Source: French to English Tester Published on: 2026-04-20
Source: The Conversation – in French– By Fabrice Lollia, Doctor in information and communication sciences, associate researcher at the DICEN Ile de France laboratory, Gustave Eiffel University
The “StravaLeaks” case shows that, in a world saturated with connected objects and location data, ordinary digital traces have become a central security issue for sensitive environments. Simple movement data from a jog, recorded and shared by a public application, were able to be used to locate ships or military bases.
A jog, apparently, has nothing sensitive. Yet, in March 2026, an activity recorded on Strava by a French soldier made it possible to locate in near real time theaircraft carrierCharles de Gaullein the Eastern Mediterranean. Since 2018, theStrava global heatmapA – an aggregated visualization of public activities recorded by its users – had already revealed somemilitary bases and sensitive sites, and more recent investigations have shown that the sporting practices of bodyguards can reveal movement habits ofHeads of State.
The problem does not stem from sophisticated hacking, but from the ordinary use of a connected watch, a public account, and GPS tracking accessible online. This case illustrates how today’s security no longer limits itself to physical protection but also includes controlling the digital traces produced by our most ordinary behaviors.
When an application goes beyond its initial use
Strava is an application designed to track and share sports performances. Its primary use concerns leisure, digital sociability, and self-monitoring, not the documentation of sensitive activities. Yet this is where the ambivalence of this type of tool lies because, although not designed with security in mind, they can have very concrete effects on it.
As tracking technologies become part of daily use, they cease to appear as control devices. They become familiar tools, associated with comfort or the optimization of practices. From then on, a race, a repeated route, a starting or ending point, or an activity recorded at sea can reveal much more than just a sporting practice. A performance data point can become an indication of a routine, a presence, or a travel habit.
The Strava case is not isolated, moreover.At Heathrow Airport(London), in 2014, connected toilets were tested to anonymously measure their usage, improve cleaning, and better allocate maintenance resources. The example may seem remote, but it shows that, beyond explicitly security-related tools, connected devices also discreetly collectdigital traceson user behavior. In this sense, vulnerability no longer arises solely from an attack or a voluntary leak, but alsoof ordinary uses whose visibility effects are often underestimated.
Security is no longer determined only on the field
For a long time, security was thought of according to an essentially physical model. It was necessary to protect a person, secure a movement, control a perimeter, anticipate a threat. This logic is still relevant but, in the digital age, it is no longer sufficient.
In an environment saturated with connected objects, platforms, and location data, vulnerability can now arise at the periphery of the protection system. It no longer necessarily results from an intrusion or malicious action. It can come from a poorly configured use, an unexamined digital routine, or a tool used without awareness of its visibility effects.
The security of a political leader, a business executive, a diplomat, or a sensitive site therefore also depends on the digital traces produced by their human and technical environment: assistants, drivers, escorts, collaborators, military personnel, connected objects, tracking applications, or sharing networks. Protecting a “sensitive person,” a personality, today is no longer just about protecting their body or their itinerary. It is also about protecting the informational ecosystem that surrounds them.
This evolution reflects security increasingly reinforced by technologyviathe sensors, the data, and the monitoring tools. But the addition of technology does not eliminate vulnerability. That is precisely the problem of atechnosolutionist readingwhich overestimates human-machine complementarity. On the contrary, it reminds us that technology is only effective when it is combined with human analysis, field experience, and a deep understanding of the context. Certainly, technology therefore enhances vigilance, but it does not replace judgment, training, or a culture of risk.
The observed vulnerability is also organizational, cultural, and human. It arises from a form of mismatch between the banality of digital practices (running with a connected watch, for example) and the sensitivity of the environments in which they take place (being in a classified secret-defense location). The same tool can be perceived as a comfort or performance device while producing significant exposure effects.
Training thus becomes as important as equipping because it is not just about forbidding certain uses, but rather about making people understand how a digital trace, by definition invisible, can, through aggregation and cross-referencing, become sensitive information. Security is therefore no longer about controlling tools, but about the intelligence of practices.
Reintegrate the human at the center of security doctrine
One of the main lessons from these cases is that no technology protects on its own. An app, a connected watch, or a geolocation device are neither good nor bad in themselves.As research shows, it all depends on the context in which they are used, the rules that surround them, and the ability of the actors to understand their effects. This is why the response cannot be purely “technical”.
It also requires a usage doctrine, appropriate training, and a shared safety culture. Conversely, traceability can also enhance protection, but it does not replace human analysis, context assessment, or traditional safety methods.
In other words, the security of sensitive environments relies on a complementarity between the tool and the human. It is not enough to deploy devices; users must also understand what they produce, what they expose, and the possible consequences of their uses between potential surveillance and asurveillance, that is to say a more discreet form of capturing traces integrated into ordinary gestures and sometimes barely perceived by those who participate in them.
In the Strava case, the issue is therefore not just about better configuring an application. It is about building a culture of digital risk, capable of integrating the most ordinary actions into security considerations.
What research teaches us in connection with these cases is that the real lesson of these affairs may be here: in a connected world, the threat does not only lie in what one tries to hide, but also in what one produces without thinking.
These so-called “StravaLeaks” cases show that digital traceability, far from being a mere convenience of use, can become a security issue when it is part of a sensitive environment. Protecting today is no longer just about locking down a perimeter or escorting a personality. It is also about learning to manage the traces produced by the most ordinary uses.
![]()
Fabrice Lollia does not work for, advise, hold shares in, or receive funds from any organization that could benefit from this article, and has declared no other affiliation than his research institution.
–ref. « StravaLeaks »: when digital traces become a security issue –https://theconversation.com/stravaleaks-when-digital-traces-become-a-security-issue-279942
