A popular fitness app has suspended a feature that maps user activity after a joint investigation by Dutch news websites De Correspondent and Bellingcat revealed an alarming amount of sensitive data on users.
Using the app Polar Flow, a property of Finland-based fitness company Polar, journalists were able to access users’ fitness tracking data, regardless of privacy settings, by modifying a web address. ZDNet reports that the app could be improperly queried to retrieve the fitness activity of any user, including many who work in sensitive areas like government, military and intelligence.
The situation is reminiscent of a similar revelation earlier this year, when it was discovered that a global activity heatmap published by Strava based on data it had collected from its fitness app revealed sensitive information about the movements of soldiers and the locations of U.S. military bases.
The Polar Flow data was so easily manipulated that it reportedly could reveal users’ home addresses, and whether those users were tracking their exercise in sensitive locations. Journalists were able to identify thousands of users believed to be exercising in or around areas such as the White House, the NSA, London’s MI6 headquarters, the Guantanamo Bay detention center, and military bases around the world. De Correspondent explained its process in a piece bearing the headline: “Here’s how we found the names and addresses of soldiers and secret agents using a simple fitness app.”
Polar announced in a statement released Friday that it has temporarily disabled the app’s Explore feature, and also tried to quell concerns.
“It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” the statement reads. “While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”