The security of Polar users’ data could be compromised, in a big way

The Finnish fitness device and software maker Polar has found itself at the centre of a data-leak scandal, which it is feared could jeopardise the security of personnel on sensitive missions.

Although personal space and privacy are highly respected in Finland, the country can be rather transparent too. Every year at the beginning of November, the tax office grants public access to data on how much income and capital gains everyone made in the previous year, as well as how much tax they paid.

The country also produced Polar, the company that invented the portable heart rate monitor. More recently, its professional heart rate monitoring system was credited as being largely behind the scientific training at Leicester City Football Club, which went on to win the Premier League in 2016.

But it is safe to say Polar has taken transparency too far. After months of investigation, the Dutch independent news outlet De Correspondent, in conjunction with the British “citizen journalism” website Bellingcat and the Finnish investigative journalist Hanna Nikkanen on Long Play (in Finnish), published findings showing how anyone with a Polar account could see the full details of any other user who had publicly shared workout sessions in Polar’s user-facing app, Flow.

The data extracted included names, as well as time-stamped GPS data for all workouts uploaded since 2014. When zoomed out, the aggregated data produced a clustered view of the user’s activity pattern on the map. This allowed a rather accurate estimate of the user’s home base, the place where most exercises started and ended, even when that place was a sensitive location such as a military base in Iraq or Afghanistan. With some additional cross-searching of social networks, a user’s professional affiliation, including membership of the military or secret services, could be established.

By the time they published their reports, the journalists had managed to gather personal and professional details of more than 6,000 Polar users, including people working for the US NSA, Britain’s GCHQ and MI6, Russia’s GRU and SVR RF, France’s DGSE, the Finnish military, and the Dutch MIVD.

The journalists notified the Dutch and Finnish authorities and reached out to Polar before publishing their findings. The Dutch and Finnish Defence Ministries remotely disabled the app on the official phones issued to their employees, and warnings were sent out to users of private devices. However, Polar did not formally take down the feature until yesterday (9 July), more than two weeks after being contacted by the journalists and after a forlorn attempt to defend itself by claiming that the company had not leaked the users’ data.

Finland’s Data Protection Ombudsman is looking into the matter. Because Polar’s failure to safeguard user data has affected users in other EU countries, the possibility that the case could be brought under the new GDPR cannot be ruled out.

Polar was not the first fitness app to score an own goal. In fact, it was the high-profile case of Strava leaking training data from military bases, which made headlines at the beginning of the year, that prompted the independent journalists to look into the vulnerability of other apps, including Polar. What makes the Polar case stand out is the ease with which users’ private data could be extracted, and the slow reaction from the company.

The ramifications of the case could be profound. The journalists found that similar data could also be extracted from other fitness apps such as Endomondo, Runkeeper and Garmin, albeit with a little more skill. This could result in authorities banning all similar apps from use by employees in sensitive functions, just to be on the safe side. The Finnish military had already banned the sharing of location data on social networks even before the Strava case, but rank-and-file servicemen and reservists largely ignored the order, according to Long Play.

In her testimony to Congress, the newly appointed Director of the CIA, Gina Haspel, declared that she has no social network accounts. This could move from a voluntary decision to a mandatory order for employees on sensitive missions. Profiles on social networks like LinkedIn and Facebook made it straightforward for the journalists to join the dots and put together the Polar users’ personal and family details, roles, and locations.

In our latest annual survey, published at the end of last year, nearly 95% of network operators rated security as either critical (69%) or important (25%) to their company’s overall technology and business. Clearly, other service providers, including device makers and app developers, should also raise their awareness and subject their products to more rigorous security testing.