
AllTrails Data Exposes Precise Movements of Former Top Biden Official (vice.com)

An anonymous reader quotes a report from Motherboard: A security researcher appears to have tracked the physical location of a former top Biden administration official through his apparent usage of AllTrails, a popular hiking app with more than 30 million registered users. The AllTrails records appear to show the official visiting sensitive locations such as the White House, and also suggest the specific house where he or his family lives. By default, AllTrails users' activity is public for anyone to view, including completed trails, maps, and activities. But that convenience and focus on providing a social network style experience comes with potential risks around national security or privacy, depending on the particular user. Whether a public figure like a government official or celebrity, or someone at risk of stalking in general such as someone in an abusive relationship, AllTrails' privacy settings may be something users should consider.

"I found interesting results by searching near the Pentagon, NSA, CIA or White House and then looking at the user's other activity," Wojciech, the security researcher, told Motherboard in an email. Wojciech said they used their own open source intelligence platform as part of the investigative process. They said the tool supports Strava and another app called SportsTracker, and will include AllTrails itself soon. Wojciech sent Motherboard a link to what they believed to be the AllTrails profile of the former top Biden official. Motherboard is not naming the official because they did not respond to requests for comment, and their profile is still publicly accessible.

One trip to the White House in December recorded in AllTrails also shows a nearby apartment building he ended his journey at. More trips recorded that month show the official's other movements throughout Washington D.C. Much of the AllTrails activity relates to when this official was part of the administration. Motherboard searched through the official's AllTrails activity and found multiple hikes starting from the same location. Motherboard then queried public records and found this location was a house registered to the official's family, meaning AllTrails had helped identify where the official or his family may have been living. Motherboard also verified that the official does have an account on AllTrails by attempting to sign up to the service with the official's personal email address. This was not possible because the address was already registered to an account.

  • Why would software by default allow someone to search a location for user activity and then see everything else they did? This is some epic creepy stalker s**t. I'm sure that it can be turned off, but it's probably buried in a settings menu. This is why we can't have nice things.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday March 09, 2023 @08:10AM (#63355619) Homepage Journal

      AFAICT, and I have used this software before, it's not tracking you any time you don't specifically ask it to do so. The purpose of sharing the trails by default is that the whole purpose of the platform is for people to be able to discover trails that they otherwise wouldn't know about. Some people have decided that the purpose of the platform is for them to log their own hikes, which is stupid. If you want to do that, you can do it without uploading anything to another site, and if your purpose is to not share the data then uploading it is insensible since then you have to trust someone else's security and yours.

      • by wings ( 27310 )

        AFAICT, and I have used this software before, it's not tracking you any time you don't specifically ask it to do so.

        This.
        Tracking either gets enabled by default at installation with a benign sounding click through notice or was enabled at the start of a hike and never disabled. It is too easy to forget about settings like this.

        • The problem is the "benign clickthrough" bull. Unless specifically asked, from the app being opened / watch app being opened and directly clicked, this -expletive- shouldn't even be allowed to track you. Like a lot of software it's counting on users being conditioned for their entire lives (in most cases) to click through all the little checkboxes for licensing and so on.

          Get a little something that makes it easy to sue them for stalkerish behavior and you'll watch App/Software design change VERY quickly.
          • I would agree with you if these were default settings on a cell phone out of the box from a factory but this is purpose-built tracking software that someone intentionally installed to use. It is not the company's fault if that person does not understand that software will do exactly what it was designed to do.

            AFAIK Android phones still do this automatically out of the box with Google Maps tracking and 99% of those users have no idea it's happening. I don't remember seeing much outrage about that over the

            • I believe that Android phones still only default to saving your tracks any time you're getting direction, but they do still harvest locations you've visited?

            • Depends on when it was installed and let's be honest: EULA's today are designed to generate information overload for a prescribed response: Getting the user to click yes or similar. Kind of like how UAC in Windows was useless because it came up all the time so people just clicked OK. Going back to the first clickthrough licensing that made you scroll to the bottom before clicking accept, to before when it was the first time someone made you click accept because you weren't buying software but a license to u
          • The problem is the "benign clickthrough" bull. Unless specifically asked, from the app being opened / watch app being opened and directly clicked, this -expletive- shouldn't even be allowed to track you. Like a lot of software it's counting on users being conditioned for their entire lives (in most cases) to click through all the little checkboxes for licensing and so on.

            Get a little something that makes it easy to sue them for stalkerish behavior and you'll watch App/Software design change VERY quickly.

            Doubtful. People would just get used to clicking a different prompt.
            You really need to put some responsibility on users. It's not like granting permissions on Android/iOS is hidden in a 90 page EULA.

