Fit Leaking: When a fitbit blows your cover

JAN 29th UPDATE:  As Mikko Hypponen pointed out today, Strava is not the only company that makes this kind of data available today.  Suunto makes a global exercise map called Movescount available that does much the same thing.  In thirty seconds of examination it is possible to find patterns of movement in military facilities. The message is clear: Fit leaking is a global problem, and it it is only the tip of the location-data-iceberg.  Strava and Suunto made their maps public, and thus showed what their “God’s eye” view of human behavior looked like.  Most of the companies that collect this kind of data will never make such maps public, yet the data sits on servers around the globe.

Fitness Tracking uses movement sensors, and sometimes a GPS chip, to collect information about things like distance traveled, and activity during exercise. In the aggregate, the information can also be used to determine things like urban behavior patterns.

Strava is an exercise-based social network. Users provide Strava with their exercise information, in exchange for tracking their progress, and receiving social encouragement from fellow exercisers.  This provides a degree of community, opportunities to meet like-minded exercisers, and motivation to meet exercise goals. Strava also markets the information that they collect in the aggregate as a tool to help municipalities understand activities within a community. Strava shows some of what they collect in their recently published heat map, which provides a global view of fitness behavior.  It also appears to contain a remarkably large amount of information that institutions are trying to keep confidential.

Introducing Fit Leaking

The information emitted from fitness trackers, even when not immediately associated with a particular individual’s real identity is highly sensitive. Even more so when viewed in the aggregate.  Fitness tracker data, when combined with other publicly available information (or non public information), can be used to “out” sensitive activities, such as the location of classified facilities, diplomatic outposts, and military activity.  Location emitted by fitness trackers can also link individual users to their homes and patterns of life. I’ll refer to this as Fit Leaking, which I roughly define as: when fitness activities, recorded for personal benefit emit into signals that reveal sensitive and confidential information.

Small military outpost in an unnamed denied area, exposed by a heavy exerciser jogging the perimeters and fit leaking. Coordinates removed.

Since Strava released its newest map, twitter users have quickly begun looking into areas of interest, showing how fit leaking can quickly wipe out substantial efforts taken to keep certain activities hidden.

Strava’s global heat map is fascinating, and it is likely to be an effective pitch for their Metro product, which sells a version of this data to cities.

Strava’s heat map of a ‘normal’ area. Small pockets of intense activity are visible, connected by bike and running trips.

Whether or not Strava intended it, the map contains a massive set of signals about military, diplomatic, commercial, and private behavior. It will be interesting to observe whether Strava and other similar tracking-aggregators follow the inevitable path of being courted by other potential customers who have a much more invasive set of reasons for accessing it. 

PAPI: Presence, Activity, Profile, Identification

The objective of this section is to highlight some of the categories of information that can be quickly identified from perusal of Strava’s heat map. The map is a series of routes associated with user activities, displayed as an overlay on a slippy map, and using basic color ramp showing rate of passage over specific area, segmented by activity type.This section will outline several examples where the simple presence of indicators from fitness trackers could provide important signals to adversaries. It is not intended to be comprehensive.

Type of Signal Explanation Example
Presence In some cases, the presence of one or more individuals with trackers points to a non-public fact, such as the location of an installation. A covert military outpost is identified by a consistent pattern of exercise activity in a remote area, or an area where there are few other users of fitness trackers.
Activity Activity level at a sensitive installation can be ‘read’ based on volume of fitness tracker activity Rate of activity of personnel at an embassy, or installation, can reveal important information about activities and strategy
Profile A single fitness tracker user, or users, who regularly wear fitness trackers during their work activities can signal important information about who they are and what they are doing. Patrol routes can be observed at a military base, or outside of a military base.
Identification In areas of high fitness tracker use, it may be difficult to identify specific people, however in areas where fitness tracking is less common, specific residences or other locations can be used to identify individuals   Individual homes or workplaces, as well as other uniquely identifying areas can be used to associate a particular trajectory with a particular individual or small group.


While there are many global users of fitness trackers, they are not evenly distributed.  Some areas of the heatmap are thus “dark,” reflecting a lack of tracker ownership, power, cellular network and so on. Yet even in those areas, pinpoints of high activity can be observed.  Some of these areas may also be ‘denied’ such as Syria. Evidence of heavy activity in these very small areas can, when combined with satellite imagery, be used to identify military bases, and other covert activities.  I observed that military bases often feature very high levels of concentrated physical activity.  Looking for this “bright” activity in “dark” areas where conflicts were ongoing revealed a wide range of military installations that appeared to have foreigners busily exercising in them.

Stava’s heat map of an unnamed “dark” and denied area. The small dots correspond to areas that can be reasonably linked to a foreign military. The areas are not connected by movement, and likely have their own power and internet. The intensity of the areas indicates a lot of exercise in a confined space. Coordinates removed.

 In an hour, I was able to use fit leaking to identify several covert and non-declared operating bases, diplomatic outposts, and possible intelligence facilities in several ongoing conflict zones in Africa and the Middle East. The same technique can also be used to identify the presence of US Military personnel within bases of friendly countries.

Small military or intelligence outpost in a denied area, exposed by a heavy exerciser with not much running area available, fit leaking. Coordinates removed.

I was able to match a flurry of activity in a base belonging to a Middle Eastern country to recent public information about investment in improving facilities at that base.  The pattern of life activity also highlights the likelihood that the same western personnel are servicing aircraft, which matches with reports that the base is used to conduct drone warfare.

