Mapping Spies Through Fitness Trackers And Phones: Privacy Is Dead Even For Those In the Shadows
- View Original
- July 20th, 2018
This past January a university student discovered that a global public fitness tracker map could be used to discern highly sensitive security information about the locations and movements of military, intelligence and other government personnel near highly security sensitive facilities. The source? The fitness trackers that have exploded in popularity and that many militaries actually even encourage their soldiers to wear, inadvertently broadcasting their classified locations and patterns of life to the public. Diving deeper, that same map and others like it can be used to retrieve the actual real-world names of individuals that can be tied back to their LinkedIn and Facebook accounts and even used to identify their home address by looking at where their jogging runs begin and end. Once again we are reminded that privacy is dead, even for those who live in the shadows.
When the first press coverage emerged this past January about how fitness tracking maps could be used to identify sensitive patterns of life around security installations like nuclear weapons facilities, forward military bases and the like, one of the key questions raised was just how the military and intelligence agencies could have let this happen.
Perhaps the more interesting story is that in the January case, the map itself had actually been publicly available for more than two months without any concerns until someone from a different discipline, an international security studies student, stumbled upon it and saw it from a different angle. This is a critical reminder of why companies must stop seeing the world through the narrow lens of technology and instead bring together those from other disciplines to help them understand how their data and technologies might be used for nefarious purposes. After all, if Facebook had just listened five years ago to the experts warning that it would be used for state-sponsored misinformation campaigns that could even impact elections, instead of blindly believing that technology would save the day, perhaps we would never have seen 2016’s Russian campaign.
It is also a reminder that seemingly innocent and innocuous data, like displaying aggregate fitness runs at population scale, can still reveal immensely sensitive and dangerous information.
Indeed, it is remarkable how many rooms I’ve sat in with some of our country’s supposedly best and brightest technical advisers on data security, only to bring the entire room to a standstill when I interject with the most basic of ways the proposed dataset or analytic system could be misused. Technologists can come up with truly brilliant and bleeding edge technological solutions, but they are rarely able to see beyond the code to understand how it might be misused or endanger its users.
As researchers have begun to dig into other fitness tracking maps, they’ve discovered a broad trend in the ability to uncover extraordinarily sensitive patterns of life and even tie individual routes back to the real life identities of those runners, their current state of health and even their home address and photos and details of their children. In our connected online world, all it takes is a few details to pull up someone’s entire professional history through LinkedIn and their personal life through Facebook and Twitter, etc.
The discovery of how easy it is to harvest this information raises the question of whether this past January’s public disclosure was the first time anyone on earth had thought of using fitness data for intelligence tracking or whether perhaps this was already a popular and easy source of data used by adversarial governments to track the intelligence and military forces of the world in realtime.
After all, Verizon did not apparently place any restrictions on who could purchase the realtime location information of its customers, meaning it could easily have been used as a spy tracking service, making it surprising indeed that the intelligence community did not take steps to mitigate its impact for its personnel or the ability of foreign adversaries to use those commercial tracking services against it.
Perhaps the bigger story is the lack of imagination among the world’s governments that enabled a world in which their personnel in security sensitive positions were permitted to live broadcast their locations to private companies in the first place. How many military commanders or counterintelligence officers sat down and inventoried all of the personal electronic devices their personnel were using in the field today and carefully thought through every possible misuse of those devices by foreign intelligence services?
How many of the devices soldiers and intelligence personnel take with them in their personal lives have GPS trackers, microphones, cellular connections, remotely updateable firmware and other vectors that could be used to compromise those devices and turn them into bugging devices or simply give away critical information during the individual’s daily life even if functioning correctly?
The failure of imagination by the military and intelligence communities that allowed fitness trackers to proliferate to such a degree in situations where they give away critical daily life patterns is both remarkable and inexcusable. Government personnel in sensitive security positions are only human after all, but if those individuals can endure the hardship of being away from their phones during the day in a SCIF, they can learn not to use their fitness trackers in the immediate vicinity of their workplaces.
It is remarkable that the US Government, for all its cyber prowess, has apparently been focused far too narrowly on offense, rather than defense. For all the US intelligence community’s efforts on digital modernization and all its public statements about its wealth of research into how the digital world is reshaping and impacting tradecraft, it seems no-one actually sat down to think about whether it was a good idea to have its personnel live streaming public blueprints of the pattern of life of their most sensitive and classified facilities and making it so easy to track down the actual individuals behind each fitness track.
Putting this all together, perhaps the biggest story here revolves around the duality of Silicon Valley needing to bring in experts outside the technology world to help it think in new and creative ways about how its data and tools can be misused, while the governments of the world need to bring in outside experts to help them think about how their inadvertent data exhaust can bring with it a wealth of unintended consequences. In short, as many of these stories go, we have a failure of imagination.