Sending Office: Honorable Jackie Speier
I urge you to join me in writing to Secretary of Defense James Mattis to express concern over details of sensitive DoD facilities publicly available from users of FitBits and other “smart” technology. The recent Washington Post article indicates that FitBit data of military personnel can reveal their locations, routes, and other sensitive information. This presents serious operational security concerns that could be exploited by our adversaries.
Please join me in sending a letter to Secretary Mattis requesting a Department of Defense review of smart technology policies, details on any previous red cell testing or known compromises, and planned mitigation efforts.
If you have any questions regarding the letter, or if you would like to sign on, please contact Richard Wozniak at 202-225-3531 or Richard.Wozniak@mail.house.gov.
Dear Secretary Mattis:
I am writing in response to an article in the Washington Post on January 29, 2018, titled “U.S. soldiers are revealing sensitive and dangerous information by jogging.” The article describes maps generated by GPS tracking company Strava that reveal sensitive locations and activities of individuals at U.S. military bases around the world. However, this operational security problem is not isolated to only FitBits and other wearable devices, but also personal GPS, smart phones, smart cars, and other smart technology.
According to the article, users of the Strava maps allegedly acquired the locations of a Patriot missile site in Yemen, Special Operations bases in the Sahel, a suspected base under construction in Syria, among other sites. Details shared from wearable technology used by personnel at these sites, even for locations that are overt and publicly known, create a vast amount of easily accessible data on individuals’ identities, patterns of life, and operations. Such widely available data increases terrorism and counterintelligence threats to our personnel and facilities.
The U.S. military allegedly expanded the use of Fitbits among military personnel and distributed them in a pilot program in 2013. However, in response to the Washington Post article, the U.S. Central Command in Kuwait issued a press response that “the Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.”
As a member of the House Committee on Armed Services, I am concerned with the potential security risks that the use of wearable technology and smart devices could create to U.S. military personnel and facilities around the world. Given the large number of DoD facilities with varying levels of sensitivity, it seems plausible that policies on the use of these devices may be unevenly implemented. I am also concerned that we find ways to keep personnel connected with their friends and family while accounting for operational security needs.
I respectfully request your Department conduct a review of facility security protocols relating to this issue, to include restrictions on the presence or use of smart technology. In particular, I request answers to the following questions:
- What is the Defense Department’s current policy on use of “smart” technology that transmits user data at overseas bases? At classified overseas facilities? What processes does the Department have in place to periodically review such policies? Who is responsible for ensuring that these policies are implemented?
- What operational security training does the Department of Defense or individual military services require for individuals traveling or deploying overseas?
- What red cell testing has the Department of Defense conducted on this risk and what are the results of the tests?
- What safeguards does the Department have in place to prevent personnel user-generated data from being used by adversaries seeking to collect intelligence on and/or compromise individuals?
- What terrorist or foreign intelligence activity has been connected to the use of open source information, such as that generated by wearable devices?
- What are Department processes for mitigating security risks once a sensitive facility or program is publicly exposed? How is this information reported within the Department? How is this information reported to Congress?
Thank you for your attention to this matter, and for your prompt response within two weeks of your receipt of this letter.