Silicon Valley’s relentless quest to collect and collate every shred of consumer data hit a snag last week following the revelation that a global exercise heatmap, published online by fitness-technology firm Strava in November, inadvertently exposed the location and activities of U.S. service members stationed at sensitive military bases overseas.
In hindsight, the security concerns raised by the map are stunningly obvious. By displaying well-worn running routes used by American soldiers stationed in active war zones, Strava’s map could provide insurgents with insight on where to place explosive devices or snipers in order to maximize U.S. casualties. Blame for the security breach is also easy to apportion, with observers condemning both Strava and the Defense Department for their irresponsible policies and insufficient imagination.
But while the problem is simple to diagnose, experts worry that Congress and the Pentagon face an uphill battle to preempt new threats raised by the vast tranches of consumer data vacuumed up daily by tech companies.
Though House Democrats have opened a preliminary investigation into Strava’s privacy policies, any attempts to legislate a solution would likely run up against Silicon Valley’s entire business model. “Unless the Hill’s prepared to go after industry writ large on this, you can’t just isolate one company for doing what everyone else is doing,” said Todd Rosenblum, a fellow at the Atlantic Council and a former official at the Pentagon and the Homeland Security Department.
The Defense Department, for its part, may struggle to implement policies that prevent soldiers from oversharing online. “I think that is going to be difficult, because a lot of the use is done on private time or after-duty hours,” said Lt. Gen. (ret.) Guy Swan, the vice president of the Association of the United States Army. “How you enforce it would be an issue.”
And even if Pentagon brass can get a handle on soldiers’ misuse of this specific technology, it’s not clear that they’re equipped to foresee the inevitable security threats posed by big data in the future.
“The nature of secrecy—and the presumption of secrecy—is becoming a dated concept,” said Peter Singer, a strategist and senior fellow at New America. “And that’s really what the military has to figure out how to handle.”
Strava created its heatmap by combining billions of anonymized global-positioning data points transmitted by athletes using a Strava device or app to monitor their exercise regimen. That appears to have included a significant number of military personnel overseas, who Rosenblum and other experts say should have been more aware of Strava’s plans for their data.
“The responsibility lies with DoD and military personnel,” said Rosenblum. “It’s a failure of imagination in regards to the tracking devices … When you stand up entities that have the job of counterintelligence and force protection, these are things that people should be thinking of.”
Other experts primarily fault Strava for its opaque privacy policies. The company refused to take the map offline last week, instead issuing a letter claiming that users could have opted out of participation in the heatmap project.
Paul Scharre, the director of the Technology and National Security Program at the Center for a New American Security, dubbed Strava’s explanation a cop-out. “None of these military personnel would’ve shared this data if they understood what they were sharing,” he said. “I’m sure there was an option [to opt out]. But they didn’t clearly communicate that to people.”
Scharre called Strava’s decision to keep the map online—and to blame military users for failing to find the appropriate opt-out option—“wholly irresponsible,” and said he hopes Congress will call the company in for a browbeating.
Democrats on the House Energy and Commerce Committee appear interested in doing just that. They sent a letter to Strava demanding a briefing on the company’s privacy policies, as well as information on the processes surrounding the heatmap’s development and release. A Democratic spokesman said the inquiry was at its beginning stages, but did not rule out the potential for legislation down the road.
Elena Hernandez, a spokeswoman for Energy and Commerce Republicans, told National Journal that GOP lawmakers were not asked to sign onto the Democratic letter, but that they “will continue to closely monitor the situation with Strava.”
Any push to impose a federal legislative or regulatory fix would have to also target the broader Silicon Valley ecosystem, which is highly reliant on maintaining privacy policies that allow for the maximum collection of consumer data. Information-technology lawyer Tatiana Melnik said the questions Congress is now asking Strava could also be asked of “almost any other company.”
“Does that now mean that all these companies should have policies that specifically address whether those users are in the military?” she asked. “How would they even know that?”
Steve Grobman, the chief technology officer at cybersecurity company McAfee, cautioned regulators against taking a hard line against permissive corporate-data policies. “Big data, analytics, the ability to publish large quantities of data and understand the interaction of data in general, will provide massive benefit to mankind,” he said. “But we need to recognize there will be residual challenges, and new challenges that we’ve never seen before. And we just need to come up with pragmatic policies and practices to work through them.”
Those policies and practices may now be in development, at least as they’re related to exercise apps and wearable technology. A spokeswoman told reporters that Defense Secretary James Mattis is mulling drastic changes to the military’s use of mobile and wearable tech, including a possible ban on personal cell phones at the Pentagon. Several experts also floated the possibility that Strava could work with the Defense Department to create a separate, secure app for military personnel.
But as long as the culture of Silicon Valley continues to hype big data’s benefits and downplay its drawbacks, most experts believe the onus will be on the military and other vulnerable institutions to foresee the potential risks of a new app or device before its usage becomes widespread.
Steve Weber, a professor at University of California, Berkeley’s School of Information, believes the very nature of data science could make predicting the next crisis challenging. With so much data at corporate fingertips—and with the ability to mash disparate data sets together in a near-infinite number of combinations—Weber worries that researchers, companies, and institutions won’t notice the potential for negative impacts until the damage is already done.
“What we’re going to see increasingly are these unpredictable uses, which from a scientific perspective are incredibly interesting,” he said. “It’s going to be these ad-hoc responses. It’s gonna happen and we’re gonna go, ‘Shit, we should’ve seen that coming.’ But the truth is most of these things are going to be really hard to see coming, specifically when you’re combining data sets together.”