Wearable technology company Polar Electro Inc., Kempele, Finland, on July 6 suspended the Explore function of its Polar Flow application after a group of Dutch journalists used the function to uncover the personal data and geographic locations of 6,460 U.S. military and security personnel.
Much like Strava and other physical activity-tracking applications, the Polar app has allowed users to create and publicly share geo-marked activity maps such as those for neighborhood running routes. In exploring these publicly shared routes, the journalists were able to learn additional information about app users going back to 2014.
"As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map," the July 8 Bellingcat article stated. "Users often use their full names in their profiles, accompanied by a profile picture — even if they did not connect their Facebook profile to their Polar account."
A July 18 report by The Washington Post confirmed that the journalists tracked the running histories of users stationed at military bases overseas, including Guantanamo Bay Naval Base and Camp Lemonnier in Djibouti, the primary base of operations for U.S. Africa Command in the Horn of Africa.
"Polar’s widely used fitness app endangers military personnel, intelligence operatives, and people who work at sites where nuclear weapons are stored. It’s dead simple to track down their names and addresses," the July 8 De Correspondent article stated.
In addition to suspending the app's Explore function, Polar issued an online statement after the journalists' investigation in which the company insisted it did not "leak" personal data.
"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the July 6 statement said. "Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API."
Polar is "sensitively re-working" its Explore function, according to the statement, and it plans to take additional measures to remind app users to avoid publicly sharing sensitive GPS data. (When a Polar Flow account is created, activity mapping is set to private by default, meaning users must opt-in to publicly share content.)
De Correspondent estimated that the Polar app has approximately 30 million users and is particularly popular in Western Europe and the United States.
“This example demonstrates how important it is to be aware of all the consequences digital technology can have,” Dutch Minister of Defense Ank Bijleveld told De Correspondent. “Technology keeps making more and more things possible, but the flip side of that ability is adjusting our security and awareness to match.”