Fitness App Activity Exposes Location of French Aircraft Carrier En Route to the Middle East

There have been serious privacy issues with fitness apps since they first became available in the early 2010s, and Strava in particular since it played a part in outing the specific locations of secret military bases in 2018. These problems never seem to get fully solved, and Strava is once again in the news for a related issue as a French officer seems to have obliviously used it to give away the position of France’s only aircraft carrier.

To be fair to Strava, the French government has said that the officer was not in compliance with current instructions about using fitness apps while on duty. Some of this boils down to the data-hungry business model of such apps, however, and the fact that it is difficult for more private alternatives to find their way to app stores.

Long history of fitness apps and government secrets

Strava has not only been in the news for related incidents since 2018, it has been involved in some recent stories. An in-depth examination of it by Le Monde in 2024 found that security details for Emmanuel Macron, Joe and Jill Biden, Donald and Melania Trump, and even Vladimir Putin had all exposed their location repeatedly via the fitness app dating back to at least 2021.

The central issue is that fitness apps include the ability to display one’s precise location during workouts on a public profile, and that this is usually on by default and has to be manually disabled (if it even can be disabled). The use of GPS data in this way does have some legitimate purpose for fitness features, such as tracking elevation changes during runs and letting people socialize and compare times and notes on different courses. But it creates what should be an obvious security hole for military members and presidential staff, yet one that people continue to fail to catch.

In some cases, governments downplay these incidents after the fact by saying that the information that was leaked was not actually all that sensitive. This does seem to at least partially be the case with the French carrier incident, as there was a public announcement that these assets would go to the Mediterranean for NATO exercises and be expected to stay there until May. No one wants precise locations broadcast, however, especially when moving within range of an active conflict and hostile forces!

France does not currently have fitness app bans for military, but does issue “instructions”

The French officer was using Strava on March 13 as they ran on the deck of the carrier, revealing that it was passing near Cyprus at the time. Their public profile has since been withdrawn. A French government response to the story indicates that there is not currently a ban on deployed military personnel using fitness apps, as the US military has in place, but there are some sort of “instructions” the officer was failing to follow.

This is obviously a case of staff awareness about the second-order risks that fitness apps present, but it also provides a general reminder that use of personal devices at work can create threat or espionage opportunity even if those devices are segregated from the business network.