Hacker News new | ask | show | jobs
by Grollicus 2221 days ago
This reminds me of an experiment I'd like someone to run on Strava. They had this big scandal some time ago where People identified US military bases simply by having a lot of activity in an otherwise empty area.

Now they've added some mojo to prevent this but still sell location data.

So how about running the same attack but instead of using the browser and their own website just use the bought location data.

I suspect they didn't fix that as I've disabled appreaing on their heatmap but they still sold my location data when I forgot to disable my vpn during a run some time ago.
5 comments
willvarfar 2221 days ago
It wasn't just the US military. There were plenty of jogging circuits around strange desert installations in Syria by joggers who had recently jogged around military bases in Russia, at a time when Russia was claiming no deployments and only observers and things.

There were also armchair people wondering about other tracks in various places in the world.

link
iamacyborg 2221 days ago
If anyone's interested in how this data can be used, this article breaks it down quite nicely.

https://www.bellingcat.com/resources/how-tos/2018/01/29/stra...

link
snorremd 2221 days ago
Not only could you see bases because of activity around an otherwise empty area. You could almost pinpoint the exact shape of the bases perimeter because soldiers would prefer to jog along the inside of the perimeter. Smartphones and location based apps and services are a security nightmare.
link
nxpnsv 2221 days ago
Seems to me the scandal is that US military bases allowed people in protected areas to upload GPS traces of their activities, more so than strava showing these along with millions of other traces in their activity maps...
link
pbhjpbhj 2221 days ago
Or that soldiers aren't trained well enough in SECOPS that they won't give away base details just to track their own fitness.

What's the punishment for having GPS tracking devices on a military base?

Bet they all love their free USB drives sent from a friend they forgot they had, too.

Hope they're epoxying the USB connections on their Win95 nuclear submarines.

link
notkaiho 2221 days ago
Well, yes, but also that Strava takes this hands-off approach like they're not responsible for the data they collate
link
nelaboras 2221 days ago
What should strava do? Ask each country in the world which areas they want censored?(nuclear power plants, parliament buildings, boarding schools for rich kids, ...?)
link
toyg 2221 days ago
Pretty sure that’s how it will end up being, eventually, in the same way GoogleMaps had to buckle.

I can see the smartest countries providing a standard webservice: you-private-company-using-geolocation will have to query a certain area, and get back a shape that you must blur or otherwise suppress. Access to the service should be heavily logged / throttled to avoid mass-scanning, and obviously “customers” will be vetted and forced to sign onerous NDAs. You don’t like the service constraints? Tough shit, here is a law that says use it or be fucked.

link
nxpnsv 2219 days ago
How about a "dont record where you shouldn't" clause in TOS... probably there already is one...
link
notkaiho 2220 days ago
Or, you know, they could not make it public by default :)
link
mathieuh 2221 days ago
You can add privacy zones around locations so when people look at your activities your line just disappears inside the radius of your privacy zones.

I have ones around my home and where I work. No idea if that affects whatever data they sell (I doubt it, since you can still the full activity yourself even with a privacy zone), but stops people finding where you live/work and nicking your bike

link
egwor 2221 days ago
The fact that an area is made private is also a piece of information. I was thinking that you could use that to track down sensitive areas.
link
muldvarp 2221 days ago
Unless I'm missing something you can easily triangulate the center point of the private area.
link
ashtonkem 2221 days ago
That’s effective on an individual level, but tricky to enforce at an organizational level. It’s not like it would be wise for the DoD to log into Strava and setup a privacy fence around every sensitive location.
link
bluntfang 2221 days ago
you're essentially telling strava that the privacy area is very important to you (ie your home, work, etc) and they are probably selling that fact.
link
pbhjpbhj 2221 days ago
What a great signal for thieves too - this user has enough disposal income to have a fitness device, and is worried about being tracked, they must have good stuff.

Presumably you could filter by average speed and only get people with expensive bikes too.

link
sitkack 2221 days ago
You could also tell who from the public data has a private area, how long they are in it and when they leave it. You could do graph analysis to find folks on 20k bikes (correlate by zipcode) traveling at > 20mph with other folks that also have privacy areas.

If you find that > 3 of folks in that clique are close together and somewhere else, probably having a group event, many of them may not be in their "privacy area".

Anything that collects your location data is a shtshow when it comes to operational security. Even having one friend with poor GNSS hygiene can expose an entire network of relationships.

link
thinkling 2221 days ago
> Now they've added some mojo to prevent this but still sell location data.

Strava publish a "heat map" that shows aggregated activity of all their users. It's useful for finding common running/biking routes in areas you don't know well. That's how the military bases were found.

https://www.strava.com/heatmap#7.00/-120.90000/38.36000/hot/...

EDIT: I forgot that Strava do sell heatmap data to government transportation departments and such so I fixed the comment.

link