Locating Secret Military Bases via Fitness Data

In November, the company Strava released an anonymous data-visualization map showing all the fitness activity by everyone using the app.

Over this weekend, someone realized that it could be used to locate secret military bases: just look for repeated fitness activity in the middle of nowhere.

News article.

Posted on January 29, 2018 at 2:17 PM • 43 Comments

Comments

echo • January 29, 2018 2:32 PM

I just read about this! Oh my word. I know it is not funny when something very real happens but a contender for the leaderboard. Who remembers UK official denials of a military base with a big sign outside saying "Secret Military Base"? Are there examples like this of terrorists or adversaries? I'm sure they make absurd mistakes too.

VinnyG • January 29, 2018 3:18 PM

Just FYI, a couple of people had started a discussion of this issue at the tail end of the 26-Jan-2018 Friday squidfest.

Mervyn Bickerdyke • January 29, 2018 3:41 PM

Military bases. These are the size of small towns and hard to hide. I doubt that their location is really "secret", if you would ask people living in the area. I'd say "undisclosed" location would probably be closer than "secret". You could probably as well find them on Google Earth by searching for visible bases or pixeled areas.

Of course it's different for the actual road layout inside the bases. And even worse that you can track movement of single users between bases.

Nathan • January 29, 2018 3:52 PM

And turning off the data (or ending use of the devices) doesn't undo the harm. The sites are now mapped, including pattern of life data. Only new locations/routes can be protected from discovery.

Andrew Yeomans • January 29, 2018 4:15 PM

There's also a beneficial side - these maps arguably make better footpath and cycle path maps than official ones, even in a well-mapped country like the UK.

I wonder when we will start to see deliberately deceptive routes being added to Strava, manipulating the app's GPS coordinates.

When Good Apps Go Bad • January 29, 2018 5:56 PM

Nothing to hide at secret military base, nothing to fear at secret military base...

constantlyamazed • January 29, 2018 6:23 PM

I am only surprised that DoD security experts were surprised. I guess they didn't comprehend their cartoon based cyber security awareness and opsec training. This year's training had something to do with the Three Little Pigs and someone blowing your house down.

Ross Snider • January 29, 2018 7:33 PM

@echo

Right, it's just bulk collection of metadata, presumably with the ability to store and investigate the content. Nothing serious.

tyr • January 29, 2018 8:10 PM

The obvious use for this is to allow the USA congress to find all of those missing troops that DOD seems to have misplaced.

The wonders of transparency never cease.

Clive Robinson • January 29, 2018 8:24 PM

@ echo,

Are there examples like this of terrorists or adversaries? I'm sure they make absurd mistakes too.

What you mean like,

1, Getting an order for twenty pizzas delivered?
2, Paying by credit card?
3, Taking a selfie next to a road sign?
4, Using a GPS enabled cellphone?
5, Having a unique tattoo that you show on camera in a popular TV series?
6, Taking a ride in a taxi where there is clearly a camera pointing into the passenger compartment?
7, Driving too fast through a speed camera trap?
8, Making an online video of yourself with stolen goods?

And many many more, too many in fact to list... Yup they've done them all.

And those are the "sane mistakes" there are also others like believing putting lemon juice on your face would make you invisible to CCTV[1].

You would think that not doing these things would be common sense, but hey, who says criminals or terrorists are smart? If they were they would probably have picked a different occupation...

[1] Famous as this case became, nobody appears to have got to the bottom of why he believed it. The best guess is he heard somebody talking about using lemon juice for "invisible writing", maybe also pineapple juice to remove fingerprints. I dread to think just how much pain he went through spraying lemon juice on his face.

Clive Robinson • January 29, 2018 8:36 PM

@ Mervyn Bickerdyke,

And even worse that you can track movement of single users between bases.

You forgot to mention "special Ops" and "Stake outs".

There is also the opportunity to tell from change of patterns when they are going from "barrack duty" to "Operational Duty", even if they all take them off and leave them at home...

It's just another form of "Traffic Analysis". I'm guessing a smart student at a certain Israeli University will write it up as a paper and publish it soon ;-)

22519 • January 29, 2018 8:52 PM

In fact, there are many electronic trails indicative of the presence of U.S. military and government personnel.

If a small site in the middle of absolute nowhere is receiving 20 terabytes of porn every single day, to include Christmas, now you know who it is.

Clive Robinson • January 29, 2018 8:57 PM

@ Bruce,

In a way this is just the tip of the iceberg.

I suspect that "Pet Trackers" will be another example.

