Fitness App Strava Gives Away Location of Foreign Leaders, Report Finds

French newspaper Le Monde found that the fitness app Strava can easily track confidential movements of foreign leaders, including U.S. President Joe Biden, and presidential rivals Donald Trump and Kamala Harris. The Independent reports: Le Monde found that some U.S. Secret Service agents use the Strava fitness app, including in recent weeks after two assassination attempts on Trump, in a video investigation released in French and in English. Strava is a fitness tracking app primarily used by runners and cyclists to record their activities and share their workouts with a community. Le Monde also found Strava users among the security staff for French President Emmanuel Macron and Russian President Vladimir Putin. In one example, Le Monde traced the Strava movements of Macron's bodyguards to determine that the French leader spent a weekend in the Normandy seaside resort of Honfleur in 2021. The trip was meant to be private and wasn't listed on the president's official agenda.

Le Monde said the whereabouts of Melania Trump and Jill Biden could also be pinpointed by tracking their bodyguards' Strava profiles. In a statement to Le Monde, the U.S. Secret Service said its staff aren't allowed to use personal electronic devices while on duty during protective assignments but "we do not prohibit an employee's personal use of social media off-duty." "Affected personnel has been notified," it said. "We will review this information to determine if any additional training or guidance is required." "We do not assess that there were any impacts to protective operations or threats to any protectees," it added. Locations "are regularly disclosed as part of public schedule releases."

In another example, Le Monde reported that a U.S. Secret Service agent's Strava profile revealed the location of a hotel where Biden subsequently stayed in San Francisco for high-stakes talks with Chinese President Xi Jinping in 2023. A few hours before Biden's arrival, the agent went jogging from the hotel, using Strava which traced his route, the newspaper found. The newspaper's journalists say they identified 26 U.S. agents, 12 members of the French GSPR, the Security Group of the Presidency of the Republic, and six members of the Russian FSO, or Federal Protection Service, all of them in charge of presidential security, who had public accounts on Strava and were therefore communicating their movements online, including during professional trips. Le Monde did not identify the bodyguards by name for security reasons.

is it really the app's fault?

[SeaFox]

It's just doing its job tracing your workout route. Seems to me the real issue is Secret Service people carrying personal devices while on the job, or using work phones that are not managed properly when it comes to restricting app installs.

Physical security

[will4]

No compromisable devices allowed past the security checkpoint. In this case, no non-government issued clean phones allowed in or around any government leader, their car, their airplane, their summer home, ...

Re:Physical security

[Baron_Yam]

If you can get access to the cell towers near where you expect a VIP, it wouldn't take long to link particular signals to particular people. Once you've tagged a phone in your database, you can follow that person as long as the phone is on and able to be seen by the local towers. Even with location services off, you can triangulate well enough to follow a motorcade or tell when someone is stepping outside a building.

And (engaging Evil Genius mode), you could theoretically rig a drone carrying a small explosive to target the signal of your choice much like a missile can follow an IR designator. There are already drones out there that look like birds - multiple companies make them for surveillance. Do you think protection details are looking for suspicious seagulls 500 feet above them?

Re: Physical security

[pitch2cv]

Not sure why parent is modded insightful: it is kinda besides the issue at hand, even.

Security details voluntarily and publicly sharing their locations on social media and sports trackers shows they skipped the best part of OpSec training.

No need for anyone to fly drones overhead or pwn celltowers. Hell, I want to do all this from my sofa, right.

Next, one could ask why anyone needs tracking apps that sell or plainly publish users locations. What's wrong with OpenTracks? I guess those people just want to be

Re:

[serafean]

> If you can get access to the cell towers near where you expect a VIP

You don't even need that. Knowing the IMSI and getting access to the SS7 network (From almost anywhere) is enough. That reportedly costs about 10k.

Re:

[mjwx]

If you can get access to the cell towers near where you expect a VIP, it wouldn't take long to link particular signals to particular people. Once you've tagged a phone in your database, you can follow that person as long as the phone is on and able to be seen by the local towers. Even with location services off, you can triangulate well enough to follow a motorcade or tell when someone is stepping outside a building.

And (engaging Evil Genius mode), you could theoretically rig a drone carrying a small explosive to target the signal of your choice much like a missile can follow an IR designator. There are already drones out there that look like birds - multiple companies make them for surveillance. Do you think protection details are looking for suspicious seagulls 500 feet above them?

Key word... "if".

Mobile phone towers are incredibly secure. If you can get unfettered access to the network of them, to the back end, there's a lot you can do. However there are easier ways. You don't need access to the VIP's phone, what you need is to compromise the deputy vice media intern who's published all over their social media feed that they'll be following around some media flunky who's following around HASHTAG VIP (even though their sole job will be to get coffee for some hack).

The jewels ar

Re:

[Antique Geekmeister]

Except when they're not. The ability to tap them and to replace them for "law enforcement agencies" is a mandated design requirement.

Re:

[timeOday]

Not "while on the job," but off hours while on travel for a job.

Re:

[Askmum]

Of course it's not the app's fault. TFA does not put any blame on Strava. Clearly the problem lies with the users who have their data public when they shouldn't.

Mind you, it's not like they haven't been warned. In 2018 there was an article that Strava was giving away locations of U.S. military bases [theguardian.com] due to soldiers having public profiles. So, stupid comes as stupid does.

Phones track you

[FeelGood314]

If you have a job that requires any degree of secrecy leave your phone at home. You can actually live with out it. How many military personnel give away their movements? How many government workers with security clearance routinely talk about secrets on their cell phone with the only authenticating feature of the person they are talking to being the phone number?

No Shit

[MDMurphy]

This came up years ago with military members having their location outed. Especially with Stava being a "social" app designed for sharing your location. If Secret Service agents are using this when location is sensitive they are just incompetent.

Re:

[MDMurphy]

Only 6 years ago. Probably still waiting for the memo. https://tech.slashdot.org/stor... [slashdot.org]

Re:

[Vegan Cyclist]

The weird thing is you can set both your profile and your activities to 'Private', so this is really just a lapse in judgement.

Although the dopes at Strava would still have access to your activity data.

(I say dopes because whoever is running the site has been doing a terrible job. One example: some 'bad URLs' were posted, and so NO URLs are allowed on the site/app. They originally blocked THEIR OWN URL for the first few weeks, so you couldn't even post a link to another Strava segment, route, activity, user

Re:

[VeryFluffyBunny]

Hang on, so it's our fault that these tech corporations have us all under constant surveillance? Suddenly, it's only an issue when employees who hang out with "important" people get tracked. Surely, there must be some easy, simple, legislative way to stop this?

Re: Phones track you

[pitch2cv]

so it's our fault that these tech corporations have us all under constant surveillance?

In the end, yes. By ticking 'I agree' time on time again. Peer pressure, convenience, ignorance. That's how we end up here.

That's also the solution for those who want. Those do not agree, do not succomb to peer pressure, DIY their own or adopt free/open solutions.

What is to outlaw? Big Corp's entire business model?

Re:

[VeryFluffyBunny]

Well, it's possible for our politicians to see the inherent issues with corporate blanket surveillance & simply outlaw it, you know?

I use Strava

[bobbutts]

The workout analysis is cool but it's obviously a privacy problem just like the other social workout apps. The first thing I did to my fake name account with throwaway email is set all my activities to private.

Le Monde kinda gave the game away...

[shilly]

... by not publishing the agents' names, but publishing schedules, Le Monde have themselves demonstrated that knowing a leader's location is a lot less of a deal than knowing the names of the leader's bodyguards. Which they had to know in order to track them on Strava. And we have known forever that possessing higher-grade intel is an easy way to access lower grade intel. I'll bet Le Monde could use the bodyguards' names to track down all sorts of private info that could be used by a bad actor, eg family de

Re:

[ArsenneLupin]

Possibly they figured out those names by first checking known trips of those leaders. i.e. are there always the same people jogging nearby where the targeted leader happen to be.

At least Strava knows where Biden is...

[ReadHerring]

because he certainly does not.

Re:

[drinkypoo]

Biden knows where he is — not in the race.

Now if only Trump knew [newrepublic.com] perhaps we wouldn't all know about his decline. TDS apparently stands for Trump's a Dementia Sufferer.

I don't see the problem

[DarkLordBelial]

They all seem intent on tracking our every move. What's good the goose is good for the gander.

This has been known

[Alypius]

FFS, we knew this six freaking years ago. [wired.com] I briefed an entire base on how to change the settings and why this was important (yes, I got pushback from people who ought to have known better until I showed them the heat maps). This is OPSEC 101 and honestly displays utter incompetence from so-called "security" professionals.

Blame Steve Jobs and there's and app for that

[Big Hairy Gorilla]

Stop thinking for yourselves people.
Just get an app!

There is no commercial software that isn't parasitic and a trap.
You are getting sleeeepy now... ooo eee oo eee... you will tell us EVERYTHING...

Stop using this bullshit people, just count your own number of laps and how far you ran. Oh ? that's too hard for you?
I'm not surprised. The smarter the tool the dumber the operator.

Now get out of my jello tree.

And Strava shares all this data?

[0xG]

Do they not keep the data private?

IIRC there was a guy who was arrested because Strava tracked him riding his bike past a B&E site.

Anyways, only a fool uses their real personal data when signing up.

French precedent

[manu0601]

Some agents of french forgein secret service DGSE got burned by this exact same problem a few years ago. They were spotted running from and to DGSE headquarters in Paris, and then abroad while on covert mission.