Fitness trackers are just the latest headache for the Pentagon when it comes to the potential security risks of US troops using popular apps and devices.
Defense Secretary Jim Mattis is ordering a review of how US military personnel use wearable technology, the Pentagon said Monday. This comes after a map published by a popular fitness app raised concerns that troops could inadvertently expose potentially sensitive locations and activities by recording their runs.
But that's only the latest possible security breach the Pentagon has dealt with from personal electronics. In recent years, widely used social apps, games, and devices have been popping up faster than the military’s guidelines regulating their use can keep up.
"Is a badge on Foursquare worth your life?" the US Army tweeted in 2012 as part of a campaign to raise awareness about the risks of geo-tagging for military personnel.
One example the Pentagon pointed out was an incident from 2007, when soldiers at a base in Iraq took a photo of a newly arrived fleet of helicopters. Once it was posted on the internet, “the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches,” a Pentagon official warned in an article at the time.
In 2016, the Pentagon had to urge US troops and other military personnel not to play Pokémon Go on cell phones issued to them by the Defense Department over concerns that the app could be used for foreign spying. The game collected data that could be used to pinpoint secure and sensitive facilities, an internal memo said.
Last summer, a report released by the Government Accountability Office highlighted the risks posed by smart televisions, which “could secretly record conversations of DOD personnel … potentially eavesdropping [on them] or sending recordings of these conversations to third parties.”
The GAO report also cautioned that gaming apps that could “collect location and photographic data on DOD personnel or units … have raised DOD operations security risks.” The analysis found that “some gaps remain” in the Pentagon’s policies and guidance.
The previous year’s report had also warned, using an abbreviation for "internet of things," that “information collected through various IoT devices and then aggregated could inform adversaries about DOD capabilities or deployments.”
At the same time, the military has embraced these technologies, from smartphones to fitness trackers. As part of a pilot fitness program in 2013, the Army distributed 2,200 Fitbit wristbands to help soldiers stay in shape. Four years later, it has to again tighten its guidelines to limit potential security risks.
“Secretary Mattis has been very clear about not highlighting our abilities to aid the enemy or give the enemy any advantage,” Army Col. Rob Manning, a Pentagon spokesperson, told reporters Monday. “That would be our approach going in on this as well.”
The global heat map published by popular fitness tracking app Strava is made up of more than 1 billion activities logged by users, including US military personnel who are easy to spot in remote war zones. Although the map was published last November, it didn’t garner widespread attention until a series of tweets by 20-year-old Australian student Nathan Ruser last weekend, pointing out that US bases were “clearly identifiable and mappable.”
Security analysts, journalists, and internet sleuths jumped on the chance to scroll through the map’s data, pointing out everything from jogging routes around a suspected CIA base in Mogadishu, Somalia, to French military bases in Niger.
More important than the locations of military sites, which were already viewable on Google Maps, the bright red and yellow paths can provide information on users’ movement and routines.
The Pentagon is not aware of any data on the map compromising the security of any US personnel or sites, Manning said Monday.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” he said. “We are going to take a look at the Department-wide policy to ensure that we have operational security and force protection.”
Strava does let users opt out of sharing their data, an option apparently not used by many service members at sensitive military sites. The company said that the map excluded data that users had marked as private.
The Pentagon’s review will look at its existing policies and determine whether stricter guidelines are needed when it comes to wearable fitness trackers. Pentagon officials on Monday said that the US military has regular training for service members on data security and restricting their use of social media when they are deployed to certain locations.
While news of the data revealing “secret” US military bases made headlines, the locations could previously be found using satellite imagery by those who knew where to look. However, those images would only show the outlines of physical structures and roads. Strava’s data provides more information by making it easier to see movement, commonly used paths, and recurrent routines. The brightness of the lines can also reveal how frequently a path is used. While major urban areas around the world are bright with densely overlapping lines, in places like Iraq and Syria, the lit-up outposts where troops are using fitness trackers are conspicuously easy to spot.
Strava’s map includes more than 16 million miles of user-logged data, comprising over 1 billion activities around the globe, according to the company.
Vera Bergengruen is a Pentagon reporter for BuzzFeed News and is based in Washington, DC.