Twenty-year-old college student Nathan Ruser has an interest in the Syrian conflict and an affinity for maps.
It’s this combination that led him to discover the potential security risks posed by fitness app Strava.
On Saturday, the Australian came across a tweet of Strava’s global heatmap, which was originally published in November 2017. Ruser noticed lit-up areas in regions of Syria and the Sahara that are often not occupied by civilians, indicating the presence of security forces working out near military bases and other sensitive locations.
His findings went viral over the weekend, exposing remote areas and conflict zones where military personnel and government officials are seemingly present. This sensitive information could be used to track running routes and identify locations where personnel are deployed.
Strava, which allows users to share their running routes, tracks location data using GPS from Fitbit devices, smartphones, and other health tracking devices.
Ruser, who is studying international security and Middle Eastern studies at Australian National University, said he noticed the fitness activity “pretty much the second I scrolled over Syria.”
“It is a bit surprising that it sort of sat there [for months],” Ruser said. “[The map] had that incredible amount of data that is quite sensitive.”
Although Strava users can disable activity sharing, it appears those users did not.
The heatmap included a total of one billion global activity data points made public by Strava users through September 2017. The company said it has tens of millions of users.
Ruser, who became interested in Syria’s state of affairs in 2014 as a distraction from high school studies, initially hesitated about tweeting the findings. He even deleted his first tweet and later decided to repost it.
“If soldiers use the app like normal people do by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn’t be able to establish any Pattern of life info from this far away,” read one of Ruser’s tweets.
His tweets captured the attention of journalists.
“It got a lot more traction than I would have expected,” said Ruser, who expected interest among data analysts, not mainstream media. “But I hoped that someone who has the power to address it could fix it in some way.”
Ruser said he has not been contacted by Strava or military officials.
In a statement to CNN, Strava said the company is “committed to helping people better understand” its privacy settings.
“Our global heatmap represents an aggregated and anonymized view of over a billion activities uploaded to our platform. It excludes activities that have been marked as private and user-defined privacy zones,” the statement said.