Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Government Privacy Security United States

Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations (npr.org) 83

An anonymous reader quotes a report from NPR: Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers -- experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava -- which includes an option for keeping users' workout data private -- published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. Using data from fitness trackers such as the Fitbit, Strava's map shows millions of users' runs, walks, and bike trips from 2015 to September of 2017 -- and in some countries, the activities of military and aid personnel are seen in stark contrast, as their outposts shine brightly among the comparative darkness of their surroundings.
This discussion has been archived. No new comments can be posted.

Pentagon Reviews GPS Policies After Fitness Trackers Reveal Locations

Comments Filter:
  • by xxxJonBoyxxx ( 565205 ) on Monday January 29, 2018 @04:34PM (#56029377)
    If you wear a tracking GPS...it might track where you are. Film at 11.

    Just tell our soldiers and sailors that their comrade/shipmate's activities may conjure some inbound and the "new guy with the pretty watch" problem should take care of itself.
    • by hambone142 ( 2551854 ) on Monday January 29, 2018 @05:50PM (#56029835)

      Yup. It's kinda lame that the armed forces don't have enough foresight to predict that carrying devices that transmit location and logging in to websites that produce the same information might just reveal a person's location.

      It seems we've gotten a case of the "stupids" lately.

      • by rtb61 ( 674572 )

        More sensibly, it is kind of stupid for any military to allow their personal into the field with a non-military mobile phone with a specific range of set apps and fully encoded data transmissions. Don't let the military deploy with their personal phones, gather them up and replace them with durable military issue units and take out naughty apps and install military apps.

    • It's not just about a "pretty watch", this app is available on all the phones, which all have GPS.
      Unfortunately all soldiers, when not at home, would have to have military only approved personal gadgets with no personalized apps, or at least would be able to chose only from a set of pre-approved apps.

      Honestly, soldiers on duty install tracking apps with sharing default option and nobody had asked any questions till all their whereabouts were made public?
  • Even the external "secure" provision of cloud services itself allows predictive location of military and intel assets. Just the traffic flow itself allows you to pinpoint this, even if it's time-delay GPS data from "I turned my cell/smartphone/fitbit/watch off, sergeant!" health data.

    We can back extrapolate locations and pinpoint internal corridors and access points - for example, knowing people stop at a door for x minutes/seconds tells us what the security protocol is for the access point, and knowing the

  • ... is the lack of foresight on the part of American military.

    We used to be better than this.

    • I have a feeling that we ARE better than this when and where it really counts., but I do expect some additional "social media" direction to be given out that includes exercise tracking devices and cell phones.

      I'm pretty sure that if you are on active duty in a war zone, PT with your FitBit or Apple Watch isn't high on the list of desired activities. If you are on a recon team actually working, you won't be running the perimeter fence of the base three times a week and I doubt they will let you take your fit

      • by Kjella ( 173770 )

        I'm pretty sure that if you are on active duty in a war zone, PT with your FitBit or Apple Watch isn't high on the list of desired activities.

        Unless you're actually deployed on a mission isn't it mostly habit? You go for a jog for the same reason you do your push-ups and sit-ups, it's just the daily routine to stay in shape. Or it's base personnel who despite not being on the extreme front line feel the need to stay in shape, I don't think I've ever seen an obese high ranking officer even though they're just commanding people around.

        I know of an application that spoofs your cell phone's GPS receiver and can place you anyplace you want in the world. Seems like a way to provide any data you want to the application... Makes me wonder if the military isn't capable of making it appear like their resources are vastly different than they actually are.

        Well they could, but it's unlikely they could hide an entire base anyway. That doesn't mean they want to give away

        • As you say, it's unlikely you would be able to hide any kind of military installation anyway, and entry and exit points or sniper vantage points are all externally visible. I'm just guessing here but I'm pretty sure that if the adversary is capable of knowing the value of the information you outline, they are likely capable of doing the surveillance necessary to obtain it. Pattern of life data around any reasonable sized military base is pretty easy to obtain.

          That doesn't mean advisories wouldn't exploit t

          • by AHuxley ( 892839 )
            The location of a base is kind of easy to find given the interesting locals would notice. Who is on base, for how long and what their past was, thats the question that global digital tracking of people can make more interesting. Who stays on base with the fitness. Why wonders off base? Who uses a local gym? Who can be befriend? Who then shows up in another part of the world?
        • by AHuxley ( 892839 )
          Re "You go for a jog for the same reason you do your push-ups and sit-ups, it's just the daily routine to stay in shape."
          Look at what the average non special forces US mil person has to carry. All that water, food, weapons systems, batteries, communications. A lot of weight that needs a lot of strength and fitness in different climates and altitudes. To carry that amount of weight every mission, everyone has to keep fit and stay fit. A daily routine with some computer data per person would be supported
      • by AHuxley ( 892839 )
        Not everyone is doing active duty like the troops. A lot of contractors, experts and support staff are now used and they like their gym time.
        Re "military isn't capable of making"
        The NSA and GCHQ hope interesting people now start to scan each and every US base to try and build up a profile of fitness trackers?
        A digital trap to flush out interesting people trying to map out US forces digitally and globally?
        A cyber trap to see who responds in what way to the fitness tracker story? All US mil sites are aw
    • like invading italy and picking landing zones outside of air support range?

