A popular fitness app that tracks the activity data on millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services.
The app, Polar Flow, built by its eponymous company Polar, a Finnish-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years -- simply by modifying the browser's web address.
For most users who set their activity tracking records to public, posting their workouts on Polar's so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user's fitness activity can reveal where a person lives.
An exposed location of anyone working at a government or military installation can quickly become a national security risk.
It's the second time this year a fitness app has sparked controversy by revealing the locations of personnel at sensitive installations. Strava changed its privacy settings after word quickly spread that the fitness trackers used by military personnel were exposing the classified routes between bases on the battlefield, making it easy to launch attacks. Much of the controversy was because the companies put the onus of privacy on the user, but many are not aware their information is searchable, let alone accessible by anybody.
Although the existence of many government installations is widely known, the identities of their employees were not.
But now, an investigation by Dutch news site De Correspondent and Bellingcat found that Polar Flow exposed their fitness tracking data. The company's developer API could be improperly queried to retrieve fitness activities, like each running and cycling session, on any user.
With two pairs of coordinates dropped over any sensitive government location or facility, it was possible to find the names of personnel who track their fitness activities dating as far back as 2014.
The reporters identified more than 6,400 users believed to be exercising at sensitive locations, including the NSA, the White House, MI6 in London, and the Guantanamo Bay detention center in Cuba, as well as personnel working on foreign military bases.
Names of officers and agents at foreign intelligence services, like GCHQ in Cheltenham, the French DGSE in Paris, and the Russian GRU in Moscow, were also found.
Staff at nuclear storage facilities, missile silos, and prisons were also spotted.
De Correspondent shared some of the data with ZDNet to examine.
Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived, if they started or stopped their fitness tracking as soon as they left their house.
Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone -- including malicious actors or foreign intelligence services -- to scrape the fitness activity data on millions of users.
But they also found they could trick the API into retrieving fitness tracking data on private profiles.
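The server-side controls whose absence is described above (no request limits across enumerable user IDs, and private sessions retrievable through the API) can be sketched as follows. This is an added example, not Polar's code: the `ActivityAPI` class, its limit values and the sample sessions are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: user 1001 shares publicly, user 1002 keeps sessions private.
SESSIONS = [
    {"id": "a", "owner": 1001, "public": True,  "start": (52.10, 5.10)},
    {"id": "b", "owner": 1002, "public": False, "start": (52.20, 5.20)},
    {"id": "c", "owner": 1002, "public": False, "start": (52.21, 5.21)},
]

class RateLimited(Exception):
    """Raised when one client walks across too many profiles in the window."""

class ActivityAPI:
    """Hypothetical endpoint; the limits are assumed values."""

    def __init__(self, max_users=3, window=60.0):
        self.max_users = max_users        # distinct profiles per client per window
        self.window = window              # window length in seconds
        self._seen = defaultdict(deque)   # client -> deque of (timestamp, target)

    def _check_rate(self, client, target, now):
        q = self._seen[client]
        # Drop requests that have aged out of the sliding window.
        while q and now - q[0][0] > self.window:
            q.popleft()
        # Count distinct profiles, not raw requests: enumeration touches many
        # different IDs, while a normal client re-reads a handful.
        distinct = {t for _, t in q} | {target}
        if len(distinct) > self.max_users:
            raise RateLimited(client)
        q.append((now, target))

    def list_sessions(self, client, requester, target, now):
        self._check_rate(client, target, now)
        # Visibility is decided per session from stored state on the server,
        # never from anything the request claims about itself.
        return [s["id"] for s in SESSIONS
                if s["owner"] == target and (s["public"] or requester == target)]
```

Random, non-sequential identifiers would make guessing the next valid ID harder, but they complement the per-object check rather than replace it.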
In densely populated areas such as the White House, the number of ordinary people tracking their fitness nearby is higher, adding a lot of unwanted noise to the data, but isolated military camps and government bases produced better results.
De Correspondent explained in an additional report how easy it was to follow around one Polar user, believed to be an officer at the Dutch state intelligence service, across the world, and even locate his home address. Yet, in some countries, like the Netherlands, revealing an intelligence officer's identity is illegal, the reporters pointed out.
ZDNet was able to trace one person who exercised near NSA headquarters in Ft. Meade. The user later started his exercise tracking as he left his house in nearby Virginia. Through public records, we confirmed his name, and his role as a senior military official.
Another person, also believed to be an NSA staffer based at Ft. Meade, was found exercising close to the Guantanamo Bay detention facility.
The Dutch reporters also found the fitness tracking data of several foreign military and intelligence officers near sensitive installations in the US.
The data can build up an unsettling picture of a person's life, where they live, where they go, and open up avenues to find out more about who they are and who they know.
But while some would call it creepy and unnerving, others would call it espionage.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, commented on the exposure.
"There's probably a point in our recent history or future past which you can't be a spy anymore," he said.
After a private disclosure, Polar took its map offline shortly before publication.
In a statement sent by Polar chief strategy officer Marco Suvilaakso, the company said it "recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations."
The company denied a leak or a breach of its systems.
"Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case," said the statement. "While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API."
We asked Polar if this data exposure, specifically the revealing of some home addresses on private profiles, constituted a breach of Europe's new data protection law -- known as GDPR.
"Yes, we are GDPR compliant," said Suvilaakso.
Polar does not reveal its user figures, but De Correspondent found more than 30 million user IDs.
De Correspondent contacted Dutch and Finnish authorities to secure Polar's platform, while ZDNet contacted several US authorities about the data exposure.
We contacted several government departments, including the Office of the Director of National Intelligence, which oversees the intelligence community and its agencies. Spokesperson Charles Carithers said Thursday the ODNI was "aware of the potential impacts" of devices that collect and report personal and locational data.
"The use of personal fitness and similar devices by individuals engaged in US Government support is determined and directed by each agency and department," he said.
NSA spokesperson Brynn Freeland said the agency "has in place and enforces policies regarding the use of wearable fitness devices inside controlled work areas," but did not say what those policies were.
"In addition, we have an ongoing educational campaign for our workforce focusing on the relationship between technology, their privacy, and operational security," he said.
CIA spokesperson Ryan Trapani declined to comment, or provide its guidance on the use of personal fitness devices, and the White House did not comment when reached Thursday. A spokesperson for the National Security Council also did not comment.
The FBI did not return a request for comment. A spokesperson for the Pentagon did not respond to a request for comment either.
In earlier statements, the department that oversees the military said it "takes matters like these very seriously." Previous guidance shows military personnel are not permitted to use fitness trackers that contain Wi-Fi or cellular capabilities, but it permits Bluetooth and GPS-enabled devices that sync data to phones.
Polar isn't the only fitness tracking company inadvertently exposing user data. Other fitness apps had similar issues, though the reporters said the exposures were not to the same extent as Polar.
Polar apologized for the inconvenience caused by suspending the map.
"However our goal is to raise the level of privacy protection and to heighten the awareness of good personal practices when it comes to sharing GPS location data," the company said.