The Indian Air Force’s (IAF) agreement with Uber to provide transportation solutions for its personnel and families has sparked a backlash, with critics pointing to major security concerns.
The deal is intended to offer IAF personnel and their families convenient, cost-effective mobility services. However, the partnership has raised alarms over the potential exposure of sensitive data, including travel details and personal information, that could be accessed by Uber, a company that, though widely used, is not free from security risks.
Critics argue that the deal is a potential breach of secrecy, given the significant amount of sensitive data that could be compromised. The absence of a robust data privacy law in India only exacerbates these concerns.
What is even more troubling is that this deal between the IAF and Uber mirrors situations in the past where security risks associated with data sharing have led to disastrous consequences. The experience of the United States with Strava offers a clear warning of what could go horribly wrong.
Strava, a popular fitness tracking application, has inadvertently demonstrated how personal data can be exploited to uncover highly sensitive military information.
In 2018, Strava’s global heatmap, which tracks user activity such as running and cycling routes, revealed information that the United States (US) military would have wanted to remain classified. What was originally seen as an innocuous sharing of daily fitness activity data quickly became a security nightmare for the US.
Researchers and journalists discovered that Strava’s heatmap displayed over 1 billion activity points worldwide, including those of users who appeared to be active-duty military personnel and intelligence agents. Through careful analysis of these public records, experts were able to pinpoint the locations of sensitive military and intelligence operations based in foreign countries.
The most glaring issue was the ability to track movements and identify life patterns of military personnel, particularly in conflict zones.
One example that sparked concern was the identification of US military bases and patrol routes in Afghanistan. The Strava heatmap, when cross-referenced with known locations, revealed not only the presence of US military bases but also specific patrol routes and even the time frames in which personnel were moving. Security analysts feared that adversaries could easily exploit this information to monitor US operations.
Strava’s heatmap has exposed serious operational vulnerabilities in Afghanistan, with two of the largest coalition bases — Bagram and Kandahar — easily identifiable, along with other smaller, publicly known installations. However, the real threat lies in the unintentional disclosure of additional airstrips and base-like structures in regions where US forces are not known to operate.
Even more concerning are the faint lines linking these locations, which unmistakably trace the primary travel routes used by American convoys and personnel. This data reveals key logistical corridors, effectively laying out the most vulnerable points for attack, making military personnel easy targets.
This same technique was later applied to military and intelligence facilities worldwide, including Turkish military patrols in Syria and French bases in Niger.
Experts also quickly recognised that such data could be used to track individuals — down to the specific military personnel at sensitive locations.
This problem became especially worrying when some researchers, using only the publicly available Strava data, were able to follow the movements of a French soldier back to his home, mapping the soldier’s personal and professional life with alarming ease.
A particularly chilling aspect was that once an individual was identified, their patterns of life could be used to track their movements between military bases, creating a digital footprint that could lead adversaries to previously unknown locations.
The Strava case highlighted how dangerous seemingly innocuous data can be when aggregated and analysed for patterns.
With access to such data, adversaries could not only identify personnel but also build a comprehensive understanding of their routines, which could then be exploited for espionage or physical attacks. In essence, Strava had turned everyday activity data into a goldmine for adversaries seeking to undermine security.
This is precisely the kind of risk that many security experts are warning about in the case of the IAF’s partnership with Uber. The concern is that sensitive data related to Air Force personnel, including travel information and family details, could be exposed to foreign entities through Uber’s platform, which may not have the kind of airtight security necessary to protect such critical information.
As experts have pointed out, hackers can break into seemingly secure systems with ease, and the lack of stringent safeguards could lead to catastrophic breaches of secrecy.
While Uber has given assurances that it will provide enterprise benefits tailored to the IAF’s needs, critics remain unconvinced. The Indian Navy, Coast Guard, and Air Force are now reportedly considering terminating their contracts with Uber due to security concerns, particularly regarding data access.
The lessons from Strava are clear: when dealing with sensitive data, particularly in a military context, the risks of exposure far outweigh the potential benefits of convenience or cost savings.
The IAF’s agreement with Uber, despite its good intentions to offer cost-effective transportation, risks repeating the same mistakes that have led to major security breaches in the past. Military personnel, their families, and veterans deserve mobility solutions, but these must come with the highest levels of security, especially when the safety of national interests is at stake.
The IAF would do well to heed the warnings from security experts to avoid a scenario where the convenience of modern technology turns into a liability.