Recently, the fitness app Strava published a “heatmap” of trillion of data points visualizing the information of users who submitted or synchronized their fitness activity to their servers. This data includes both fitness information recorded directly on the fitness app and data synchronized with the app from a number of physical fitness trackers, such as a Fitbit.
The purpose of this heatmap was to show the most active areas for Strava users, including paths for jogging or cycling. However, the heatmap also visualized the data of individual users. In other words, the path of millions of jogs in Central Park in New York City are visualized on the map, but the patrol path of a single soldier on a military base, assuming he or she was recording data on the Strava app, is also present.
Nathan Ruser was the first person to notice the potential use of the Strava heatmap to identity military sites.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
As The Verge wrote, you can already find most of these military sites with satellite imagery, but the heatmap reveals human activity, such as “how people are moving along those areas, and how frequently, a potential security threat to personnel.” As Jeffrey Lewis noted, the data held by Strava, both in its heatmap and elsewhere in its databases, is invaluable.
— Jeffrey Lewis (@ArmsControlWonk) January 28, 2018
However, the map alone is sometimes inadequate to provide useful analysis. In this guide, we will outline some of the complementary methods and tools to analyze the unusual data you may find on the Strava heatmap, and a consideration of some of the limits of the recorded activity.
Limits and considerations of Strava’s data
Since Nathan’s tweet, a number of interesting findings from this heatmap have been shared on Twitter, mostly related to secret military and detention sites. However, these locations are far more often open secrets rather than actual secrets, as local reports have revealed the presence of most, if not all, of these “secret” locations. For example, Jeffrey Lewis wrote for the Daily Beast how the Strava heatmap shows the location of a missile command headquarters in Taiwan. Though personnel at this base would cringe at the idea that possible patrol routes are visible on the heatmap, the location of the headquarters itself has long been an open secret after local reporters investigated faux-delivery trucks transporting missiles.
Additionally, the information visualized in the heatmap is largely, though not entirely, restricted to the activity of particular countries. For example, Nathan Ruser found a series of forward operating bases (FOBs) in Afghanistan, likely manned by American and NATO Coalition soldiers.
Here are some FOBs in Afghanistan. pic.twitter.com/JoB7hKHwyh
— Nathan Ruser (@Nrg8000) January 27, 2018
Even in relatively small American bases, we can find activity on the Strava heatmap. However, when examining one of the largest Russian military camps on the Ukrainian border, the Kuzminsky firing range, we can find only a small amount of activity, despite the fact that thousands of Russian soldiers have moved through this location over the past three years (click for full size of visual below).
When searching for geotagged photographs on particular social networks, we will find far more activity in the post-Soviet space for Vkontakte, and more posts in the United States for the Foursquare service. This heatmap works in a similar fashion, where we will find a disproportional amount of activity on the Strava heatmap with, for example, Americans rather than Russians.
How to interpret heatmap activity
Cross-reference with historical satellite imagery
The majority of discoveries surrounding the Strava heatmap have been military locations, due to the presence of American and other Western soldiers in a number of Middle Eastern and South Asian states with large swaths of depopulated area. Though obviously, not all of the activity in these military locations is necessarily from Western military personnel. For example, @LostWeapons identified Strava activity in Aden, Yemen, where the UAE has deployed Patriot missile systems, as Chris Biggers reported in January 2017.
You can literally spend less than a minute on Stravas new data service and find sensitive sites. Nice patriot position you have there pic.twitter.com/eYS8TOuT0F
— Lost Weapons (@LostWeapons) January 27, 2018
Finding this site is easy when looking around Yemen, as this reported Patriot missile site is the only place in Aden with any noticeable Strava activity.
Once we located a potentially interesting site on Strava, we should cross-reference the site with the historical imagery on Google Earth. Doing so for this location in Aden shows rapid construction since 2014.
Cross-reference with Wikimapia
Wikimapia is also an excellent, though not always completely reliable, tool to cross-reference sites that light up on the heatmap. The descriptions of locations in Wikimapia are user-generated, including from a number of active open source investigators. However, due to the user-generated nature of the system, the information provided for particular locations should be cross-checked with other sources of information.
We can use Wikipedia to identify an unusual location in Syria that resembles an oasis of Strava activity.
If we cross-reference this spot with Wikimapia, we see that it is apparently an oil well with a nearby gas pipeline, meaning that one or more people with their Strava data tracking enabled apparently took a regular jogging or patrol path along the roads near the wells and pipeline.
We should keep in mind that not every data point in the heatmap is accurate, as GPS activity can easily be spoofed, and users can intentionally falsify data to their liking. The clearest example of this is by looking at the activity of the GPS coordinates 0.000, 0.000, in the Atlantic Ocean due south of Ghana. It is extremely unlikely that there has ever been genuine Strava activity from this spot, but GPS coordinates can be spoofed to a particular location either by state actors or individuals. For example, GPS coordinates near the Kremlin have been reported to be spoofed to the Vnukovo Airport. With this location at coordinates that are so easy to input, it is no surprise that there is an island of activity in the middle of the ocean.
Don’t jump to conclusions
But not every instance of Strava activity in the desert is from mysterious military activity. At first, this strange geometrical pattern in the desert of Nevada seems like it could be a secret nuclear missile site or underground base that is modeled after the Pentagon.
The answer is much less sinister — it’s the Burning Man festival, where thousands of people who likely have Fitbits or other fitness trackers visit a temporary city that is created each year in the remote Nevada desert.
In the coming weeks, there will be additional findings from both open source investigators and professional journalists in sensitive locations around the world. For example, Pulitzer Prize-winning journalist Charlie Savage has already updated his previous research into Camp 7 of the Guantanamo Bay prison using Strava’s heatmap. Bellingcat will continue to publish information on many of these findings, with an eye on methods to utilize Strava heatmap, and also assisting in crowdsourcing the analysis of particularly mysterious locations with unusual activity.
If you have any additional tips on using the Strava data, or discovered any pitfalls for faulty analysis, please leave ideas in the comments, or send them to use via Twitter or Facebook and we will add them to this post, with proper credit.