The OPSEC Nightmare of Fitbits and Geotagging



Let’s review a list of things not to do in a combat zone: draw an operational map in the sand on live television; wander off your post to conduct personal negotiations with the Taliban; copy the entire contents of the SIPRNet to CD-Rs, label them “Lady Gaga,” and give them to WikiLeaks; and use personal fitness devices that can inadvertently reveal information about your unit’s location, structure, and activities.

We broadly categorize these measures as OPSEC, operational security. And in an era of ever more connected devices and big data mining, the lesson is more important than ever. But it is apparently still not getting through.

The now infamous Fitbit heat map

This has once again been made apparent thanks to technology company Strava, which tracks the usage of personal fitness devices such as the Fitbit. It published a fascinating “heat map” of all the places people wearing these devices — and who neglected to turn off the feature that shared this data with others — have been going.

The data isn’t live, and it doesn’t identify individuals, but it is a classic case of putting puzzle pieces together. Like, for instance, along the Somali coast near Mogadishu. I wonder who would be constantly going in circles around that area? Or this data from my old stomping grounds of Chapman Airfield and FOB Salerno in Khost, Afghanistan. In other locations, the Washington Post was able to identify likely patrol routes around other remote bases based on the patterns identified by Strava.

The locations of these FOBs are not a secret, at least to the people who live there. It’s pretty hard to hide an American base in a place like Somalia. But these geolocation maps give our enemies the data necessary to refine their targeting.

Rapid advancement since 9/11/2001

The technological changes we’ve experienced since the onset of the war in Afghanistan are tremendous. Cell phones with cameras first appeared in 2000, but not many people had them at first. In 2002, we were so concerned over OPSEC in Afghanistan that our interpreters didn’t know our last names and we burned the labels on our care packages, for fear that al Qaeda would find out who we were and where we lived, enabling them to pay our families an unannounced visit.

It seems excessive now, but at the time, the concern was very, very real.

Even as camera phones became more widespread, there was no GPS chip in the phones to attach geolocation information to photos. The original iPhone was introduced fewer than 11 years ago, sans GPS chip. That feature had to wait for the release of the iPhone 3G, which debuted a year later, in 2008, at the height of the Iraq “surge.” Suddenly everyone was a walking, inadvertent OPSEC challenge.

Smartphone cameras, and many standalone cameras, shared the “feature” of including the precise location where the photograph was taken in its metadata. When combined with the growing popularity of social media at the same time, it presented an OPSEC nightmare. Anyone using rudimentary software could open a photo and determine the exact location of the chow hall inside your Forward Operating Base.

Now with Fitbit, and apparently with the unwitting assistance of the Department of Defense, which gave out 25,000 of them in a fitness experiment, we’ve been aggregating data about our movements. That’s not good OPSEC. Turn the data sharing off, please.

Tom McCuin is a strategic communication consultant and retired Army Reserve Civil Affairs and Public Affairs officer whose career includes serving with the Malaysian Battle Group in Bosnia, two tours in Afghanistan, and three years in the Office of the Chief of Public Affairs in the Pentagon. When he’s not devouring political news, he enjoys sailboat racing and umpiring Little League games (except the ones his son plays in) in Alexandria, Va. Follow him on Twitter at @tommccuin