But there will be others, such as medical implants.

For instance a company called Medtronic Inc makes a series of medical implants using "Bluetooth" to talk to a base unit that sends data back via the cellular radio network. With in effect no real security...

As such these devices are more intrusive than the "ankle bracelets" people under "House arrest" wear.

We really need to be thinking policy through on such devices. They might save the Medical Insurance market money but at what cost to society.

Not wishing to frighten anyone but we know that sex offenders and stalkers have become quite technically adept, more so than terrorists or even LEO's. History shows that such knowledge gets spread, which begs the question of what are we going to see in the next five to ten years?

goppa catch 'em all • January 29, 2018 8:59 PM

and here i thought china was worried about some not so random japanese tech company playing patsy kline over and over the radio1 channels.

dod you get that thing i sent you?

22519 • January 29, 2018 11:43 PM

This incident goes to show that the path of electrons cuts both ways in electronic surveillance.

This discovery is actually a very serious event. First, it shows that people on the inside are not thinking very hard about security. Secondly, it exposes secret facilities. There is no reason to expect that secret facilities are all owned and operated by vanilla military types, nor do they all belong to the West. But in this case, most of the people who exercise certainly are Western.

This kind of tracking could be done in other ways. As public information, it would be interesting to see aircraft tracked globally--all types, to include small planes and helicopters. And, best of all, it would be fascinating to see a beacon put inside that little fork one uses to scrape lobster meat out of lobster tail. If we could get reliable data on how each fork moves in space during dinner, its depth of penetration, eagerness of movement, the facility of use, we could track the course of the U.S. defeat in Afghanistan.

Unfortunately, we no longer have the opportunity to look at such data from Benghazi, which would have been telling.

Wesley Parish • January 30, 2018 1:05 AM

I'm sure the great Australian writer of the 1960s, Afferbeck Lauder, will have something to say about this topic, and indeed, he does. If you will now open your copies of Let Stalk Strine to page 21, we will read together the lesson for this occasion:

Mary Header little lamb;
An intellectual nit.
It never passed its first exam
Because it couldn't sit

So Mary Header little lamb
With vedgies and mint sauce.
"Oh dearest lamb," she cried, "I am
As hungry as a horse."

I think the likelihood is quite high that the so-called "terrorists" will just ignore this, because they don't have the resources or the energy to deal with it.

On the other hand, the US, with its usual flair, has given itself to its Great Power adversaries rather like a girl lying down for a gang-bang at a bike gang headquarters. I expect the nations who are hosting these "secret bases" so-called, are not too comfortable with them, so that is part of the reason why they are "secret". It's part of that same style the US perfected against the USSR during the Cold War in Europe; it's one the US has no conceivable defense against; you can't argue that a "secret base" whose existence is unknown to the taxpayers who fund it, is a shining example of "transparency at its best", can you?!?

Jon (fD) • January 30, 2018 1:32 AM

@ Clive Robinson

5a) Having a unique tattoo that identifies you as a wanted man from a Japanese criminal syndicate.

all together now, "OpSec Is Hard". J.

Alan Braggins • January 30, 2018 1:49 AM

I'm still waiting to see analysis of the data and Strava's security policy that can distinguish between:
* Not all users thought about privacy implications of agreeing to share data, even military personnel who perhaps should know better
* The policy was unclear and as a result even users who thought about privacy leaked information they didn't expect to, but the data does reflect user choices
* Strava's anonymisation was flawed, and indirectly leaks information that users might reasonably have expected not to be shared given their choices - I think this is potentially the most interesting one
* Strava shared unanonymised data that users had explicitly told them not to share - this would be the most serious case, but seems unlikely - I've seen one user on a cycling forum comment, with no details, that their data from inside their privacy zone was on the heatmap and a reply saying "are you sure, mine isn't, check your settings".

I have seen evidence that the policy was unclear - the default is to share, and there are more settings that have to be changed than a user might expect:
https://qz.com/1042852/using-a-fitness-app-taught-me-the-scary-truth-about-why-privacy-settings-are-a-feminist-issue/
https://qz.com/1191431/strava-privacy-concerns-here-is-how-to-safely-use-the-app/

I haven't yet seen any discussion of de-anonymisation that doesn't amount (as far as I can tell) to "if users haven't chosen to stay private, you can search for them using the heatmap as a starting point". http://www.wired.co.uk/article/strava-military-bases-area-51-map-afghanistan-gchq-military

Of course it's possible that anyone who has found flaws in the anonymisation is giving Strava time to fix them before going public. It's also possible that there aren't any such flaws, and the only moral is "privacy settings need a good UI". Which is important, but not new.

