Published: Wed, July 11, 2018
Medicine | By Douglas Stevenson

Polar fitness tracker exposes locations of soldiers and spies on military bases

Polar fitness tracker exposes locations of soldiers and spies on military bases

The revelation was made possible thanks to the Finnish company's Polar Flow feature that shows workout activity of the users of its app down to the tiniest detail on a global searchable map.

It allows users to track their fitness and sleep activity, analyze their progress, set fitness targets and get guidance, and connect with other fitness enthusiasts.

The investigation draws parallels with the Strava fitness app, which in January of this year was shown to reveal sensitive locations around the world.

Polar has acknowledged that the Explore feature could be used to provide insight into potentially sensitive locations, but blamed users for sharing their data.

Specifically, Bellingcat notes that Polar's Polar Flow app "is revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world".

By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Polar has also chose to temporarily suspend its explore function, but let's hope it's not too late. The two organisations found areas such as a military base, selected an exercise that had been published there, then simply looked at where that same user profile had been.

Open source and social investigative site Bellingcat and Dutch news publication De Correspondent were able to access exercise data shared by users of Polar's Flow social platform, and glean large amounts of location information from it.

"We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea". Altogether, the group of journalists managed to compile data on a total of over 6,000 Flow users. On Friday, the company issued a statement in which it said that it did not leak users' private information and that there had been no data breach affecting private data.

In other words, according to Polar, the "Airmen involved in the battle against the Islamic State" who Bellingcat researchers were able to identify and find their homes were the ones who messed up, not Polar.

What this is actually saying is that users have the option to mark their data as private via the user profile page in the app. Marking it private will also prevent the service from sharing information to third-party apps such as Facebook. And you can see where those runs start and stop.

And as this comment, and a further Polar statement, suggests, this is a little different to the Strava episode, in which data wasn't automatically set to private.

Like this: