A cautionary tale of Big Data: Military shocked when Fitbit data highlights secret bases
Do you have a Fitbit? If so, you probably haven't thought much about all the data it's collecting as it gives you feedback on your heart rate on this morning's run. And you might not even be bothered too much that the software company that drives your Fitbit's geolocation, Strava, would throw all that data up on the web for everyone to see. And it probably doesn't matter much - not if you're just jogging around Central Park or Venice Beach.
But if you're jogging around a secret US military base in Somalia, it becomes a lot more problematic.
Strava's GPS tracking is used by Fitbit ($NYSE:FIT), Jawbone and other devices. So they know where you've been. They thought an aggregate map - a Global Heat Map - would be a cool way to show off what they do. And it is, indeed, very cool. It doesn't show real-time images (that would be a scary violation of privacy), but it shows two years' worth of theoretically anonymized activity, superimposed.
New York and LA and other big cities are a blaze of activity, and very pretty:
But Strava didn't think it through. Other areas are dark zones - especially war zones, like Syria and Afghanistan. And that's where the trouble begins.
Locals don't wear Fitbits, but US military personnel do. Hell, the military actually handed them out. The idea was to encourage better physical fitness, but they didn't encourage data hygiene as part of the process. Soldiers wore their Fitbits when they went for a run. They wore their Fitbits when they went on patrol. And they didn't turn off the data trackers.
Strava's Global Heat Map went up last November; it was only over the weekend that it attracted unexpected attention when a 20-year-old Australian student of international security and the Middle East at Australian National University, Nathan Ruser, tweeted this:
"This was really just a lucky find by someone who happened to understand what it meant," Ruser told Thinknum, modestly. But he has a bit of a following in the security world, and very quickly word spread. Security buffs started to take deep dives into the data ocean... turning up some things that probably have Centcom tearing its 5-star hair out, as well as the military commands of other nations:
Initial comments ran along the lines of "Well, at least they haven't compromised individual users". But the thing about Big Data is... it embeds a surprising amount of information that you can use to extrapolate backward. That's great for users of the Thinknum database, but less great for people trying to run security in the military. For example:
And also this:
The existing rules on the privacy settings to be applied to devices such as fitness trackers are being “refined” and commanders at bases are being urged to enforce existing rules governing their use, according to a statement from the Central Command press office in Kuwait.
“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” said the statement, which was issued in response to questions from the Washington Post.
“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” it added.
This can't possibly help Fitbit, which has been in trouble for the past year. It's been bleeding users, its revenue was down 36% last year, its stock is hurting (down a remarkable 1000 percent since its high of 47.60 two and a half years ago), and its latest offering, the semi-smartwatch Ionic, had disappointing holiday sales. This may be why Fitbit's own employees rate the company's prospects as barely better than 33% positive:
(For more on Fitbit's in-house problems, check out this Glassdoor evaluation, titled "RUN, do not walk, to the nearest exit.")
Perhaps we'll all learn a lesson from this apparent debacle: Companies should either make this kind of tracking opt-in, rather than opt-out, or at least make it a lot more transparent up-front.
Or, at the very least, fitness buffs who are into the quantified self should be a whole lot more aware of the security implications of their data tracking.