Former Homeland Security secretary Michael Chertoff once said during a conversation with me that he uses a fitness tracker to monitor his regular runs, but he doesn’t connect it to the cloud. One of the top security officials in the country, in other words, implied that he thinks such devices are too tempting a target for hackers and easy to co-opt for spying or other nefarious purposes.
The U.S. Defense Dept., meanwhile, has finally gotten around to formally acting based on that same assumption — that such devices, even if they’re not broken into or misused, can easily give away sensitive information. Like the whereabouts and activity of soldiers in a combat zone who might be using a GPS-enabled tracker to monitor their workouts and the like.
According to a memo from the Pentagon obtained by the Associated Press, the military is now forbidding troops and other workers in sensitive areas, like a warzone, from using devices and applications that can give away sensitive information like the user’s location. Indeed, the Pentagon memo describes a “significant risk” as a result of the “rapidly evolving market of devices, applications and services with geolocation capabilities.” Those capabilities, the memo continues, can expose personal information, routines and numbers of military personnel, among other things, and “created unintended security consequences.”
Worth noting: the devices like fitness trackers and smart watches aren’t banned themselves. The order is focused on whether the GPS capabilities are in use or not.
Per Forbes, “The move follows the discovery earlier this year by Nathan Ruser, a student studying international security at the Australian National University, that the fitness app Strava was revealing sensitive information through its publicly-available activity map.
“For nearly two years, the app was displaying the movements of users in locations such as US bases in Afghanistan and Syria, a French military base in Niger and even Area 51.”
Forbes goes on to note how another researcher, Paul Dietrich, claimed he was able to use data scraped from the activity map to track one individual soldier from country to country.
Here’s the memo, in full. It also spells out how the Defense Dept.’s chief information officer and the U.S. Under Secretary of Defense for Intelligence are going to be jointly working on the development of geolocation risk management guidelines and training so that commanders and other military officials can be better informed in this area.
The memo was written by Deputy Defense Secretary Patrick M. Shanahan, who sent it out earlier this week to all service leaders.