Wael • January 30, 2018 1:54 AM

@tyr,

The obvious ...

defense is to distribute free devices to the population :) I want my device right now. I promise I'll stop eating lots of chocolates and start jogging. If you give me a high-end device, I may jog at the location of your choice, too. You know, I wouldn't mind jogging in Japan this summer. I haven't been to Kyoto during cherry blossom season yet :(

Drone • January 30, 2018 2:28 AM

So we let our war-fighters wear personal real-time trackers that are made-by, and report directly to the enemy - and we are SURPRISED with the bad outcome?! Geeez... We're DONE FOR.

a b • January 30, 2018 3:09 AM

This is what you get for blindly clicking "next" until the app is installed. The app is specifically designed to track your position online so others can compete with your time on the same track. There are privacy zones (to hide your precise address) and private mode (not sending it online), but who has the time to really understand the app, right?

Wael • January 30, 2018 3:10 AM

Jogging cadence matters!

I don't know, but I've been told
Take a Fitbit you're now enrolled

You ain't got nothin' to worry about
We'll keep it warm when you jog out

Starva's watching on the map
Tell them we don't give a crap

Sound off! / 1,2
Sound off! / 3,4
Cadence count! / 1,2,3,4,1,2...3,4!

...

[Could have been longer, but I have a mental block and the rest is pretty dirty]

@Wesley Parish,

Let Stalk Strine

My kind of book.

Bong-Smoking Primitive Monkey-Brained Spook • January 30, 2018 3:23 AM

Cadence count! / 1,2,3,4,1,2...3,4!

Wrap the ph***r on your wrist
Or your sergeant will get pissed.

Left! Right, Left... left... left...

Carl • January 30, 2018 4:56 AM

Most don't understand this information can be compiled, about any individual, without an app (e.g., Strava, Garmin Connect, etc.) and I'm sure this data is collected from every smartphone already...there's a pattern here.

Time After Time Again • January 30, 2018 6:13 AM

Who thinks the USA military would win a war against potent adversaries like China and Russia?

Here 'smart' phone addiction severely degrades our national security.

Op-Sec Starts at the Top
The White House Chief of Staff (another military man) could not figure out WHY his phone wasn't working properly for many months. Then it took the White House over a year to ban personal phones.

And incidentally, how hard is it to control Twitter addictions?

Other National Security Addictions
No wonder cheap deadly fentanyl is flooding the American market. We are under attack just not by bullets and bombs. 60,000 dead in 2016 alone. I’m greatly saddened and ashamed of my country for its selfishness, arrogance, meanness yet sheer stupidity.

Nickie Halflinger • January 30, 2018 9:38 AM

@22519 " As public information, it would be interesting to see aircraft tracked globally--all types, to include small planes and helicopters."

Here's an interesting site with ships' locations mapped: https://www.marinetraffic.com/

Large yachts up to freighters and military ships from what I have seen. Even had the Russian ship off the coast of NC when I was down there.

Anon • January 30, 2018 11:11 PM

Talking about "user anonymization" seems pretty pointless when it doesn't matter WHO the data belongs to; the mere fact of it being accessible is already unacceptable, especially when it concerns base locations and personnel movements.

Anyone who wants to figure out who these tracks belong to already has too much data to conduct recon with.

I'm rather surprised military users particularly have not been warned not to use these devices.

Richard K • January 31, 2018 8:16 AM

The issue here is not just the *existence* of a "secret" base, but where people go within it, and where they go near it. The base may be miles across, and its existence well-known locally, but if there is an area (perhaps quite small) within it where a lot of people congregate (or run round) then that would seem to be a likely candidate target. Either a target for physical attack, or just an indication to the adversary of where within the base they should be concentrating their intelligence gathering.

Mr Hinky • January 31, 2018 1:27 PM

How big is the functional part of a fitbit?
some people like to know where some people are.

Just passin' thru • January 31, 2018 4:10 PM

Another interesting thing this can be used for is to find sham defense sites.

For example, on San Clemente Island off the Southern Calif. coast, there is what looks like a poorly maintained dirt runway with a number of (fake?) jets parked on it. The Strava data shows nobody goes there.

Also, such data could be used to choose a rarely visited/populated location to infiltrate agents or land immigrants.

Another Kevin • January 31, 2018 4:37 PM

I suspect that this is largely a non-story.

Of course runners will run along roads.

Roads are pretty visible from above.

