The news that Le Monde tracked France’s Charles de Gaulle aircraft carrier in real time using Strava activity data should feel familiar to anyone paying attention in early 2018. That January, Nathan Ruser, then a 20-year-old international security student at the Australian National University, scrolled through Strava’s newly published global heatmap and noticed that supposedly empty desert regions were glowing with GPS traces. Forward operating bases in Syria, CIA staging areas near Camp Lemonnier in Djibouti, the NSA campus at Fort Meade: all of them betrayed by the jogging habits of the people posted there. The heatmap contained over 13 trillion GPS data points rendered at one meter per pixel, and in areas where civilian Strava usage was essentially zero, every glowing line was military.
That incident prompted Pentagon memos, Strava press statements, UI overhauls, and years of institutional guidance from defense ministries in the US, UK, Australia, and Germany. The Charles de Gaulle story, published in 2026, suggests that none of it solved the problem at the level it actually lives.
What the Data Model Looks Like
Understanding why this keeps happening requires understanding how fitness apps are architected at a product level, not just a privacy-settings level.
Strava’s core data object is the activity: a GPS track timestamped to the second, associated with a persistent user account that typically contains a real name, profile photo, and follower network. Activities are stored indefinitely. They accumulate across years. The social layer is built around sharing those activities, competing on leaderboard segments, and following other athletes; the entire product incentive structure pushes users toward public or semi-public visibility.
The heatmap is only the most dramatic expression of this model. Strava’s segment system creates another exposure layer that operates independently. Any user can define a segment by selecting a start and end point over a GPS route. Every subsequent athlete who rides or runs through that segment is automatically detected and added to a public leaderboard ranked by elapsed time. This means that even an athlete who sets their account to private, and who never shares a single activity voluntarily, can appear by name on a public leaderboard simply by passing through a segment someone else created. The segment feature existed specifically to create competitive visibility, and it does exactly that regardless of account-level privacy settings.
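The segment behaviour described above, as an added toy model (not Strava's code; the class names, the matching tolerance and all sample data are assumptions made for illustration). It shows a leaderboard built by matching every stored track against a segment, next to a version that checks visibility before publishing a name.

```python
from dataclasses import dataclass

@dataclass
class Activity:
    athlete: str   # display name on the account
    public: bool   # visibility the athlete chose
    track: list    # [(seconds, lat, lon), ...]

@dataclass
class Segment:
    start: tuple         # (lat, lon) picked by whoever created the segment
    end: tuple
    tol: float = 0.0005  # match tolerance in degrees, an assumed value

def _near(p, q, tol):
    return abs(p[0] - q[0]) <= tol and abs(p[1] - q[1]) <= tol

def elapsed_on_segment(act, seg):
    """Seconds from the first pass of seg.start to the next pass of seg.end, else None."""
    t_start = None
    for t, lat, lon in act.track:
        if t_start is None:
            if _near((lat, lon), seg.start, seg.tol):
                t_start = t
        elif _near((lat, lon), seg.end, seg.tol):
            return t - t_start
    return None

def leaderboard(activities, seg, respect_privacy):
    """Names ranked by elapsed time; matching runs over every stored track."""
    rows = []
    for act in activities:
        if respect_privacy and not act.public:
            continue  # hardened: visibility is checked before anything is published
        secs = elapsed_on_segment(act, seg)
        if secs is not None:
            rows.append((secs, act.athlete))
    return [name for _, name in sorted(rows)]

# Constructed sample data: coordinates and names are made up.
SEGMENT = Segment(start=(10.0000, 20.0000), end=(10.0050, 20.0000))
ACTIVITIES = [
    Activity("A. Public", True, [(0, 10.0000, 20.0), (60, 10.0025, 20.0), (130, 10.0050, 20.0)]),
    Activity("B. Private", False, [(0, 9.9990, 20.0), (30, 10.0001, 20.0), (140, 10.0049, 20.0)]),
    Activity("C. Elsewhere", True, [(0, 11.0, 21.0), (90, 11.01, 21.0)]),
]

if __name__ == "__main__":
    print(leaderboard(ACTIVITIES, SEGMENT, respect_privacy=False))
    print(leaderboard(ACTIVITIES, SEGMENT, respect_privacy=True))
```

With `respect_privacy=False` the private athlete tops the board because the match is computed from route geometry alone; the hardened call drops that row before any name is published.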
The Flyby feature added a temporal layer on top of geography. Flyby showed users a synchronized replay of every other Strava athlete whose workout overlapped with theirs in time and space. When security researchers began documenting the exposure this created in 2020, Strava changed the default to opt-in rather than opt-out. But opt-in defaults solve collective action problems only when they are introduced before behavioral norms calcify, not after.
Then there is the social graph itself. Fitness app followers/following relationships are frequently genuine social networks among colleagues and unit members. An analyst who identifies one service member through any of the above mechanisms can traverse their follower list to enumerate others, cross-reference against LinkedIn or other platforms, and build a reasonably complete picture of who is posted where.
Why the Charles de Gaulle Is a Different Kind of Target
The Charles de Gaulle is France’s only nuclear-powered aircraft carrier, commissioned in 2001 after a decade of troubled construction, home-ported at Toulon, and carrying a crew of approximately 1,950 people including air wing personnel. It is, by any measure, one of France’s most significant military assets and a central instrument of French power projection.
What makes a carrier group a particularly rich fitness-data target is the crew size. A single destroyer might have 280 sailors. The Charles de Gaulle has close to 2,000. Even if 95 percent of the crew follows responsible operational security practices, the remaining 5 percent is nearly 100 people whose Strava activities are broadcasting position. At the scale of a carrier group, which includes escort vessels, the number of potential data sources grows further.
The 2018 heatmap incident revealed fixed installations: bases that stay where they are. What Le Monde demonstrated is something more operationally significant: real-time tracking of a mobile strategic asset. A carrier’s position matters in ways a fixed base’s position generally does not, because it determines what it can strike, what it threatens, and how adversaries might counter it. Historical GPS accumulation in a heatmap reveals that people exercise at a base. Live fitness tracking of crew members reveals where the ship is right now.
The Policy Response Problem
After 2018, the US Department of Defense issued guidance restricting geotagging applications on military devices in operational areas. The UK Ministry of Defence and German Bundeswehr issued similar directives. Strava agreed to exclude designated military installation coordinates from heatmap rendering after receiving lists of coordinates from cooperating governments. These were reasonable responses to a documented problem.
They also share a common failure mode: they treat this as a policy compliance problem rather than a behavioral and design problem. A policy memo that says “disable geotagging apps in operational areas” requires every service member to internalize that instruction, apply it correctly every time, and maintain that discipline across deployments of months or years. One person’s lapse is sufficient to create exposure. At crew sizes in the hundreds or thousands, the probability of at least one lapse approaches certainty over the course of a deployment.
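The coordinate-list exclusion that Strava agreed to after 2018, sketched as an added example (not Strava's code; the zone list, radius and GPS points are constructed). It removes traces at a listed installation before rendering, but points recorded aboard a moving vessel never fall inside a fixed zone and so pass through.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def split_by_zones(points, zones):
    """Return (kept, dropped): a point is dropped if it lies inside any fixed zone."""
    kept, dropped = [], []
    for p in points:
        inside = any(haversine_m(p, (lat, lon)) <= r for lat, lon, r in zones)
        (dropped if inside else kept).append(p)
    return kept, dropped

# Constructed data: one listed installation and three made-up GPS points.
ZONES = [(10.0, 20.0, 2000.0)]   # (lat, lon, radius in metres)
ON_BASE = (10.005, 20.005)       # about 780 m from the listed centre
DECK_LAP_DAY_1 = (12.5, 25.0)    # a vessel at sea, not on any list
DECK_LAP_DAY_2 = (13.1, 26.4)    # the same vessel a day later

if __name__ == "__main__":
    kept, dropped = split_by_zones([ON_BASE, DECK_LAP_DAY_1, DECK_LAP_DAY_2], ZONES)
    print("rendered:", kept)
    print("excluded:", dropped)
```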
The Polar incident of 2018 illustrated how deep this runs. Bellingcat and the Dutch investigative outlet De Correspondent demonstrated that Polar’s Explore feature allowed querying public activities near any address, including the addresses of GCHQ, MI6, the NSA, and the CIA. Searching for activities starting at those addresses returned named athletes with full route histories including home addresses. Polar shut down the feature within hours of contact. But the exposure had existed for years before anyone looked systematically. That is the structure of the problem: the capability to surveil is created as a side effect of product features designed for other purposes, it exists quietly until someone uses it, and the remediation is always reactive.
What ‘Real Time’ Means Here
The Le Monde reporting describes locating the carrier in real time, which is worth being precise about. Strava does not stream live location data in the way that, say, Apple’s Find My network does. What real-time tracking via Strava means in practice is that an activity becomes visible to others shortly after it is recorded and uploaded, which on a modern smartphone with a persistent connection is typically within minutes of the workout ending. If a crew member runs a lap of the flight deck, uploads the activity, and that activity is public or accessible to people who follow them, an observer can see the GPS track, infer the ship’s position from the coordinates, and check the timestamp to know when the ship was at that position.
For a carrier moving at 27 knots, a position fix from thirty minutes ago still constrains its current location to a circle roughly 13 nautical miles in radius. Multiple position fixes over days of a deployment allow trajectory inference. This is not the same as real-time satellite tracking, but it is considerably more than nothing, and it is entirely free and requires no specialized capability.
The Design Incentive Problem
The structural issue is that fitness apps are built to maximize sharing. Their business models depend on engagement, and engagement depends on social features: leaderboards, kudos, follower feeds, Flyby, heatmaps. Every one of those features is a vector for location disclosure. Privacy settings can be tuned at the margin, but a fitness app with no social sharing is not a product that survives in the market.
This creates a fundamental mismatch. Defense institutions need their personnel to use fitness platforms in a way that is directly contrary to how those platforms are designed to be used. They can issue memos instructing people to disable features, but they are working against the grain of the product’s incentive structure, its default settings, its onboarding flows, its push notifications encouraging users to share a recent activity, and the social pressure from friends and colleagues who are already on the platform.
The 2018 Strava heatmap story prompted genuine product changes. Flyby became opt-in. Heatmap access required a subscription. Segment leaderboard privacy improved. Eight years later, Le Monde tracked a nuclear aircraft carrier in real time through the same class of data. The conclusion is not that Strava failed to act; they acted. The conclusion is that the surface area of the problem is larger than any set of product changes can cover, because the data keeps being generated by people who want to track their fitness and share it with friends, which is exactly what the apps were built to help them do.
Until that behavioral pattern changes, or until militaries treat personal fitness devices as categorically prohibited equipment in the same way they treat personal communications devices in certain secure environments, journalists will keep finding the warships.