I spent much of the day yesterday reading about the implications of what Strava has done by releasing their heatmap of location data into the wild. If you’re unfamiliar with the controversy, Strava, a company that aggregates the location data of folks using their phones and “wearables” like FitBit, released a worldwide heat map of where folks are running, walking and jogging.
As you might imagine, folks like the Pentagon have a number of places throughout the world where they don’t want public records of people walking, jogging, or running. Especially the number of people that might be walking, jogging, or running. And most especially, their names.
This is a mammoth Operational Security (OpSec) fail. Foreign adversaries can see the concentration and repeated movement of American operatives throughout the world — all through an innocuous little piece of consumer hardware that got a little bit chatty. I can imagine that there are some folks having a considerably worse morning than me right now.
Location data can be extremely sensitive if you can correlate a few other data points with it. For example, the number of folks walking in New York City isn’t likely to change the world, but companies like FourSquare have detailed databases of locations in New York City. Now correlate that to the time series data and you can derive insights like: Foot traffic to Chipotle is down 30% and so are sales. Front running the stock market isn’t necessarily a threat to national security, but it’s a pretty good start.
There are a lot of parallels with the commercial drone industry on this particular problem. Let’s say that through nefarious means or even the negligence of the operators or app owners, you’re able to get access to someone’s drone data. You see that they survey their work or construction site twice a week at the same time. Now, you have the opportunity to do “Bad Thing X” at the most opportune time: right after a survey with the maximum amount of time to cover up your dastardly deed or make a clean getaway.
It also means that data aggregators need to use exceptionally sound judgement about deriving insights from the data they collect and how they share them. The de-anonymized nature of the Strava data was particularly worrying. For example, someone was able to deduce which houses were owned by folks that used the app. Perhaps more terrifying, Wired UK was able to de-anonymize the data and get the names of Soldiers at a base in Afganistan. All my friends now know that I am sedentary idiot. I’m secure with that in more ways than one.
The narrative sounds eerily familiar: Enterprises and Government all start using a widely available consumer product with a very consumer-oriented backend. Data trickles into the cloud and comes spilling back out as a Tsunami of insight. And this wasn’t even a breach, this was data they were entitled to give away.
When you use the wrong tool for the job, you often end up with subpar results. We’re working hard everyday to build a product for the enterprise looking to use the right tool for the right job. The enterprise isn’t like other customers. At Kittyhawk, we’re thinking about that everyday.
Joshua Ziering
Joshua is the Founder and Chief Security Officer of Aloft (formerly Kittyhawk), the market leader in drone airspace systems & UTM technologies. He is also a Part 61 certificated private pilot, a founding member of the FAA's Drone Safety Team, and an FAA Part 107 certificate holder.