Location data from fitness app Polar Flow has revealed the home addresses of intelligence officers — even when their profiles were set to private.
Just six months after competing fitness tracking company Strava came under fire for revealing the location of US military bases, Finnish wearable company Polar has experienced similar privacy concerns and has suspended its “Explore” service as a result.
Polar is the manufacturer of such popular running watches like the Polar M200 and M400, as well as fitness-oriented smartwatches like the Polar M430 and M600, while its Polar Flow app is used to organize and view user data.
The Explore component of Polar Flow was intended to show anonymous data on its users and their activities around the globe, displaying it in a similar fashion to the activity map that was responsible for Strava’s woes earlier in the year.
According to a new report from the Dutch De Correspondent and the open source investigative site Bellingcat explains that Polar’s Polar Flow app “is revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world.”
The investigation zeroed in on two hundred sensitive locations and, using site scraping techniques, found 6,460 individuals across 69 nationalities. The two organizations found areas such as a military base, selected an exercise that had been published there, then simply looked at where that same user profile had been.
The investigation found the names and addresses of personnel from multiple intelligence agencies including the NSA, US Secret Services, and MI6. Even sensitive personnel often used their real names, making them easy to identify.
In a statement sent by Polar chief strategy officer Marco Suvilaakso, the company said it “recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.”
“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” said the statement. “While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”