The Chinese philosopher Laozi gave this saying to history…”A journey of a thousand miles begins with a single step.”  Two thousand five hundred years later, give or take a century, modern technology makes it simple to count those steps. And, thanks to companies like Fitbit, counting to 10,000 steps each day has become something between a relatively common practice and a maniacal pursuit, depending on one’s personality and predilections. And, as so often the case, the practice has produced unforeseen consequences, some of which have now become a military vulnerability.

Writing in Wired, Jeremy Hsu offered a fascinating look at the way a seemingly innocent fitness craze can morph into something potentially far more sinister. A San Francisco based company called Strava offers a website and mobile application aimed at connecting athletes around the world. It enables users to track their activities and share their workouts with friends. It tracks all kinds of metrics, and even offers a “suffer score.”  Just the kind of thing to engage highly competitive individuals, like, say, military personnel. What could possibly go wrong?

Well, Strava publishes a “heat map,” which shows the clusters of activity associated with highly active people who are contributing their data. An Australian college student studying the map noticed that it appears there was really substantial activity in certain areas of Afghanistan, and Iraq, and other areas where there were American military bases. Soon, other analysts saw activity that could be associated with French and Italian military bases, and even CIA “black sites.”

As if this weren’t enough, Hsu points out… “the bigger worry from an operations security standpoint was how Strava’s activity data could be used to identify interesting individuals and track them to other sensitive or secretive locations.”  Capturing the concern that has arisen,  Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, CA said  Strava “is sitting on a ton of data that most intelligence entities would literally kill to acquire.”

Naturally, the Department of the Defense and the CIA are studying the issue closely, and who knows, they might even find some strategic advantage. But in the meantime, another timely reminder that no matter how fit you are, the cyber world can be a very difficult place to traverse.

By Tom Davis, SDI Cyber Risk Practice

January 31, 2018