by iser 3068 days ago
https://twitter.com/kevinkiklee/status/957629856518459392

I just created an overlay of Google Maps and Strava Heatmap of the forward operating base I was at in Afghanistan. The heatmap clearly shows the layout of the base.

That base has been in operation for at least 6-8 years, and it is well-developed. The up-to-date satellite imagery of the area is not available on Google Maps for a good reason, and Strava just released it.

I imagine that this heatmap has been thoroughly scraped already.

* I was deployed to Afghanistan from 2011-2012.

edit: initially mis-typed '2011-2102' =D

edit2: A well-established military base, even in a combat zone, has access to wifi and cellphone network. We are constantly training physically, and we like to keep track of ourselves. We were early adopters of fitness trackers, and I used a couple of them myself also.


>Strava just released it.

Strava didn't release it. It's not Strava's job to stop you from uploading sensitive information. Strava does not have a security clearance. Military personnel released it to Strava. Surely the military already has rules about not uploading GPS tracks of their bases to random websites?

Surely the issue is not that Strava decided to release sensitive information, or the military decided to release sensitive information, but that neither actor realized that they were in aggregate revealing sensitive information ahead of time.

If one guy runs around a base using Strava, that's not an issue. If a few hundred do, then it lights up on the map. But realizing that is a potential issue ahead of time and then proactively addressing it is the challenge.

>neither actor realized that they were in aggregate revealing sensitive information ahead of time.

Right, but what I'm saying is that I don't believe this. I'm sure every military has rules about uploading GPS tracking of soldiers' movements to civilian websites, and those rules are being disobeyed or not being enforced.

And if the military doesn't care, I'm not sure why Strava (or HN) should.

I'm surprised that using a GPS tracking tool is permitted in forward operating bases. I guess I would think that if one guy runs around the base with Strava, it actually is an issue.

I imagine many of these soldiers' higher-ups are unaware that such networked 'workout by GPS' services exist to provide insight beyond a personal means. If so, I wonder why soldiers were permitted to run with GPS watches or phones.

Many professional endurance-based athletes also do not track using GPS for similar reasons. Openly sharing training programs is an advantage to opposition and their coaches. Especially with Strava, where people are searchable by name like Facebook.

> Many professional endurance-based athletes also do not track using GPS for similar reasons.

That might need a citation. They might not be using Strava and posting them publicly (although a lot of pro cyclists do) but instead use something like Training Peaks for communication with coaches etc.

I would wager that many, many more professional athletes and teams all over the world do not use GPS over those that do. Do you really see the thousands of coaches all over the world backing up their athletes' data to the cloud or using some company platform and making sure every workout is on private mode? Or do you see pen and notebook, Excel docs, and local hard drive folders full of manually written logs? The world extends far beyond the borders of 'mericuh.

What would be the bigger security risk? Uploads of ambivalent track data or the existence of a dataset of geofenced high-importance areas shared with private companies?

It's sort of in that realm of de-identified personal data. I think that location data is right up there with physical address. It's because one doesn't have to take a very large stretch to identify your house ... from cross-identified information publicly on the WWW and use it maliciously with this, with basic code skills. (I just did)

Strava has a “privacy zone” but you have to update the centre of the zone yourself.

It also has a setting for private and public workouts that can be set as default. Whether or not a private workout adds to global heatmap data, I am unsure...

It does not, nor will it count towards challenges, so if you’re into that (which I am so I can’t really fault anyone else) you are incentivised to be public.

I call this data scraping .. two sets of data, and making correlations is my primary job function. I can't tell you how easy it is to take static data and make it dynamic with a series of algorithms that are well thought out, for correlation longitudinal goals.
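The aggregation effect raised earlier in the thread (one runner's loop is harmless, a few hundred light up the base layout) and the privacy-zone and private-activity settings discussed just above, as an added Python example that is not from this thread and is not Strava's code. It assumes a simple grid heatmap, a haversine privacy zone, a minimum-distinct-contributor release threshold of 20, and placeholder coordinates; none of these are Strava's real parameters.

```python
import math
import random
from collections import defaultdict

# Constructed grid size: 0.001 degrees is roughly 100 m at mid-latitudes.
CELL_DEG = 0.001


def cell_of(lat, lon, cell=CELL_DEG):
    """Snap a coordinate to an integer (row, column) grid cell."""
    return (math.floor(lat / cell), math.floor(lon / cell))


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def apply_privacy_zone(track, centre, radius_m):
    """Drop every point within radius_m of centre. This mirrors the thread's
    'privacy zone' idea: it only protects what the user centres it on."""
    return [(lat, lon) for lat, lon in track
            if haversine_m(lat, lon, centre[0], centre[1]) >= radius_m]


def build_heatmap(tracks_by_user, min_users=1, private_users=frozenset()):
    """Aggregate tracks into per-cell point counts.

    Users flagged private are skipped entirely (the thread says private
    activities do not feed the heatmap). A cell is published only if at
    least min_users distinct users passed through it; that kind of release
    threshold is what keeps a lone runner's loop off the public map."""
    counts = defaultdict(int)
    contributors = defaultdict(set)
    for user, track in tracks_by_user.items():
        if user in private_users:
            continue
        for lat, lon in track:
            c = cell_of(lat, lon)
            counts[c] += 1
            contributors[c].add(user)
    return {c: n for c, n in counts.items() if len(contributors[c]) >= min_users}


def square_loop(centre, half_deg, steps_per_side, jitter_deg, rng):
    """Constructed perimeter run: a jittered square around centre."""
    lat0, lon0 = centre
    corners = [(lat0 - half_deg, lon0 - half_deg), (lat0 - half_deg, lon0 + half_deg),
               (lat0 + half_deg, lon0 + half_deg), (lat0 + half_deg, lon0 - half_deg)]
    pts = []
    for i in range(4):
        (a1, o1), (a2, o2) = corners[i], corners[(i + 1) % 4]
        for s in range(steps_per_side):
            f = s / steps_per_side
            pts.append((a1 + (a2 - a1) * f + rng.uniform(-jitter_deg, jitter_deg),
                        o1 + (o2 - o1) * f + rng.uniform(-jitter_deg, jitter_deg)))
    return pts


def demo(n_users=200, min_users=20):
    """Return (cells published for one runner, cells published for n_users
    runners) under a min_users threshold. Coordinates are a placeholder."""
    rng = random.Random(42)
    centre = (34.5000, 69.2000)  # constructed placeholder, not a real location
    tracks = {f"user{i}": square_loop(centre, 0.004, 25, 0.0002, rng)
              for i in range(n_users)}
    alone = build_heatmap({"user0": tracks["user0"]}, min_users=min_users)
    crowd = build_heatmap(tracks, min_users=min_users)
    return len(alone), len(crowd)


if __name__ == "__main__":
    alone, crowd = demo()
    print(f"one runner, threshold 20: {alone} cells published")
    print(f"200 runners, threshold 20: {crowd} cells published")
```

The threshold is the part a platform controls: with `min_users=1` a single runner's perimeter loop is published cell by cell, and with a threshold only cells that many distinct people share appear, which is exactly the point at which a base perimeter becomes visible. The privacy zone and the private flag are user-side controls, so they only help when every contributor sets them.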
So what other internet services have deployed soldiers sent sensitive location data to?

Does each internet service need to proactively hire someone with clearance and coordinate hiding of sensitive information with the US military?

We were on a separate network from the secured military network, but we had complete and free access to the internet when I was there 6 years ago. Even in the most remote combat operating posts, we had access to wifi.

Not sure if this can be solved from the civilian side. There is just too much information being transmitted out of a combat zone, and I think it has to be controlled from the source. Certain sites need to be just blocked in combat zones. Rather, we need to only have a list of allowed sites.

I know how much it sucks in a combat zone, and I know how much that internet connection makes someone feel like they are still part of the civilization. However, some data just should not be transmitted out of it, and it needs to be heavily controlled.

In this particular case I'm not sure that blocking internet access at the base will solve much since the data is stored on the device, and it's enough to bring the device to a location with internet access?

Basically people go home or whatever and plug in their Garmin and then it'll just upload the last 6 months of data, and there is the same issue.

Why do deployed soldiers need personal fitness trackers (or what did you mean by a Garmin)? Surely anything with a GPS or other wireless network abilities is an affront to opsec, I'd imagine?

"Need" or "want"? I'm sure they don't "need" them any more than anyone else, but I'm also sure they "want" them for the same reason as everyone else that wants them -- for fitness tracking.
> Why do deployed soldiers need personal fitness trackers

To track their personal fitness while deployed?

I was hoping for something a little more insightful ;o)

My imagination of how an army is run requires careful maintenance of fitness of soldiers, so use of PT instructors, regular monitoring of fitness metrics. It also has dieticians to monitor food production/intake. Opsec would probably deny any personal electronic devices.

If a deployed soldier needs to track their personal fitness then that suggests a deficiency - fitness of soldiers must be of prime importance during deployment? There seems no reason that soldiers wouldn't have a fitness record they could access that included all food intake, mandated exercise, regular weight monitoring, blood pressure, and whatever.

Of course, the use of personal fitness devices suggests my conception is wildly off how a deployed corpus of soldiers is actually run.

They are not robots. Why do they need iPads? Why do they need personal phones? Not being snide, but when on deployment they have a LOT of tech tools, just like any other demographic of folks. It's just a thing ...

Tracking fitness and tracking location aren't the same thing.

Well, the data does not just appear on Strava all by itself. I made an assumption that a non-negligible fraction of the data uploaded was from Garmins/fitness trackers or similar devices (like a watch for tracking your running etc).

I guess people could also be using their smartphone app, which I am less familiar with. If I'm misunderstanding what the source of the data is I apologize.

Doesn't the UCMJ already cover "information being transmitted out of a combat zone?"

I don't think that's the right response, especially not now. Tell soldiers not to bring online fitness trackers, and then punish the ones who forget.

I'm saying it doesn't really seem to be a Strava problem, and that the problem on the military side likely already has a solution in place.

It's a platform problem. The cross-availability of information on, let's say ... Google Android. They can use a microphone, wifi signal analysis, and other techniques that make your GPS coordinate data moot. What's getting more complex is the data itself, and how it can be sorted and moved around the need for actual location data. That's why I think the "disable GPS / Location" actions in Android (and macOS) need to be more granular. When we say "don't track me" .. it means ... on everything, and protect the information from software in silos. It goes against the grain of security vs. usability .. but it's gonna happen by will of the people.

I believe it covers sensitive materials only. Soldiers should not be punished through UCMJ for using Strava. That's ridiculous. Strava just should not be accessible within Afghanistan.

A country of 30 plus million shouldn't be able to use an app because some soldiers deployed there are bad at opsec?

My apologies. I meant just the military members, not the country itself.

So let me ask you .... how do IT folks actually handle this type of situation? The experience required for systems work both in the field and on base is about making soldiers feel at home, in combat zones, and also keeping them safe. It's something that requires a LOT of experience on new tech to really stop/filter/protect against situations where data is being transferred off base. There is also the STORED perspective. That data may not be transmitted ON base .. it could be transferred over wifi at something like the "sister's house" or some other place you never expected on an open wifi network with that device. It's nearly impossible to stop this. It's like White House leaks .. when there is a way to transmit, it will be used.

Exactly. I'm all for constructive criticisms to make technology better, but these services (like Strava) are reaching millions of people. We're only talking about this military base issue because we became aware of it. How many other externalities are waiting out there for us to find? We really can't expect tech companies to proactively account for all of them; that's literally impossible.

In this case, the sensitive data being uploaded is entirely the fault of the user. I'm actually shocked that soldiers would track a run around a military base. It takes about 10 seconds of thought to realize how bad of an idea that is.

100% behind your point. You are so much putting yourself and others in danger with using internet-connected devices. Why don't you only use VPN-secured services to text? Fitness tracking is like a luxury problem that puts a lot of people at risk.

That’s one hell of a deployment duration! :)

Not to be flippant, but is there anyone with an interest in the base--hostile or just curious--who doesn't already know where it is?

Could you get in trouble for posting this given rules around security clearances?

Since the military don't care about soldiers constantly broadcasting their locations, why would any HN post matter?
Everything shown in the Afghanistan heatmap is a military base.

The locations of these bases are not secrets, and the locals already know the layout thoroughly. What I am concerned about is that Strava released this data in such an easily accessible format, and also, whether they even had an internal conversation about managing sensitive material.

> whether they even had an internal conversation about managing sensitive material

Probably not, because that's not their job. A service like Strava should not have confidential or sensitive material uploaded to it (obviously), but it's not on Strava to make sure the data it has is not confidential or sensitive.

Also easily spotted are military outposts littered across North Africa.

What was the base called?