It appears that government and intelligence agencies throughout the world did little or nothing to change their policies for personal fitness app and tracker usage as for the second time this year a massive data breach has exposed sensitive locations and the daily routines of government personnel, all accessible to the public.
And like with Strava's interactive online fitness tracking map that made headlines last January, which we detailed revealed clandestine sites in places like Syria, Iraq, and Africa, including for example a CIA "black site" in Djibouti, the new breach allows easy access to view the daily habits of millions of users going back years.
Yet now in some instances even the names and addresses of intelligence and military personnel are able to be known.
This time it's the fitness app Polar Flow, created by a Finnish-based company with offices in New York, at the center of controversy after an investigation by Dutch news site De Correspondent confirmed that the app "lets anyone find names and addresses for thousands of soldiers and secret agents."
This can even include profile pictures and often actual names of users shared via the publicly available “Explore” feature; but as researchers also found this data can potentially be accessed through a design flaw in the privacy setting.
De Correspondent actually demonstrates just what can be known by examining one particular Polar fitness tracker near Erbil's international airport in Iraq. The results, found through quick open source searches, are startling:
The man – let’s call him Tom – is a Dutch soldier, part of the Netherlands’ Capacity Building Mission in Iraq. The CBM is encamped near the Erbil airport. Since 2015, this base has been one of the key locations from which the war against the terrorist group Islamic State is being waged.
We are absolutely not supposed to know who Tom is and where he’s stationed. And we most definitely shouldn’t know where Tom lives.
Yet the activity tracking map in Polar’s fitness app lets us see that many of Tom’s runs start and end near a cluster of homes in a small town in the northern Netherlands. A little Googling gives us his exact address. We also find the names of his wife and children, and photos.
Though as the Dutch journalists note, exposing identities of intelligence agents is illegal in the US and many European countries, "we still found the names and addresses of personnel at intelligence agencies including the NSA and Secret Service in the US, the GCHQ and MI6 in the UK, the GRU and the SVR RF in Russia, the DGSE in France, and the MIVD in the Netherlands."
Dutch news site De Correspondent, working with the open source analysis site Bellingcat, produced infographic maps based on the Polar app, demonstrating how easy it is to locate home addresses of users via the Polar "Explore" feature:
"We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea." De Correspondent says this also included "the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases."
Other journalists have since found names and addresses for what are believed to be intelligence and military personnel at sensitive government locations throughout the US as well, and noted that "Although the existence of many government installations are widely known, the identities of their employees were not."
In the case of the Polaris app, as the tech site ZD Net explains, this can be done even if the user's settings are set to "private":
With two pairs of coordinates dropped over any sensitive government location or facility, it was possible to find the names of personnel who track their fitness activities dating as far back as 2014.
The reporters identified more than 6,400 users believed to be exercising at sensitive locations, including the NSA, the White House, MI6 in London, and the Guantanamo Bay detention center in Cuba, as well as personnel working on foreign military bases.
...they also found they could trick the API into retrieving fitness tracking data on private profiles.
Who knows how many times either foreign intelligence services or terrorist groups have already used this and possibly other apps to pinpoint the exact locations US government agents operating abroad? After all the journalists testing the online system explain how easy it was to cull the data: "Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone — including malicious actors or foreign intelligence services — to scrape the fitness activity data on millions of users."
But a few of the examples, names withheld by the journalists, are as follows:
- ZDNet was able to trace one person who exercised nearby to NSA headquarters in Ft. Meade. The user later started his exercise tracking as he left his house in nearby Virginia. Through public records, we confirmed his name, and his role as a senior military official.
- Another person, also believed to be an NSA staffer based at Ft. Meade, was found exercising close to the Guantanamo Bay detention facility.
- The Dutch reporters also found the fitness tracking data of several foreign military and intelligence officers near sensitive installations in the US.
- De Correspondent explained in an additional report how easy it was to follow around one Polar user, believed to be an officer at the Dutch state intelligence service, across the world, and even locate his home address.
Polar has since taken its tracking map offline and put out a statement: "While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API" — the company posted on its website.
The Office of the Director of National Intelligence (ODNI), which oversees America's 17 intelligence agencies, issued the following predictable and somewhat vague statement to ZD Net while saying it was "aware of the potential impacts" of personal fitness devices: "The use of personal fitness and similar devices by individuals engaged in US Government support is determined and directed by each agency and department."
Based on this official response from the ODNI which is essentially an admission that we'll just keep doing what we're doing, we fully expect more massive classified data and identity breaches to follow.
No doubt action will finally and belatedly be taken if and when the first "Fitbit tracker-based kidnapping" of a government employee takes place.
* * *
Below are some of the open source satellite tracking images that the multi-part De Correspondent investigation produced based on Polar fitness tracking app data:
NSA headquarters at Fort Meade, MD. De Correspondent/ZD Net
British Secret Intelligence Service (MI6)
Tracking a single user who entered Britain's GCHQ headquarters. Via De Correspondent
General Directorate for External Security (DGSE, France's foreign intelligence agency) headquarters, Paris.
Guantanamo Bay detention camp.
Routes run by Polar users at a military base in Gao, Mali.
Bagram Airfield, Afghanistan
Bellingcat: "Exercises tracked at a military base in the Middle East. Red squares with white dots are clusters of many more sessions which started at that location." (airbase in Afghanistan)