It started off innocently enough. A fitness tracking company released a map of where people wearing Fitbits and other exercise logging devices run, walk, cycle and even ski.
But now, the Defense Department is scrambling to review its wearable device policy after the map, published by Strava, exposed military bases and troop movement trends.
“We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required,” Col. Robert Manning III, director of Defense Operations, said during a Jan. 9 press conference at the Pentagon. “And if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”
Using data from fitness trackers, Strava’s map shares 13 trillion GPS points from their users from 2015 to September 2017.
Strava gives its users the option to turn off tracking whenever they’d like.
“When you have big data or large sets of disparate data, you can infer a great deal of meaning from them that is not originally intended or even anticipated that the data could illuminate,” said Ajay K. Gupta, program chair for computers, networks and cybersecurity at the University of Maryland, University College.
The White House expressed some concern over the map as a national security issue, but also cautioned not to rein in the technology too much.
“Strava heat map forces all to look at risks of big data analytics. It goes well beyond fitness trackers. Security and operational security need to be considered in our new reality. While policy evolution is needed, it is important to make good security policy balanced by not over reacting too,” Rob Joyce, special assistant to the president and cybersecurity coordinator for the National Security Council, tweeted Jan. 29.
Joyce said it was clear the heat map is a security risk and the White House will be working closely with DoD to shore up any shortcomings in its policy.
Manning said Defense Secretary Jim Mattis has been very clear that the military should not do anything to reveal U.S. capabilities to give the enemy any advantage.
In May 2016, the Marine Corps authorized wearable fitness devices in Marine facilities.
The Air Force also authorized personal fitness devices.
In 2016, the Air Force warned users about the national security implications of wearing fitness trackers or installing them on phones.
“Geolocation is another concern for smartwatches because many wearers do not realize it is taking place. Many applications, such as those that track running routes or social media, can reveal a person’s location. Settings in various apps using location services do the same thing, commonly embedding locations in photos,” a Feb. 8, 2016, Air Force press release prophetically announced.
Gutpa said the Strava incident shows the need for a middle ground for data privacy.
“There’s got to be ways to engage in social media that restricts an individual person’s social media and related activities from being centrally logged and captured and those types of log devices would apply to the military, but also to anybody who values their privacy maybe over some other function,” Gupta said.
He added DoD may consider flooding data sources with fake data in the meantime to through off enemies.
The fake data would populated the map in other areas around the base, throwing off the potential for adversaries to gain insights.