Fitness app Polar Flow exposed names and locations of thousands of military, NSA and FBI staff
It's not all that long since fitness app Strava caused something of a security nightmare by inadvertently revealing the locations of numerous secret military bases. Now another app -- Polar Flow this time -- has gone a step further and revealed the names and home addresses of nearly 6,500 users.
A joint investigation by Bellingcat and Dutch journalism platform De Correspondent found that the app is "revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world".
Bellingcat's investigation found that the privacy settings used by 6,460 Polar users meant that they could be located through the activity they had shared from their fitness devices. A number of users have their activities configured to be automatically publicly shared, and this can be used to determine where they live.
The investigative site explains:
"By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map. Users often use their full names in their profiles, accompanied by a profile picture -- even if they did not connect their Facebook profile to their Polar account."
What's particularly concerning with this privacy issue is that it is not just the locations of military bases that have been exposed -- in many cases these were already known. The fact that individuals' locations can be determined, bearing in mind the fields in which they work, is a serious security risk.
The Polar website makes it incredibly easy -- much easier than other similar sites -- to view the activities of individual users, and the tracking of activities' start and end points makes it very simple to determine where someone lives. Bellingcat says:
"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning. From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name."
In all, the investigation was able to identify nearly 6,500 people across 69 countries at locations including the NSA, the White House, MI6 and Guantanamo Bay.
You can read more about the findings of the investigation on De Correspondent.