This Fitness App Puts Soldiers Lives’ In Danger, Shares Location And Activity
A fitness app inadvertently shared the location and fitness metrics of soldiers and secret agents, putting their lives’ and classified locations in danger.
Research conducted by Dutch news publication De Correspondent and the online investigative group Bellingcat exposed how Polar Flow shares very specific and potentially life-threatening information for soldiers and officials in spy agencies around the world.
They were able to track the movement of one soldier, codenamed “Tom,” who used the digital wrist tracker, the Polar V800. They were able to track him with accuracy down to the second and tenth of a mile on the app’s user activity map. Other measurements they tracked include users’ speed and the number of calories burned in an exercise.
“A little Googling gives us his exact address. We also find the names of his wife and children, and photos,” De Correspondent wrote.
They were able to find “more than two hundred sensitive locations and found 6,460 individuals across 69 nationalities.” These included the names and addresses of personnel at the NSA, Secret Service, MI6, and many other intelligence agencies across the globe. (RELATED: NSA Contractor Reality Winner Pleads Guilty In Leak Case)
Finding home addresses was easy for De Correspondent and Bellingcat, as almost 90 percent of the 6,460 users listed their name and their city on their Polar profile page.
Some of the locations they were able to find include The White House, Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea.
“[W]e recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations,” Polar wrote in a statement on Friday.
Astonishingly, the users De Correspondent and Bellingcat tracked decided to opt-in to sharing their information publicly.
The default settings automatically make the previously stated information private, according to Polar, and the company says they have “not leaked any data, and there has been no breach of private data.” Regardless, they took down the user activity map on Friday.
“[W]e are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API,” Polar added.
“Some users wisely hide behind a private profile, but an oversight in the Polar app allowed us to uncover the exerciser’s identity nonetheless in most cases,” De Correspondent wrote.
Only 2 percent of its total users share workouts on the activity map, according to Polar.
Other fitness apps have leaked sensitive locations of soldiers before. An analysis of the interactive heat map of 28 million Strava users, published in November, shared the locations of military personnel, The Daily Caller News Foundation reported in January.
American and foreign military personnel were clearly visible on the map in less affluent locations like the Middle East, where regular citizens obviously did not have access to the technology.
Journalists and analysts were able to locate a CIA base in Mogadishu, Somalia, a Patriot site in Yemen, and U.S. special operations bases.
The app’s heat map also let people find the locations of missile sites.
“It took about ten seconds to figure out how I would use this to pick out every missile site in half a dozen countries,” wrote Jeffrey Lewis, an international arms expert, on Twitter.
Send tips to firstname.lastname@example.org