Since the publication of Strava’s map, many others have begun examining the data, looking for indications of the presence of previously hidden activities


Military and diplomatic personnel need to exercise, and this can be difficult in tight urban areas during a conflict. As a result, these activities are likely to create a very tight and intense hot spot of activity that does not correspond to sporting areas or other areas.  In Damascus, Syria for example, we can locate the Embassy of Russia simply by looking for fit leaking outside typical areas for exercise, and focusing on the hotspot of fitness tracker activity.

Staying in shape inside the walls: Fit leaking at the Russian embassy in Damascus.

It is likely that the activity rate at the embassy across time would likely provide a further signals about the activities of personnel within the embassy. We see similar hotspots elsewhere in Damascus.  For example, in the Al Assad University Hospital, we spot further evidence of enclosed fitness activity, or substantial movement.

The same exercise can be conducted for many embassies and diplomatic compounds in high risk areas around the globe.

We can also find evidence of tracker activity likely indicating shipping activity, and possibly the arrival of military personnel needing exercise, in the port of Tartus, Syria.

Sea Legs? Fit leaking of likely-Russian activities at the port in Tartus Syria.

This post is written based solely on the kinds of things that can be inferred from the use of Strava’s public heat map, which contains partially anonymized information, and does not have a time dimension.  Access to the same information in a more real time basis, either with the consent of companies like Strava, or via techniques such as network monitoring, could be expected to provide an even more granular picture of sensitive activities, and thus result in even more potential risk and harm.


Fitness trackers may also record activity that reveals sensitive information about specific activities that range beyond fitness. For example, fitness tracking logs show apparent sentry or patrol activities in a base located in Western Syria.  In this case, the fit leaking has revealed a regular pattern around what appears to be a munitions storage area. 

Pattern of life at a munitions depot in Syria

By examining fit leaking at other non-recreational areas for a high level of activity, we find additional signs of activity at military bases in Syria. In this case, at an airbase.

Activity pattern in a Syrian airbase, likely by Russian military.

In outposts and undeclared facilities throughout Syria belonging to both Russian and NATO forces, fit leaking reveals individuals’ routes from bases to other locations, shows evidence of regular patrols, and provides a window into other sensitive activities. Such information could be used in the planning of military strikes, or even plant roadside bombs.

Fit leaking revealing patterns of life on an airbase. Coordinates removed.

As twitter users have pointed out over the last day, this kind of activity is visible everywhere.  Such patterns are widely visible across military bases, including non-declared military bases in areas of the Middle East and Africa.  The granularity of the activity is such that individuals can be seen regularly moving between buildings within a base in some cases, indicating clear information about patterns of life for specific individuals with specific tasks, such as aircraft maintenance and flight support.


In low fitness-tracker density areas, it is possible to use fit leaking to identify individual routes, and link them to specific high value locations, such as between residential areas and embassies. I am choosing not to include any examples, however they are not difficult to find, and they may already be appearing on Twitter.  

Conceivably, when combined with other information, it may be possible to localize diplomats, intelligence officers, VIPs and other at risk individuals by following the routes displayed from sensitive facilities to residences, hotels, and other areas.

Additional Areas of Concern

Many workplaces (and some insurers) encourage the use of fitness tracking to promote health. However, fit leaking can expose information that is business confidential, or highly valuable to competitors. There is a constant pressure to develop new forms of business intelligence that track hard-to-hide business data, like using satellites to count cars in factory parking lots, or measure the size of coal piles.  What is remarkable about fit leaking is that the data is intentionally emitted, albeit without awareness of the implications of publishing it.

Commercial Espionage Risks

Examination of the heat map makes it clear that fitness trackers are also carried by individuals undertaking a wide range of commercial activities, from fishing to oil and gas exploration and exploitation, mining, and manufacturing. In some cases, the map actually reveals patterns taken by fishing boats, dredging equipment, and open-air equipment, to name a few.  This kind of information is valuable, and some of these industries are already heavily scrutinized by competitors and investors seeking estimates of production rate, resources, oil and gas exploration, etc.

Individual & Family Privacy

I have been able to locate individual routes in rural areas, even with the resolution limitations available in Strava’s public heat map.  For example, I was able to find a Californian individual’s jogging paths beginning from their front door of a house, and following a regular circuit. I was also able to identify individual trips from a home to other locations. In the hands of an informed party, such as a stalker, or an individual engaged in intimate partner violence, such information could conceivably lead to harm. The same concern holds for regions where there is a high risk of kidnapping.

I found cases where schools and other educational areas were included in the take.  In some rural areas it may be possible, simply with access to the Strava interface, to trace routes taken between schools and individuals’ homes, as well as other information, such as the exercise habits of likely minors (as implied by use of a school track, for example, or a playground). While Strava explicitly states that the service is not intended for those under 13, it would be interesting to know what safeguards, if any, are used to prevent the data of minors from being included.

Addressing the Fit Leaking Risk

Fit leaking is a new kind of operational security risk, and it slipped under the radar of many organizations that are highly concerned about secrecy.  Militaries, intelligence agencies, and diplomats take many costly steps to shield certain activities from surveillance. Clearly, however, these entities did not realize that some of their personnel may have been unintentionally eroding these efforts via fit leaking.

