According to an investigation by Le Monde, the crew of a French nuclear submarine inadvertently exposed patrol schedules and routes through their use of the fitness tracker Strava.
The Île Longue base, located in Brest harbor (Finistère), serves as a critical hub for France’s nuclear fleet, hosting four nuclear submarines. To ensure the security of the facility, 24/7 surveillance is maintained through drones and constant patrols, with access to the base strictly regulated.
Mobile phones are prohibited on the premises, and personnel are required to store them in designated lockers before entering. However, a data leak occurred nonetheless—via smartwatches used to record activities on Strava. Over the past decade, more than 450 Strava users were active within the base’s territory. Many individuals used their real names and public profiles, enabling journalists to uncover their identities.
One notable example is “Paul,” who recorded 16 workouts in January 2023. His route on February 3 passed alongside the docks housing the submarines. Subsequently, he disappeared from the app for nearly two months, returning only on March 25. Similar activity gaps were observed for users “Arthur” and “Charles,” suggesting their involvement in patrol missions. Paul explained his absence on Strava, mentioning the difficulty of resuming sports after “two and a half months in a waste box,” adding emojis of bubbles and a diving mask.
Despite enhanced security measures and patrols, this information leak became possible through the Strava fitness app, where personnel logged their runs. Analyzing user profiles revealed that workouts near the submarine docks often ceased for weeks, corresponding to the duration of submarine patrols.
The French Navy admitted that smartwatches might have bypassed security protocols despite existing bans. Representatives attributed such incidents to personnel negligence, asserting that they did not pose critical risks to the Île Longue base. However, the routes shared on Strava could enable foreign intelligence agencies to anticipate submarine deployment schedules—particularly concerning workouts conducted in the restricted dock area, where physical activity is notably rare.
While the French Navy maintains that its security measures ensure safe patrols, experts emphasize that absolute protection is unattainable. The Strava issue highlights the pressing need for stricter enforcement of security protocols and measures to prevent similar leaks.
This is not the first time Strava has exposed sensitive user data. Previously, Le Monde reported significant security risks for Joe Biden, Donald Trump, and Kamala Harris. Movements of their security personnel, including members of the U.S. Secret Service, were trackable via Strava. In 2023, researchers used the app’s heat map feature to identify users’ home addresses. Furthermore, it was discovered that Strava could disclose personal data to strangers in proximity due to default privacy settings.
The recurring leaks underline the importance of revising app privacy configurations and enforcing stringent digital security practices to safeguard sensitive information.
