This isn't even "deanonymization" in the sense of "performing statistical inference to re-associate different pieces of data." It's "you ask the company to give you personally identifiable data, and it does so."
Strava is a public-by-default social networking website that happens to focus on athletics. Given that, it's no surprise some users happen to work in the military (they're also on Facebook).
It seems like the various militaries need to do a better job of informing and enforcing social media policy, including auditing websites like Strava. You could also argue that Strava should be private by default, but I don't think you'd have much success persuading them of that.
The US did audits and actually issued 20000 + 2000 Fitbits at minimum in trial programs.
Strava is the least of their problems. Despite all the news articles in the last day, I didn't come across a single previously unknown site mentioned in any of the stories. All those "experts" did was show known locations with a novelty overlay.
The heatmap is the graphic and interactive part that makes the story digestible, but there is no actual hard news in there. The story usually then shifts to being able to track users across bases, which is nothing exclusive to Strava and mostly speculative when it comes to discovering actually secret deployments.
In the case of HMNB Clyde, that place also exists on Instagram, which I find way more discerning, since by default geo-located pictures are even less obvious than a "share my GPS track of my sports activities" default setting.
Even the knowledge of exact guard patrol routes and possibly even timings inside a known military base can be extremely helpful information for someone planning an attack. Best part: you don't even have to place a scout in physical proximity as preparation and risk discovery. So this is less than ideal for military organizations.
You're totally right of course and I think it's pretty shocking that military personnel aren't aware they are broadcasting their location out to the web. Complete opsec failure.
They are, they just don't care. The State Dept will likely issue a ban on their facilities which personnel will adhere to. Other military installations like Special Forces bases or regular Army bases overseas probably will issue a memorandum ("Be Vigilant!"), but I predict they won't stop using the devices. State Department facilities are the only places that they try to hide from others. Not that people and equipment are operating out of them (because that's impossible), but that they are State Department facilities to begin with.
Well, a route taken regularly at 3 am is almost certainly not someone taking an off duty stroll. I do not know if you can readily figure that out from the data available through Strava. But if you can, this is bad.
How can you be so sure?
Patrol shifts are normally rotated to prevent exactly that among other reasons, while someone having a regular non-patrol late shift (or early) and doing his exercise regularly at 3 am is also not unheard of.
You might be able to, but even then it is more likely to be a person doing exercise on a device with the wrong time zone than it is to be someone on patrol.
To reiterate: Strava isn't always on. These are activities people have actively chosen to log. The chance of it being someone out on patrol is... not high.
Having to actively log the data is interesting. I agree with your conclusion there.
However, GPS is primarily a very high precision time signal, from which the current location is reconstructed. Basically, properly designed software would do the proper time zone adjustment based on that, so the data should ideally be in local time everywhere without exception. Everything else would be a bug in my book.
I couldn't think of any other good title. It's going from a heatmap to identifying individuals, who, if they didn't use an alias, are now identified. And of the 16 people faster than me on that circuit, 14 used full names.
Gave the map of the route to fake. Without that you'd need time to trace round buildings and training areas you see in satellite pics. Which is the kind of thing governments have the time to do (imagine mapmyride seeing an uptake in users in N Korea); I didn't.