Strava runs an incentive system that encourages us to turn over personal information in exchange for social rewards. This landed Strava a tremendous amount of information. Now, they are monetizing it. For the Strava users who have already provided the company with their data, it is probably too late to take any of it back.

While Strava provides users some control over privacy zones (where data is not recorded), this case illustrates the extent to which all individuals in a large user base cannot be expected to take full advantage of privacy settings available to them when they are presented as opt-outs.

Rosie Spinks, writing last August, pointed to the concern about how Strava users might inadvertently reveal more than they intended.

“…the multi-layered, opt-out heavy, and rather unclear nature of their settings still seems like a problem.”

Spinks was speaking to concerns about unwanted attention women could experience from other users on Strava’s social network. Her observation about privacy, however, could not be more relevant. Even some of the most highly privacy conscious individuals, such as military personnel operating in denied areas, have not effectively implemented these privacy settings.  This suggests that Strava’s model of privacy is not working in practice to prevent a global epidemic of fit leaking.

What to do?

Organizations concerned about operational security should probably consider taking urgent measures to halt further fit leaking from sensitive government and commercial activities, which might include policies against the use of location-enabled fitness trackers in work areas, limiting the network traffic of apps like Strava, banning them from official devices, and educating personnel about the risks that fit leaking poses.

While some may be tempted to ask Strava to remove access to take heat map down, it is unclear whether this would realistically mitigate the impact of the fit leaking. Certain facilities and activities have now been outed (if they were not already known to some well-resourced adversaries). Given the secrecy surrounding some of these activities, however, we may know whether this new ‘outing’ has caused any additional harm.

Basic Encryption: Boeing & Northrop Grumman lag behind competitors, rest of internet

Seven weeks ago Motherboard reporter Lorenzo Franceschi-Bicchierai penned The World’s Biggest Military Contractors Don’t Encrypt Their Websites. Lorenzo’s good read probably caused some red faces at Raytheon, Lockheed Martin, Boeing, and Northrop Grumman. The reason is simple: the lack of HTTPS on your site signals that you lag behind the security curve.  This is unfortunate if you are a company with billions in cybersecurity contracts.

Lorenzo’s piece clearly had an impact. As I write this, it looks like the websites of Raytheon and Lockheed Martin have HTTPS-by-default enabled. Nice work CISOs and your teams! 

Boeing and Northrop Grumman still lagging as of late November 2017

Unfortunately not all of the companies followed suit.

Boeing and Northrop Grumman Websites Lagging Behind Competitors

As I write this, Boeing and Northrop Grumman still do not have HTTPS encryption enabled-by-default. This is pretty remarkable for companies that regularly ask for billions in taxpayer money. Even the often-lagging US Government implemented an HTTPS-only standard back in 2015. Yet companies like Northrop Grumman actively market themselves, and their products, as at the forefront of cybersecurity.

Boeing has had several wakeup calls about cybersecurity in recent weeks.  A must-read story by Raphael Satter of the Associated Press highlighted that Russian hackers had targeted Boeing employees, among other defense contractors. Then, last Week the Department of Homeland Security announced that they had remotely hacked a Boeing 757 at an airport.  A more subtle wakeup call on cybsersecurity issues may be found by visiting the website in a Chrome browser: you will get a “Not Secure” notification next to the URL.

Boeing Website in November 2017: still not using encryption

This is Google’s helpful reminder to web users about the privacy of their personal data when visiting sites served over HTTP (i.e. without encryption). It is also one of Google’s not-so-subtle nudges to website operators (like downranking websites without encryption in search results) that HTTPS-by-default is essential to a safe internet

Northrop Grumman has a 2 billion dollar cybersecurity business, and pitches itself as a trusted partner to government in both offensive and defensive capabilities. Somehow, the company has still not gotten around to enabling HTTPS encryption.

The combination of and Google Chrome is unintentionally funny today

I wonder how the many fine employees who work in cybersecurity at Boeing and Northrop Grumman feel about their employers lagging so far behind basic cybersecurity good practices? I suspect some are secretly embarrassed.

HTTPS: A Cheap Signal That Your Company Gets It

Although there has been a tremendous push towards serving all websites using encryption, HTTPS is still not universal. Ask any expert in cybersecurity: for the past couple of years lack of HTTPS is a major red flag on any site selling anything cyber-related. At this point, lack of HTTPS on any website selling anything is a reason to browse the heck out of there.  HTTPS on a website, on the other hand, a great indicator that your company is keeping up with basic norms and good practices on the internet.

If you work at a company that has not enabled HTTPS, take a look Google’s argument for enabling it, then ask your IT staff what the roadmap is for HTTPS implementation.

While you are at it, take a peek at these simple digital security steps for everyone.

Google News Launches Hoax Story Into Orbit [updated]

Update (Nov 28, 2017)

-The obviously fake GearsOfBiz “news” site now shows only a blank page. However, readers can still find cached versions of the page here (

Update (Nov 20, 2017)

-After three days receiving Top Story positioning in the Science section, Fox News has now jumped in, and is now chasing the traffic train. It is joined some additional news outlets and the dubious (in a different way) Russia Today.

-Post updated with an additional dubious site included (The Canada Journal), and an appendix of domains from the same cluster.

Have you Visited Google News between last Saturday morning and today?* If so you might have spotted a top Science story with a headline claiming that a photo “PROVES NASA staged Apollo 17 Mission.” Or similar.

