Tech blog Bellingcat and Dutch newspaper De Correspondent reported over the weekend that the Polar fitness app has been exposing detailed information about the locations and activities of military personnel around the world, possibly surfacing sites and operations that were previously confidential. The New York Times reported a similar situation in January regarding fitness app Strava, but that app showed a user's current location, whereas Polar provides an activity history that stretches back to 2014.

Bellingcat collected the GPS history of nearly 6,500 users claiming 69 nationalities at over 200 distinct locations from Polar's publicly viewable user activity map to reach its conclusions. The user profiles linked from this map may contain a customer's name, age, gender, and a profile picture.

Bellingcat contends that one can infer both a user's work and home addresses from the available data. Among the locations were 125 military bases, 48 nuclear weapon storage facilities, six drone bases, and the White House.

Polar took its user activity map offline late last week in response to the reports.

In a press release, Polar suggests that the blame lies with its users: "Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API."

Bellingcat's research appears to call this statement into question: "Other fitness sites, such as Strava, provide the option to automatically prevent your home or work-location from being published. Polar doesn't."

Bellingcat also discovered that changing your exercise sessions from public to private is not retroactive, and that hiding or deleting previous sessions must be done one at a time. Therefore, if you have been using the app regularly since 2014, removing everything may be impractical.

However, Bellingcat notes that Polar's privacy policy was updated in August 2017, "and new accounts do have their default settings set to the most private options available, meaning users have to opt-in to share."

So where does the fault lie?

In the wake of the Strava leak, the U.S. military adjusted its guidelines for fitness trackers. However, Bellingcat and De Correspondent still encountered the names and locations of personnel from the National Security Agency and the Secret Service, as well as Britain's MI6 Secret Intelligence Service and Russia's Main Intelligence Directorate (aka GRU), which acts as its counterpart to our Central Intelligence Agency.

Polar partly upgraded its user privacy before the Strava leak even emerged, but users continued to opt in to more activity sharing, despite the sensitivity of their identities and their work.

Bellingcat suggests one option to increase your privacy during workout sessions: "[I]f you want absolute assurance that you are not running into data-pitfalls during future exercises, you could leave your device at home, so you can jog around anonymously to your heart's content."

Takeaways

  1. If you work at a spy agency or nuclear weapons bunker, it's probably a bad idea to broadcast your name, location history, and physical appearance on a website that anyone can view.
  2. As Facebook proved nearly 15 years ago, people love sharing and over-sharing personal details, in the hopes of making a connection or just getting attention, and it looks like even secret agents aren't immune to the lure.

Tom is the senior editor covering Windows at Download.com.