Fitness App Reveals Names, Locations of Thousands of Western Troops and Spies

In January, Nathan Ruser, a young writer at the Australian Strategic Policy Unit, discovered fitness app Strava's global user heatmap could be used to determine the location of military bases and other sensitive locations in remote areas and conflict zones — and the exercise routes of personnel based at such installations. His serendipitous finding made headlines around the world, and was a major public relations disaster for the company.

However, the information Polar routinely disgorges is significantly more revealing, publishing more data per user more accessibly. Anyone wanting to find out the exercise routes taken by staff at military or intelligence installations anywhere in the world — and when they typically exercise, and for how long — need merely search for users in a sensitive area. While Google has a strict policy of not marking — and often obscuring — secret locations on its Maps and Earth provisions, no such impediment is evident in Polar's own mapping.

Moreover, it's possible to see where else certain users have exercised — making military and intelligence personnel's private residences extremely simple — ever since they joined, which in some cases dates back to 2014. Polar users often attach full names to their profiles, and headshots, ala Facebook profiles.

‘Top Secret'

The roll call of secret state employees identified on Polar is extensive, totalling almost 7,000, a total including personnel exercising at bases hosting nuclear weapons, FBI and NSA employees, military personnel specialized in cyber security, information technology, missile Defence, Intelligence and other delicate areas. US military personnel stationed in the ‘demilitarized zone' splitting North and South Korea, Baghdad's infamous ‘Green Zone', and makeshift bases erected to fight Daesh in Iraq and Syria, among others, were also identified.  

Cranking privacy settings does little to stem the deluge of data users unwittingly release to the outside world. Even if an individual only allows their followers to see their activities, their name, photo and location are still accessible by anyone. Moreover, unless users specify otherwise, other users can follow them — and thereby spy directly on their activities — automatically. While users can delete session data, preventing outsiders from viewing where they've exercised and when, currently it's only possible to remove individual sessions, a potentially onerous process given users typically notch up around half a dozen weekly on average.

In a statement, Polar was keen to stress the company itself had not leaked any data, and there'd been no breach of private information.

"We're aware potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API. We're analyzing options that will allow Polar customers to continue using the feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations. We apologize for the inconvenience the suspension will cause, however our goal is to raise the level of privacy protection and heighten awareness of good personal practices when it comes to sharing GPS location data," the company added.

Sloppy Spies

Much opprobrium has been directed at Polar, but there has been little if any consideration of whether military and intelligence personnel themselves should bear any responsibility for their lax attitudes to data — despite negligence by such individuals having a long and less than illustrious history.

For instance, in 1990, as the UK and US were preparing to engage in the first Gulf War, a British Royal Air Force laptop containing battle plans was stolen from a car in West London. The officer responsible for the computer's keeping was duly court-martialled, but the secrets were never leaked.

Similarly, in March 2000 a laptop was stolen from the Kent home of John Spellar MP, then-Armed Forces minister, which was alleged to contain both nuclear secrets and the military's role in Northern Ireland — although a Ministry of Defense spokesperson alleged the laptop only held constituency information.

Later that same year, an MI6 officer left a laptop in a taxi after a night out in Vauxhall, South London — it contained training files related to foreign intelligence. A mere few months later, a laptop containing sensitive information on Northern Ireland, was snatched when an MI5 officer put it down to assist someone while buying a ticket at Paddington station. An Army laptop containing data on 500 people was also stolen from a recruiting office in Edinburgh in 2005, and a Royal Navy laptop stolen in Manchester in 2006.

In 2007, officials at Her Majesty's Revenue and Customs dispatched two unencrypted computer discs through the post to the National Audit Office, which contained personal details of 25 million people, including every family in the UK with a child under 16. They weren't sent via recorded delivery and never arrived, and have never been recovered.

In December that year, it was revealed the names, addresses and phone numbers of three million driving test candidates had been lost after a computer hard drive went missing in the US.

A month later, a laptop holding the personal details of 600,000 individuals who'd applied to join the Armed Forces was stolen from a car in Edgbaston, Birmingham. In April, the laptop of an Army captain was stolen from under his chair at a McDonald's near the Ministry of Defense. Despite department staff stating the laptop's data wasn't sensitive, and was fully encrypted, staff were subsequently banned from taking unencrypted laptops from work.

However, the policy did nought to quell the massive data losses — in June, files containing an assessment of Iraqi forces and a Home Office report on al-Qaeda were left on a train by a senior intelligence officer in the Cabinet Office. The official responsible, Richard Jackson, was almost jailed for his ineptitude — he'd previously received a warning for not locking secret files in his safe when not reading them as required. In this instance, he'd accidentally taken confidential reports from his desk home with him, then failed to return them immediately, then left them in a folder on his train into work the next day.

The very same week, secret documents detailing UK policies towards fighting global terrorist funding, drugs trafficking and money laundering were left on another train by another intelligence officer. The files contained criticism of Iran and outlined how the trade and banking systems can be manipulated to fund terrorists. They also highlighted the weakness of tax authorities' computer systems, responsible for tracking financial fraud.