The origin of this top story on Google News Science is a single conspiracy-theory YouTube video with a wild interpretation of a blurry image. In other words, the same plot of every UFO video since home camcorders started showing up under Christmas trees. Nevertheless, it has has edged out real science news for more than three days.

The story shares a top spot with a NASA scientist complaining about being inundated with questions about other space nonsense. Shortly after I took this screenshot, the false story overtook the scientist story.

Humorously, the story initially appeared below a Washington Post reporting on a NASA scientist being pestered by internet users who were taken in by a prior dubious claim circulating last week. Shortly after I took the screenshot, the nonsense story surged past the Washington Post story.

What is going on?

In a nutshell? Google News can’t stop itself from pouring traffic kerosene on the internet’s dumpster fire of fake science stories.  

Science Nonsense (SN) like this belongs in tabloids next to the skittles in the supermarket checkout aisle, not Google’s widely trusted news site.  Yet for three days, Google News has been amplifying a story promoted by tabloids, and a cluster of dubious sites.  These sites are sloppy, rife with obvious indicators of low-quality, built on fake identities, and have no relationship to anything scientific (E.g. The Fashion Observer). 

The Science Nonsense That Google News Can’t Shake

This Science Nonsense is based on a YouTube video by pseudonymous conspiracy theorist who fancifully interprets of a low-resolution reflection in an astronaut’s visor on a grainy piece of footage. The same person offers images of martian pyramids and UFOs.  

The original YouTube source channel is filled with UFO videos

Most of the outlets that are disseminating the story are highly suspect or are tabloids (more on this later). Shortly after appearing on Google News, the story bubbled into Google Search, for searches involving the Apollo 17 mission. 

The story has persisted on Google News long enough for other news outlets to try and hop on the traffic train. Newsweek,  sensing the buzz, picked the story up a day after it began, including block paragraphs from the anonymous YouTube user without commentary, and appending a quick conclusion pointing out that conspiracy theories have been debunked in the past.

While some of the reporting uses hedge terms like ‘claims that,’ even the internet comment section knows what is going on. Several reader comments on the Newsweek story provide some critical editorial feedback. 

Todd and Jim give Newsweek some editorial feedback


More Than A Fact Checking Problem?

As recent articles have pointed out, algorithmic news sites have a problem with amplifying false and inflammatory stories, and conspiracy theories. Google, along with  Facebook, has recently been criticized for promoting conspiracy theories around multiple mass shootings, as well as failing to detect and block election interference. Google News was also “gamed” earlier this year to serve scammy advertising, as I wrote in June.

To address the critics, Google has doubled down on a highly publicized strategy of adding fact checking (via partners) to aggregated news results.This includes partnering with prestigious journalistic organizations, like the Poynter Institute, which sponsors the International Fact-Checking Network.  

Were the Google News Fact Checking process working properly, this SN story cluster should have been flagged. And at minimum provided with some debunking. The fact is: three days in and there is still no flag. The closest Google News gets to fact checking comes from the content itself, some of the stories have included terms like “claim” in their titles.

Google News: Your Headlines Matter!

Whether or not you think that a gentle ‘fact check’ reminder that something might be ‘off’ about a story is enough to stop people from believing it, stories about this nonsense claim should have never made it into Google News.

Headlines, as anyone who has looked at a newspaper stand knows, have clear news value. They capture your attention, and shape how you think. One study concludes that 44% of visitors to Google News simply scan headlines, and do not read the articles.  This seems about right, according to my n=1 observations.

Google News does not just amplify headlines, it adds credibility to the claims they make. According to a recent study, people view headlines as more trustworthy when they appear on Google News than when they appear in their original outlets.

“…readers are more likely to trust a headline they read in Google’s news aggregator, over the same headline on its original website.”


An interesting New Yorker piece by Maria Konnikova makes it clear that headlines have a major cognitive framing effects, create an initial an impression that is “sticky” and hard to correct. Even if the correction is featured in the article they are attached to.  At the same time, it could not be more clear that adults and children often struggle to spot fake news.

The damage, in other words, may be done once the headline appears in the first place. No doubt it is compounded when the story won’t go away.

Perhaps if this SN attracts even more traction it will receive a debunking that Fact Check can point to on day four. By then, however, Google News will have helpfully launched this Science Nonsense launched into a stable news orbit.

Google News Cannot Spot The Lie

The fact that Apollo’s brave astronauts went to the moon is not a matter of debate. Nor is it a political or hotly contested claim. It is false information that could be instantly identified as such by any of Google’s tens of thousands of competent employees. Or a student editor at a high school paper.

In fact, Google “knows” that the Apollo 17 event took place, and helpfully provides it as a sidebar to searches about Apollo 17. The enduring presence of this SN in Google News suggests that the criteria that seem to be being used to feature “Scientific” news may be fully decoupled from even the most basic scientific knowledge, or other factual information available to Google.

Google’s Sidebar for Apollo 17: Google knows that Apollo 17 happened

Google avoids the accusations of partisanship that dogged facebook’s news editors, by avoiding human news editors, but provides no failsafe for getting rid of nonsense that gets through the algorithms.  

The success of this particular SN may be partly because Google News is sourcing from many highly dubious sites. There also may be category issues. For example, should tabloids ever be looked to as source of Science news?  

