2018-07-09

Back in January, a fitness app called Strava attracted some unflattering attention when security experts discovered that they could easily locate secret military bases on a public map of Strava users' workouts. Now, almost the exact same thing has happened again with another fitness-tracker company called Polar. Dutch news site De Correspondent and social-media-investigation site Bellingcat have published the results of a joint investigation into Polar's practice of publishing users' workouts on an online map that, until recently, anyone could search. Here's what you need to know.

The journalists involved in the investigation looked at "two hundred sensitive locations and found 6,460 individuals across 69 nationalities" on Polar's map, allowing them "to identify military and intelligence personnel by name, then find out exactly where they and their families live." In the Netherlands and many other countries, the identities of intelligence operatives are closely guarded state secrets — yet it took only a little clever searching of Polar's online map, plus some Googling, for these journalists to figure some of them out.

We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea.

We also learned the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases.

[De Correspondent]

The map, which has since been taken down, allowed anyone to search other people's workouts by location. De Correspondent and Bellingcat's journalists started by looking at workouts logged near known sensitive locations. Polar did not place any limit on how much information an individual could search for, making it easy for the journalists to find every workout ever logged, anywhere around the world, by the 6,460 people who had logged workouts near the sensitive locations. By looking at all their workouts, the journalists could often figure out a user's home address based on where they stopped and started most of their workouts.

Bellingcat explains why Polar's map design made users' data so much less secure than its competitors' maps did.

Polar is not the only app doing this, but the difference between it and other popular fitness platforms, such as Strava or Garmin, is that these other sites require you to navigate to a specific person to view separate instances of his or her sessions, each exercise having its own small map. Moreover, they often limit the number of exercises that can be viewed. Polar makes it far worse by showing all the exercises of an individual done since 2014, all over the world on a single map.

As a result, you only need to navigate to an interesting site, select one of the profiles exercising there, and you can get a full history of that individual.

[Bellingcat]

What's more, even the setting that was supposed to show a Polar user's workout data only to their friends "still let profiles show a name, photo and the location they wrote in during registering to anyone." Furthermore, changing your privacy settings in the app only affected new workouts — if you'd had your previous workouts set to "Public," they'd still be public even after you changed your privacy settings, according to Bellingcat.
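The two design failures described above (unlimited per-user history that exposes where workouts start and stop, and a privacy setting that only applied to new workouts) both have straightforward server-side fixes. The following is an added illustration written for this article, not Polar's code, against a hypothetical data model: visibility is evaluated from the owner's current setting on every request rather than a flag frozen at upload, every track point inside a user-declared privacy zone is stripped before sharing, and a single query is capped so it cannot return years of history. The home coordinates, usernames and track are constructed sample values.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) points."""
    p1, p2 = radians(lat1), radians(lat2)
    half_dlat = (p2 - p1) / 2
    half_dlon = radians(lon2 - lon1) / 2
    a = sin(half_dlat) ** 2 + cos(p1) * cos(p2) * sin(half_dlon) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass
class Profile:
    username: str
    sessions_public: bool = False                      # current setting; private by default
    friends: set = field(default_factory=set)
    privacy_zones: list = field(default_factory=list)  # [(lat, lon, radius_m), ...]


@dataclass
class Session:
    owner: str
    track: list              # [(lat, lon), ...] in recorded order
    public_at_upload: bool   # setting frozen when the session was uploaded


def flawed_visible(viewer, owner, session):
    """Per-session flag frozen at upload: switching the profile to private
    later leaves every older session exposed (the behaviour the article describes)."""
    return viewer == owner.username or session.public_at_upload


def current_setting_visible(viewer, owner, session):
    """Evaluate the owner's present setting on every request, so a switch
    to private hides the whole history at once."""
    if viewer == owner.username:
        return True
    return owner.sessions_public or viewer in owner.friends


def redact_track(track, zones):
    """Drop every point inside any privacy zone, not only the first and last:
    a loop route can pass home mid-run, and the start/stop cluster is what
    gives an address away."""
    return [
        (lat, lon) for lat, lon in track
        if not any(haversine_m(lat, lon, zlat, zlon) <= r for zlat, zlon, r in zones)
    ]


def shareable_sessions(viewer, owner, sessions, max_results=20):
    """What a viewer may see of one owner's sessions: current-setting check,
    zone redaction for anyone but the owner, empty tracks dropped, and a hard
    cap so one query cannot pull a user's entire multi-year history."""
    out = []
    for s in sessions:
        if s.owner != owner.username or not current_setting_visible(viewer, owner, s):
            continue
        track = s.track if viewer == owner.username else redact_track(s.track, owner.privacy_zones)
        if track:
            out.append(track)
        if len(out) >= max_results:
            break
    return out


# Constructed sample data (hypothetical user, made-up home location).
HOME_ZONE = (52.3702, 4.8952, 500.0)   # 500 m radius around the declared home
SAMPLE_TRACK = [
    (52.3702, 4.8952),   # start at the front door
    (52.3712, 4.8970),   # roughly 165 m away, still inside the zone
    (52.3800, 4.9100),   # roughly 1.5 km away
    (52.3900, 4.9200),   # roughly 2.8 km away
    (52.3705, 4.8955),   # back home
]
ALICE = Profile("alice", sessions_public=False, friends={"bob"}, privacy_zones=[HOME_ZONE])
OLD_SESSION = Session("alice", SAMPLE_TRACK, public_at_upload=True)  # uploaded while public

if __name__ == "__main__":
    print("frozen flag, stranger sees old session:", flawed_visible("stranger", ALICE, OLD_SESSION))
    print("current setting, stranger sees old session:", current_setting_visible("stranger", ALICE, OLD_SESSION))
    print("redacted track shown to a friend:", shareable_sessions("bob", ALICE, [OLD_SESSION]))
```

The redaction removes all points inside the zone rather than trimming a fixed distance from each end, because a route that loops past home mid-workout would otherwise still mark it; the result cap is the kind of limit Bellingcat notes other platforms already impose.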

Polar responded to De Correspondent and Bellingcat's reporting by announcing that it was temporarily taking the workout map down.

It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.

[Polar]

Emphasizing "the choice and responsibility of the customer" after your company has been exposed for recklessly sharing user data with potential bad actors is not a great look! That said, now is probably a good time for all of us to check our privacy settings in any apps that could potentially reveal our location, and maybe even to delete any apps we no longer trust to keep our data safe.