            • Well, first we don't know when the software was installed. Pre or Post Apple tracking notification update. Second there was a timeframe where you didn't get "Only while using" on iDevices - that was left up to the app developer. That's before all the crap companies put in there to get you to click always allow.

              Basically all EULA's today are obfuscation by information overload to generate a prescribed response. The desired response is when someone sees "Accept" and/or "Always Allow" they blithely click on
        • Should officials even use apps that can track, or even have smart phones? I know it sounds silly, but remember when they were hesitant to allow Obama to keep a Blackberry. There are real security concerns here.

          I had a friend in an MMO who had to quit playing because his think tank was going to contract with the White House and so he was not allowed to have any aliases or alternate online personalities. I thought it was a bit odd, but there it is. So if a contractor has security checks and restrictions a

      • Also, a walk from my house to work isn't even a hike or a trail.

        • In DC there are many trails through parks. A majority of northern Virginia is a park with roads going through it. You can walk from anywhere in NoVA to K st and other political hot spots. It's not uncommon to ride your bike to work and pass by your favorite senators or other elected officials.

          Just because your city is not walkable does not mean all cities are unwalkable

    • by geekmux ( 1040042 ) on Thursday March 09, 2023 @08:18AM (#63355633)

      Why would software by default allow someone to search a location for user activity and then see everything else they did? This is some epic creepy stalker s**t. I'm sure that it can be turned off, but it's probably buried in a settings menu. This is why we can't have nice things.

      "One trip to the White House in December recorded in AllTrails also shows a nearby apartment building he ended his journey at."

      Remember that these are individuals who possess the highest security clearances. There's a damn good reason "they" don't want you buried in massive debt with a gambling habit when handing you a Top Secret clearance. What the target knows or has, makes this a much larger concern regardless of obvious oversharing which may be by design.

      Just reading that single sentence makes me wonder if this individual is quite concerned about their spouse finding out about a DC apartment.

      • Just reading that single sentence makes me wonder if this individual is quite concerned about their spouse finding out about a DC apartment.

        I doubt that personally. When I was working a contract in the area I had an apartment because I didn't feel like dealing with gridlock or living in a hotel whenever I was in town.

      • by Dusanyu ( 675778 )
        Security Clarance just means you passed a basic background check and survived a 3 hour long interview. and these people probably got the VIP treatment and did not get exposed to the interview. the government just needs to do the smart thing and give dumb bureaucrats and idiotic politicians (read all of them) dumb phones. the kind with a wire that's attached to the wall.
        • by PPH ( 736903 )

          Security Cl[e]arance just means you passed a basic background check

          That depends on the type of security clearance. There are some projects where the customer (DoD) does not want foreign intelligence to even learn the identities of contractors assigned to it.

          At times, workers on Lockheed's skunk work projects were asked not to associate with co-workers outside of their facilities to prevent observers from drawing conclusions on how they were staffed and what might be going on.

        • Security Clarance just means you passed a basic background check and survived a 3 hour long interview.

          Ah, don't assume things still work like they did yesterday. There isn't really a periodic screening anymore that comes around every few years. You're put on Continuous Evaluation which basically means exactly what it sounds like.

          (Not like it's hard to monitor a country full of social media narcissists with security clearances.)

          • I would just make that security clearance just mean "your name never shows up in social media". Easy to search. And anyone able to pull off that trick in this day and age clearly gets security clearance. :-)

            • I would just make that security clearance just mean "your name never shows up in social media". Easy to search. And anyone able to pull off that trick in this day and age clearly gets security clearance. :-)

              Good luck finding that Boomer who still values privacy to come back to work.

              Everyone else is The Product.

    • I have not used Alltrails before, but similar "discoveries" have been made about other sites that let you track activities. I can't stress enough how this is a non-story.

      The last time some journalist started a tweet storm about "privacy" on Strava, his article was full of errors due to his misunderstanding of basic features of the site and how the privacy settings worked, resulting in a bad-faith "outrage cycle" that nerfed some very cool features of the site.

      To put it bluntly: Why is anyone surprised that

      • They're doing more than storing the data and sharing it with LE. They're making it publicly available.
        • Which I'm sure is all spelled out in the terms of service. I repeat myself: they signed up for and made use of a LITERAL position tracking app, so no one should be surprised that it's public and no one should write articles claiming "national security risks" when some guy decides to scrape a website.

      • by DarkOx ( 621550 )

        DC is the most spied on city in the world, full stop. There are literally eyes everywhere. However in days gone by it was still expensive, tedious and time consuming to put together a historical log of a person's usual daily activities.