Garbage In Garbage Out: Dubious Sites Get Major Play on Google News

It is not clear why a UFO conspiracy theory would be suddenly catapulted into visibility by Google News.  Some of the sourcing is from major online tabloids (e.g. The Sun) but for the past three days, most of featured stories belong to a cluster of badly executed, dubious websites that provide fake phone numbers and questionable contact information.  Can it be that Google News is looking to these highly questionable sites for signals that an important story is breaking?

“Full Coverage” showing the presence of dubious outlets (November 18th, 2017)

The dubious websites include, among others:

Fake Fake Fake

A look through these pages immediately identifies major red flags that go far beyond obvious issues such as bad English. These include:

  • Fake editors
  • Stolen About Us content
  • Plagiarized stories
  • Fake contact information

I called the contact phone numbers listed on the websites. None of them appeared to be genuine, although I did reach some surprised and confused people. I have grouped these sites into several rough clusters based on shared accommodation addresses.  Each of the outlets shows evidence of major red flags.


Outlets Amplifying Story Some Red Flags Listed Address Other “news” sites Sharing the address Associated Identity
The Quebec Times, The Stopru Wrong and disconnected phone numbers, bad English Accommodation address in Toronto, Ontario The Siver Times UNKNOWN
The Fashion Observer Fake Editors, Misc plagiarized content, wrong phone numbers Address in Chester, Oklahoma   Chester Report, Crypto Crimson, The Beacon Daily UNKNOWN
Gears of Biz Plagiarized About Us UNKNOWN UNKNOWN UNKNOWN
The British Journal, Canada Journal Plagiarized About Us, wrong number, plagiarized story content Residential address in Quebec, Unknown None, however a very large number of sites linked by advertising trackers (See: Appendix A) UNKNOWN

Fake Editors

The Fashion Observer lists a “Justine Forester” as Chief Editor.  This person has an impressive bio that begins “I am a Ph.D. trained neuroscientist with over ten years of experience in biomedical research…” Which sounds like a pretty great CV for the editor of a Fashion news site. “Justine” shares the same bio as editorial staff listed on other dubious sites, such as  “Alan Cook” from Hitech News Daily and “Frankie Price,” editor at Examiner Standard.

The Fashion Observer:

Hitech News Daily:

Examiner Standard:

Stolen About Us Pages

Gears of Biz has a nonsensical mash-up of text on the About Us page that begins “Our aim is invoking the finest light for Humanity.”  It goes on to include text stolen from the reputable Nature Publishing Group.  Of course, this makes no sense on a “gadget” review website. Their only contact information, meanwhile, is a free online e-mail address.

Plagarized About Us Examples:

Gears of Biz:

The reputable science publisher Nature Publishing Group, from which the text was lifted:

The British Journal site also includes a sloppy copy-pasted Contact info, neglecting to delete the name of the Hays Post, whose website it is stolen it from.

Sloppy Copy Paste in the Contact Information on The British Journal still includes the name of the news website it was stolen from
Text stolen from the Canberra Times.

The Canada Journal also steals Contact info from a real news organization: the Canberra Times. The theft is sloppy, and the site simply pasted in addresses and phone numbers from the Canberra Times.

Fake Contact Info

The Quebec Times and The Stopru are particularly weird.  Care seems to have been taken to establish accommodation addresses, and develop a more detailed narrative. The writer(s) are clearly not native English speakers: “The Quebec Times is Quebec provincial newspaper.”  The sites also offer plenty of news about Russia in bad English about topics such as heavy snowfall in Vladivostok.

A “Quebec provincial newspaper” providing weather updates for Vladivostok, Russia

The sites have a heavy focus Russian news, and appear to be promoting stories generally favorable to Russia.

The Stopru takes a pro-Russian government line on doping allegations

If the bad English and emphasis on snowfall in Vladivostok were not enough to suggest that the site might not be Quebecois provincial news, the listed phone numbers are wrong.  A confused person reached at the only working number I could reach on The Stopru denied knowing anything about it.  The sites also list an accommodation address in Toronto as their contact information.

The British Journal also lists a phone number. A surprised and polite man in Quebec answered when I called, and explained that he had never heard of the British Journal, and that this was his personal phone number.

Gears of Biz also borrows the contact information of an individual in Connecticut. Sites linked to it (e.g. The Beacon Daily) not only use that persons number, but also borrow the phone number of a pasta shop, and an industrial lubricant manufacturer.

The Rabbit Hole

I would go on listing problems with these sites, but I can’t help feeling that I’m spending more time identifying flaws in these pages than the creators spent making them. The sites are clearly part of larger networks of sites that share content, page templates, advertising trackers and similar dubious standards.

An example of such a network can be found by examining the web presence of The British Journal. A quick look at Google’s own analytics identifier on the The British Journal site shows that the website operator is not hiding their network of related sites from the company. Using Passive Total we can see that 31 similarly dubious “news” sites share the same Google Analytics tracking identity.

Passive Total shows a total of 31 dubious sites linked to The British Journal by the same Google Analytics tracker ID

Perhaps this is diagnostic of the problem that Google News faces? In any case, it highlights that the Google News product is struggling with publisher quality control.

The Harm from Google News Product Fails

Ultimately this particular story will eventually lose its position. Maybe on day 4? Other things will likely jostle it out, right? I hope so.

When asked about the recent proliferation of false stories about the Las Vegas shooting on its platform, a Google spokesperson gave a revealing quote to Vice News.

