Activity traces along the DMZ in South Korea. Traces leading to a bunker in Libya. Routes used by Russian diplomats in Damascus.
These are just some of the discoveries made in January, when it came out that Strava’s Heatmap—an anonymized, publicly available aggregation of workouts from millions of users—had exposed sensitive locations around the world.
In response, the Pentagon announced a new policy last week: Effective immediately, all active duty Department of Defense personnel are prohibited from using tracking functions on their phones and devices in Operational Areas (any place where the military is conducting a specific mission). Commanders can allow use on a case-by-case basis only after doing a security survey.
“These geolocation-enabled devices can share information about users’ location with third parties, and this poses a significant security risk to the user and our military operations,” Pentagon spokesperson Major Audricia Harris told Bicycling by phone. “The good thing about this policy is it does give commanders some flexibility about how they need to implement the policy about mitigated risk.”
According to Harris, mandatory cybersecurity training will now include information on fitness trackers and other geolocation capable tech. The DoD also updated a policy clarifying that personal devices, regardless of their features, are prohibited in “secured areas.”
Nothing directly connects the Pentagon’s policy shift to the incident with Strava’s Heatmap. But it’s by far the most high-profile case of security issues coming into play when popular fitness apps like Strava meet military secrecy.
Officials weren’t completely blind to the looming security threat. A 2017 Government Accountability Office report noted “the geolocation capability of some IoT [Internet of Things] devices as a particular concern—specifically, how the location of troops or personnel could be revealed.”
Then came Nathan Ruser, now a writer with the Australian Strategic Policy Institute, who first pointed out the Heatmap’s embarrassing oversight. Others soon joined in, and, using the Heatmap, existing knowledge of military bases, and other satellite mapping services, traced the locations and behavior of soldiers around the globe.
A firestorm of media coverage and analysis followed. Strava responded by saying it would investigate how its platform interacted with sensitive military information. A month later, it quietly tweaked its privacy settings.
Defense Secretary James Mattis ordered a policy review following the scandal, and at one point considered banning all smartphone use for DoD personnel. For now, top brass has settled for a ban on geolocation services.
Strava does have an option that allows users to hide the beginning and end of a workout, often a home or workplace. The platform’s default settings stay true to its core purpose as a social network, making everything public. But the company stresses it does not and has never tracked activity in the background, nor does it include private activities in the Heatmap. When reached for comment, a member of the Strava team referred Bicycling to the company’s most recent public statement on the matter.
According to that statement, Strava is willing to work with government and military officials “to address sensitive areas that might appear.” Harris declined to confirm or deny any discussions between Strava and the Pentagon. “We do value our relationship with the industry,” she said, “but we also value the need to mitigate the risk to our military personnel and operations.”