Data made publicly accessible via the Polar fitness app was found to reveal the identities, home locations and activities of users employed at highly sensitive or secret locations such as military bases, intelligence agencies and critical infrastructure facilities, according to dual investigative reports by Bellingcat and De Correspondent.
The findings prompted Finland-based Polar to temporarily suspend Explore, its global activity map feature, which was the primary source of data used to uncover users' identities.
Last January, the GPS-based fitness app Strava similarly generated controversy because it recorded the movements of military personnel on what turned out to be highly sensitive base locations. But the Polar case may be even more extreme, the reports say, because the app shows every exercise a person has performed since 2014 on a single map, allowing potential snoops to gather a great deal of valuable information on potentially high-ranking people.
To spy on a user, malicious actors could have simply selected a location of interest using the Explore feature -- perhaps a military site -- then looked for an exercise that was published at that location. From there, they could pull up the attached profile to discover that person's identity. They could also pinpoint users' homes by studying their full activity histories, including jogging or biking routes -- or by looking at where these users turned their trackers on and off (typically that occurs at home).
The reports said investigative researchers were able to generate a list of almost 6,460 unique users collectively performing over 650,000 exercises at more than 200 sensitive sites, in addition to other locations where they lived or had visited. Users included a nuclear airbase officer; an intelligence officer at a US Air Force base; Western military members in Afghanistan and Iraq; and employees at the NSA and FBI.
Even though some of these users had set their profiles to private, the investigators nonetheless were able to research their identities online simply by leveraging the sheer amount of location information that was available via the app, the reports state. However, in a 6 July company statement, Polar appears to state that only users whose profiles were set to public were affected.
"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," Polar said in the statement. "Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API."
The company said it's "analysing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations."