The personal data of approximately a thousand soldiers has been exposed. These are soldiers who exercised at Brabant defense locations and logged their training in the sports app Strava. Their full name, place of residence and photos in which they are recognizable, for example, are visible to everyone via the app. This is according to research by Omroep Brabant and Omroep Gelderland.

“It’s really bad,” says Matthijs Koot, expert in the field of digital data protection and privacy. “It is about the data of more than a thousand soldiers and that is a lot. This way you can easily put yourself on the radar of the enemy.”

Sports app Strava
For the investigation, Omroep Gelderland looked at the Strava app, a social medium on which athletes share their performance. The website contains routes, and for each route it states who has walked there. A number of hiking trails are located in secured Defense areas, where only soldiers, or visitors with an access pass, are allowed to walk around.

Omroep Gelderland also looked at the Brabant defense locations and shared the data with the research editorial team of Omroep Brabant. Users who registered a walk at a Brabant defense location in the past two years were included in this study. This concerns, for example, the Lunettenkazerne, Woensdrecht Air Base, Gilze-Rijen and Lieutenant-General Bestkazerne.

Combine data
According to expert Koot, it is easy to combine the names of soldiers found via Strava with information obtained through a data breach at, for example, a webshop. “Then they also know your e-mail address, telephone number and home address,” says Koot.

“If you, as a member of the military, have access to buildings, people and systems in which the enemy may be interested, then you should not play too much in the spotlight. That does not only apply if you go on a mission abroad, but also here in the Netherlands.”

Also at the KMA
It is striking that more than 250 of the soldiers whose data has been exposed come from the Royal Military Academy in Breda. The officers of the Dutch armed forces are trained there, and their personal data is even more sensitive than that of soldiers from other barracks, for example because the nature of their work gives them access to sensitive or even state-secret information. That makes them an interesting target for foreign intelligence services.

At the air base in Volkel and at the home of the commandos, the Engelbrecht van Nassaukazerne in Roosendaal, people handle information security better. There were no routes on Strava at these locations, and it was not possible to find personal data of soldiers.

Danger to national security
The army leadership has been warning soldiers for years to be careful when using social media and not to share data that shows that they work for Defense. A spokesperson for Defense says: “The enemy could indeed abuse this information. Soldiers are then put under pressure with all possible consequences. For themselves, their families, but also for national security.”

Despite the warning, it is fairly easy to find out more about the soldiers using Strava's public data. With the full names and photos on the Strava profiles, we were able to find the profiles of a number of soldiers on Facebook, Instagram and other social media.

To shield their data, athletes on Strava can make their profile private. Only people who are invited can see their activities. About a quarter of the soldiers have such a private account. But even if a profile is protected and activities are not visible, the names still appear in the rankings that Strava shows. And by clicking on a profile, the profile photo and possibly the place of residence are also visible.

Not the first time
It is not the first time that the use of sports apps among soldiers has caused a fuss. The Guardian previously revealed that the locations of secret bases could be found via the Strava app. Bellingcat and De Correspondent managed to find out the names of soldiers via the Polar app in 2018. After those revelations, the Ministry of Defense tightened the guidelines for soldiers.

Expert Matthijs Koot wonders when the Ministry of Defense will learn something from this. According to him, there is only one way to prevent this type of information leak. “Soldiers should stop placing their activities in the fields of Defense on social media.” And if they really want that? “Then create an account under a different name.”


Response Defense


In a response, the Ministry of Defense stated that its advice to soldiers is to lock their profile, not to use certain apps at defense locations and not to be recognizable as military personnel on such platforms. The reporting by Omroep Gelderland is a reason for the Ministry of Defense to place extra emphasis on the risks of sharing private information. The Ministry of Defense says it is not able to make statements about any additional security measures that are taken.

Accountability


Omroep Gelderland analyzed data on rankings of eight different military sites in Brabant. The data was shared with the research editorial team of Omroep Brabant, which studied it further. The sites are the Lieutenant General Bestkazerne, Major General De Ruyter van Steveninckkazerne, Lunettenkazerne-van Brederodekazerne, Woensdrecht Air Base, Volkel Air Base, Gilze-Rijen, Engelbrecht and the Royal Military Academy. Omroep Gelderland listed the profiles in every ranking. The broadcaster then automatically collected the data from each profile in that ranking. Only soldiers who have been active on the app in the last two years have been included in the study.
