A map showing paths taken by users of an exercise tracking app reveals potentially sensitive information about American and allied military personnel in places including Afghanistan, Iraq and Syria.
While some bases are well known to groups that want to attack them, the map also shows what appear to be routes taken by forces moving outside of bases -- information that could be used in planning bombings or ambushes.
The map, made by Strava Labs, shows the movements of its app users around the world, indicating the intensity of travel along a given path -- a "direct visualization of Strava's global network of athletes," it says.
Routes are highlighted over large parts of some countries, but in others, specific locations stand out.
The map of Iraq is largely dark, indicating limited use of Strava's app, but a series of well-known military bases where American and U.S.-led anti-jihadist coalition forces have been deployed are highlighted in detail.
These include Taji north of Baghdad, Qayyarah south of Mosul, Speicher near Tikrit and Al-Asad in Anbar Province.
Smaller sites are also highlighted on the map in northern and western Iraq, indicating the presence of other, lesser-known installations.
More dangerously, stretches of road are also highlighted, indicating that Strava users kept their devices on while traveling, potentially providing details about commonly-taken routes.
In Afghanistan, Bagram Air Field north of Kabul is a hive of activity, as are several locations in the country's south. And in Syria, Qamishli in the northwest, a stronghold of U.S.-allied Kurdish forces, is clearly visible.
Tobias Schneider, a security analyst who was among the group of people who discovered that the map showed military bases, noted that it indicated military sites in Syria, as well as the Madama base used by French forces in Niger.
"In Syria, known Coalition (i.e. U.S.) bases light up the night. Some light markers over known Russian positions, no notable coloring for Iranian bases," Schneider wrote on Twitter.
"A lot of people are going to have to sit thru lectures come Monday morning," he wrote, referring to soldiers likely to be taken to task for inadvertently revealing sensitive information while trying to keep in shape.
The issue could have been fairly easily avoided: According to Strava, "athletes with the Metro/heatmap opt-out privacy setting have all data excluded."
Fitness and social media company Strava releases activity heat map. Excellent for locating military bases (h/t to @Nrg8000). https://t.co/n5RWcI7BJF pic.twitter.com/7zzNcYV42e
— Tobias Schneider (@tobiaschneider) January 27, 2018
In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable colouring for Iranian bases.
— Tobias Schneider (@tobiaschneider) January 27, 2018
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2
— Nathan Ruser (@Nrg8000) January 27, 2018