# Strava Workout Reveals Location of Aircraft Carrier Charles de Gaulle
A crew member on the French aircraft carrier Charles de Gaulle logged a run in the Strava app with geolocation enabled, allowing the ship's exact position in the Mediterranean Sea to be publicly pinpointed. The incident happened on March 13 northwest of Cyprus, about 100 km from the Turkish coast. The data became available to all users because of the open profile.
How Strava Leaks Military Secrets
Strava aggregates GPS tracking data from smartwatches and smartphones, creating heatmaps of activity. Service members often use the app for fitness, but public logs reveal not just personal routes but also base infrastructure, convoys, and ships.
In this case, a 35-minute run along the aircraft carrier's deck produced a clear track matching the ship's outline. The profile under the pseudonym "Arthur" was public, making the coordinates available for anyone to analyze. Le Monde noted that while the Charles de Gaulle's presence in the region wasn't a secret, the precise coordinates pose risks to escort operations and logistics.
Risks to OPSEC in the Age of Fitness Trackers
Operational security (OPSEC) for service members is under threat from consumer apps. Strava records not only land-based runs but also at-sea ones—on ship decks or near bases.
- Base heatmaps: In 2018, Strava analysis exposed secret US facilities in Afghanistan and Syria.
- Sea tracks: Runs on aircraft carriers outline ship shapes, including hangars and flight decks.
- Group activities: Crews create activity clusters that reveal group sizes.
- Timestamps: Syncing with maneuver schedules amplifies vulnerabilities.
The French Ministry of Defense confirmed the violation: a public Strava profile goes against instructions. Command will take action, including disciplinary measures.
Recommendations for Minimizing Risks
Developers and cybersecurity specialists can study these incidents to build monitoring tools.
- Profile privacy: Set visibility to "private" or "friends only".
- Disable geolocation: Block GPS during duty or at facilities.
- Corporate policies: Integrate with MDM systems to control apps on devices.
- OSINT analysis: Regularly scan Strava for leaks using API or scraping.
- Alternatives: Use offline trackers without cloud sync.
In corporate settings, similar risks come from employee fitness data: HR policies should cover rules for BYOD.
Key Takeaways
- Precise track: A 35-minute run exposed the carrier's coordinates 100 km from Turkey.
- Public profile: Open access on Strava made the data publicly available.
- OPSEC violation: France's Ministry of Defense acknowledged the incident and promises measures.
- Broader context: Strava leaks have previously compromised US and NATO bases.
— Editorial Team
No comments yet.