A Gogle spokesperson speaking to a prior episode of false stories showing up in search results

This reflects a deeper philosophy: Google clearly prefers a “no hands” approach to content. This means letting constantly-tweaked algorithms sort things out, but staying away from directly picking winners and losers in what gets selected.

As Google News reaped the whirlwind of false stories that proliferated without a human editorial failsafe, the hard algorithmic line has been nuanced. Google’s approach has been to add a “fact check” feature, making it possible to flag stories. In theory. In this case, however, the facts speak for themselves:  non-credible stories have stayed on the News page so long that they are starting to look credible to other outlets. In three days they have not even been flagged for a fact check.

By surfacing interesting stories and relevant articles, Google News has earned a position as a major trusted source for news. Getting on Google News is a valuable (and lucrative) prize for news media, marketers and spammers alike.  

I suspect the sites behind this SN were seeking traffic, not achieving something more malicious.  Google News got gamed, and noise, once more, obscured signal. 

Bad Science News is a Scourge, Google Could Help

Some of the most serious issues our generation faces, like global climate change, live partly in the “Science News” bucket. There are decades of evidence that there are extensive campaigns to deny the existence of global climate change. Such campaigns include attempts to overwhelm online good science reporting with disinformation and noise.

This fake moon landing garbage reminds us that the Science News category on Google News can be successfully manipulated with false information. In fact, this story edged out many other genuinely interesting news stories in the Science News bucket.

Good and interesting science news stories stories edged out by Moon Hoax nonsense on Google News

These stories reflect serious investments of public money into science, and it is unfortunate that they have been buried.

As a company, Google depends on a highly skilled and smart workforce. Google is also a major supporter of STEM education programs. The Science News section of Google News is an opportunity to present good science to a general public. Unfortunately, like the Health News section earlier this year, it is clearly susceptible to promoting garbage. 

When Google News displaces important scientific stories with nonsense, it risks eroding the gains made by Google’s financial support for STEM programs.

Google News (and us) Got Lucky This Time

The real world consequences of false information treated as news could not be more clear. Intentionally planted false stories have inflamed ethnic tensions, caused stock market fluctuations, triggered diplomatic crises, and re-shaped elections. Historically, false stories have started wars.

The internet of today is built for marketing, and opinion shaping. This makes it an extremely powerful and appealing tool for groups with dubious motivations who wish to tinker with what people think, feel, and do. Sites like Google News and Facebook are ground zero for this malicious experimentation, and the internet has quickly become a freewheeling disinformation laboratory for those seeking to most effectively manipulate how we perceive the world around us, and how we act.

Networks of dubious ‘news’ sites, and attempts to launder information into a more credible venue are a major tool of nation state disinformation campaigns. The networks that I highlighted in this note could be used for the same purposes. In a sense, we (and Google News) got lucky.  The same buzz could have been easily created for a much more damaging, and socially inflammatory story.

Coincidentally, Google announced today that it would be encouraging Publishers to add additional ‘trust indicators’ to their content following a standard format. Whether or not these trust indicators works remains to be seen.  The presence of false information, including accommodation addresses, narratives of “local” news and lists of apparently qualified editors suggests that many of these sites have already been falsifying this information.  There is every reason to suspect that they will continue to attempt to game and deceive whatever indicators Google is looking for.

This case will (I hope) be used as a datapoint by the Google News team to hone algorithms, and refine indicators for stories and news sites that don’t belong.Is that enough? For the past three days, as this obviously false story shows up every time I check the news, I found myself asking the basic question: when will someone activate the failsafe and pull this story?  I’ve come to the uncomfortable conclusion that there may not be one.


*(Nov 20th, 2017)


Appendix A: The British Journal Cluster of Fakes

A list of sites associated with The British Journal’s Google Analytics tracker.

via a PassiveTotal search

Website First Seen Last Seen 2017-03-25 9:05:26 2017-11-18 22:22:20 2014-11-21 7:00:41 2017-11-15 14:28:04 2015-05-20 8:04:47 2017-11-13 2:06:06 2017-11-08 16:49:04 2017-11-08 16:49:50 2017-09-02 11:53:34 2017-11-08 8:30:55 2017-10-16 5:37:31 2017-11-01 5:30:21 2017-10-10 11:48:06 2017-10-20 14:53:10 2017-10-01 5:40:36 2017-10-05 11:17:15 2016-01-24 22:08:55 2017-09-23 0:54:14 2016-12-19 12:47:04 2017-09-03 21:32:03 2017-06-09 14:37:55 2017-06-09 16:17:17 2016-09-01 14:11:15 2017-06-03 8:14:34 2016-11-01 21:33:55 2017-03-29 11:34:04 2017-03-29 11:33:13 2017-03-29 11:33:13 2016-10-28 11:05:08 2017-03-19 12:16:46 2016-10-04 12:25:02 2017-03-10 6:10:56 2017-02-28 16:27:48 2017-02-28 16:28:40 2016-11-14 22:46:55 2017-01-23 14:29:45 2016-03-13 10:18:52 2017-01-04 3:33:43 2016-12-10 16:03:21 2016-12-21 16:33:24 2016-10-16 19:53:05 2016-11-03 15:53:43 2016-10-06 15:47:01 2016-10-22 21:57:40 2016-01-07 23:51:04 2016-01-07 23:53:04 2015-05-20 8:05:26 2015-05-20 8:06:11 2013-06-07 13:08:38 2013-11-22 12:03:36 2013-07-03 21:42:57 2013-11-22 5:28:25 2013-04-25 6:00:22 2013-05-20 3:12:16 2012-07-31 11:05:31 2012-07-31 11:05:31 2012-07-21 14:04:36 2012-07-21 14:04:36 2012-06-27 6:56:55 2012-06-27 6:56:55 2012-06-08 12:53:40 2012-06-08 12:53:40






My views are my own and not those of my employer, The Citizen Lab at the Munk School of Global Affairs, University of Toronto.  I am a past Google Ideas and Jigsaw (Alphabet) fellow.

