All Warmed Up with the Strava Heatmap

Image Copyright: Maxim Kazmin / 123rf

Episode 13: All Warmed Up with the Strava Heatmap – Show Notes

Many people, civilians and military personnel alike, use fitness trackers every day to keep tabs on their health. They track everything from steps to heart rate to sleep cycles. With some manual input, they can also balance other aspects of personal health and diet. Trackers such as Fitbit, Jawbone, and even Apple Watches use apps tied to phones for display of statistics as well as additional tracking. One common element tracked is how far someone has traveled, which is accomplished using geo-positioning.

Strava, makers of an app that integrates across multiple trackers, encourages users to connect and log their running, swimming, bicycling, and other activities to then share with friends. After gathering data for a few years, they then released an interactive heatmap showing where users were active. This could be a great tool for finding new routes in your area or finding places to avoid when you want to run alone.

The unintended consequence of this was that it also highlighted where members of the armed forces, UN, or aid workers were stationed and moving around in hot zones around the world. This became such a concern that the Pentagon has now revisited its policy regarding fitness trackers (yes, they are still allowed… sometimes). All because well-intentioned data analysts and visualizers wanted to provide more insight into patterns.

Additional Links on the Strava Heatmap

U.S. Soldiers are Revealing Sensitive and Dangerous Information by Jogging: Washington Post article from January detailing how this story came to light.

Pentagon Restricts Use of Fitness Trackers: New York Post article describing changes made by the Pentagon to ensure security following the Strava heatmap incident.

Episode Transcript

Marie: Welcome to the Data Science Ethics Podcast. This is Marie and I’m here with Lexy and today we’re going to be talking about Strava and how the visualization of how people were using fitness trackers and those patterns actually led to some potential security risks. How that information was found and then some of the responses that have come out since then.

So Lexy, when we saw this article, what was it about this story that really piqued your interest and made you think about some of the different data science ethics topics we’ve talked about before?

Lexy: This article came out as I was starting to think about setting up this podcast. This was a brand new occurrence that had happened. This was early in 2018 and it really made me think about not only what kinds of algorithms we use and how we gather data, but how we make that data available and some of the privacy implications that we have in terms of some of the things we’ve already talked about.

It definitely hearkens back to considering context. The fact that, normally, users have a fitness tracking app like this (and I fully admit I have a Fitbit on me at all times). Most people, like me, are civilians who use it just for wellness tracking, trying to get more fit, trying to make sure that their sleep is good and so forth. When you’re not in a military context, you don’t necessarily think about the same risks that others are taking.

That if a person who’s in the military has a Fitbit and it’s providing tracking to say how far they’ve gone in a day, how far they’ve run in a day, how many hours of sleep they got during what hours, when are they working out, what is their route for different patterns that they’re running or whatever it might be. To most people who are probably at fitness tracking companies, it doesn’t seem like a big deal. Of course people are doing this at a gym or around their neighborhood or whatever, but when your neighborhood is a military base, the context changes.

Because it’s a military application, obviously, there’s also anticipating adversaries. You literally have an adversary at that point that is at least somewhat clearly identifiable.

This really seemed to be at the confluence of context, adversaries, privacy, and data tracking, not necessarily as much algorithms, predictive capabilities. But when you think about it, the past predicts the future in most cases when we’re doing these sorts of predictions. And so if an adversary uses the data that you’ve seen in the past for how people have been running, where they’ve been, what their movements have been, they’re able to predict and use that information, those predictions, for potentially very bad purposes and it very much jeopardizes the security of forces and of people around the world who are trying to do good things.

Marie: For sure. The other piece of this story that was in the Washington Post that is very interesting is how this information came to light and how it was discovered and the steps that came after that.

