. What may look like a jogging path to Strava's database might actually be patrol routes or reconnaissance missions.

Strava's data even provides info on human movements in places redacted from published satellite imagery.

This has prompted a response from US government agencies.

The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations.

[...]

“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” said the statement, which was issued in response to questions from the Washington Post.

“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” it added.

Somewhat ironically, the Pentagon handed out fitness trackers to military personnel as part of a program to fight obesity. One the plus side, they appear to be heavily-used. On the downside, they're turned on and generating records of movement in areas the Pentagon would prefer civilians knew nothing about.

This again illustrates the threat posed by massive metadata collections. Those supporting surveillance methods like these claim data in bulk doesn't violate anyone's privacy. But the Strava data reveals a lot about fitness tracker users, even without releasing personally-identifiable info. In addition, fitness trackers are generating billions of third-party records that provide far more detailed records of movements than cell tower pings can. Even if the Supreme Court decides access to historical cell site location info requires a warrant, this tracking -- which allows for opt-out -- will have to be litigated as its own issue. Fitness devices may not be as ubiquitous as cellphones, but they are far from just a curiosity possessed by early adopters.

The lesson here isn't the surprising amount of data fitness trackers generate. It's the surprising amount of data every person generates during their day-to-day lives -- all flowing to multiple companies and almost all of it no more than a subpoena away from ending up in the government's hands.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fitness tracking, location data, metadata, military bases, national security
Companies: strava


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 29 Jan 2018 @ 12:01pm

    All that's going to happen is the military will ban or "issue guidance" on using fitness trackers in and around military and civilian contractors under its authority.

    The government will still demand access to any 'metadata' they can get their grimy claws on, and may very well get enhanced powers of surveillance to open up even more of this kind of collection. If the FBI had its way, J Edgar would be a saint.

    link to this | view in thread ]

  2. icon
    Roger Strong (profile), 29 Jan 2018 @ 12:17pm

    Strava's data even provides info on human movements in places redacted from published satellite imagery.

    Area 51 aka Groom Lake has pretty good satellite imagery - mapped onto 3D terrain - published via Google Earth.

    What it doesn't have is the 3D buildings - created with LIDAR and aerial photography from four different directions - that you see in cities and popular tourist spots on Google Earth. And no StreetView.

    link to this | view in thread ]

  3. icon
    Roger Strong (profile), 29 Jan 2018 @ 12:24pm

    Re:

    All that's going to happen is the military will ban or "issue guidance" on using fitness trackers in and around military and civilian contractors under its authority.

    Well. Until someone uses the metadata to link the bases to nearby red light districts. THEN you'll see a knee-jerk reaction.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 29 Jan 2018 @ 12:30pm

    Re: Re:

    No one wants to see that type of jerking action

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 29 Jan 2018 @ 12:31pm

    Re:

    I think someone also mentioned that unfortunately there doesn't seem to be data coming from north Korea's nuclear facilities.

    link to this | view in thread ]

  6. icon
    Roger Strong (profile), 29 Jan 2018 @ 12:42pm

    Re: Re: Re:

    There were so many things I could have added to that post but didn't.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 29 Jan 2018 @ 12:47pm

    HA! This confirms my neighbor has been stealing our dog food! Straight line across the field to her front door! BITCH!

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 29 Jan 2018 @ 1:08pm

    The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations.

    Does that mean there wasn't a strict rule set on outside technology already? I've worked at burger joints with better security protocols than these military bases.

    link to this | view in thread ]

  9. icon
    ECA (profile), 29 Jan 2018 @ 1:22pm

    Re:

    fOR A FEW THAT DONT SEE THE PROBLEM..

    Fitbit and others connect to your CELLPHONES, and then the data is sent from there..

    A bit of thinking and you could Pick up any person you wanted..

    Then there is the idea that DOES THIS DEVICE TURN OFF??
    Track your car??

    TO MUCH TECH!!

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 29 Jan 2018 @ 1:24pm

    Re: Re:

    Have you seen Kim Jong-Un? I doubt he jogs much.
    And the rest of the population is on a strict healthy diet, so they don't need it either.

    link to this | view in thread ]

  11. icon
    Roger Strong (profile), 29 Jan 2018 @ 1:34pm

    Re:

    Imagine the guidelines they'd be quickly revising today if Google Glass had taken off.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 29 Jan 2018 @ 1:42pm

    Re:

    So the collar is tied to their dog?