        For all of those reasons you had to first identify the person(s) for whom that was even worth doing.

        Let's look at an example. Would say a DOT official or even the transport secretary ordinarily have been a target for say Russia or the PRC? maybe maybe not. However what if s

        • I think the citizens of Pyongyang might beg to differ.

          Nothing you're describing can't already be done with other data. I can purchase public cell tracking data and determine who "went on vacation" after a train derailment. I don't need meter-accurate gps data for that. Hell, you can probably passively monitor cell transmissions in an area and track people that way, no stingray needed.

          Activity trackers aren't going to matter if you want to "proffer the idea a president is stacking his cabinet with lazy inept

          • by DarkOx ( 621550 )

            I think the citizens of Pyongyang might beg to differ.

            Thanks, you have proven my point. Getting good intelligence insights on anything going on in DPRK is incredibly hard. One of the reasons is so little SIGINT comes out of the place.

            It's one of the things that really works to bolster the security posture of that regime. Why would we want America to be less safe?

    • If you forget to turn it off after a hike it tracks the drive home or wherever you go. As a hiker I can confirm that it's really easy and annoying to forget to turn off tracking. I used Alltrails for a very short time before getting disgusted by their utter lack of privacy. They also charge for offline maps which is the one thing that might save a life in an emergency. Awful app with no thought about user safety in terms of privacy or natural dangers. I switched to an offline program for tracking myself
      • Yes, people leave apps running all the time. And the app developers could probably fix it by intelligently looking for people "walking" at 60 miles per hour. But they don't. It's annoying for competitive activities, too. Only recently did Strava even start considering it.

        Anyway, it's just ridiculous for people to make a big deal about your activities being public. They literally signed up for that!

    • > This is some epic creepy stalker s**t.

      That's how we feel about the NSA Snowden leaks as well.

      'Special Pleading' on the 'Divine Right of Kings' isn't going to survive the 21st century.

      We already know that when spooks want to stalk their ex they 'just' ask a 5-eyes buddy to do the query for them.

      Hell, we just found out yesterday they blatantly defraud the court, destroy evidence, and withhold exculpatory information as a matter of course so banal that they now put evidence destruction requests in office

  • Here we have a senior government staffer who doesn't understand security. They've left their tracker running when they shouldn't have done, and so have given away a whole load of information that no one else should ever find out.

    Trot this guy out any time someone starts talking about national ID cards. Also, maybe send them on some security training, because they clearly don't understand what information is sensitive, what isn't, and how to safeguard it.

    Also, Alltrails better be American. If they're Chinese,

    • by Comboman ( 895500 )

      >>Here we have a senior government staffer who doesn't understand security. They've left their tracker running when they shouldn't have done, and so have given away a whole load of information that no one else should ever find out.

      White House visitor logs [whitehouse.gov] are publicly available information. Nothing has been revealed that couldn't be determined in other ways.

      • by Entrope ( 68843 ) on Thursday March 09, 2023 @08:44AM (#63355675) Homepage

        Staff don't get listed in visitor logs. Their home addresses don't get listed. The paths they use to get between home and work are not listed. Other places they frequent are not listed.

        Why do you lie like that? It's not remotely plausible, and just makes you look like a tool.

        I don't know about White House staffers, but a bunch of government contractors who never have to set foot in government buildings still get frequent defensive security briefings that explain the dangers of allowing social media to share this kind of information, of various habits that expose one to crime or other hazards, and more. This is a pretty astounding security fail.

    • Re: (Score:1, Flamebait)

      by Train0987 ( 1059246 )

      Here's the thing. The cell phone in everybody's pocket right now already does the exact same thing that this purpose-built trail tracker software does, you just aren't aware and don't have access to the mapping tools the govt's law enforcement and intelligence agencies have access to.

      • Probably at a lower level of precision but yeah. Alltrails is especially awful though. They really push people into publicly posting everything. Having a bunch of data is their competitive advantage so they do everything they can to get users to post it.
  • by PPH ( 736903 ) on Thursday March 09, 2023 @11:57AM (#63356185)

    He's always out hiking the Appalachian Trail. It's probably common knowledge.

    • He's always out hiking the Appalachian Trail. It's probably common knowledge.

      Did the app track some side trips to Argentina?

  • by NotEmmanuelGoldstein ( 6423622 ) on Thursday March 09, 2023 @04:28PM (#63356837)

    ... risks around national security or privacy ...

    This is the result of a culture deeming privacy 'for sale': From data-harvesting by operating systems, subscribers blindly clicking permissions to log-files and personally-identifying information, to businesses buying and selling that data, to a government refusing to protect data except medical data and VCR rental-history.
