An incident recently occurred when a sailor on France's only nuclear-powered aircraft carrier went jogging, tracked his path with Strava, and left his profile set to public.
Le Monde journalists overlaid this data with satellite imagery and showed that said nuclear-powered aircraft carrier was indeed chugging along in the Mediterranean, close to active operations around Iran.
France had every reason to know this already: Strava's global heat map exposed military bases in 2018, and that same year the Pentagon banned deployed personnel from using geolocation apps.
450 soldiers. Public profiles. Sensitive bases.
Le Monde reported that there were 450 French soldiers over the last decade who were publicly tracking their workouts from sensitive areas. The French military responded, stating, "Appropriate measures will be taken by the command."
This isn't about the French military's account getting a spammy follow request on Strava. It's about an industry that defaults to putting everyone's location data online.
Strava is technically doing nothing wrong here. It asked the user whether it was OK to share his jog publicly, and he said yes. So it's public.
"Works as designed" is not "safe to use"
The problem is that "works as designed" and "safe to use" are not the same thing. Every one of these apps is trivially repurposable as an intelligence tool given a single oversharing user.
Engineers don't think about that. They aren't supposed to. They're supposed to design for the happy path: someone logs their run, all their friends see it, everyone is happier and more motivated.
But the same data that shows how long your Sunday 5K took also shows a carrier strike group's patrol route. No number of "please review our security recommendations" popups is going to fix a public-by-default setting.
The question isn't whether militaries should be banning fitness applications. The question is whether any application that makes highly accurate location data public should be defaulting to public.
The vast majority still do.
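To make the "default of public" argument concrete, here is an added example (not Strava's code, and not from the post's author) that models a location-sharing feature both ways: the permissive resolver treats an unset preference as public, the safe one treats it as private, and an audit over constructed sample users shows how many routes each default would expose. All class and function names, and the sample coordinates, are hypothetical.

```python
"""Secure-default modelling for a route-sharing feature (added example, hypothetical API)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Point = Tuple[float, float]  # (latitude, longitude)


class Visibility(Enum):
    PRIVATE = "private"
    FOLLOWERS = "followers"
    PUBLIC = "public"


@dataclass
class Profile:
    user: str
    # None means the user never touched the privacy setting.
    default_visibility: Optional[Visibility] = None


@dataclass
class Activity:
    user: str
    route: List[Point]
    # None means the user did not choose a per-activity override.
    visibility: Optional[Visibility] = None


def _first_set(*choices: Optional[Visibility], fallback: Visibility) -> Visibility:
    """Return the first explicit choice; only fall back when nothing was chosen."""
    for choice in choices:
        if choice is not None:
            return choice
    return fallback


def effective_visibility_permissive(activity: Activity, profile: Profile) -> Visibility:
    """The 'works as designed' resolver: silence is treated as consent to publish."""
    return _first_set(activity.visibility, profile.default_visibility,
                      fallback=Visibility.PUBLIC)


def effective_visibility_safe(activity: Activity, profile: Profile) -> Visibility:
    """Safe resolver: a route is only public after an explicit opt-in somewhere."""
    return _first_set(activity.visibility, profile.default_visibility,
                      fallback=Visibility.PRIVATE)


Resolver = Callable[[Activity, Profile], Visibility]


def publishable_route(activity: Activity, profile: Profile, *,
                      viewer_is_follower: bool = False,
                      resolver: Resolver = effective_visibility_safe) -> List[Point]:
    """Route points a given viewer may see; an empty list means nothing is shown."""
    vis = resolver(activity, profile)
    if vis is Visibility.PUBLIC:
        return list(activity.route)
    if vis is Visibility.FOLLOWERS and viewer_is_follower:
        return list(activity.route)
    return []


def audit_world_visible(activities: List[Activity], profiles: Dict[str, Profile],
                        resolver: Resolver) -> int:
    """Count activities whose full route would be served to an anonymous viewer."""
    return sum(
        1 for a in activities
        if publishable_route(a, profiles[a.user], resolver=resolver)
    )


# Constructed sample data: three users who never opened the privacy settings,
# one who deliberately chose public. Coordinates are arbitrary.
SAMPLE_PROFILES: Dict[str, Profile] = {
    "crew_a": Profile("crew_a"),
    "crew_b": Profile("crew_b"),
    "crew_c": Profile("crew_c"),
    "runner": Profile("runner", default_visibility=Visibility.PUBLIC),
}
SAMPLE_ACTIVITIES: List[Activity] = [
    Activity("crew_a", [(43.10, 5.90), (43.11, 5.91)]),
    Activity("crew_b", [(43.12, 5.92), (43.13, 5.93)]),
    Activity("crew_c", [(43.14, 5.94), (43.15, 5.95)]),
    Activity("runner", [(48.85, 2.35), (48.86, 2.36)]),
]


if __name__ == "__main__":
    for name, resolver in (("permissive", effective_visibility_permissive),
                           ("safe", effective_visibility_safe)):
        exposed = audit_world_visible(SAMPLE_ACTIVITIES, SAMPLE_PROFILES, resolver)
        print(f"{name:10s} default: {exposed}/{len(SAMPLE_ACTIVITIES)} routes world-visible")
```

The only difference between the two resolvers is the `fallback` argument, which is the whole point: the exposure comes from what happens when a user makes no choice, not from any setting they actively picked. The audit function is the check a team can run over its own data model before shipping to see how many records a silent default would publish.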
What's the most dangerous "works as designed" default you've seen in something you've built or used?