The Pentagon is moving to protect its personnel from unintentionally advertising when they’re in an operational, and possibly secret, location. A memo issued Aug. 3 by Deputy Defense Secretary Patrick Shanahan prohibits the use of “geolocation features and functionality on government and nongovernment-issued devices, applications, and services while in locations designated as operational areas,” an edict that applies to smartphones, fitness trackers, and any other devices that will reveal a user’s location.
The new policy is a response to the revelation in January that a global heat map posted by fitness tracking company Strava could be used to identify the locations and activities of military personnel, even down to individuals, at military outposts around the world or in high-security areas such as the National Security Agency. But it addresses a broader problem than just Fitbits or Jawbones, because of the military’s widespread—and growing—use of wearable, GPS-enabled devices, whether they be government-issued or personal property.
“The rapidly evolving market of devices, applications, and services with geolocation capabilities presents a significant risk to the Department of Defense personnel on and off duty, and to our military operations globally,” Pentagon spokesman Army Col. Robert Manning III told reporters in announcing the policy.
DoD already has rules, included in annual cybersecurity training and manuals such as the Army’s Social Media Handbook, against using location-based social networking services while operating in classified areas. Shanahan’s memo reinforces those policies while bringing enforcement of the rules closer to the ground. Commanders will have responsibility for enforcing the rules, and will be allowed to make exceptions only after a thorough risk assessment, Manning said.
A big part of the new policy is just making sure users manage their devices more carefully, since, as in the case of the Strava revelations, users might not always know that their locations are being broadcast. Fitness devices such as Fitbit, Apple Watch, and Jawbone all have privacy settings that prevent revealing one’s location. Strava also lets users choose a single-player mode that keeps their information private, and select privacy zones (such as home or work) so no information is broadcast when users are near those locations.
Strava, which has about 27 million users around the world, lets runners, bicyclers, and others track and post their exercise routines, which are displayed on a map. Many users, however, leave their devices on after exercising, thus revealing where they go the rest of the day. With all that information, a 20-year-old Australian noticed that Strava’s heat map of users could be used to locate and track military deployments, including near the Korean Demilitarized Zone. Strava also lets its members mine current information on individual users, creating the potential for serious breaches.
For DoD officials, who immediately ordered a review of the security issues and whether new policies were required, it wouldn’t be as simple as banning the use of mobile, Internet of Things-connected devices, since those devices are not going away. Wearable technology is a burgeoning field in the military. A few years ago, DoD announced a $175 million initiative into wearable technology that would address areas such as medical monitoring, communications, field computing, and new uses for sensors. The Marine Corps, for example, is working with MIT Lincoln Labs on a biomechanics and agility monitoring device that Marines can wear in their boots. The Army is pursuing a number of ways to monitor the physiological health of soldiers in the field, and the Air Force has similar programs.
DoD needs to address security with those and other wireless IoT devices—and ensure that users are meticulous about security settings, to avoid being blindsided again by an exposure like the one involving the Strava app. Features such as geolocation might be controlled in certain circumstances, but they will persist. Remember Foursquare, the app whose whole purpose was to let people tell the world their location every minute of every day? After riding high for a while as a member of the Twitter/Instagram pack of social media hotshots, it seemed to fall off the map, as it were. But it is now resurfacing as an under-the-radar tool to let businesses track consumers.