Soldiers using fitness tracking devices inadvertently revealed the locations of U.S. military bases — including classified ones — and the incident has lessons for anyone with a smartphone.
The locations of several U.S. military bases were exposed through data from Strava, a San Francisco-based GPS tracking company, representing a “clear security threat,” according to one security analyst, the Washington Post reported.
The Strava app is used with phones and popular devices like Jawbone, Fitbit and Vitofit. Its public “heat maps,” which show where there is a high concentration of activity, revealed locations where troops were using it to train in Somalia, Niger, Syria and Afghanistan.
Military bases aren’t the only locations at risk of being exposed, a Feb. 7 study from mobile security firm Wandera found. It showed a security flaw in Strava’s privacy zone feature that can triangulate the exact home address of users. Strava’s “privacy zone” tool lets users stop the app from tracking their activities around a specific address, presumably their home or workplace. Wandera researchers found that it’s possible to triangulate the exact location of a person’s address using the end points of users’ activities. Strava did respond to requests for comment regarding either of these security breaches.
These issues have underscored the importance of companies clearly explaining to consumers what data is shared on apps, said Mark Testoni, chief executive officer and president of SAP National Security Services in Virginia. He said there should be labels on apps regarding privacy, similar to nutritional labels on food.
Fitness tracking companies can pinpoint where people live, how often they sleep, and even when they are engaged in sexual activity based on data collected, said Mark Weinstein, a privacy advocate and chief executive officer of social network MeWe. Allowing apps to access photos is perhaps the most egregious permission, said George Avetisov, chief executive officer at HYPR, a security company based in New York. Apps use facial recognition technology and, in theory, can track you and who you spend time with.
Case in point: Uber’s “God view” let employees display the movements of specific users. The company reportedly used the tool as a “party trick,” showing guests at a launch party a screen that showed all rides happening at a given time. An Uber executive also admitted to tracking the rider logs of a BuzzFeed News reporter. Following these reports, the company agreed to pay a $20,000 fine.
Testoni said there should be labels on apps regarding privacy, similar to nutritional labels on food. “We do not want to put people in harm’s way,” he said. “We have to look at this through a public policy perspective and make consumers more aware of the data being collected on us daily.”
Such a measure could be far away, experts say. In April 2017, Congress approved a reversal of protections implemented under the Obama administration that prevented internet service providers from collecting data from users. Now, corporations are more easily able to track user habits.
Here are some measures to minimize risk of sharing sensitive information:
Read the terms of service
If you gloss over terms of service after downloading an app, you aren’t alone: 91% of users accept legal terms and conditions without reading them, one 2017 study from U.K. tax services company Deloitte found. This is a dangerous habit and an easy way to sign away your privacy, Weinstein said. “Scan them and look for things that jump out like location services,” he said.
Check other permissions granted to services
Within the terms of service on apps — often on a separate prompt screen — companies ask users permission to access features beyond location, including microphone, photos, camera, and contacts. Weinstein said to deny access to as many of these as possible, especially if the app is from a small or unknown company.
Some apps allow users to enable microphone and other features only while using it, which decreases the amount of data collected at other times. That would be a wise move, Avetisov said. “Are these apps pulling this data maliciously? The truth is that most app users are allowing this data to be used the moment they approve the app’s permission settings,” he said.
Never sign in with Facebook or other connectable accounts
Although convenient, signing into apps with existing accounts on Google or Facebook puts users at higher risk for hacking and provides more data to those companies to track and sell, Mark Weinstein said. Make a separate login and password for every single account, and use a password manager to keep track of them.
Turn off your location services when not using them
If you’re not using your app to hail a ride or find a restaurant, consider turning off location settings completely. On Apple devices, users can go to “settings,” “privacy.” It will cut down on tracking and save battery power. For Android devices, go to “settings,” “location,” “Google location settings.” That simple maneuver would have helped those U.S. military personnel protect their location.