  • All military personnel must enable the "Privacy" mode on all portable electronic devices when out of CONUS. Because those privacy modes are disabled by default.

    • In this case, it is not the device itself - it is the web site.

      strava.com allows the user to mark every run/ride/swim/etc as public or private. You'd think that members of the military would be smart enough and tech savvy enough to mark their uploads as private; yet here we are. This isn't a technology problem, it's simple user error.

      • by guruevi ( 827432 )

        Given the amount of data, it seems like it defaults to "public-to-the-world" and not just "private to me (and my friends)" or "private" really means "we still collect and share your data, we'll just make sure it's anonymized". Who in their right mind would want to let the world know where they are regularly jogging, especially if you're away overseas in the military.

        • by arth1 ( 260657 )

          Given the amount of data, it seems like it defaults to "public-to-the-world" and not just "private to me (and my friends)"

          I can't say about Strava, but Polar defaults to everything being private, and you have to deliberately share data or make it public.

          Not that it should matter - if the options to make it private are there, we should expect anyone in secret locations to do so (or even better, don't log GPS coordinates at all). Why do we give them security clearance if they can't be bothered to take the simplest precautions?

          • by guruevi ( 827432 )

            The question is what does private really mean. Does it mean "we'll share it, it just doesn't have your personal details attached" or does it mean "it's completely shredded from our servers forever"

      • by Anonymous Coward on Monday January 29, 2018 @05:19PM (#56029691)

        strava.com allows the user to mark every run/ride/swim/etc as public or private. You'd think that members of the military would be smart enough and tech savvy enough to mark their uploads as private; yet here we are. This isn't a technology problem, it's simple user error.

        Yes, it's user error, but .. WHAT. THE. FUCK. The diagnosis is so wrong that .. that .. I can't think of a stupid metaphor, and I'm usually pretty good at stupid metaphors.

        Uploading sensitive information to a completely untrusted third party and then remembering to "mark it private" is like [oh good, I've still "got it" as long as a simile will suffice] sending plaintext email and being surprised that someone intercepted the plaintext because they weren't supposed to do that, shame on those naughty spies.

        Strava owes jack shit to the military, and therefore, the military has no reason to trust Strava (either their intent, nor the security of their database even if Strava's intent is good.)

        The correct thing to do is not send the data to third parties. It doesn't matter how you mark it, because even if you mark it private, you have still disclosed the sensitive information.

        This shouldn't be a surprise to anyone, anyway. The most common sense way for these devices to work is to transmit the data to the user's own computer. But so much of today's IoT is made to lock people in services for recurring revenue, that they're made to send data to company servers (a.k.a. "the cloud") instead. Users are supposed to Just Say No with their wallets but discouragingly, people are still buying this type of obvious garbage that they know is garbage before the sale.

        So yeah, I'd say user error. They shouldn't have bought the device, but they did. Then they allowed it to transmit their locations to third parties, which was a major major fuckup. Then ok, cherry on top, they didn't mark it private. But it was already a shocking display of stupidity long before that point.

        I really dislike this idea that the user is supposed to use some privacy setting to tell Strava "this is military data, so I humbly request that you please not share it with the enemy." So fucking wrong. Don't give the data to Strava in the first place.

        • Uploading sensitive information to a completely untrusted third party and then remembering to "mark it private"

          Strava has a global preference setting to mark all future uploads as private by default. Set it once, all future activity is private. No need to remember each time.

    • All military personnel must enable the "Privacy" mode on all portable electronic devices when out of CONUS. Because those privacy modes are disabled by default.

      I'm gonna take a wild guess that you've never actually served in the Armed Forces. If you did, you would realize this would never work.

  • Easy policy (Score:5, Insightful)

    by Anonymous Coward on Monday January 29, 2018 @04:47PM (#56029473)

    No personal devices, done. 20 years ago they wouldn't have had cell phones, now they all do. If they are deployed, depending on where and what the mission is, they either get no contact with home or the internet, or they only get access to home and the internet via a shared workstation setup centrally located on the base. Anyone caught deploying with any sort of electronic device besides possibly an approved MP3 or DVD player should be subject to "other than honorable discharge". There is no reason for them to have them when deployed. You want to keep a secret you don't let people talk. Allowing people access to the internet will leak information 100% of the time.