Aerial and satellite images are pretty ubiquitous.

And if there is a large number of personnel and a large amount of materiel, the movements are pretty darned obvious from the surrounding countryside.

The fact that a certain Great Power maintains a base in Big Empty Spot is darned difficult to conceal.

Although I could pretty easily contrive a movie plot around sensitive location information leaking through Strava.

vas pup • February 1, 2018 10:20 AM

@all: you could analyze mental health problems of military personnel as well - see below

Clues to the state of your mental health may be hiding in plain sight – in the tweets you send and the Facebook updates you post:

http://www.bbc.com/future/story/20180201-how-your-social-media-betrays-your-mood

“There it is in your Facebook timeline or Instagram gallery – a digital footprint of your mental health.
It’s not hidden in the obvious parts: the emojis, hashtags and inspirational quotes. Instead, it lurks in subtler signs that, unbeknownst to you, may provide a diagnosis as accurate as a doctor’s blood pressure cuff or heart rate monitor.
It also means the platform has important – and potentially life-saving – potential. In the US alone, there is one death by suicide every 13 minutes. Despite this, our ability to predict suicidal thoughts and behavior has not materially improved across 50 years of research. Forecasting an episode of psychosis or emerging depression can be equally challenging.
But data mining and machine learning are transforming this landscape by extracting signals from dizzying amounts of granular data on social media. These methods already have tracked and predicted flu outbreaks. Now, it’s the turn of mental health.
Studies have found that if you have depression, your Instagram feed is more likely to feature bluer, greyer, and darker photos with fewer faces. They’ll probably receive fewer likes (but more comments). Chances are you’ll prefer the Inkwell filter which converts color images to black and white, rather than the Valencia one which lightens them.
Researchers from Harvard University and the University of Vermont used these techniques in their recent analysis of almost 44,000 Instagram posts. Their resulting models correctly identified 70% of all users with depression, compared to a rate of 42% from general practitioners. They also had fewer false positives (although this figure drew from a separate population, so may be an unfair comparison). Depressive signals were evident in users’ feeds even before a formal diagnosis from psychiatrists – making Instagram an early warning system of sorts.
Meanwhile, psychiatrists have long linked language and mental health, listening for the disjointed and tangential speech of schizophrenia or the increased use of first-person singular pronouns of depression. For an updated take, type your Twitter handle into AnalyzeWords. It’s a free text analysis tool which focuses on junk words (pronouns, articles, prepositions) to assess emotional and thinking styles. From my 1017 most recent words on Twitter, I’m apparently average for being angry and worried but below average on being upbeat – I have been pretty pessimistic about the state of the world recently. Enter @realdonaldtrump into AnalyzeWords and you’ll see he scores highly on having an upbeat emotional style, and is less likely than average to be worried, angry, and depressed.
Researchers at Harvard University, Stanford University and the University of Vermont extracted a wider range of features (mood, language and context) from almost 280,000 tweets. The resulting computational model scored highly on identifying users with depression; it also was correct in about nine of every 10 PTSD predictions.
Reservations persist more broadly in this field, though, especially around privacy. What if digital traces of your mental health become visible to all? You might be targeted by pharmaceutical companies or face discrimination from employers and insurers. In addition, some of these types of projects aren’t subject to the rigorous ethical oversight of clinical trials. Users are frequently unaware their data has been mined. As privacy and internet ethics scholar Michael Zimmer once explained, “just because personal information is made available in some fashion on a social network, does not mean it is fair game for capture and release to all”.
Data mining and machine learning offer the potential for earlier identification of mental health conditions. Currently, the time from onset of depression to contact with a treatment provider is six to eight years; for anxiety, it’s nine to 23 years. In turn, hopefully we’ll see better outcomes. Two billion users engage with social media regularly – these are signals with scalability. As Mark Zuckerberg wrote recently while outlining Facebook’s AI plans, “there have been terribly tragic events – like suicides, some live streamed – that perhaps could have been prevented if someone had realized what was happening and reported them sooner.”
Mental health exists between clinic appointments. It ebbs and flows in real time. It lives in posts and pictures and tweets. Perhaps prediction, diagnosis and healing should live there, too.”

Sancho_P • February 1, 2018 1:11 PM

@Another Kevin

”Roads are pretty visible from above. Aerial and satellite images are pretty ubiquitous.”

Yes but after more than 15 years of winning the war against terror aerial and satellite images are still pretty worthless.
No progress since reading Russian licence plates in the ’50s.

Fitness tracker will do the trick, but first we have to land them obesity!

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.