Mapping More Than Miles: Strava and the Age of Open-Source Intelligence

Previously the domain of human spies, intercepted communications, and old-school satellites, intelligence work today increasingly depends on piecing together trails of data that individuals, apps, and platforms leave online. This approach, known as open-source intelligence, now accounts for upwards of 80% of intelligence operations conducted by law enforcement and intelligence agencies in the Western world. The method is not novel, but the scale certainly is. What was once confined to newspapers and other physical public records now extends to emails, phone calls, search histories, tweets, and high-resolution imagery and footage that only modern technology makes possible, opening up a whole new world of data exploitation. As the sources for data collection have expanded, so too have the actors capable of gathering and interpreting it. Intelligence agencies in a select few countries were once the only ones with the resources to collect, decode, and analyze information at scale, but now, in effect, the digital age has democratized intelligence — giving civilians and private companies power once solely in the hands of states, and exposing new vulnerabilities in the process.

When the popular fitness app Strava released its Global Heatmap in 2017, it seemed at first like a harmless engagement feature, perhaps a sort of Spotify Wrapped for runners. However, one observant Australian college student was the first to point out there might be more at play. Sure enough, analysts and academics soon confirmed that Strava’s gold mine of data posed an overlooked security risk, carrying implications far more consequential than exposing the most underrated running trail in town.

With tens of millions of workouts uploaded weekly, Strava’s detailed GPS tracking offered much more than a fitness record: it created a global dataset of movement patterns. By its own reports, Strava boasts an estimated 150 million users in over 185 countries.

Combining GPS data from anyone with their profile visibility set to “everyone” (the default setting), the Global Heatmap glows brightly, highlighting routes run all over the world. In countries where Strava is not as widely used, such as Afghanistan, Syria, and Djibouti, a few bright dots drew attention to its users, predominantly members of the military. Their routes confirmed known layouts of foreign military bases. The sole roadblock to such a detailed, street-level view is registering for an account, which is hardly a barrier to anyone who knows how to download an app. The locations of many of these bases are already in the public domain, and the map is nominally anonymous, but through a bit of in-app maneuvering, programmers have shown that it was indeed possible to match names to activity details. With this data, anyone could discern troop movements and deployment details from the names and locations of stationed personnel, all of which are usually withheld from the public, given the potential to endanger service members or disclose sensitive information about operations.

The Pentagon banned its soldiers from using Strava and other geolocation fitness trackers in operational areas after the revelation — but not before the wealth of data had already been publicly accessible for months. Facing pressure from the Department of Defense, Strava took its own steps to address the matter as well. Updates included removing low-traffic routes from the map and displaying a brief in-app pop-up on privacy controls, yet the default setting is still a public profile, and high-profile privacy leaks have persisted, even as recently as July of this year.

The case of the Strava Global Heatmap is an example of the increasingly blurred line between digital exhaust (background data collected passively from online activity) and national security risk. Years ago, operations security was relatively simple — a matter of refraining from speaking too openly in public. Today, it’s not so easy. Strava’s controversial map was not an isolated event. Google Earth images have uncovered expansions of Chinese military installations and North Korean prison camps, commercial satellite photos have revealed battle damage before or in greater detail than state-released statements, and TikTok videos have given away troop movements during the ongoing Russo-Ukrainian War. Not only do these operations security leaks pose a strategic issue, but they emphasize how digital platforms as a whole have become an integral part of the modern battlespace. Taken together, they signal a world where intelligence is no longer monopolized by states, but distributed amongst billions. Private platforms now hold troves of information that governments can’t control. Intelligence has shifted from sticking to confidentiality to navigating the fine line between transparency and exposure, whether it’s interpreting what information is already out there or mediating what becomes visible. In this new ecosystem, power lies not only in secrecy, but in visibility — managing that may be the defining security challenge of the digital age.