Lexy: Yeah. Originally this heat map was published in, I think it was November of 2017. The way that it came to light that this was a potential security threat was that it was identified by an Australian college student who was studying international security and the Middle East. As they started to look through the heat map, they zoomed in on areas, for example, in Syria and Iraq and found areas that just lit up with users of fitness trackers. They were able to identify very clear paths, for example, tracing the outline of a military base that indicated the perimeter that someone could run. They were able to find areas where there was suspected activity and they could see routes that people were taking, for example, across a dam or other areas where there were suspected bases and they did see activity. Some of these were known areas, so some of the bases were known military installations, others were not necessarily known, but because this information had been tracked and the location, the GPS coordinates had been tracked so closely, they were able to see exactly where these people were.

Marie: As you were talking – some of the other things that were brought up in the article is it’s not just where people were working out. It could also be the routes that people took for a patrol or the routes that people took when they were checking on other resources like a water source or things like that. So as you mentioned a little bit ago, it’s not just about what people were doing. It’s about how that information could be used and those patterns could be used in potentially nefarious ways in the future.

The fact that this information was found by a college student and then the way that they were visualizing it helped to bring out these issues. I think it speaks a lot towards the power of visualization and how visualization can really help us understand data better.

Lexy: Absolutely. There are a lot of applications that are built around visualizing data science. It’s not something that I’m going to get into a tremendous amount here. There are plenty of podcasts and blogs and so forth out there that cover data visualization, but it is a very important factor to presenting information, whether it be part of data science or data analytics or anything in and around the use of data. The more you can visualize, the more people can understand it, for good or bad.

Most of visualizing of data is a good thing. You’re giving people insights into patterns and data or things that stand out in data. In this case, they’re doing exactly that, but there are people who would take that information and, as you mentioned, use it for nefarious purposes potentially to devastating effect.

In visualizing data, it’s always important to know your audience so that you know how to present information, what information to present. When you’re posting something publicly, your audience is anyone and everyone. And you have to be cautious about the data that you present to anyone and everyone because there are times, and this is one of them, where not all of that information should be available to all and sundry.

Marie: That’s a good segue into some of the press coverage that has happened over the last couple of months in terms of what the Pentagon and what the military has done to start addressing this issue.

Lexy: Some of the things that have happened since this all came to light back in January is that the Pentagon specifically has revisited its policies around fitness trackers and around some of the applications on mobile devices that gather information behind the scenes. In the case of the Strava App, there was the ability to elect to turn off its geolocation tracking. That requires a user to know that that setting exists and to alter that setting. What the military has tried to do is make at least the personnel going to specific areas more aware of what information might be tracked. And now the Pentagon has essentially told their commanding officers at various installations that they are in charge to designate whether or not their personnel can or should be allowed to use personal cell phones, personal fitness trackers and so forth. Because this could potentially be data that’s gathered, transmitted, and then used.

Marie: A few years ago, the Pentagon actually encouraged military personnel to use fitness trackers and actually provided fitness trackers to a set group of personnel to help them with their P.T. and tracking their fitness and making sure that the fighting men and women stayed ready for military action. So this is an interesting evolution of having an issue, putting a solution in place, but then when you have another aspect to it, the way that you address the issue, the way that you optimize for solving that problem can be very different.

Lexy: The other part, to that end though, is it’s one thing to say “we’re going to give out Fitbits” and know that Fitbit has its app, that it’s tracking all of this information on and they can potentially tap into that information and download it for their personnel and so forth. It’s another when you think about all of the integrations that happen. So Fitbit integrates, for example, with hundreds of different applications including things like MapMyRun, MapMyFitness, which are all geo-coordinate-based tracking. All of these integrations pose a risk of data being duplicated and shared amongst a much broader community.

With the case of Strava, even though it was a Fitbit tracker or a Jawbone tracker or what have you, because a user had elected to integrate these applications now it’s no longer Fitbit or Jawbone. So even if the Pentagon had contracted with Fitbit to have these devices and be able to collect this information, because that integration exists, they don’t have control of what data is actually used where.

