Military personnel around the world have been publicly sharing their exercise routes online – including those inside or near military bases.
Online fitness tracker Strava has published a “heatmap” showing the paths its users log as they run or cycle.
It appears to show the structure of foreign military bases in countries like Syria and Afghanistan, as soldiers move around inside.
The US military is examining the heatmap, a spokesman said.
Air Force Colonel John Thomas, a spokesman for US Central Command, told the Washington Post that the US military was reviewing the implications.
Strava said it had excluded activities marked as private from the map.
Users who record their exercise data on Strava have the option of making their movements public or private. Private data, the company said, has never been included.
The appearance of military bases on the heatmap suggests that large numbers of military personnel across the globe have been publicly sharing their location data.
The latest version of the map was released in November 2017, but the implications for service personnel were only raised over the weekend.
Nathan Ruser, an Australian university student who first highlighted the issue, said he came across the map while browsing a cartography blog last week.
“I just looked at it and thought, ‘oh hell, this should not be here – this is not good,’” he told the BBC.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
The location of military bases is generally well-known, both from local knowledge and pre-existing satellite imaging tools like Google Earth.
Concerns about Strava’s heatmap instead centre mainly on the fact that it displays the level of activity – shown as more intense light – and the movement of personnel inside the walls.
It also appears that location data has been tracked in the area outside bases – which may show commonly-used exercise routes or patrolled roads.
Mr Ruser, 20, said he was shocked by how much detail he could see. “You can establish a pattern of life,” he said.
Big OPSEC and PERSEC fail. Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence. https://t.co/22h1Io6rpv
— Nick Waters (@N_Waters89) January 27, 2018
The app is far more popular in the West than elsewhere – which means foreign military bases stand out as isolated “hotspots” in the Middle East.
Other easily identifiable bases include those used by the US in Syria and Iraq, an RAF base in the Falklands, and one used by French forces in Niger.
In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable colouring for Iranian bases.
— Tobias Schneider (@tobiaschneider) January 27, 2018
Millions of users track their location data with Strava while exercising, often using a fitness tracker worn on the wrist or a smartphone to automatically upload their location as they jog or cycle.
In an engineering blog post from November, Strava said the newest version of the map was built from one billion activities – some three trillion points of data, covering 27 billion km (17bn miles) of distance run, jogged, or swum.
If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2
— Nathan Ruser (@Nrg8000) January 27, 2018
Strava released a brief statement highlighting that the data used had been anonymised, and “excludes activities that have been marked as private and user-defined privacy zones.”
“We are committed to helping people better understand our settings to give them control over what they share,” it said.
The settings available in Strava’s app also allow users to explicitly opt out of data collection for the heatmap – even for activities not marked as private – or to set up “privacy zones” in certain locations.
However, there are now concerns about the security of the collected data, and the possibility that it could identify individual users.
Okay here is where things get problematic: Via Strava, using pre-set segments we can scrape location specific user data from basically public profiles (and yes those exist w/in bases and lead us straight to social media profile of service members). https://t.co/VDNBGcKvIY
— Tobias Schneider (@tobiaschneider) January 29, 2018
Mr Ruser, who is studying international security at the Australian National University, said anyone could have spotted the information.
“I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed,” he said.
“Someone would have noticed it at some point. I just happened to be the person who made the connection.”