Quick take:, A French sailor's public Strava profile exposed the Charles de Gaulle aircraft carrier's classified position in the Mediterranean. Le Monde confirmed it with ESA satellite imagery within an hour (Le Monde, 2024). If you build apps with geolocation, default to private and fuzz coordinates, online is covered here.
On March 13, 2026, a French Navy sailor strapped on a smartwatch, ran seven kilometers on the deck of a warship, and uploaded his workout to Strava. That 35-minute jog gave away the real-time position of the Charles de Gaulle, France's only nuclear-powered aircraft carrier, while it was on a classified deployment in the eastern Mediterranean.
Le Monde broke the story on March 20th. The newspaper's journalists didn't need classified intelligence or insider sources. They just browsed a public Strava profile.
What Happened, Step by Step
The sailor's Strava account was set to public. His recorded run showed GPS loops in the middle of the Mediterranean Sea, northwest of Cyprus, roughly 100 kilometers off the Turkish coast. There's no landmass there. Running loops in open water narrows the possibilities fast.
Le Monde matched those coordinates against European Space Agency satellite imagery captured about an hour after the run. The satellite photo showed the unmistakable 262-meter silhouette of the Charles de Gaulle and its escort group, sitting approximately 6 kilometers from the geolocated workout.
President Macron had ordered the carrier group from the Baltic Sea to the Mediterranean on March 3rd. The deployment was part of what he called a "purely defensive" posture in the region. But the exact position? That wasn't supposed to be public knowledge.
The French Armed Forces General Staff told Le Monde the incident "does not comply with current instructions" and confirmed that "digital hygiene for sailors" is covered in pre-deployment briefings. So someone ignored the briefing. It happens.
Why This Keeps Happening
Here's the thing, this isn't new. Not even close.
Strava's Global Heatmap blew up in January 2018 when analysts noticed it was lighting up patrol routes at U.S. military bases in Afghanistan, Syria, and Djibouti. The Pentagon ordered a full review of wearable device policies. Strava updated its privacy controls.
Did that fix it? Obviously not.
In 2024, Le Monde's "StravaLeaks" investigation tracked bodyguards protecting Emmanuel Macron, Joe Biden, and Vladimir Putin by scraping their public Strava profiles. Reporters identified the hotel Biden stayed at during a 2023 San Francisco trip. They mapped Macron's movements across multiple countries. I remember reading that investigation and thinking every location-aware app I've built probably had similar exposure vectors I'd never considered.
And in a particularly embarrassing earlier incident, a crew member aboard one of France's ballistic-missile nuclear submarines posted Strava data that revealed details about the vessel. A nuclear submarine. On Strava.
The Technical Problem Developers Should Care About
If you build anything that handles geolocation data, this story is a case study you can't ignore. The Strava API and the browser's Geolocation API share a fundamental design problem: they default to giving away too much.
Consider the Web Geolocation API:
navigator.geolocation.getCurrentPosition(
(position) => {
// position.coords.latitude , up to 18 decimal places
// position.coords.longitude, sub-meter accuracy
// position.coords.altitude , if available
// position.timestamp , exact time
},
(error) => { /* handle error */ },
{ enableHighAccuracy: true } // many devs set this by default
);
That's sub-meter accuracy with a timestamp. When your app stores and shares this data publicly, you're building a surveillance tool whether you intended to or not. I've shipped location features in three different projects over the years, and after the 2018 Strava incident I went back and audited every one of them. Two had unnecessarily precise coordinate storage.
What should developers actually do differently?
Default profiles to private. Strava still defaults new accounts to public activity uploads. That's a product decision that prioritizes engagement over safety. If you're building a social fitness app or any location-sharing feature, flip that default. Users who want public profiles will find the toggle. Users who don't know better won't accidentally broadcast from aircraft carriers.
Implement coordinate fuzzing. You don't need 7 decimal places of latitude precision for a workout summary. Round to 3 decimals (roughly 110-meter accuracy) or even 2 decimals (roughly 1.1 km) for public-facing data. Store precise data server-side if needed, but never expose it through public APIs or profiles.
Add geofencing for sensitive contexts. Strava already offers "hidden zones" around home addresses. Why not extend that concept? An API could suppress or flag uploads from coordinates that match known military installations, government buildings, or open ocean (where the only explanation is a ship).
Strip metadata aggressively. The Geolocation API returns altitude, heading, speed, and timestamp alongside coordinates. Each extra field is another data point for correlation attacks. Only collect what you actually need for the feature you're building.
The Bigger OPSEC Picture
Military OPSEC failures from consumer technology aren't going away. They're accelerating. Every smartwatch, fitness tracker, and phone app that touches GPS coordinates is a potential leak. And the people using them aren't hackers or spies, they're soldiers who want to log a morning run.
Should militaries just ban smartphones and smartwatches aboard vessels? Some security researchers argue exactly that. I think that's unrealistic and misses the point. The real failure is on the app side. When a platform makes it trivially easy to broadcast your coordinates to the entire internet, some percentage of users in sensitive positions will do exactly that. Every single time.
The French Navy will probably discipline the sailor. Strava will probably release another statement about privacy controls. And in six months, we'll read about the next incident from a different country's military. The pattern is predictable because the underlying technical defaults haven't changed.
What Developers Should Take Away
If you're writing code that touches navigator.geolocation or processes GPS data from wearables, treat location as what it is: sensitive personal data with national security implications. Default to private. Fuzz coordinates for public display. Audit your API responses for unnecessary precision.
The Charles de Gaulle incident isn't a Strava problem. It's a design pattern problem. And it's one we can fix in code, if we stop treating precise geolocation as just another data field. For more on building with security in mind, check our guide to React hooks best practices, the same "sensible defaults" philosophy applies to every API you expose.