Troops not at risk over Strava breach: Australian Defence Force

The Australian Defence Force (ADF) has downplayed the risk of fitness app Strava breaching the operational security of Australian soldiers.

Strava, a social network for runners and cyclists to track their workouts via satellite navigation, released a heat map in November last year showing the activity of its users worldwide.

The data can be cross-referenced with Google Maps, and has shown jogging routes of soldiers at US military bases in the Middle East and Afghanistan.

The heat map came to prominence after Australian student Nathan Ruser questioned the operational security of those sharing data with the company.

Strava's app requires users to opt out of heat map data sharing by default, meaning many users could be unwittingly sharing their location data.

Journalist for Radio Free Europe Christopher Miller showed how the Strava data could possibly be used to see how military forces moved in eastern Ukraine.

Ned Price, a former special assistant to President Obama, tweeted: "The map was released months ago, but capable adversaries have almost certainly harvested this data for years. Imagine how many similar data sources are out there we're ignorant of [because] it's not posted online."

The Australian Defence Force said on Tuesday it is aware of the possible risks of the collection of location data through personal electronic devices and applications, but denied there is a risk.

"The circumstances of this application do not constitute a security breach," a spokesman said in a statement.

Defence said all personnel undergo annual mandatory security training, which includes cybersafety awareness.

"On operations, the online presence of Australian Defence Force personnel and their use of electronic devices is managed in accordance with operational security requirements developed for each activity," the spokesman said.

"Many of these devices and activities are important to the quality of life of Defence staff."

Defence Industry Minister Christopher Pyne said the department is preparing a report for the government on the matter.

Security researcher Steve Loughran showed that it is possible to glean personal data from Strava by creating a map segment and waiting a day for a leaderboard to be associated with the segment, which would then reveal the names of users who have been on that part of the world.

"I've removed the segment," Loughran wrote. "Some people's names were appearing there, showing that, yes, you can bootstrap from a heatmap to identification of individual people who have run the same route."

According to Loughran, while individual users can mark areas private to prevent appearing in leaderboards, a system-wide solution will be needed for government installations.

"I don't know what Strava will do long term, but to stop it reoccurring, they'll need to have a way to mark an area as 'private area for all users'. Doable. Then go to various governments and say, 'Give us a list of secret sites you don't want us to cover'. Which, unless the governments include random areas like mountain ranges in mid Wales, is an interesting list of its own."

Strava is far from the only fitness app to collect and share location data. ZDNet's Matthew Miller has a privacy setting guide for users of Strava, Garmin, Fitbit, and Runkeeper.

Defence gets new cyber command

On Tuesday, the ADF announced the creation of its new Defence Signals Intelligence (SIGINT) and Cyber Command, which will house the Australian Signals Directorate, Joint SIGINT Unit, and Joint Cyber Unit.

"The new command arrangements will support a more coherent military workforce, and create an organisational structure to support the future growth of our military cyber workforce, which was outlined in the 2016 Defence White Paper," Chief of Defence Force Air Chief Marshal Binskin said.

The new command will be headed by Royal Australian Navy Commodore James McCormack.

With AAP

Related Coverage

How Strava's "anonymized" fitness tracking data spilled government secrets

Analysis: Strava may "anonymize" the user, but that isn't helpful when that user inadvertently reveals the location of sensitive government facilities.

Strava lesson: Share fitness data online? Check these privacy settings now

Millions of people mount wearables on their wrist daily and share data collected with the public, friends, and family. With the recent Strava heatmap news, it's time to check your privacy settings and confirm how and where that data gets shared.

Hidden US military bases revealed by fitness app, shows need for IoT policy (TechRepublic)

Data on soldier's running patterns, captured by fitness app Strava, details the whereabouts of secret military bases.

Windows 10 user data collected by Microsoft must be protected at all costs (TechRepublic)

New tools from Microsoft reveal what data the company collects from Windows 10 users. But the question remains: What is Microsoft doing to protect that data once it has it?

France tells WhatsApp to stop sending user data to Facebook

France lays down another European challenge to WhatsApp's data sharing with Facebook.