Finnish fitness tracking company Polar has temporarily disabled its global activity map feature after journalists used it last week to track down the real-world identities of military and intelligence personnel.
The investigations were carried out by reporters from Dutch newspaper DeCorrespondent and online investigations group Bellingcat.
These two groups of reporters discovered that Polar Flow, one of the Polar apps, was allowing anyone access to a feature called Explore, which is an activity map. Data exposed on this map included a user's past activity, such as running or biking routes, but also the user's personal details, such as heart rate, physical attributes, and more.
While other fitness apps have released activity maps in the past (for showing popular running, hiking, or biking paths), Polar made the mistake of exposing the username and personal details of each user for each individual activity/route.
Journalists used this feature to search the map for the location of known military bases and intelligence agencies' headquarters and training grounds, identifying persons who recorded fitness activity history at those locations.
In several cases, researchers were able to identify usernames that led back to real-world identities. This was either because military and intelligence agents used their real name for the Polar app, or because they re-used usernames they used somewhere else online.
In addition, the same accounts running jogging routes at military bases also contained jogging and biking routes in other locations, exposing what looked to be that user's home address.
In just one example, DeCorrespondent tracked down a jogger near the Dutch military base Volkel (where the Netherlands stores its nuclear arsenal) to the LinkedIn profile of a senior officer in the Dutch military.
Several other examples are included in the respective DeCorrespondent and Bellingcat investigations, all exposing the real-world identities of persons required to keep a low profile due to the nature of their work.
The two reports highlighted a real risk to the national security of multiple countries around the world, showing how foreign intelligence agents could track down the identities of their counterparts in other countries.
Furthermore, the Polar Flow activity map could also be used to track down the location of military bases unknown to foreign countries. For example, extremely active jogging routes in the middle of the Sahara desert are a clear indicator that a military base is located nearby, something that could be very easily corroborated using updated satellite imagery.
Looking at the profile of users running those routes, foreign intelligence agents would not only discover a new base but would also be able to put together a manifest of who's deployed there as well.
But on Friday, Polar announced it was temporarily suspending the Explore API (activity map), due to the privacy concerns exposed in the two reports.
The company also clarified that the Polar Flow app does not expose the user's activity and username by default. Polar said these details are shared only based on an opt-in system, and the data exposed via its activity map was willingly shared by only some of its users, with the vast majority of user data remaining private.
Polar has taken this decision in an attempt to avoid scrutiny from officials around the world. Back in January, a similar privacy scandal affected the Strava fitness tracking app, which also published a similar activity map. In a similar fashion, journalists used the Strava map to expose the locations of several military bases, some unknown prior to the Strava exposure.
Makers of the Strava app were called in to testify in front of a Senate committee in early February regarding their app's privacy settings and later rolled out improved privacy protections.
But unlike the Strava exposure, the Polar incident seems much worse, mainly because the app leaked personal details that could deanonymize Polar users.