The locations and layouts of U.S. military bases in countries like Syria and Afghanistan have been revealed by Strava heatmaps …

Strava lets users record maps of the routes they follow during exercise such as jogging; these maps are publicly visible if set to Public rather than Private. The most popular routes in any given area then form heatmaps, which not only reveal the locations of military bases but in effect create digital maps of their layouts.

The Washington Post says that while heatmaps are harmless in urban areas, they can be a major security risk in war zones.

Much of the data is likely to have been uploaded from Fitbit devices, which military personnel are encouraged to use as part of a fitness regime.

“Big OPSEC [operations security] and PERSEC [personal security] fail,” tweeted Nick Waters, a former British army officer who pinpointed the location of his former base in Afghanistan using the map. “Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.”

The security risk was first identified by Nathan Ruser.

Both the U.S. military and Strava say they are addressing the problem.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

— Nathan Ruser (@Nrg8000) January 27, 2018

“I wondered, does it show U.S. soldiers?” Ruser said, and he immediately zoomed in on Syria. “It sort of lit up like a Christmas tree.”

While the specific risk of Strava heatmaps is more easily recognized with the benefit of hindsight, I agree with my colleague Michael Potuck, who observed that it’s surprising that soldiers on postings in sensitive areas are allowed to keep location services switched on for their personal devices. There are many apps that automatically include location data in their uploads.

Strava issued a statement overnight saying that it is “committed to working with military and government officials to address sensitive areas that might appear.” An earlier company statement had urged its subscribers to check their privacy settings and provided a link to a site that explained how to do that.