DOD Prohibits GPS-enabled Devices for Soldiers, But Civilian Risks are Low

While news broke last week of a Department of Defense (DOD) policy to prohibit GPS-enabled devices in deployed settings, no one should expect a drop in usage of popular devices such as Fitbit fitness trackers from the general public.

It was reported last week out of Washington that deployed service members could no longer use their “geolocation devices” in response to a memo from Deputy Defense Secretary Patrick M. Shanahan. This ban includes physical fitness aids, applications in phones that track locations, and other devices and apps that pinpoint and track the location of individuals.

“Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and nongovernment-issued devices, applications and services while in locations designated as operational areas,” Pentagon spokesman Army Col. Robert Manning III told Pentagon reporters in published reports.

Deployed personnel are in “operational areas,” and commanders will make a determination on other areas where this policy may apply.

The market for these devices has taken off in a big way over the past few years, with many people — including service members — incorporating them into their workout routines. The devices and applications are used to track their pace, running routes, calories burned, sleep patterns and more. These devices then store the information and upload it to central servers where it can be shared with third parties. That information can present enemies with information on military operations.

That’s why the DOD has reason to be concerned. But for most civilians using these devices, these concerns will not typically apply.

“For the general public, generally it’s not a big issue. However, if someone is a victim of stalking then it could be an issue. There’s an additional data source that a stalker can use to get insight into your locations. But for normal Jane or Joe on the street who is using their Fitbit for exercise, it’s not really an issue,” Todd Morris, CEO of BrickHouse Security, told Inside GNSS.

Morris, who wears a Fitbit himself, said the concern with these types of devices primarily surrounds where the data that they acquire is stored and how secure it is. In much the same way a stalker can track a victim, a company, organization or government can have its privacy and safety threatened if their location-based data were to fall into the wrong hands.

“If you have a large number of people who work for one organization and they all show up at one location often, whether it be a government installation, the military or for a corporation, and some foreign actor wanted to learn more about that organization, the government can’t really vouch for the security of a company like Fitbit. So they don’t know if Fitbit, for example, has been hacked by the Russians, the Chinese or the mafia, or whoever else,” Morris said.

The data acquired by these devices could allow a hacker to determine, among other things, if a group of employees (or soldiers) gather a certain locations and at certain times, and they then can easily piece together information about such locations as well as gain the ability to track them back to their homes.

“So if they want to find employees of this organization they can find them, but they can also find secret installations because the people who show up at this location also show up at this other location,” Morris said. “That’s really what the military is worried about, for some foreign entity to mine that data being collected on a third party server.”

Morris said companies like Fitbit take steps to protect their servers and the data, but that these steps most likely do not match the resources available to the DOD and yet last week’s memo still indicates a need for additional security measures.

The Risks are Real
“The rapidly evolving market of devices, applications and services with geolocation capabilities presents a significant risk to the Department of Defense personnel on and off duty, and to our military operations globally,” Manning said last week.

These GPS capabilities can expose personal information, locations, routines and numbers of DOD personnel. Their use in overseas locations “potentially create unintended security consequences and increased risk to the joint force and mission,” Manning added.

Personal phones and other portable devices also contain apps that rely on GPS technology, and they will be affected. Commanders will be responsible for implementing the policy, and they will be allowed to make exceptions only after conducting a thorough risk assessment, according to published reports.

Security is at the heart of this guidance. DOD is seeking a balanced way that allows for legitimate official and personal uses of geolocation technology that does not impact security.

Morris compares last week’s announcement from the DOD to a similar action taken by the Department of Justice (DOJ) last year in regards to the U.S. Army and its use of drones from Chinese manufacturer DJI.

“The U.S. military was using these hobbyist drones from DJI, which has its server in China,” Morris explains. “And all that data’s being stored on a server in China and although it may not be a government-owned company, it’s pretty well known that in countries like China and Russia, when the government comes and makes a request to view your servers, you don’t say ‘No.’ ”

While DJI stated their drones include options to not store the data on their servers, by default it does send the data to their severs, much the same way fitbit and other devices do.

“And it’s not just Fitbit and DJI,” Morris said. “For every American company that creates cool technology, like Fitbit, there are 40 knockoffs that are not necessarily secure, made by companies and they sell them on random websites and people buy these knock offs not realizing that their data is stored by some random company maybe in China.”

Again, Morris states, in most cases most of the users of fitness tracking devices need not worry.

“It’s no issue for Jane or Joe and I personally use one myself and I’m a security professional. But I don’t have any secret installations I’m trying to hide. If my company had a secret office that some of my employees went to regularly, then I’d rethink,” he said. “Because if you’ve got a secret location you don’t want people to know about and half of your employees go there, you could be discovered that way.”

Paul Bischoff, privacy advocate at Comparitech.com, agrees with Morris that most civilians should not be concerned about continuing to use their fitness trackers and GPS-enabled cell phones, but should be aware of the risks along with steps that can be taken to reduce the risks.

“If you insist on using such a device, keep it and the app separate from the rest of your digital footprint. Don’t connect your fitbit to your social media account to show everyone where you go running every day, and for how long. That’s just asking for a break-in,” Bischoff said.

It is, however, a different story when it comes to the military, Bischoff adds.

“Deployed service members who use GPS-enabled devices not only put their personal privacy at risk, but also the safety of their fellow soldiers, so there’s a much greater impetus to ban such devices among service members. While there may be a handful of other cases where this applies, the general public usually don’t need to worry about putting their neighbors at risk by using a Fitbit,” he said.

IGM_e-news_subscribe