I spent much of the day yesterday reading about the implications of what Strava has done by releasing their heatmap of location data into the wild. If you’re unfamiliar with the controversy, Strava, a company that aggregates the location data of folks using their phones and “wearables” like FitBit, released a worldwide heat map of where folks are running, walking and jogging. As you might imagine, folks like the Pentagon have a number of places throughout the world where they don’t want public records of people walking, jogging, or running. Especially the number of people that might be walking, jogging, or running.
This is a huge Operational Security (OpSec) fail. Foreign adversaries can see the concentration and repeated movement of American operatives throughout the world– all through an innocuous little piece of consumer hardware that got a little bit chatty. I can imagine that there are some folks having a considerably worse Monday morning than me right now.
Location data can be extremely sensitive if you can correlate a few other data points with it. For example, the number of folks walking in New York City isn’t likely to change the world, but companies like FourSquare have detailed databases of locations in New York City. Now correlate that to the time series data and you can derive insights like: Foot traffic to Chipotle is down 30% and so are sales. Front running the stock market isn’t necessarily a threat to national security, but it’s a pretty good start.
There are a lot of parallels with the commercial drone industry on this particular problem. Through nefarious means, you’re able to get access to someone’s drone data. You see that they survey their site twice a week at the same time. Now you have the opportunity to do “Bad Thing X” at the most opportune time: right after a survey with the maximum amount of time to cover up your dastardly deed or make a clean getaway.
It also means that data aggregators need to use exceptionally sound judgement about deriving insights from the data they collect. The de-anonymized nature of their data was particularly worrying. For example, someone was able to deduce which houses were owned by folks that used the app.
The narrative sounds eerily familiar: Enterprises and Government all start using a widely available consumer product with a very consumer-driven backend. Data trickles into the could and comes spilling back out as a Tsunami of insight. And this wasn’t even a breach, this was data they were entitled to give away.
We think a lot about this at Kittyhawk. When you use the wrong tool for the job, you often end up with subpar results. We’re working hard every day to build a product for the enterprise customer looking to use the right tool for the right job.