Soldiers And Secret Agents' Names And Home Addresses Exposed By Fitness Tracker

It appears that government and intelligence agencies throughout the world did little or nothing to change their policies on personal fitness app and tracker usage: for the second time this year, a massive data breach has exposed sensitive locations and the daily routines of government personnel, all accessible to the public.

As with Strava's interactive online fitness tracking map that made headlines last January, which, as we detailed, revealed clandestine sites in places like Syria, Iraq, and Africa, including for example a CIA "black site" in Djibouti, the new breach allows easy access to the daily habits of millions of users going back years.

This time, in some instances, even the names and addresses of intelligence and military personnel can be found.



This time it's the fitness app Polar Flow, created by a Finnish-based company with offices in New York, at the center of controversy after an investigation by Dutch news site De Correspondent confirmed that the app "lets anyone find names and addresses for thousands of soldiers and secret agents."

This can even include profile pictures and often actual names of users shared via the publicly available “Explore” feature, but, as researchers also found, this data can potentially be accessed through a design flaw in the privacy setting.

De Correspondent actually demonstrates just what can be known by examining one particular Polar fitness tracker near Erbil's international airport in Iraq. The results, found through quick open source searches, are startling:

The man – let’s call him Tom – is a Dutch soldier, part of the Netherlands’ Capacity Building Mission in Iraq. The CBM is encamped near the Erbil airport. Since 2015, this base has been one of the key locations from which the war against the terrorist group Islamic State is being waged. 

We are absolutely not supposed to know who Tom is and where he’s stationed. And we most definitely shouldn’t know where Tom lives.

Yet the activity tracking map in Polar’s fitness app lets us see that many of Tom’s runs start and end near a cluster of homes in a small town in the northern Netherlands. A little Googling gives us his exact address. We also find the names of his wife and children, and photos.

Though as the Dutch journalists note, exposing identities of intelligence agents is illegal in the US and many European countries, "we still found the names and addresses of personnel at intelligence agencies including the NSA and Secret Service in the US, the GCHQ and MI6 in the UK, the GRU and the SVR RF in Russia, the DGSE in France, and the MIVD in the Netherlands."

Dutch news site De Correspondent, working with the open source analysis site Bellingcat, produced infographic maps based on the Polar app, demonstrating how easy it is to locate home addresses of users via the Polar "Explore" feature:

"We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea." De Correspondent says this also included "the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases."

Other journalists have since found names and addresses for what are believed to be intelligence and military personnel at sensitive government locations throughout the US as well, and noted that "Although the existence of many government installations are widely known, the identities of their employees were not."

In the case of the Polar app, as the tech site ZDNet explains, this can be done even if the user's settings are set to "private":

With two pairs of coordinates dropped over any sensitive government location or facility, it was possible to find the names of personnel who track their fitness activities dating as far back as 2014.

The reporters identified more than 6,400 users believed to be exercising at sensitive locations, including the NSA, the White House, MI6 in London, and the Guantanamo Bay detention center in Cuba, as well as personnel working on foreign military bases.

...they also found they could trick the API into retrieving fitness tracking data on private profiles.

Who knows how many times either foreign intelligence services or terrorist groups have already used this and possibly other apps to pinpoint the exact locations of US government agents operating abroad? After all, the journalists testing the online system explain how easy it was to cull the data: "Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone — including malicious actors or foreign intelligence services — to scrape the fitness activity data on millions of users."

But a few of the examples, names withheld by the journalists, are as follows:

  • ZDNet was able to trace one person who exercised nearby to NSA headquarters in Ft. Meade. The user later started his exercise tracking as he left his house in nearby Virginia. Through public records, we confirmed his name, and his role as a senior military official.
  • Another person, also believed to be an NSA staffer based at Ft. Meade, was found exercising close to the Guantanamo Bay detention facility.
  • The Dutch reporters also found the fitness tracking data of several foreign military and intelligence officers near sensitive installations in the US.
  • De Correspondent explained in an additional report how easy it was to follow around one Polar user, believed to be an officer at the Dutch state intelligence service, across the world, and even locate his home address.
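
The two weaknesses the reporters describe (unlimited requests against enumerable user IDs, and private profiles returned by the API) map to server-side controls. The following Python example is added here and is not code from Polar or from the reporting; the `ActivityAPI` class, its limits, status codes and sample records are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data): user_id -> profile.
PROFILES = {
    1001: {"public": True, "sessions": ["run-a"]},
    1002: {"public": False, "sessions": ["run-b"]},
    1003: {"public": True, "sessions": ["run-c"]},
}


class ActivityAPI:
    """Hypothetical endpoint; the class, limits and status codes are assumptions."""

    def __init__(self, max_requests=3, window_s=60.0, max_distinct_users=2):
        self.max_requests = max_requests              # requests per client per window
        self.window_s = window_s
        self.max_distinct_users = max_distinct_users  # distinct profiles per window
        self.history = defaultdict(deque)             # client -> (timestamp, user_id)

    def get_sessions(self, client, requester_id, user_id, now):
        """client: authenticated API key; requester_id: logged-in user; now: seconds."""
        hist = self.history[client]
        while hist and now - hist[0][0] >= self.window_s:
            hist.popleft()                            # forget requests outside the window
        hist.append((now, user_id))                   # rejected requests count too
        if len(hist) > self.max_requests:
            return 429, "rate limit exceeded"
        if len({uid for _, uid in hist}) > self.max_distinct_users:
            return 429, "user-ID enumeration suspected"
        profile = PROFILES.get(user_id)
        # The privacy flag is checked on the server for every lookup, and private
        # and nonexistent IDs get the same answer so the API does not confirm them.
        if profile is None or not (profile["public"] or requester_id == user_id):
            return 404, "not found"
        return 200, profile["sessions"]


if __name__ == "__main__":
    api = ActivityAPI()
    for t, uid in enumerate([1001, 1002, 1003]):      # one client walking sequential IDs
        print(uid, api.get_sessions("key-1", requester_id=1001, user_id=uid, now=t))
```
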

Polar has since taken its tracking map offline and put out a statement: "While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API," the company posted on its website.

The Office of the Director of National Intelligence (ODNI), which oversees America's 17 intelligence agencies, issued the following predictable and somewhat vague statement to ZDNet while saying it was "aware of the potential impacts" of personal fitness devices: "The use of personal fitness and similar devices by individuals engaged in US Government support is determined and directed by each agency and department."

Based on this official response from the ODNI, which is essentially an admission that "we'll just keep doing what we're doing," we fully expect more massive classified data and identity breaches to follow.

No doubt action will finally and belatedly be taken if and when the first "Fitbit tracker-based kidnapping" of a government employee takes place.

* * *

Below are some of the open source satellite tracking images that the multi-part De Correspondent investigation produced based on Polar fitness tracking app data:

NSA headquarters at Fort Meade, MD. De Correspondent/ZDNet

British Secret Intelligence Service (MI6)

Tracking a single user who entered Britain's GCHQ headquarters. Via De Correspondent

General Directorate for External Security (DGSE, France's foreign intelligence agency) headquarters, Paris. 

Guantanamo Bay detention camp. 

Routes run by Polar users at a military base in Gao, Mali.

Bagram Airfield, Afghanistan

Bellingcat: "Exercises tracked at a military base in the Middle East. Red squares with white dots are clusters of many more sessions which started at that location." (airbase in Afghanistan)

Comments

GeezerGeek MuffDiver69 Mon, 07/09/2018 - 17:44 Permalink

IoT. Prelude to Skynet.

The ability of tech to spy on us is far beyond what Orwell ever conceived. (Science Fiction in general is usually very conservative in its future prognostications.)

The willingness of sheeple to allow others to spy on them is, to me, incredible. They actually yearn for these spies.

In reply to by MuffDiver69

Never One Roach GeezerGeek Mon, 07/09/2018 - 17:49 Permalink

Speaking of....

My Fat Bit just alerted me to the fact I have to get up and move around...and go get another donut.

The $839 gadget is really amazing; it tells me when I'm sleeping and when I'm awake.

It tells me I'm breathing and/or walking.

Going up steps or down.

Who doesn't want to know that stuff for a mere $839?

Well worth the money.

In reply to by GeezerGeek

glenlloyd Shemp 4 Victory Tue, 07/10/2018 - 12:54 Permalink

I have to wonder if large service providers, like Garmin, have given any of their (user) data to the government?

I have a couple Garmin devices and if I find that they've been handing out user data like the cell providers I'm going to no longer be a user with them.

It's unfortunate that we have to divest ourselves of anything tech in order to feel secure in our privacy.

In reply to by Shemp 4 Victory

NoDebt MuffDiver69 Mon, 07/09/2018 - 17:47 Permalink

Imagine how much faster we could have found Osama Bin Laden if we had this technology back then.  Jezuz, we spent MILLIONS OF DOLLARS and YEARS of time tracking him down (some say we actually never found him and it was all just a farce) when all we needed to do was drill into his fitness tracking app history!

In reply to by MuffDiver69

besnook Mon, 07/09/2018 - 17:42 Permalink

if they spy on us then turnabout is fair play. same goes with any law enforcement. out all of them with names and addresses. maybe then they will reevaluate their choices in life.

LOL123 Mon, 07/09/2018 - 17:57 Permalink

Bill Clinton's name pops up every time a destructive, illegal endeavour comes to light.

"Selective Availability (SA) was an intentional degradation of public GPS signals implemented for national security reasons.

In May 2000, at the direction of President Bill Clinton, the U.S government discontinued its use of Selective Availability in order to make GPS more responsive to civil and commercial users worldwide.

The United States has no intent to ever use Selective Availability again.

In September 2007, the U.S. government announced its decision to procure the future generation of GPS satellites, known as GPS III, without the SA feature. Doing this will make the policy decision of 2000 permanent and eliminate a source of uncertainty in GPS performance that had been of concern to civil GPS users worldwide."

The Deep State misses their "godfather" (since George HW Bush Sr. put out to pasture) and Hillary...2020.

Obamanism666 Mon, 07/09/2018 - 18:01 Permalink

They missed the one when the physical ed student was doing a thesis on Fitbit and noticed that there were tracks in the Syrian ruins, Libya etc. and it took him 10 minutes to figure out that it was special ops wearing the Fitbit and he had time, location and ID.

Anything with the smart label means it's following you and recording your activities.

whitedragon Mon, 07/09/2018 - 21:20 Permalink

Jogging is for faggots. Diesel will always have more stamina than any human body.

Use your brain, stupid tax-feeders.

Because one well-placed mortar can take down a helicopter with 60 loser special forces who jogged every day.

Animal Mother Mon, 07/09/2018 - 21:51 Permalink

I wonder if this could be used to track how many cockbag MI-5 and MI-6 operatives set up the fake chemical weapons attacks on the Skripals and the new couple? 

VW Nerd Mon, 07/09/2018 - 23:00 Permalink

Military/intelligence make it their business crawling up everyone else's ass, but find it rather bothersome when someone finds a way to crawl up theirs. Worth thinking about....