Ukrainian soldiers out running or cycling may have been providing the enemy with information about army positions and bases – without even realizing it.
Fitness workout tracking company Strava has updated its Global Heatmap, which shows the movement of people who use fitness devices such as Fitbit and fitness apps running on devices like smartphones and Apple Watch.
Strava has for the last eight years been using GPS satellite data to map the location and movements of 27 million people who use fitness trackers, amassing more than 13 trillion individual GPS data points.
People wear fitness trackers all day to measure their total step counts, and even during sleeping to track their sleep quality, meaning the maps can reveal far more than just their jogging routes. Soldiers appear to be no exception.
The Global Heatmap can be checked against the locations of known military bases; or areas in war zones. According to open-source intelligence researchers, the lines of activity extending out of bases and along front lines may indicate sentry and patrol routes – potentially useful information to an enemy.
Revealing data
The activities of Ukrainian soldiers deployed in the combat zones along the Donbas front line could also be tracked and mapped. For instance, the map shows intense movement of troops in the area around the ruined Donetsk Airport, where there was a bloody battle between the Ukrainian army and Russian-led forces three years ago.
More data that could show the movement of troops is easily found on Strava’s map all along the front line, on both sides.
However, as the Strava data set is older than Russia’s war on Ukraine, some data in eastern Ukraine probably dates from before the war. The ages of tracks on the map are not indicated, meaning they could have been made by a member of the public before the war, and not a solider.
As this story was published, Ukraine’s General Staff had not commented on the security implications of the Global Heatmap for Ukraine. Colonel Vasyl Labay, a spokesperson at the army’s press center, told the Kyiv Post on Jan. 29 that more inquiry into the issue was necessary. He added that according to army rules, Ukrainian servicemen engaged in combat zones are prohibited from using cellphones in order to prevent the enemy tracking their movements.
Using Strava’s data, Aric Toler, a researcher at open-source intelligence organization Bellingcat, claimed to have seen the tracks of a Russian soldier going through the Kuzminsky base – the largest of the new Russian bases that the Kremlin has built near the Ukrainian border since it launched its war on Ukraine in 2014.
A Russian soldier apparently went through the Kuzminsky base (largest of the new Russian bases near Ukrainian border) with their Strava tracking enabled. pic.twitter.com/4DdPfvvSkz
— Aric Toler (@AricToler) January 28, 2018
The location of most such sites is public knowledge, but the data like this could offer a mine of information about patterns of activity inside army bases, and sentry and patrol routes – information that could potentially be used in an attack.
Drone tracked
This is not the first time internet-based GPS tracking by mobile devices has revealed potentially sensitive military information. For instance, U.S. surveillance drones have several times been spotted over Ukrainian territory close to the war zone using information from the internet. The last time, on Jan. 8, a U.S. Global Hawk spy drone could be tracked by the public in real time on the Flightradar24 aircraft tracking website as it flew along the edge of the Donbas war zone.
But at the same time, the U.S. military has encouraged the use of Fitbits among its soldiers, and in 2013 supplied 2,500 of them as part of a pilot program to battle obesity in the army.
And while Strava’s map doesn’t necessarily reveal the presence of military installations to the world – in fact, some Twitter users pointed out that the data on the map might be “older than the Ukrainian conflict” itself – it does provide some additional information, revealing how people are moving in some areas, and with what frequency.
I know it feels like Eurasia has always been at war with Oceania, but the Strava data set is in fact older than the Ukraine conflict. These traces might be from a time when there was no frontline. https://t.co/9dPaiJB9Sd
— Antti Rasinen (@arsatiki) January 28, 2018
The map also demonstrates the need for more user awareness of the nature of the information that their device reveals to the outside world, given that Strava isn’t the only company that collects data about its users.
Christmas tree
The Global Heat Map was published in November 2017, updated with information collected from 2015 to September 2017. However, it was only in late January that a 20-year-old Australian student Nathan Ruser, who is studying international security and the Middle East, recognized its military intelligence significance.
“I wondered; does it show U.S. soldiers?” Ruser told the Washington Post. He said he zoomed in on Syria and “it sort of lit up like a Christmas tree.”
In war zones and deserts in countries such as Iraq and Syria, the heat map is almost entirely dark, apart from scattered dots and lines of activity.
Ruser started tweeting about his discovery, and soon so did data analysts, military experts, and former soldiers, combing the map for evidence of military activity.
The Strava data is like Christmas Day for OSINT Twitter
— Eliot Higgins (@EliotHiggins) January 29, 2018
The defense implications of Strava’s open-source data, originally intended for fitness enthusiasts, have created a buzz in the international media, with the Guardian, The Washington Post, Forbes, the BBC, and others publishing stories on Ruser’s find.