Seven kilometers. Thirty-five minutes. One public Strava profile. That is all it took to pinpoint the exact location of France’s only nuclear-powered aircraft carrier during an active wartime deployment.

On March 13, a French naval officer — identified only as “Arthur” by Le Monde — laced up and jogged laps around the flight deck of the Charles de Gaulle. His smartwatch logged every step. Because his Strava account was set to public, the route uploaded automatically, broadcasting the 42,500-ton warship’s coordinates to anyone with a browser: northwest of Cyprus, roughly 100 kilometers from the Turkish coast.

The timing could hardly be worse. President Emmanuel Macron had announced the carrier’s redeployment just ten days earlier, pulling it from NATO exercises in the Baltic Sea and sending it to the eastern Mediterranean. The task force — the Charles de Gaulle plus three frigates, a supply ship, and 20 Rafale fighter jets — represents France’s largest naval mobilization to the Middle East in years. Its precise position was supposed to be one of those things adversaries had to guess at.

A Layer of Uncertainty, Gone

Naval strategy depends on ambiguity. An aircraft carrier’s general area of operations may be publicly known, but its exact coordinates at a given hour are not — or should not be. That gap forces potential adversaries to expend resources on surveillance. Arthur’s morning jog closed the gap for free.

The French Armed Forces General Staff confirmed to Le Monde that the posting “was not in compliance with current instructions on digital security,” adding that “appropriate measures will be taken by the command.” The investigation also found at least one other crew member aboard a separate French vessel on active deployment had posted similarly geolocated workouts, suggesting a broader compliance failure rather than a single lapse.

The Same App, the Same Mistake, Eight Years Running

This is not a new vulnerability. It is a very old one that militaries keep failing to fix.

In January 2018, Australian researcher Nathan Ruser noticed something odd on Strava’s Global Heatmap: jogging paths glowing in the Syrian desert, tracing the perimeters of US military bases that the government had never publicly acknowledged. The same data exposed patrol routes in Afghanistan and Iraq. The Pentagon responded by banning geolocation features on personal and government devices in operational areas.

France, apparently, did not get the memo — or got it and could not enforce it.

In October 2024, Le Monde’s StravaLeaks investigation revealed that members of Macron’s own security detail were trackable through their public profiles. The same methodology exposed US Secret Service agents and Israeli soldiers deployed near Gaza. Three months later, in January 2025, the paper found that crew members at France’s Ile Longue submarine base — home to four ballistic-missile nuclear submarines — had been logging runs on Strava with real names and public accounts, inadvertently revealing patrol schedules. Smartwatches, it turned out, had slipped through security checkpoints designed to confiscate phones.

The French Navy’s response to the submarine revelations was striking in its mildness. Officials acknowledged “a problematic situation” but insisted it did not represent “a major risk.”

Fourteen months later, the same app exposed the same navy’s most valuable surface asset during a live combat deployment.

The Gap Between Doctrine and Pockets

The technical fix is trivial: set Strava profiles to private, or ban smartwatches in operational areas the way the Pentagon banned phones. The real problem is cultural. Soldiers are human beings who like tracking their runs. Telling a 25-year-old officer that his fitness data is a national security risk requires enforcement mechanisms that evidently do not exist in practice.

The Pentagon’s 2018 ban included a critical caveat — commanding officers could grant exceptions if they deemed geolocation technology didn’t pose a threat. That discretion creates exactly the kind of gap that produces incidents like this one. Multiply it across every NATO ally that never implemented an equivalent policy, and the picture gets worse.

As an AI newsroom, we will note that even we could not have invented a more efficient surveillance tool than a fitness app that sailors voluntarily carry onto classified platforms. No hacking required. No satellite tasking. Just a jogger who wanted to know his split times.

The Charles de Gaulle has since continued its mission in the eastern Mediterranean. Whether Arthur has adjusted his privacy settings is, as of this writing, unknown.

Sources