    • No personal devices, done. 20 years ago they wouldn't have had cell phones, now they all do. If they are deployed, depending on where and what the mission is, they either get no contact with home or the internet, or they only get access to home and the internet via a shared workstation setup centrally located on the base. Anyone caught deploying with any sort of electronic device besides possibly an approved MP3 or DVD player should be subject to "other than honorable discharge". There is no reason for them to have them when deployed. You want to keep a secret you don't let people talk. Allowing people access to the internet will leak information 100% of the time.

      I think there's another side of this where keeping these people sane is a real issue. If you look at the Bowe Bergdahl case one thing that's clear is the kid made some extremely poor decisions, and a big reason seems to be he was socially isolated and more-or-less lost his mind. His reaction was clearly an outlier, but I have no doubt there's a lot of other bad decision making and discipline issues that come from a result of the psychological stress people are under.

      So take away their internet and Smartphon

      • by DogDude ( 805747 )
        I think there's another side of this where keeping these people sane is a real issue.

        People who aren't "sane" without cell phones are not mentally healthy and shouldn't be part of the active military.
    • You want to keep a secret you don't let people talk.

      You're assuming that this is a secret, rather than large obvious forward outposts that were blown up figuratively by internet armchair doomsayers.

    • by Anonymous Coward

      It's somewhat important that soldiers have comparable lives and capabilities that we have. Their alienation will result in all sorts atrocities. Letting soldiers feel and sense how we at home are, is an important aspect of forming and shaping their morality.

      Surely we can allow them to have similar connected capabilities while still being secure in their (general) coms?

      If not, then we made stupid technology indeed.

    • by AHuxley ( 892839 )
      A high wage for a contractor won't cover not having their comforts. The people with the skills needed for missions just expect to keep their digital lifestyle with them in the US mil at any location.
      They want their digital files, images, music, internet, digital fitness data. If the contractor is stopped from having that lifestyle they have hours to ponder the mission and their role. Instead of just enjoying digital entertainment, looking over their fitness data that person with skills then has free tim
    • Change to "No personal devices" but give them military issue for civilian use.

      Specifically, a cellphone with a location chip built by an american company,programmed by a company, to stop tracking GPS when you are on duty.

    • No personal devices, done.

      Nice try AC, but many of those fitbits were government issued, in a move to encourage more exercise.

      https://www.military.com/daily... [military.com]

  • by paulhar ( 652995 ) on Monday January 29, 2018 @04:50PM (#56029509)

    Governments are keen to tell us that metadata doesn't need protecting etc.
    Cake and eat it?

    • Governments are keen to tell us that metadata doesn't need protecting etc.
      Cake and eat it?

      The government will want to protect the privacy of the metadata while providing easy access to the data by the government. ... but that won't be a back door, no sirree bob, since back doors are BAD. They don't want a back door - they just want a way to get at the data whenever they want.

      • Backdoors are bad for everyone. I recommend building a front door instead. Faster to get in and out too since you don't have to walk around the building.

  • by QuietLagoon ( 813062 ) on Monday January 29, 2018 @05:09PM (#56029625)

    ...Strava -- which includes an option for keeping users' workout data private...

    The data are still on Strava's servers. Do those servers pass the military security requirements for protecting troop locations? What else does Strava do with the data?

    • Is it at all relevant? So far I have seen little uproar over the incident which as done little more than light up bases that no one was putting any effort into hiding in the first place.

  • Oh and by the way -- don't Russians run?
    • Maybe they are smarter and don't bring their devices on deployment to missions requiring secret clearance.

    • by AHuxley ( 892839 )
      Russians know what happen the last time they let random Western consumer devices on their bases.
      Russian spies deep in the US/UK gov/mil saw much more new and different data was been gather about all kinds of sites all over Russia.
      No more consumer spies on base, in the sub.
  • Create a law were companies can not share data --- fixed
  • by Anonymous Coward

    And here I GENUINELY thought when soldiers were sent to "off the map" places they had to leave all that stuff at the main base in the US where they left from. I thought it was something like prison. It makes no logical sense to use a mobile device at these bases that are supposed to be hidden. If I check my phones location history it will tell me exactly where I was, how long I was there and what other places I might visit next time in the area once it gets a data connection. Hell even logging on to som

  • If I understand correctly, there's nothing wrong. It's IOT devices that send everything to a remote that isn't under the user's control.

No spitting on the Bus! Thank you, The Mgt.

Working...