    :p

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 29 Jan 2018 @ 1:54pm

    Re: Re: Re:

    I doubt their diet is all that healthy

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 29 Jan 2018 @ 1:58pm

    Re: J Edgar's canonization

    St. Edie of the All-Invasive Omniscience

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 29 Jan 2018 @ 2:03pm

    Re: Re:

    How about metadata on places where many people go, and then each turns off their fitness tracker? That could be interesting, because apart from "high-security" installations, where would you ever see more than 10 people who always turn off their trackers when crossing the line?

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 29 Jan 2018 @ 2:06pm

    Re:

    Does that mean there wasn't a strict rule set on outside technology already?

    As a thought experiment, what if Strava hadn't released this data publically? They'd still have all of it, and the military wouldn't have revised those guidelines. If banks and Bitcoin exchanges can be hacked, there's no reason to think Strava would be the only one with the data (assuming they don't sell it outright).

    link to this | view in thread ]

  17. icon
    That Anonymous Coward (profile), 29 Jan 2018 @ 2:57pm

    From the government who is sure tech can make good guy only breakable encryption we bring you OPSEC fail!!!!
    Perhaps they should focus on themselves before demanding the world conform to their dreams.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 29 Jan 2018 @ 3:43pm

    Re: Re:

    Fitbit and others connect to your CELLPHONES, and then the data is sent from there..

    I hate to tell you this, but cellphones also track you. So fitbit and other devices aren't necessary for tracking.

    What is more interesting are the places where the devices aren't tracking (as they are removed or forced off.)

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 29 Jan 2018 @ 5:02pm

    Whit I can not understand is why anyone would buy any device that tracks them in any format but then again too old to understand anything past vacuum tubes.

    link to this | view in thread ]

  20. icon
    JoeCool (profile), 29 Jan 2018 @ 5:35pm

    Re: Re: Re: Re:

    Yeah, more like starvation level rations.

    link to this | view in thread ]

  21. icon
    JoeCool (profile), 29 Jan 2018 @ 5:40pm

    Re:

    Actually, it's great for actual joggers. Not only do you get your stats on how far you went and such, but it could possibly save your life if you were attacked or had a health problem while jogging. For everyone else, it's just yet another way for Big Brother to watch your every move.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 29 Jan 2018 @ 7:02pm

    "But metadata doesn't matter. Nobody should care if the NSA vacuums it all up!" screamed MyNameHere, stamping his feet. "I bet you're not that interesting to get noticed anyway! You should be honored!"

    link to this | view in thread ]

  23. icon
    Narcissus (profile), 29 Jan 2018 @ 11:28pm

    At this point I'm just very surprised they didn't immediately arrest Adam Rawnsley as the one who exposed sensitive information.

    link to this | view in thread ]

  24. identicon
    Christenson, 29 Jan 2018 @ 11:31pm

    Geeze, can't you guys even make this stuff *hard*?

    That is, can't you even make breaking opsec hard? lol

    Between this and meltdown/spectre, it's clear we need some fundamental rethink about how to get computers to encapsulate information.

    In particular, let's look at the secret installation problem....if i know X is a secret installation (as with Taiwan's mobile missile launcher site), and I track all the phones that visit that site, and chain to wherever else those phones go, or don't go....

    link to this | view in thread ]

  25. icon
    PaulT (profile), 30 Jan 2018 @ 3:09am

    Re: Re: Re:

    Yeah, that was my first thought - if you're that paranoid about Fitbits tracking data, why do you have a phone that can be used to track you better in the first place? In fact, given that many such devices don't have built in GPSes and depend on a phone connection to give accurate reporting and/or sync with a remote server, having a Fitbit and not a phone is probably far safer for you than having a phone but no Fitbit.

    ECA sometimes brings up good points, but his ranting and random capitalisation undermines them almost as much as his insisting on going to illogical extremes every time. He's not a troll, but I tune him out for those reasons most of the time.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.