Today, we want to talk a bit about security and technology. The “Internet of Things (IoT)” is a favored buzzword right now in technology and technology investing. The term describes the now nearly ubiquitous internet-connected devices, often GPS-enabled. Smart, connected devices today are cheap and readily available, but do people really think about the security implications inherent to them?
We are enthusiastic users of Fitbit’s fitness monitors. They are not as flashy as an Apple Watch but nearly as useful. Their social network also allows you to encourage your friends to exercise, and who couldn’t use a bit more physical activity (and motivation)? Strava is an app that can similarly be used to track and share workouts and routes. We’ve used it to find interesting hikes and bicycle rides.
However, last year, Strava, as a data exercise, released an aggregate of all the routes their users had taken.
The map is anonymous, but when used creatively, it was an enormous violation of its users’ expectations of privacy. Since Strava is more often used by fit people from the U.S., the global map naturally skewed to the activity of fit, younger people from the U.S. There were interesting concentrations of activity of fit, younger people from the U.S. in Afghanistan, Syria and other locations of known military bases (since U.S. soldiers also tend to be fit, younger people from the U.S.). Once people realized this, the hunt was on for areas of U.S. military activity. The map shows not only the general location of the users, but also the specific paths they followed. This could be very useful to someone who was interested in the patrol routes of a military outpost. Some areas of the map even showed activity near rumored or denied military bases.
An example of the Strava data showing an undisclosed U.S. military facility in Nevada is below. Just kidding! It’s actually the annual Burning Man festival but it demonstrates the point.
Others noticed that you could find individual homes. In the image below, we can see a home in Salem, Oregon, likely showing the occupants’ preferred cycling route. From a similar map, I located the house of an acquaintance from his general address and knowing he is a triathlete. A thief might be interested to note the homes of triathletes, as they tend to be full of very expensive bicycles.
Similar data is used by Google to produce their estimates of the time spent at restaurants and other points of interest. Waze, an excellent routing application, uses similar data to estimate traffic.
This sort of data is collected by GPS-enabled devices everywhere. We tend not to think about it much. If it is accessed by hackers, leaked out of a badly designed application or released thoughtlessly by the companies that collect it, then the data can be used in unintended ways.
However, before you blame young, uninformed soldiers for thoughtlessly leaking sensitive data, consider this: Patrick Shanahan, the Deputy Secretary of Defense for the U.S., was also a leaker. He wore a Fitbit up until a few weeks ago.