#HyphensUnite: A Decade of United Airlines Ignoring The Hyphenated

United Airlines keeps changing my hyphenated last name, costing me up to hours of trouble when I travel. When an airline like United changes travelers names, all parts of a trip can be affected I am not alone in this: hyphenated users have complained about this for a decade. There are tens of thousands of hits on Google for this problem. 

By deleting hyphens, United Airlines creates a Passenger Name Record mismatch, which torpedoes smooth air travel. Here are some common problems for people with hyphens who fly on United, I have encountered all of them:  Online check-ins don’t work, forcing travelers to arrive early at the airport to get a paper boarding pass, or miss their flights. Customs flags travelers arriving in the US for extra scrutiny, resulting in long waits. TSA may send travelers back to airline counters.

United has publicly shrugged about this for over a decade. Noted security expert Bruce Schneier even blogged about the issue of hyphenations nine years ago. @united can be found on twitter advising passengers to simply delete their hyphens, which is bad advice and may result in a records mismatch, and delays. In 2017 the problem is still not fixed. Is United Airlines incapable of such a simple change?

United Arbitrarily Changes The Names of Hyphenated Travelers

The problem is so bad that I have decided to write this post.

John Scott-Railton

A fine name. It is pretty unique, and it helps to differentiate my research! Thank you, progressive parents. United, on the other hand, has a problem with my name. So they change it when I try to book flights, arbitrarily deleting the hyphen and splicing my last names together.

United’s Mileage Plus frequent flyer program recognizes the correct spelling of my name.

Figure 1: accommodates hyphens, it seems

However, when booking tickets with United, directly on the United site, the hyphen disappears and my last name is concatenated to SCOTTRAILTON.  Anyone with a hyphenated name will recognize this. As will many with two last names. Or a middle name. Or a long name.

Figure 2: United books the ticket under the wrong name, dropping my hyphenated name


The result?  United has issued me a ticket that is not in the name on my travel documents. This creates a Passenger Name Record (PNR) mismatch which raises flags everywhere. Thus begins the journey of pain.

When United Deletes My Hyphen It Can Cost Me Hours

The pain starts with online check in. I am unable to receive boarding passes from United because of this problem when traveling internationally to the US.  


Figure 5:Hyphenated customers waiting for their boarding passes from United (not really). Image: Flickr orijinal

Lines, Lines, Lines

Instead of proving me a boarding pass, on flights into the US, I am encouraged to go to a kiosk at the airport.  So much for seamless travel in 2017.

Figure 3. United tells me that I cannot get a printed boarding pass from online check in

From experience, however, the same mistake can result in an error at the kiosk, requiring me to wait in a line to receive my paper boarding pass.

Figure 4. I get this missive in lieu of a boarding pass when checking in online


The dreaded X

When entering the United States my entry is typically flagged for additional scrutiny when I travel with the wrong name.

Of course I flag! This is not the name on my passport. United does not allow me to use my legal name.

The result is extra scrutiny, and a long wait. Typically, after the “extra attention” line,  I arrive in front of an officer who looks at boarding pass and passport, notes the mismatch, and waves me through. As anyone who has been in this situation knows, on a busy day these lines can last a long time.  After numerous conversations with officers, I have repeatedly had it verbally confirmed that my dreaded X was caused by this mismatch.

The Result: My Travel Takes Longer

I am a regular business traveler. Yet my travel is just-as-regularly disrupted by the additional burdens placed on by United’s failure to accommodate my hyphen. Depending on the trip, and the airport where my travel starts, this can cost me serious additional time, stress, and uncertainty. 

As the rest of the world is passed through increasingly automated customs and screening, we hyphenated-last-names are stuck with a problem caused by an archaic set of systems that cannot handle simple characters.

United Airlines Has Ignored Complaints About Hyphens For a Decade

United has known about problems with hyphenation for a long time. How long?  There is more than a decade’s worth of online posting complaining about the problem. Some travelers have gone as far as contacting United Airlines.  The official response often looks like a bit of a shrug. United has an unfortunate history of not addressing problems until they reach a critical mass of frustration. Or an unfortunate incident.

Apparently, hyphenated United Airlines customers are not a priority.

Figure 6: Thousands of posts and complaints going back a decade about United and hyphenation

The blog posts describing the issue go back more than a decade. This adds up to a lot of unhappy, inconvenienced customers.

Some of the posts also highlight United’s customer focused approach to the problem: ‘change your name.’

Figure 7: United basically saying “change your name”

A follow-up updated noted that the issue was not with, but with their reservations system.

The only mention on of the issue of hyphenation is a page explaining the hoops travelers need to jump through to change their name in Mileage Plus.  Which is, of course, not the problem for a traveler like me.  The problem comes when United makes the booking.

Figure 8: United Airlines does not have much documentation for people with hyphens in their names

A decade later, hyphenated travelers like me still face this problem with United Airlines.