One of the things we were talking about, just kind of sidebar before we started recording today, was the possibility of potentially taking something like Fitbit and instead of just saying, “well, we’re going to hand out Fitbits and we’re going to use the standard Fitbit App.” What if the Pentagon had said, “hey Fitbit, we want to use your tracking devices, but we need to lock down the security of the information that’s gathered. Can we get a version of this where that data can’t be shared? Those integrations are not enabled or what have you.” And, Marie, you brought up a great point that those types of contracts are often the ones that civilians bemoan when it comes to overages in government contracts and time spent and money spent and so forth.

Marie: Yeah, potentially. And the examples that I’ve heard from people that I know in the military are just examples of there are certain things that are currently available in the civilian world that might provide a better user experience or are just better in terms of what they’re able to deliver in terms of a service versus things that the military has maybe contracted. And because it’s a military contract, it might not be able to have the same innovation cycles that something in the civilian world does. So just the idea that you need to build something for the military or can the military use things that are already in the civilian world is an applicable debate in terms of the money spent and also the return on that investment from that money spent.

Lexy: But to your point earlier, it also allows you to optimize against both the need for the service and the need for security. Whereas in the civilian world, you don’t have necessarily the same concerns as you would have in the military to make sure that you’re optimizing on both sides.

Marie: Absolutely, and I think that’s where, Lexy, your point to this was it really depends on how the contract is written. If somebody is applying for a contract and it basically says we want you to create a new Fitbit but have a secure infrastructure that’s much different than maybe saying I want something that can track user activity and I want it to be able to visualize where people are running, but maybe they don’t scope it as well as what already exists.

Since the Pentagon has put in new regulations, it’ll be interesting to see how those impact in the future and if this type of project were trying to be duplicated, let’s say in 2019, if they’re going to be able to see a drastic decrease in terms of where Fitbits are being used and where this type of data is being tracked. Anybody that’s looking for a thesis for 2019 – that might be an interesting followup.

Lexy: The other thing that springs to mind is that there are larger organizations, like Google Earth for example, where they take specific precautions working with the government to ensure that they don’t give away locations of military installations. There have been instances where people have specifically masked what’s been shown, so they’ll put imagery on a rooftop to try to mask what’s actually underneath or Google has specifically blacked out certain things or essentially mapped over certain things to make sure that they’re not giving away secret information.

Marie: Or mapped around it like with Google street view and not having their vehicles go into certain places.

Lexy: Exactly.

In this case, Strava didn’t have the same high profile that Google does and when they provided this information, it was without checking with governments or without checking with different groups that would have concerns in these ways. Since that all came out, they started having those conversations with the government, with the UN, with these aid organizations and so forth, so that they could potentially mask it later. I’m not sure to be perfectly honest, if they went back and edited those heat maps to make sure that they couldn’t tell where some of that data had been and kind of blocked that out or if they just let it be because it was already out there at that point. It’s already been in the world on the Internet. We’ve talked about the fact that once it’s online, it’s pretty much there forever. It would be very interesting to me if they revise that to see if they remove those areas that were seen as potential security threats and/or mask the information in some way.

Marie: Maybe even tying it back to what we were just discussing before. That is a much more elegant solution in terms of how do you give personnel access to things that can help them with their fitness tracking. Make sure that they’re not getting out of shape and not able to respond to the needs of their military position. At the same time, allowing industry to innovate and come up with solutions that give military personnel access to the latest technology while also keeping them safe and secure. So that’s an interesting development in terms of how they were contacted and potentially the types of responses that they could have to this type of information being under their control.

Thanks everybody for joining us for this quick take about Strava and fitness trackers being used by military personnel around the world. Again, you have been listening to the Data Science Ethics Podcast.

Lexy: Thanks very much.

We hope you’ve enjoyed listening to this episode of the Data Science Ethics podcast. If you have, please like and subscribe via your favorite podcast App.

Join in the conversation at datascienceethics.com, or on Facebook and Twitter at @DSEthics where we’re discussing model behavior. See you next time.

This podcast is copyright Alexis Kassan. All rights reserved. Music for this podcast is by DJ Shahmoney. Find him on Soundcloud or YouTube as DJShahMoneyBeatz.