It's been just over a year since Strava was found to be publishing data that could be used to discern the location of secret military bases. The Polar Flow app, used by owners of Polar fitness devices has been found to make the same sort of data publicly accessible. While this is a great way to see where other people are running or riding, this feature can be used to locate people who are meant to be keeping a low profile and even allow their identities to be revealed.
Polar has been forced to take their activity map offline, following an investigation that revealed the locations of runners who work at the FBI, NSA and other agencies, Russian soldiers in the Crimea and other "interesting" military targets. As well as revealing where soldiers are stationed, those not being deployed can have their home locations revealed by analysing start and end locations.
Researcher Foeke Postma said his team was able to scrape Polar’s site for individuals exercising at over 200 sensitive sites. They found information for about 6,500 unique users who competed over 650,000 exercise sessions.
Strava tightened its settings last year following the controversy last year. But Polar seems to have not paid attention to what happened. The problem Polar faces isn't that there's a software bug that can be exploited. It 's that privacy wasn't designed with today's threat environment in mind.
Users can stop their personal data being revealed on the Polar activity map. According to de Correspondent, Postma's partner in the investigation, just 2% of Polar's users publish there data in this way. Polar's defence, made in a statement says "the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer".
While that's true and we all have a responsibility to take steps to protect our own data, service providers need to also step up. That means disabling all data sharing by default and making it super clear what the potential consequences are when data is shared. Whenever the terms and conditions change, sharing should be disabled until users are clearly told what changes mean and they opt in again.
While it's true that Polar's systems didn't leak any data as the result of a breach or bug, the data they collected and published could be used in ways that were unanticipated when the software was developed. But when news broke about how Strava's map data could be used, it was remiss, in my view, for Polar not to reconsider how their service works and take steps to ensure the data they collected and published could not be mis-used in the same way.