Recently, the official account of China's Ministry of State Security published an article titled "Military Secrets Leaked — Could It Be Because of This?" It pointed out that even common smart bands and watches — wearable GPS devices — can lead to the leakage of military secrets. The article was somewhat vague: "A leak of military secrets caused by smart wearable devices in a certain country has drawn global attention. At the time, an important piece of military equipment from that country was on a mission. An officer, while jogging, wore a smart sports watch that continuously recorded and publicly shared high-precision GPS data. This led to the exposure of sensitive information, including the real-time location of the military equipment, causing significant and irreparable damage to the country's national defense." It did not specify the exact data source. The author, being curious, searched for the case and found a likely match.
Strava Heatmap Incident
The Strava Heatmap Incident, also known as the "Strava fitness heatmap leak," broke out in January 2018. Strava is a highly popular fitness app among sports enthusiasts worldwide. In November 2017, Strava released a global "heatmap" of user activities. This map aggregated GPS exercise tracks uploaded by millions of users via smart wearable devices. The brighter the area on the map, the more people were exercising there.
In GIS, this is a routine data visualization. However, in January 2018, Nathan Ruser, an Australian university student, noticed a flaw while examining the heatmap: In large cities like those in Europe and America, the heatmap was bright everywhere, showing no anomalies. But in barren war zones or desert areas like Syria, Afghanistan, and Iraq, the map revealed bright "isolated islands" and specific routes.
These bright spots were exactly the secret overseas military bases of the United States and other Western countries. Because local civilians rarely used such smart watches, only officers and soldiers stationed at the bases wore smart devices and recorded GPS data while jogging, patrolling, or exercising. These continuously recorded and publicly shared high-precision GPS tracks not only exposed the exact locations of hidden bases but also clearly outlined the internal layout of the base, soldiers' daily patrol routes, and the operational patterns of supply lines. The image above shows a military base in Helmand Province, Afghanistan, highlighted by Strava to show the routes taken by joggers.
Strava responded firmly. After the incident, Strava advised military users to "opt out" (implying: if you blame us for leaking secrets, then don't use it). In August 2018, the U.S. Department of Defense officially issued new regulations banning military personnel in war zones or sensitive military bases from using any electronic devices with GPS functionality. That same year, Strava also modified its privacy settings, allowing users to hide the start and end points of their activities or choose not to contribute their data to the global heatmap. Strava still offers a global activity heatmap. If you are interested, you can view it at the link below:
https://www.strava.com/maps/global-heatmap
Data in domestic cities such as Beijing, Shanghai, Guangzhou, Shenzhen, and Taipei is very abundant.
The Morning Jog Loophole
Did it all end with Strava adjusting its privacy settings? Not really. At the end of October 2024, the renowned French newspaper Le Monde published an in-depth investigative report revealing that top security teams from countries including the United States, France, and Russia had inadvertently exposed the highly sensitive itineraries and hotel accommodations of heads of state to the entire world by casually using fitness tracking apps.
In September 2020, three days before Macron's visit to Vilnius, the capital of Lithuania, security personnel arrived early. Their running tracks left on Strava all converged at the entrance of a local five-star hotel. A few days later, Macron checked into that very hotel. According to statistics, before Macron's stay, the hotel's address had been exposed more than a dozen times by the running tracks of security personnel. Furthermore, Macron's "undeclared private vacation" to the Normandy coast was also revealed by the media thanks to his bodyguards' running routes.
In 2023, Biden traveled to San Francisco for the highly anticipated U.S.-China summit. Hours before Biden's arrival, a U.S. Secret Service agent went for a jog from a local hotel and left an exact route map on Strava. Subsequently, Biden checked into that hotel and held high-level talks there.
Data Leak from the French Nuclear-Powered Aircraft Carrier Charles de Gaulle
On the morning of March 13, 2026, a young officer serving on the aircraft carrier FS Charles de Gaulle went for a jog on the ship's deck, lasting about 35 minutes and covering 7.5 kilometers. He wore a GPS-enabled smartwatch linked to the social fitness app Strava. His account was set to "public," and the exercise data was automatically uploaded to the internet after the run. Because the aircraft carrier was moving at sea, the GPS-recorded track appeared on the map as a series of loops spinning in the middle of the ocean. By analyzing this public track, investigative journalists quickly pinpointed the exact location of this flagship of the French Navy: the eastern Mediterranean, northwest of Cyprus, about 100 kilometers off the Turkish coast. Subsequently, using public satellite imagery from the European Space Agency, they successfully captured images of the approximately 262-meter-long Charles de Gaulle and its escort fleet at the corresponding time and coordinates, confirming the authenticity of the data leak.
Is China Absolutely Safe?
Not really. The ecosystem of domestic apps is currently quite problematic. Various apps collect your user information — including geographic information — in all sorts of ways. You might open an app in an unfamiliar city, and soon after, someone is trying to sell you property there. The same applies to the military domain. China Military News has also reported several similar cases: After training, officers from a coastal defense brigade of the Fujian Provincial Military District posted their running tracks on apps like Joyrun and WeChat Sports, with maps clearly showing place names and landmarks around the barracks.
A case reported in 2016: Meng Fanting, a political instructor of the Second Company, First Battalion, of a border defense regiment in the Northern Theater Command, noticed while walking in the barracks that a soldier, Liu Tao, was using a mobile app to measure running steps and calories burned. The jogging route was around the barracks and very close to the border line.
Conclusion
In the era of the Internet of Everything, even the world's most rigorous physical security network can be easily torn apart by a small smartwatch on someone's wrist. From a GIS professional's perspective, the trajectory data from these smart devices is essentially a high-frequency, high-precision crowdsourced geographic data collection. When hundreds of millions of sensor nodes converge in real-time, carrying latitude, longitude, elevation, speed, and personal identity tags, the seemingly trivial data of jogging cadence aggregates in the cloud into a dynamic digital basemap capable of deconstructing national security. These incidents serve as a stark warning to spatial information professionals: geographic information is never just a cold coordinate point; it is a sensitive asset with strong sovereign implications and tactical value.