The locations of military bases and soldiers around the world have been inadvertently published by a fitness app.
A heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows activity in and around military bases, suggesting users are soldiers on active duty.
And people who create a free account can find other users who regularly use certain routes, potentially alerting terrorists or foreign powers to soldiers on active duty.
Potentially sensitive locations in the UK include the Sandhurst military academy, GCHQ and HMNB Clyde, where the navy stores its nuclear weapons.
A Strava spokesman said the heatmap "excludes activities that have been marked as private and user-defined privacy zones".
"We are committed to helping people better understand our settings to give them control over what they share," they added.
Anyone can create an account for free and find routes, or "segments" around military bases.
The app also shows which users have publicly recorded their times on certain routes and many people on Twitter have pointed out that anyone could use such information to find other social media profiles for soldiers.
Nathan Ruser, a student from Canberra in Australia, identified what he believed was a regular jogging route for soldiers in Afghanistan.
"Hopefully it's a learning experience for the different military communities and they can toe that line between convenience and security," he told the Sydney Morning Herald.
Others identified a US base in Nigeria and app users at Bagram air base in Iraq.
Writing for the website The Daily Beast, international security expert Jeffrey Lewis showed how anyone could identify users at a military base in Taiwan and potentially find other bases as a result.
"If our user casually jogging by Taiwanese missiles day after day suddenly appears deployed to a new location, well that's very interesting if you are targeting missiles for China's Rocket Force," he wrote.
Users are able to make their data private, but Mr Lewis also raised concerns about whether data which has been set to private could be hacked.
Strava published a major update to the heatmap in November 2017, including "six times more data than before", but investigators only spotted the security breach this weekend.
An MOD spokesman said: "The MOD takes the security of its personnel and establishments very seriously and keeps them under constant review.
"However, for obvious reasons we do not comment on our specific security arrangements or procedures."
App companies are failing to protect people's privacy and security by not considering the unintended consequences of what is published collectively online, a cyber expert has claimed.
The warning came after locations of military bases and soldiers around the world were inadvertently published by a fitness app.
The heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows activity in and around military bases, suggesting users are soldiers on active duty.
And people who create a free account can find other users who regularly use certain routes, potentially alerting terrorists or foreign powers to soldiers at military bases.
Potentially sensitive locations in the UK include the Sandhurst military academy, GCHQ and HM Naval Base Clyde, where the navy stores its nuclear weapons.
The Faslane base has been the focus of security breach concerns before and in 2015 a Royal Navy submariner claimed safety procedures around the Trident nuclear programme at the base mean it could be "infiltrated by a terrorist".
Dr Mike Just, Associate Professor and deputy head of computer science at Heriot Watt University, who is also a cyber security expert with the Scottish Informatics and Computer Science Alliance, said planning how apps work should include examining such unintentional uses.
He said: "Companies need to do better at protecting the data that they collect from us.
"It's not enough to give individuals choice about how they can protect their data.
"From this apparent data exposure example, we can see the potential risks from sharing data without consideration of the patterns that can be deduced."
Professor Chris Johnson, head of computing at Glasgow University and also a SICSA cyber security expert, said the Strava incident "is concerning because it’s part of a wider problem in maintaining security when so many devices and apps disclose potentially sensitive information".
Using the Strava app, anyone can create an account for free and find routes, or "segments" around military bases.
Faslane shows some activity on the heatmap.
The app also shows which users have publicly recorded their times on certain routes and many people on Twitter have pointed out that anyone could use such information to find other social media profiles for soldiers.
So-called "patterns of life" started to emerge for users and Nathan Ruser, a student from Canberra in Australia, identified what he believed was a regular jogging route for soldiers in Afghanistan.
International security expert Jeffrey Lewis said anyone could identify users at a military base in Taiwan, for example, and potentially find other bases as a result.
He said: "If our user casually jogging by Taiwanese missiles day after day suddenly appears deployed to a new location, well that's very interesting if you are targeting missiles for China's Rocket Force."
Users are able to make their data private, but Mr Lewis also raised concerns about whether data which has been set to private could be hacked.
Others identified a US base in Nigeria and app users at Bagram air base in Iraq.
Strava published a major update to the heatmap in November 2017, including "six times more data than before", but investigators only spotted the security breach this weekend.
A Strava spokesman said the heatmap "excludes activities that have been marked as private and user-defined privacy zones".
He added: "We are committed to helping people better understand our settings to give them control over what they share."
An MOD spokesman said: "The MOD takes the security of its personnel and establishments very seriously and keeps them under constant review.
"However, for obvious reasons we do not comment on our specific security arrangements or procedures."