Fitness app Polar even better at revealing secrets than Strava

'I spent a year hiding in shrubs, and they just … publish their daily runs'

+Comment Online investigations outfit Bellingcat has found that fitness tracking kit-maker Polar reveals both the identity and daily activity of its users - including soldiers and spies.

Many users of Polar's devices and app appear not to have paid attention to their privacy settings, as a result a Bellingcat writer found 6,460 individuals from 69 countries. More than 200 of them left digital breadcrumbs around sensitive locations.

Bellingcat's report claimed the Polar Flow social-fitness site produces more compromising data than other fitness-trackers than previous leaks: “Compared to the similar services of Garmin and Strava, Polar publicizes more data per user in a more accessible way, with potentially disastrous results.“

“Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.”

Bellingcat notes that the big difference between Polar and Strava is that the former offers more comprehensive data, more easily, covering everything a user has uploaded to the platform since 2014.

Secure it, Hudson

US Pentagon scrambles after Strava base leaks. Here's a summary of the new rules: 'Secure that s***, Hudson!'


The investigation describes all sorts of interesting targets in the data: an officer whose air base hosts nuclear weapons; Western military personnel in Afghanistan; yet another officer whose profile carries his name, and whose location hosts drones. People exercising near their homes, and also near their workplaces – which happen to be intelligence agencies.

“We were able to scrape Polar’s site (another security flaw) for individuals exercising at 200+ of such sensitive sites, and we gathered a list of nearly 6,500 unique users. Together, these users had made over 650,000 exercises, marking the places they work, live, and go on vacation,” Bellingcat's Foeke Postma wrote.

Polar told the publication it had updated its policy in August 2017 so accounts have more secure default settings, and the platform has blocked users from exploring its data while it investigates fixes.

Over the weekend, in response to the revelations, the Dutch Minister of Defence issued an edict that military personnel should remove fitness apps from their smartphones.

Running in circles

The Dutch response may well feel familiar because Shortly after Nathan Ruser of the Australian National University revealed the extent of the Strava leak in January this year, the Pentagon warned personnel to lock down their privacy settings.

The official response included an investigation in the US military, but such things proceed relatively slowly. Army Colonel Robert Manning III said at the time: “DoD personnel are advised to place strict privacy settings on wireless technologies and applications”

However, even if military and intelligence users had locked down their defaults after that warning, Bellingcat's Postma wrote that the platform still kept old data public until it stopped Internet passers-by browsing peoples' records.

Yes, people with sensitive jobs need to be careful with social technologies, but it seems to be an open question just how well people in general understand how much data leaks when they sign up for online services.

The US military is, after all, easily large enough to act as a proxy for the whole population, and people at scale aren't paying close attention to how their data leaks, until it stings them. ®

Keep Reading

Biting the hand that feeds IT © 1998–2021