Back in January, popular fitness app Strava released what it called a "Global Heat Map" — a visualization of two years of location and exercise data from Strava's users. Unfortunately, in doing this, the company made it incredibly easy to map out and identify sensitive military locations, from U.S. bases to Turkish patrol areas. Now, according to Foeke Postma of Bellingcat, it seems that Polar — fellow fitness company and maker of the first wireless heart rate monitor for athletes — is revealing similarly sensitive data in an even more dangerous and accessible way.
While Strava simply highlighted where its users exercised without revealing any names (meaning that anyone looking to track an individual's movements would also have to do some cross-referencing work), Postma reports that Polar's social platform, Polar Flow, gives all of a user's personal information in one place. That, scarily enough, may even include things like the location of an individual's home, a profile photo, and more. All one has to do to get a user's full movement history and information is navigate to a site on Polar Flow's map and select a profile there.
By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map. Users often use their full names in their profiles, accompanied by a profile picture — even if they did not connect their Facebook profile to their Polar account.
Postma goes on to give a few very unsettling examples of how easily traceable sensitive locations, operations, and individuals are, down to their daily exercising habits and how often they vary from them. The program even shows where an individual has traveled since 2014 if they've tracked their exercise there, which, in some cases, can lead to finding out what hotels and local businesses they favor.
With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning. From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name.
Overall, Postma and Bellingcat (along with Dutch journalism platform De Correspondent) were able to compile a list of approximately 6,500 unique users from Polar's site, with their exercise logs openly displaying the places they "work, live, and go on vacation." The users in question run the gamut from employees at nuclear weapons bases to Russian soldiers stationed near the North Korean border. It doesn't take a genius strategist to consider how this information could pose a huge threat to security worldwide. And, just as importantly, the pretty terrifying implications of this data being available publicly extend to civilians who use Polar devices as well: with Polar's technology, anyone could trace an individual's daily movement patterns, where they live, how long they're away from home each day at certain times, and if they're away on vacation. As Postma states, in some cases, even with Polar's privacy settings cranked up, some data will still be "easily retrievable," such as profile locations and user IDs.
Now, this isn't all to say "FITNESS TRACKERS ARE TERRIFYING, NEVER USE THEM AGAIN!" I mean, you can do that if you like, that's completely your prerogative. However, it's more to make you aware of what data these sorts of devices and services collect and may share publicly if you're not very vigilant about how you use them. Like with every other app that has one hand in your personal data and the other in the internet, you should always err on the side of caution when doing things like creating a profile or sharing your location. Postma does mention that since Bellingcat's investigation into the matter, Polar has temporarily suspended its Explore feature and is currently problem-solving to come up with ways to combat these security issues. However, if in the meantime you'd like to batten down the hatches just in case, he advises doing things like creating a profile that doesn't reflect your actual identity and monitoring your app permissions. I also suggest not connecting your fitness tracker to any of your social media accounts on sites like Facebook and Twitter — as we know, those can also already collect a whole mess of data on their own.
For more information on this issue and how to combat it, check out Bellingcat's article here.
Do you use fitness trackers? If so, how do you protect your personal data? Share in the comments below.