United to Hyphenated Customers: Do Not Book Under Your Legal Name

The @united handle is active on Twitter, responding to all sorts of passenger issues. Including tweets from panicked hyphenated customers.

Figure 9: United confirms that their tickets cannot support hyphens or other characters

The typical advice? Put your last name together. In other words? Do not book your ticket under your legal name. This advice is likely to result in a Passenger Name Record mismatch, causing customers additional problems.



Figure 10: @united advising customer to change name, likely creating a PNR mismatch which can lead to travel delays and problems

Not all travelers are so polite.  Some point out United’s obvious lack of attention to the wide variety of names. To which @united cheerfully asks if the check in happened successfully, and promises to take the feedback on board.


Of course, the problem persists.


Figure 11: United flyer complains about hyphen issue, gets a chipper reply from @united. But the problem persists.

Despite the continuing flow of tweets from flyers having this issue, United Airlines does not seem to have made any progress in fixing it.

Will United Stop Forcing Customers To Use Incorrect Names?

United needs to stop shrugging when the hyphenated among us have a crummy customer experience. There may be short term solutions, such substituting spaces for hyphens, but the real solution is to work with their reservations and database providers to ensure that hyphens are treated correctly.  

Failing to do so means that some customers are subjected to this extensive additional disruption, and hours of valuable time wasted in lines, for reasons that are not under our control (our names!).

Buying a plane ticket should include the fear of a security issue, missed flight, or travel delay simply because of a “-” in a name.


Figure 12: Security expert Bruce Schneier pointing out problems with hyphenated names in flight reservations almost a decade ago

United is not the only airline with this problem.  As noted security expert Bruce Schneier pointed out almost 9 years ago, some airlines appeared to have been profiting from their inability to handle hyphens by charging change fees. It is unclear how widespread this practice was, or is. However, it points to the fact that this issue is not new. It is not even fresh. George Bush was president during many of these complaints.

So, why ask United if others have the same issues? Because sometimes asking one person is more effective than making a general request (see: diffusion of responsibility). I am also not a customer of any third party companies that might provide them with reservation and booking services. But United is their customer, and can make requests.

So, United Airlines, is it a waste of words to ask you to tackle this after 10 years of the same customer complaint? I suppose I will know the next time I have to check in for a flight to the USA…



Gaming Google News: Once as Spam, Once as…?

[Update: it looks like many others have been observing the same issue. Updated What is Happening section with detail.]

It is not just fake election results sites that are gaming Google’s News. As of writing almost 50% of the news stories that display on Google Health are fake news articles that redirect to spam sites.

This morning while reading Google news and putting off checking my inbox I clicked on the Health category. I skimmed a stories about obesity, seductively named veggies, and a legionnaires outbreak at a two LA fitness clubs. Then things got a bit stranger.

The first strange article seemed like a mistake in how the title was selected.

Then I read the text. No, this was not right at all. The page looked like it was part of a Search Engine Optimization (SEO) strategy. Flukes in algorithmically generated news do happen. Then I scanned further and found more. Much more.

Nine out of 19 news stories (47%) on Google News Health are a variant of the spam at time of writing.

Google News health was yielding up a ton of obviously SEO pages advertising the usual Viagra and Cialis. But also online dating services. Taking a look at Viagra jelly we see that this is generating enough of a buzz that the algorithm is offering “realtime coverage” of the event. Clearly, breaking news.


Helpfully I’ve got some other related stories, including Herbal Viagra.

Google News Spam Redirects

Readers will notice that there are at least two involved sites: “The Missouri Times” and the “Microfinance Monitor.” The Missouri Times is a news site with an online presence. Microfinance Monitor also appears to be a preexisting site.

Clicking on a link in Google Health gets you…penis pills

The links, as displayed on Google appear like this:


Directly visiting the links (without clicking via Google News) leads the user to the original site. However, clicking via Google News leads to the chain of redirects.


The result is an online pharmacy.

An online pharmacy site is the ultimate destination of the chain of redirects.

At the time of writing, on the “news” stories redirects to spam websites like “Dirty Tinder” and “Top Canadian Pharmacy.” There are no news stories.

What is Happening

It appears that news sites deemed legitimate by Google News are being modified by third parties. These sites are then exploited to redirect to the spam content. It appears that the compromised sites are examining the referrer and redirecting visitors coming from Google News to shop.medcom[.]top (and possibly other sites.

Update:  A story from The Register lays out how this works.


The Reg shows how visitors coming from Google News are redirected on a different, compromised site.

A quick investigation using Passive Total suggests that the operation is larger, and the iframe with a redirect to “shop.medcom[.]top” may be present in a range of news sites.

Some other news sites showing evidence of the iframe

Why Spam on Google News is a Bigger Issue

The use of real news sites provides a clever vector for the insertion of more problematic fake news and disinformation into a prominent landing page for news.

Just as fake news can damage democracy, fake news about health can have public health consequences. The fact that such obvious fakes have bubbled into Google News makes it clear that the information served there is still susceptible to intentional manipulation.

In this case it is hard to believe that anyone reading the headlines on articles would mistake them for real medical advice. The implausible headlines show a lack of imagination from whomever is behind them. They could have used much more plausible headlines, and easily redirected to lookalike news pages for the purposes of disinformation.  The case shows how easy might be for someone with other, less transparent objectives, to manipulate what readers see.