I'm truly gobsmacked that it never occurred to anyone that this might pose a problem. Maybe not the 19 year old grunt who signed up because getting a master's in CS wasn't in his future, but c'mon, there isn't someone responsible for preventing data leakage? This is not some corner case, or some side-channel attack; Strava's whole business model rotates around "track where you've been with extreme accuracy, and let the world know about it". Otherwise I'd just keep the data locally, like I did in the old days.
But even if kept locally, what happened to the worry of radio leakage? Ten years ago I worked on some stuff that might end up being used by the military, and I distinctly remember a co-worker who used to be pretty high up in the army (colonel, maybe?) pointing out that in the field things like Bluetooth, et al., were generally frowned upon for what I thought would be obvious reasons. Perhaps with the subsequent advent of more and more devices emitting radio signals, what used to be obvious isn't so obvious anymore, so now we let military personnel run around with devices on their wrist that signal to anyone within 30m that they're there.
Institutions tend to optimize so they run close to the redline, busy with a lot of stuff as it is. Adding more tasks, making them important, making everyone get educated and compliant is a huge undertaking.
Noticing and discerning what needs to be prioritized, in areas presenting such volatility and new possibilities as smartphones, apps, and data security could be daunting to do selectively.
They could ban cell phones / bt devices altogether but that will likely not go well.
As for our relationship with security, I find Richard Feynman’s experiences delightfully relevant:
http://calteches.library.caltech.edu/34/3/FeynmanLosAlamos.h...
Edit: typo
Can we please drop the elitist attitude and explicit assertion that enlisted military personnel are stupid and that CS students are intelligent.
Why even bother breaking into an air gapped DoD network to get classified data when you can target all these third party cloud companies that have secondary data that isn't air gapped in classified networks, and most won't have the security resources to really lock things down.
This is somewhere in the awkward middle between what's called "open source intelligence" and traditional intelligence.
I don't envy defensive cybersecurity staff and their jobs/responsibilities.
This isn't just heat maps they have; they have the movement and timestamped location of millions of people around the world. Undoubtedly some of those people are "interesting" to someone, especially since Strava just revealed that a lot of them hang out in unique places.
edit: For example: https://twitter.com/thegrugq/status/957851350099832834
The data these companies have is too valuable, cleanly IoT collected, and keyed by email, for nation states to not try to get.
And as an anecdote, back during my conscription, we were told to disable location services altogether and not take photos during training sessions, but I honestly think it had more to do with keeping in mind the best practices rather than avoiding anything getting "leaked". The officers were sometimes seen with phones of their own, meaning the government-issued tinfoil ones.
Let's wait to see how long it will take before someone figures out how to ID the security detail jogging with a president somewhere.
Like any other data breach, it speaks for the customers who want offline, non-cloud solutions...
The Pentagon is also entirely dark.