The Flow fitness app produced by the Finnish sports activity tracking firm Polar has been found to reveal users’ sensitive location data, according to the investigative news service Long Play, the Dutch online news service De Correspondent and the online citizen journalism group Bellingcat.
A study by the three news organisations determined that it is possible to use Polar’s Flow app to track down the home addresses of military and intelligence personnel.
The working group used the app to find the names and home addresses of intelligence and secret service employees from different countries.
The individuals whose personal addresses were discovered included employees from the United States’ National Security Agency, the UK’s Government Communications Headquarters and MI6, as well as Russia’s Main Intelligence Directorate, or GRU.
The list also included some Finns who had engaged in athletic pursuits while participating in international operations.
Users of the Flow app were located at several military bases, including Erbil in northern Iraq, Guantanamo Bay in Cuba and Gao in Mali. Altogether, the group of journalists managed to compile data on over 6,000 Flow users.
Most of the information that the journalists found was culled from the app’s public map service. However, they also managed to uncover information that was not part of the affected users’ public profiles.
Data Protection Ombudsman probing reports
Two weeks ago, the investigative group reported its findings to Polar. On Friday, the company issued a statement in which it said that it did not leak users’ private information and that there had been no data breach affecting private data.
The firm added that it had been aware that the potential existed for sensitive location data to appear in public information, saying that it had decided to temporarily suspend the Explore API, which allows users to share information about training sessions.
“We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations,” Polar said in the statement.
Long Play reported that Finland’s Data Protection Ombudsman is now looking into the issues surrounding the Flow app. The online news site speculated that the case could be the first where new EU data protection regulations could be applied to a commercial application found to have data security shortcomings.
The international group of investigative journalists began looking into the app in January, when data released from the US Strava training app revealed the location of military bases as well as the movement of military personnel. At the time, bracelet activity trackers worn by some of the personnel were found to be responsible for disclosing the sensitive location data.