France's aircraft carrier located in real time by Le Monde through fitness app

Original Article ↗ Hacker News Discussion ↗

Overall significance of the Strava leak

  • Many note this isn’t about nation‑states tracking carriers (which they likely can already) but about:
    • A journalist using consumer fitness data and public APIs to track a capital ship in near real time.
    • How trivially individual behavior can compromise operational security (OPSEC).

How hard is it to track an aircraft carrier?

  • One side: tracking is easy for major states
    • High‑res optical and synthetic aperture radar (SAR) satellites, commercial constellations, and RF/ELINT systems make large ships stand out.
    • Once a carrier is seen leaving port, software and periodic imaging can keep a track within a manageable search area.
    • Commercial imagery can be bought or shared by allies; some cite examples like Planet Labs revisit rates.
  • Other side: global real‑time tracking is nontrivial
    • Oceans are vast; full‑coverage, up‑to‑date imagery is expensive and bandwidth‑limited.
    • Weather, revisit gaps, and limited SAR constellations reduce “live” precision.
    • Non‑state or poorer actors may not have this access.

Why Strava and fitness apps are a distinct risk

  • Provide precise, timestamped, easily scraped GPS tracks to anyone, not just states.
  • Enable:
    • Real‑time targeting by low‑end actors (e.g., drones needing only a rough fix).
    • Identification and long‑term profiling of personnel, their units, and deployment cycles.
    • Inference of readiness state (e.g., lots of jogging vs battle stations).
  • Past parallels: Strava and Fitbit exposing “secret” bases, heatmaps around perimeters, and even individual officers being tracked and attacked.
  • Some commenters think this Le Monde case is overblown and mostly a publicity stunt; others argue it clearly lowers the barrier for adversaries.

Structural OPSEC problem with personal devices

  • Militaries struggle to balance morale (phones, internet, entertainment) with security.
  • Examples of leaks via Telegram, Tinder triangulation, fitness trackers, and casual social media use.
  • Proposed mitigations:
    • Total bans or Faraday cages in sensitive contexts.
    • Network whitelists/blacklists and welfare networks with strong filtering.
    • A “military‑safe” OS or app ecosystem, and true device‑local/private modes for logging workouts.
  • General view: when things get truly serious, communications need to be cut; any system that assumes perfect user behavior will fail.

Ethics and journalism

  • Split views:
    • Some see Le Monde’s work as legitimate, even important, demonstration of real vulnerabilities.
    • Others see it as irresponsible doxxing that marginally endangers a ship and sailor “for clicks.”
  • Possibility of spoofed tracks is mentioned, but remains unclear.