Get Ready for A New Chapter in Digital Security
People are more plugged in than ever before. They carry smartphones, they wear fitness trackers, they post their information to dozens of different sites, networks, and platforms all at once, and they rarely take steps to control that unceasing flow of information. Most of the time, that’s perfectly fine. It’s even expected. There are apps just for finding out the precise location of your friends or sharing their media viewing habits. We post pictures of our night out, tag the pub, and post pictures of exactly what we ordered and how we were dressed. We freely scream our demographics and our habits to anyone who happens to be listening. It’s all part of the web of always-on everyday life.
It’s not like we mind giving up a little privacy, if it means we get better service in the bargain. Maybe that pub, seeing how popular the nachos are on social media, decides to drop the price and make it a daily special. Maybe our clothing brands, seeing how often they’re represented in the dance-club crowd, bring out a new line of more practical options to cater to a demand they might not have seen otherwise.
That’s the thing with this new interconnected world of ours. The results of so many connections are often surprising, with new insights and developments sneaking out of unexpected corners. Such was the case with Strava this weekend. The “social network for athletes” was left with egg on its face after its own heatmap inadvertently exposed the locations and routines of military personnel around the world, potentially endangering lives and handing the company an unwanted role in geopolitics.
How did this happen?
In November of 2017, Strava released a global heatmap of the locations and exercise habits of its users; in particular, it showed popular jogging paths and running trails. The data was aggregated and stripped of names, so no particular pixel could be tied to any given user, but that doesn’t really matter when the identity can be inferred from context. A simple example: if I know that only one person in the State of Oregon is using Strava, then from this heatmap I can tell you what city she lives in and where she goes jogging. That’s spooky, but hardly a matter of national security.
It gets dangerous, though, when you combine two very important factors. First, soldiers (all over the world — not just in the US) use the app to help track their workouts and training sessions. Second, soldiers are often posted to bases (secret or publicly known), borders, disputed zones, embassies and consulates, and so on.
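The inference in the Oregon example, and the reason the military sites stood out, are easy to reproduce with a toy heatmap. The script below is an added illustration written for this article, not Strava’s code or data: it aggregates constructed GPS fixes into grid cells the way a heatmap does, publishes only per-cell counts with no names, and then shows two things. First, an adversary who knows from context that only one person in a region uses the app recovers that person’s whole route from the “anonymous” counts. Second, suppressing cells seen by fewer than k people (a k-anonymity threshold, which is an assumed mitigation, not something Strava is described as using) hides the lone jogger but does nothing for a remote site where a dozen people run the same loop, because the aggregate pattern itself is the secret. The cell size and all coordinates are made up.

```python
from collections import defaultdict

CELL = 0.01  # grid cell size in degrees (~1 km); an assumption, not Strava's real resolution


def cell_of(lat, lon):
    """Snap a GPS fix to its grid cell (integer row, col)."""
    return (int(round(lat / CELL)), int(round(lon / CELL)))


def build_heatmap(points):
    """Aggregate raw (user_id, lat, lon) fixes into {cell: set of user ids}.
    This is the operator's private view; user ids never leave the server."""
    users_per_cell = defaultdict(set)
    for uid, lat, lon in points:
        users_per_cell[cell_of(lat, lon)].add(uid)
    return dict(users_per_cell)


def publish(users_per_cell, k=1):
    """The public heatmap: cell -> number of distinct users, with no identities.
    k is a k-anonymity threshold: cells visited by fewer than k people are suppressed."""
    return {c: len(u) for c, u in users_per_cell.items() if len(u) >= k}


def lit_cells(public, bbox):
    """Cells inside (lat_min, lat_max, lon_min, lon_max) that appear on the public map."""
    lat_min, lat_max, lon_min, lon_max = bbox
    lo, hi = cell_of(lat_min, lon_min), cell_of(lat_max, lon_max)
    return sorted(c for c in public
                  if lo[0] <= c[0] <= hi[0] and lo[1] <= c[1] <= hi[1])


def route_of_lone_user(public, bbox):
    """Adversary's inference: if the attacker knows (from context) that exactly one
    person inside the box uses the app, every lit cell in it is that person's route."""
    return lit_cells(public, bbox)


# Constructed sample data (not real tracks). Three populations:
#   - eight city users sharing a five-cell riverside route
#   - one lone user ("solo") jogging a four-cell rural route
#   - twelve users running a six-cell perimeter loop at a remote, otherwise empty site
SAMPLE_POINTS = (
    [(f"city{u}", 45.50 + 0.01 * i, -122.60) for u in range(8) for i in range(5)]
    + [("solo", 44.00 + 0.01 * i, -121.30) for i in range(4)]
    + [(f"base{u}", 30.00, 60.00 + 0.01 * i) for u in range(12) for i in range(3)]
    + [(f"base{u}", 30.01, 60.00 + 0.01 * i) for u in range(12) for i in range(3)]
)

CITY_BOX = (45.45, 45.60, -122.65, -122.55)
RURAL_BOX = (43.95, 44.05, -121.35, -121.25)
REMOTE_BOX = (29.95, 30.05, 59.95, 60.05)

if __name__ == "__main__":
    heat = build_heatmap(SAMPLE_POINTS)
    raw = publish(heat)          # counts only, no names: "anonymous"
    print("lone user's route recovered from the anonymous map:",
          route_of_lone_user(raw, RURAL_BOX))
    safer = publish(heat, k=5)   # suppress cells seen by fewer than five people
    print("rural cells after k=5 suppression:", lit_cells(safer, RURAL_BOX))
    print("remote-site loop still visible at k=5:", lit_cells(safer, REMOTE_BOX))
```

The k threshold is the check a publisher should run before releasing aggregate location data, and the remote-site case is the caveat: the more people share a route in an empty place, the brighter it glows, so removing individuals from the data does not remove the place from the map.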
Nathan Ruser, a 20-year-old Australian student and analyst for the Institute for United Conflict Analysts, took to Twitter to point out a number of “clearly identifiable and mappable” military bases and patrol routes that were visible in the heatmap. As well as a number of US military bases, Ruser identified a Turkish patrol north of Manbij, a Russian operation at Khmeimim, several forward operating bases (“FOBs”) in Afghanistan, and a variety of jogging routes and trails in the vicinity of military bases and camps. If you wanted to plan an ambush, this heatmap is a practical field guide.
Adam Rawnsley, of the Daily Beast, noted activity around airports in Somalia, in particular the airport of the capital city, Mogadishu. Other Twitter users noted visible activity at Diego Garcia and Mount Pleasant (an RAF base in the Falkland Islands), among other known military sites, and went on to identify a suspected CIA base in Somalia, US special operations bases in Africa’s Sahel region, and a Patriot missile defense system site in Yemen.
Ruser isn’t thrilled with the lax state of milopsec (military operations security), Tweeting bleakly “I shouldn’t be able to establish any pattern of life info from this far away”, but somehow it gets worse.
So Much for National Security…
From the Strava site (remember, this is also a functional social network), it’s possible to tie activity on that heatmap back to individual users, some of whom have posted profile pictures of themselves, on base, in military attire. As far as data mining software goes, we’ve got the tech today to pinpoint a particular user on the heatmap and link that data to their military career, their posting and assignment, and more. It’s an extreme case, and purely hypothetical, but if someone looking for information were to know the precise habits, description, and location of someone in a sensitive position… well, so much for national security.
The heatmap itself carries no timestamps, but the per-user activity records behind it do. Strava’s servers necessarily store each user’s GPS tracks along with when they were recorded, and those records are only as well protected as Strava chooses to make them. If they are exposed, whether through a breach or simply through a public profile, an enterprising individual could easily work out precise timetables and other tactical information.
When asked for a statement, Pentagon spokeswoman Maj. Audricia Harris was quoted as saying that “[the] DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”
Scott Lafoy, an open-source imagery analyst, was less forgiving. While he acknowledges that it’s too early to tell exactly how many vulnerabilities this heatmap reflects, “[the heatmap itself] is literally what 10,000 innocent individual screw-ups look like. A lot of it is going to be a good reminder to security services why you do opsec and why you do [take steps to] manage this sort of thing”. He went on to add that “everyone is going to really hope it doesn’t get a couple people killed in the meantime.”
There’s Sharing, and There’s Over-Sharing
Pentagon spokeswoman Harris was clear to state that “annual training for all DoD personnel recommends limiting public profiles on the internet, including personal social media accounts. Furthermore,” she went on to say, “operational security requirements provide further guidance for military personnel [and] recent data releases emphasize the need for situational awareness when members of the military share personal information.”
That brings us back to Lafoy’s ‘10,000 innocent screw-ups’. Sure, no one would voluntarily compromise their security, but most people just aren’t aware of the full scope of what and how they’re sharing.
For instance, no one would ever post “Hi, my name is Andrew McLoughlin, and I live at 100 Maple Street. My bedroom window faces East.” That would be insane. But how many of us lie in bed and post “#Blessed!” from our smartphones without bothering to disable location tagging? A set of GPS coordinates, a quick trip to Google Street View, maybe a detour to the municipal offices to examine the plans of the house, and suddenly that post takes on a whole new character.
And that’s just Instagram.
Now, it’s easy to poke fun at embarrassing government gaffes (They should have known better! “Military Intelligence” am I right?) but it’s scary when it’s you who gave too much away.
Are you using your Fitbit as a sleep tracker? Did you log into Netflix at an Airbnb? Did you save your home and work addresses as shortcuts in Google Maps, to save time on your commute?
Take inventory: how many different ways have you identified yourself, your personal data, online in the past 96 hours? Don’t limit it to social media, but look at everything from profiles and browsing habits to hardware and network activity.
No matter how many you counted, you can be sure you didn’t get them all. In the past few years, we’ve seen:
-Google Street View cars intercepting and logging payload data (that is, actual web traffic) from unencrypted Wi-Fi networks as they drove past
-Sites fingerprinting individual users without cookies, from nothing more than their device and browser details (screen resolution, operating system, browser build, installed fonts, default language, time zone, and so on)
-Security breaches and leaks of confidential information
-PayPal and the rise of ecommerce, tying payment and shipping details to online identities
-More sites asking users to create a profile tied to an email address (always keep a burner, ladies and gents!)
-the ubiquity of the smartphone, with its GPS, camera, and always-on data connection
-the rise of the always-on generation
Big Data or Big Brother?
When digital marketers, data analysts, tech giants, programmers, data miners, investors, or interested parties talk about “big data”, this is the pool to which they refer. You leave hundreds or thousands of footprints all over cyberspace every day, but only a handful are deliberate. Think of your interactions with cyberspace like walking through a wheat field. No matter how careful you are, there will always be a trail of bent stalks and footprints. Except in our metaphor, the wheat is actively trying to get in your way, to help you leave a bigger trace, and the farmer is keeping a record of your activities.
Just recently, we told you that big data was getting bigger. People are sharing more than ever before (both deliberately and inadvertently), more and better systems are collecting that data, and the tools to parse such massive repositories are finally being field tested and will soon become regular consumer technologies. As far as privacy and security go, it’s going to get worse before it gets better.
What Can We Do about It?
It’s impractical to stop sharing, in the same way that it’s impractical to live completely off the grid. It can be done, but so much is lost in the bargain that it’s hardly worthwhile. The best thing you can do is to control the flow of information you put out. Sign up for different profiles with different email addresses. Dedicate one email address only to online purchases and shipping, and keep your address and physical location data away from the others.
If you’re signing up for a smaller site, use a burner address. Disable location services whenever you’re not using them, and review which apps have been granted location permission at all. Use a VPN to mask your IP address whenever practical, bearing in mind that it only hides your address from the sites you visit; the VPN provider sees it instead. Get rid of the Facebook app (and any other apps) if you can access those services through your browser instead, since an installed app can ask for location, contacts, and other permissions that a browser tab never gets. If you work in any kind of sensitive industry, keep a separate device (an old cell phone, or a tablet, even) for work, and never use that device for any of your personal profiles. It’s not much, but it’s a start.
How to Practice Responsible Digital Marketing
Since our industry began, the big push in digital marketing has been for more data collection, more data mining, more sources and paper trails. That was useful to a point, and that push took us a long way, but the waves are starting to break. We have lots of data, and only a fraction of it was given to us voluntarily. There’s something that doesn’t sit quite right about marketing content or selling products to consumers under false pretenses, and right now we have them at a significant disadvantage.
We talk a lot about transparency, but we rarely consider the inherent power dynamic that our work comes with. Our work is dangerously close to espionage. When we do our job well, we learn about our audience and we find a way to produce content that will make a meaningful difference in their lives. If we’re not vigilant, and respectful, our job is more about spying on customers and using that information to sell them things. It’s a fine balance, but a tremendously important one.
Being more open about the kind of data we collect, how we process it, and what steps we take to keep it anonymous is an imperative for any good digital marketing agency, just as it’s incumbent upon any social network or app to be clear about the potential risks of using the service.
Bottom line: Deception is bad business.
We learned almost half a decade ago that link farming and spammy content were hurting the industry as a whole, so we moved away from these practices. We may be coming up on another learning experience, and we owe it to ourselves as well as to the internet as a whole to govern ourselves with decorum during this transition.
Colibri Digital Marketing
We’re the San Francisco Digital Marketing agency in the heart of Silicon Valley. We’ve got our fingers on the pulse of the tech industry, and the responsible use of personal data is something we put a lot of stock in. We’ve got a track record of superb digital marketing service for our clients.
Curious how your digital presence is holding up? Click below, and schedule your free digital marketing strategy session!
Originally published at colibridigitalmarketing.com on February 3, 2018.