US military officials tracked with beer ratings on Untappd
US military officials are giving away more sensitive personal information than they might realise by using beer review site Untappd.
Untappd is a website and mobile app popular with millions of beer fans all over the world, allowing them to post photos of what they are drinking, where they’re drinking it, and share this information with their friends.
But apparently, it could also be used to track and trace military personnel, making it easy to find secretive military installations, as well as find out where they live, and who they live with.
That’s according to an investigation by open-source intelligence site Bellingcat.
To register with Untappd, you need to provide some personal details – or log in with Facebook.
Bellingcat reporter Foeke Postma said he was able to track down a US drone pilot, a list of bases he had visited over the past months, a US naval officer and a number of senior officials.
“Untappd users log hundreds, often thousands of time-stamped location data points,” he wrote this week.
“These locations are neatly sorted in over 900 categories, which can be as diverse and specific as ‘botanic garden,’ ‘strip club,’ ‘gay bar,’ ‘west-Ukrainian restaurant,’ and ‘airport gate.’ As the result of this, the app allows anyone to trace the movements of other users between sensitive locations.”
On top of that, he was also able to find very sensitive information in photographs that may have been taken by “slightly inebriated users” – things like personal identification card information.
Aside from photos being uploaded that are visible to anyone, Postma also pointed out that users themselves can be tracked down outside of the app.
When people register an Untappd account, they can only display their first name and first letter of their surname. However, many users create their username around their surname. Joe W, for example, could be written as “Wicks100”. From there, you can use social networking sites such as LinkedIn or Facebook, and search a few combinations of their name and locations found in Untappd check-ins to find their profile.
It is not the first time an app has been used to track military personnel. In 2018, online fitness tracker Strava published a “heatmap” showing the paths its users log as they run or cycle, and showed the structure of foreign military bases in countries including Syria and Afghanistan.
Postma, who has a background in conflict analysis, told the drinks business he was inspired to delve into the murky waters of beer reviews after a similar investigation into a fitness app he was using.
“This story on the Strava app broke, and then I did some digging later on in a fitness app I was using myself – Polar – and was able to track a lot of military personnel from their deployments back to the front door of their homes.”
Postma decided to try out Untappd after drinking a few beers with his dad.
“We talked about tastes and stuff, which ones are good, and I found it difficult to keep track of the beers I had and their taste. So naturally I began looking for an app for that.
“Downloaded the app – logged a beer or two – and then began looking at other people’s profiles and saw they had hundreds, often thousands of beers logged with locations added.”
He then started to check military sites and saw the same result, “and from there the story developed.”
Using data from the app, Postma was able to find the precise location of a military site which hosts a covert CIA training facility, called Camp Peary, and then showed how this could be used to track individual users’ movements around the world.
This, suffice to say, is not the safest place for a military officer’s data. “Extensive data on military personnel, particularly when they have functions where discretion is required, can be used maliciously,” Postma said.
Following a request for comment from the drinks business, Greg Avola, founder & chief creative officer of Untappd, said: “We take consumer data and privacy very seriously and understand that it is our duty to protect our users’ private information. Internally, we have measures in place to protect our consumer data from being stolen or hacked. Untappd users can visit our Privacy Information page here to better understand what data is used by Untappd and how, as well as how they can set their profiles to private. As always, we encourage smart data usage for all app users to avoid falling victim to bad actors online.”
The US Department of Defence has not responded to our request for comment.
Postma said: “I don’t particularly blame Untappd for this – they have decent privacy settings and users actively need to add info such as their location. Users themselves have the freedom to decide what they put on there and what they leave out. If a person is actively deciding to share certain things such as their location, then the onus is on them, not the platform.”