Reminiscent of the recent controversy surrounding the fitness-tracking app Strava, the tale involving Polar Flow shows how the sharing of seemingly innocuous – but potentially telltale – data can have significant privacy implications
Fitness tracking app Polar Flow allowed anyone with relatively little effort to work out the names, home addresses and daily movement routes of thousands of military and intelligence officials who work at secretive installations around the world. This is according to a pair of reports by journalist outlet Bellingcat and Dutch news website De Correspondent.
The discovery comes not long after it emerged in January that Strava, another fitness-tracking app, was giving away the locations of military bases around the world. “Polar, which can feed into the Strava app, is revealing even more,” reports Bellingcat.
The privacy exposure by Polar Flow has to do with data collected for the app’s activity map called Explore. The feature has tracked the workout sessions of the app’s users in rather minute detail on the searchable map since as far back as 2014.
Says Bellingcat: “By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.”
Importantly, this includes not only data willingly shared by users, but often also information belonging to people who have their profiles set to private, according to the journalists. “Some users wisely hide behind a private profile, but an oversight in the Polar app allowed us to uncover the exerciser’s identity nonetheless in most cases,” writes De Correspondent.
The sleuthing identified the names and home addresses of a total of 6,460 users across 69 nationalities who apparently work in some 200 sensitive locations. They include soldiers at military bases including Guantánamo Bay, personnel working at nuclear storage facilities, the FBI, multiple intelligence agencies, troops deployed near the North Korean border, and airmen involved in the battle against the Islamic State.
“We found this information not through hacking or some other technological wizardry, but through a little clever searching in the online map that Polar makes available to anyone with an account,” writes De Correspondent. “Anyone with a basic understanding of computers and some common sense can find this information,” adds the website.
Making things worse, Polar omitted to impose a limit on how much information a sleuth can query and retrieve. “For example, we were able to automatically call up every activity across the entire world for those 6,460 users, which made it much easier to determine their home address, where people’s workouts often begin and end,” according to De Correspondent.
Users commonly use their real names and photos on Polar Flow, which can then be used to cross-reference the users with their accounts on social media.
In response, Polar, a Finland-based company that is behind Polar Flow and that also produces smartwatches and fitness-tracking kits, has issued a statement. Importantly, the firm said that it has temporarily suspended the activity map, and stressed that it “has not leaked any data, and there has been no breach of private data”.
“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” said the company, thus essentially refuting the journalists’ findings that not even users with private profiles were safe. Polar also affirmed that the data shared were a function of an opt-in system, i.e. shared willingly by its customers.