SINGAPORE: Concerns over the Strava fitness tracking app compromising military locations worldwide may extend to Singapore, but the way forward is to adapt rather than regulate, said security experts on Tuesday (Jan 30).
In November 2017, Strava tapped public user data to launch a global visual heatmap. The aim was to display popular exercise routes, but last weekend it was pointed out the heatmap also included military personnel running or cycling with their smartphones or fitness trackers such as Fitbit - thus exposing the location and layout of covert military bases globally.
Analysts further uncovered that a deeper dive could reveal the identities of these personnel, along with the dates of their activities within the camps.
In Singapore, some have already taken to social media with heatmap screenshots of locations such as the Ministry of Defence’s (MINDEF) headquarters at Gombak Base, training centres on Pulau Tekong and Paya Lebar Air Base.
Wrote one Muhd Amrullah on Facebook: “I spent less than 20 minutes figuring out the patrol paths, supply routes, trails and roads within Gombak Base, where the Ministry of Defence in Singapore is situated.
"Given the area is a highly sensitive place and Google Maps actually blurred out key details of the area since it's a red zone, you can still figure out and get lots of intel with the trove of data that recruits/staff share publicly everyday within … likely from their smartwatch or health trackers.”
Channel NewsAsia has contacted MINDEF and the Ministry of Home Affairs for comment.
Said Mr Foo Siang-tse, the managing director of security services provider Quann: “It is a serious security threat, if threat actors are able to obtain information about the layouts of army camps or even the routes of perimeter security patrols.
“They can also figure out where foot traffic is lighter, and therefore unguarded, leading to a higher possibility of a physical breach.”
But security and military expert Dr Graham Ong-Webb said that while there was “some concern”, he was “fairly confident things are still ok”.
“Yes, there may be a risk, because this heatmap creates a greater degree of transparency,” said the research fellow at Nanyang Technological University’s S Rajaratnam School of International Studies (RSIS).
“But does it tell you what kind of sensitive military equipment and technology exist inside the camps? No. Even if you know what’s inside, the question is can you get to it?”
Added Dr Ong-Webb: “There are already pre-existing risk mitigation measures within our camps to make sure sensitive technology and activities are not being leaked out to the public.”
“We have a layered security approach to help mitigate the risk of perpetration, attacks, compromise, breaches and so on - and it’s serving us well.”
"NO RUNNING AWAY FROM" SUCH TECH
In statements addressing the global outcry, Strava defended the heatmap as excluding “activities marked as private and user-defined privacy zones”.
But CEO James Quarles wrote in an open letter dated Jan 29 that the company would simplify these privacy settings and review features “to ensure they cannot be compromised by people with bad intent”.
He added Strava is “committed to working with military and government officials to address potentially sensitive data”.
This would be an option for governments around the world, along with a blanket ban on geolocating devices and apps, but experts noted that neither would be a long-term solution.
“We could get in touch with Strava to impose certain requirements, to block out certain spaces on our national map, and if they fail to do that we can not allow their products in to Singapore,” said Dr Ong-Webb. “But Strava isn’t the only one. There will be more and more of these geolocating services.”
“And it would be impossible to really ban or regulate such technologies. It’s an easy way forward - but not effective. Our military is highly networked and technologically-driven, and in terms of what it’s trying to achieve as a 4G armed forces, it would be regressive rather than progressive.”
Mr Foo agreed. Pointing to other applications such as Foursquare and Pokemon Go, he said: “It not be practical to ban the use of such devices or apps. Instead, facility owners have to recognise that it is not technology that is the issue but rather that people are the most vulnerable aspect of security.
“In this case, the crux is that device users need to be taught to enable the appropriate privacy settings so that such information is not shared openly.”
Added Dr Ong-Webb: “In the same way we have people turning off their camera phones in certain zones within camps, we could have certain measures in place where sensitive portions of a camp are non-negotiable and people will have to turn off their Fitbits, etcetera.
“Our policymakers have to start thinking of ways we can reduce risk, but we cannot find absolute solutions anymore. We’re going to have to adapt and adjust to the very pervasive reality of these kinds of technologies … There’s no running away from them.”
Cybersecurity expert Mr Eugene Tan, also of RSIS, said: "Even if we banned fitness apps, would the blackout area ... not become a sensitive area that raises suspicions? A ban would then be counter-productive.
"Having a blanket ban would be shortsighted because we should be able to use technology for our own good, like pace our runs, watch our heart rates, etc. These are the unintended consequences that all governments have to deal with, and not just Singapore."
"We need to more nimble around technology as a nation, and not jump to ban everything," he continued. "Technologies are going to evolve, and the challenge is how we live with them, not without."