Strava is a popular fitness route-tracker focused on sharing the maps of your workouts with others; last November, the company released an "anonymized" data-set of over 3 trillion GPS points, and over the weekend, Institute for United Conflict Analysts co-founder Nathan Ruser started a Twitter thread pointing out the sensitive locations and details revealed by the release.
Because Strava is used by military personnel — including pilots, who appear to leave it running while they are flying on military missions — the data shows the locations of military bases (including some that were heretofore secret) around the world. The data reveal the individual routes run by military personnel overseas, and isolate individual routes between sparsely located houses.
There is probably more to be found in the data. A time-series would reveal still more.
It's an excellent cautionary tale about the risks of re-identification attacks. It would be really, genuinely useful and beneficial if there was a way to de-identify large data-sets and make them available for study, innovative new uses, and scientific research, but wanting it badly is not enough. Regrettably, there's plenty of policy that starts from the principle that we need de-identified data and the proceeds to say, "Once your data has been de-identified to the standard of industry best practices, you can do whatever you want with it." This faith-based policy-making creates an industry-sized loophole in the otherwise excellent and comprehensive European General Data Protection Regulation.
It's important to keep stories like this in mind when we have these policy discussions that assume that there is such a thing as de-identification.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
Not just US bases. Here is a Turkish patrol N of Manbij pic.twitter.com/1aiJVHSMZp
— Nathan Ruser (@Nrg8000) January 27, 2018
You can see the Russian operating area in Khmeimim, but also the guard patrol to the NE. pic.twitter.com/iWiX5Kozc1
— Nathan Ruser (@Nrg8000) January 27, 2018
If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2
— Nathan Ruser (@Nrg8000) January 27, 2018
You can see individuals that are using Strava by zooming it to houses that have a short line. Strava gives the ability to set up privacy zones, but it's not on by default. pic.twitter.com/azqZFXiVQZ
— Brian (@BrianHaugli) January 28, 2018
It would appear aircrew wear/carry strava devices whilst flying. pic.twitter.com/zxyggqFzu3
— Dan (@Intrepid_Sailor) January 27, 2018
At the border between Rwanda & Uganda & DR Congo (in Africa)
what does this screenshot tells us @Nrg8000? pic.twitter.com/U4zjOelvca— KAMANZI Vénuste (@VenusteKAMANZI) January 29, 2018
Also shows RAAF bases & patrolled areas… Crap… pic.twitter.com/7UpOrDh5mk
— TechieTiger ?? (@Techie_Tiger) January 29, 2018
It's fascinating, that there are also gps points in the #Antarctic . Is there a hidden base? ? pic.twitter.com/9UNUGJKeEy
— Herr W aus B (@_hwab_) January 29, 2018
Fitness tracking app Strava gives away location of secret US army bases | Technology [Alex Hern/The Guardian]
