When location-based fitness app Strava introduced its updated global heatmap back in November, everyone thought it looked pretty cool. The feature mapped the data broadcast by users and laid it out for all to see, giving everyone a visual of the places around the world where the app was being used the most.
Sounds like a pretty neat idea, right? Well, yeah, until you realise that quite a large chunk of Strava's users are military personnel working at sensitive locations.
The potential problem was exposed by researchers and journalists who cross-referenced areas of high activity on the heatmap with the locations of known US military bases and guess what. They matched up.
The seemingly innocuous app was sharing the locations and even names of military personnel - something that could have some pretty scary implications in the wrong hands.
The danger comes from potential enemies figuring out users' 'patterns of life', by tracking and even identifying military personnel as they go about their duties.
On Saturday afternoon, Nathan Ruser, a student studying international security at the Australian National University, began posting his findings to social media.
"Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option)," he wrote on Twitter. "It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable."
In a series of images, Ruser pointed out Strava user activities potentially related to US military forward operating bases in Afghanistan, Turkish military patrols in Syria, and a possible guard patrol in the Russian operating area of Syria.
It was no time at all before other researchers followed suit, managing to identify a French military base in Niger, an Italian military base in Djibouti, and even CIA 'black' sites, using the data put out by Strava.
While it is true that many of the bases identified by journalists and researchers had already been revealed through publicly available sources, the real worry is that the information could be used to track 'interesting individuals' and follow them to potentially sensitive locations.
For example, Paul Dietrich, a researcher and activist, claimed to have used public data scraped from Strava's website to track a French soldier from overseas deployment all the way back home.
"It just keeps getting deeper. You can also trivially scrape segments, to get a list of people who travelled a route, and trivially obtain a list of users," he wrote.
"This is the part that is perhaps most worrisome, that an individual's identity might be pullable from the data, either by combining with other information online or by hacking Strava - which just put a major bullseye on itself," says Peter Singer, strategist and senior fellow at New America, a think tank based in Washington, DC.
"Knowing the person, their patterns of life, etc., again would compromise not just privacy but maybe security for individuals in US military, especially if in the Special Operations community."
Strava has acknowledged the problem, and CEO James Quarles issued a statement saying the company is working hard to raise awareness of how its privacy and safety features work.
"I'd like to take a moment to address the recent attention focused on Strava and our global heatmap," he said.
"We learned over the weekend that Strava members in the military, humanitarian workers and others living abroad may have shared their location in areas without other activity density and, in doing so, inadvertently increased awareness of sensitive locations.
"Many team members at Strava and in our community, including me, have family members in the armed forces. Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.
"We are committed to working with military and government officials to address potentially sensitive data. We are reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent.
"We continue to increase awareness of our privacy and safety tools and our engineering and user-experience teams are simplifying our privacy and safety features to ensure you know how to control your own data."