Fitness monitoring app Polar could be used to find out the current locations of military personnel and embassy staffers, as well as details of where they live and work, and their exercise routes.
Researcher Foeke Postma found that information shared publicly on the app could be scraped. Details from over 200 sensitive sites were accessible, from which the researchers were able to build a list of almost 6,500 unique users. Because users can (and generally do) identify themselves with their full name and a profile photo, individuals can often be identified by cross-checking against social media sites, particularly those listing career information, such as LinkedIn.
Additionally, because users could be searched for by name, it would be possible to search for, for example, military personnel who had stated elsewhere the country in which they were based. Clusters of their sessions could then be found, indicating sites whose location should have been secret.
Postma gave an example of the information users of the app could piece together about individuals at sensitive sites:
“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning. From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name.”
Exercise details from users at sensitive sites around the world could be viewed using the app, including military bases in the United States and Afghanistan. A non-exhaustive list of examples Postma discovered and shared in the post included employees of the FBI and NSA, staff at nuclear power plants, Americans in the Green Zone in Baghdad, Russian soldiers in Crimea, and military personnel at Guantanamo Bay. Some of these users were operating in countries where soldiers are banned from wearing their uniforms on the street to prevent them from being targeted – but they were publicly sharing their exact exercise routes, and often (in doing so) disclosing their home and work addresses.
Another fitness app, Strava, was recently found to have a similar potential for misuse. Polar’s data, which can also feed into Strava, provides more detail on users and does so in a more accessible way: it lets anyone see all public sessions at a sensitive site rather than requiring them to navigate to a specific user’s profile first, and it shows all of a user’s public sessions dating back to 2014 on a worldwide map.
As Postma points out, “you only need to navigate to an interesting site, select one of the profiles exercising there, and you can get a full history of that individual”.
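The two steps described above (find everyone whose public sessions pass through a sensitive site, then use their full public history to find the place where their sessions repeatedly start and end) can be shown on a small set of constructed sessions. This is an added example, not Postma’s code and not anything from Polar; the site coordinates, the user names and the track points are made up, and the radius and clustering thresholds are assumptions chosen for illustration. The same logic is what an organisation would run over its own personnel’s exported sessions to audit what they expose.

```python
"""Added example: infer likely home/work locations of people seen exercising
at a sensitive site, from public session tracks. All data below is constructed."""
import math
from collections import defaultdict

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Hypothetical sensitive site: centre plus radius. Coordinates are invented.
SITE = {"name": "example-site", "lat": 52.1000, "lon": 5.2000, "radius_m": 1500}

# Constructed public sessions: (user, [(lat, lon), ...]) track points in order.
# user_a starts and finishes three runs at the same house, one of them through the site.
SESSIONS = [
    ("user_a", [(52.1300, 5.2500), (52.1200, 5.2300), (52.1010, 5.2010), (52.1300, 5.2500)]),
    ("user_a", [(52.1301, 5.2499), (52.1150, 5.2200), (52.1301, 5.2499)]),
    ("user_a", [(52.1299, 5.2501), (52.1400, 5.3000), (52.1299, 5.2501)]),
    ("user_b", [(52.0500, 5.1000), (52.0600, 5.1200), (52.0500, 5.1000)]),
]


def sessions_through_site(sessions, site):
    """(user, session_index) for every session with a track point inside the site.
    This is the 'navigate to an interesting site and see who exercises there' step."""
    hits = []
    for idx, (user, track) in enumerate(sessions):
        if any(haversine_m(lat, lon, site["lat"], site["lon"]) <= site["radius_m"]
               for lat, lon in track):
            hits.append((user, idx))
    return hits


def endpoint_clusters(sessions, cluster_m=100.0):
    """Greedy clustering of each user's session start and end points.
    Returns {user: [(centroid_lat, centroid_lon, n_sessions), ...]}.
    A spot that starts or ends many sessions is a likely home or workplace."""
    per_user = defaultdict(list)  # user -> list of {"pts": [...], "sessions": set()}
    for idx, (user, track) in enumerate(sessions):
        if not track:
            continue
        for lat, lon in (track[0], track[-1]):
            clusters = per_user[user]
            for c in clusters:
                clat = sum(p[0] for p in c["pts"]) / len(c["pts"])
                clon = sum(p[1] for p in c["pts"]) / len(c["pts"])
                if haversine_m(lat, lon, clat, clon) <= cluster_m:
                    c["pts"].append((lat, lon))
                    c["sessions"].add(idx)
                    break
            else:
                clusters.append({"pts": [(lat, lon)], "sessions": {idx}})
    out = {}
    for user, clusters in per_user.items():
        out[user] = [
            (sum(p[0] for p in c["pts"]) / len(c["pts"]),
             sum(p[1] for p in c["pts"]) / len(c["pts"]),
             len(c["sessions"]))
            for c in clusters
        ]
    return out


def likely_home_of_site_visitors(sessions, site, min_sessions=2):
    """Chain both steps: users seen inside the site, then the locations where
    their whole public history repeatedly starts or ends."""
    visitors = {user for user, _ in sessions_through_site(sessions, site)}
    clusters = endpoint_clusters(sessions)
    result = {}
    for user in sorted(visitors):
        homes = [c for c in clusters.get(user, []) if c[2] >= min_sessions]
        if homes:
            result[user] = sorted(homes, key=lambda c: -c[2])
    return result


if __name__ == "__main__":
    for user, homes in likely_home_of_site_visitors(SESSIONS, SITE).items():
        for lat, lon, n in homes:
            print(f"{user}: {n} sessions start/end near {lat:.4f},{lon:.4f}")
```

The site filter only needs one track point inside the radius, so a single run across a compound is enough to pull a user into scope; the home inference then draws on every public session that user has, which is why the "all sessions back to 2014" history matters more than any one route.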
In a statement, Polar said: “It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case.”
Since the update of Polar’s privacy settings in August 2017, new accounts have their profiles and sessions set to private by default. Older accounts, however, remained public unless the user manually opted out of sharing. Since Postma’s research was published, Polar has taken the Explore API offline while it explores possible solutions, such as enabling users to make all past sessions private at once.
Given that the Strava case in January made significant waves, it is somewhat surprising that apparently neither Polar nor its users considered the similar potential for data misuse. The fact that the researchers apparently encountered no serious obstacles to scraping the data is worrying, despite Polar’s defence that users sharing sensitive location data had chosen to do so.
As well as the implications for sensitive military sites, data obtained in this way could also be used for corporate espionage, spearphishing attacks, stalking, or planning burglaries. Polar has a good point that users should be wary about the data they post publicly, but the amount of data that could be accessed via the Explore API using only a person’s name is cause for concern.