We live in the age of sharing. The frequency and normalcy with which we share our videos, pictures, reading logs, and even workout routines have become so ingrained in our routines that it borders on reflexive. But, from time to time, a story comes along that highlights the inherent dangers – yes, dangers – that can arise from over-sharing.
Dutch news site De Correspondent recently unveiled a story that illustrates perhaps the most overt socially-generated threat to life to date. It revolves around the Polar fitness app, which could have been a gold mine for nefarious actors looking to use a foreign soldier, intelligence agent, or their families as leverage for blackmail.
The Polar Flow app – dubbed “the online window to your training, activity, and sleep” – allows users to voluntarily post maps of their runs, information about calories burned, and even sleep metrics for the public to view. Polar says that this is a feature that users must opt into – by default, maps are private, and only a reported 2% of users make their data available to the public. But when asked whether this feature has always been private, Polar’s representatives have reportedly been silent, at least for now.
It’s a critical question, considering the startling revelations that were uncovered by the De Correspondent examination. According to the report, “more than two hundred” “sensitive locations” were examined, and the digital maps in the area surrounding military bases, drone bases, nuclear power plants, nuclear weapon storage facilities, intelligence agencies, embassies, royal residences, and even the White House were analyzed.
To explain how the De Correspondent journalists reached their conclusion – that names and addresses of soldiers and intelligence personnel were compromised – they use a metaphorical soldier named ‘Tom’. Though they don’t completely elaborate on precisely how they deduced their findings, a modicum of trust that they aren’t completely fibbing makes these findings extremely concerning.
‘The man – let’s call him Tom – is a Dutch soldier, part of the Netherlands’ Capacity Building Mission in Iraq. The CBM is encamped near the Erbil airport. Since 2015, this base has been one of the key locations from which the war against the terrorist group Islamic State is being waged.
We are absolutely not supposed to know who Tom is and where he’s stationed. And we most definitely shouldn’t know where Tom lives.
Yet the activity tracking map in Polar’s fitness app lets us see that many of Tom’s runs start and end near a cluster of homes in a small town in the northern Netherlands. A little Googling gives us his exact address. We also find the names of his wife and children, and photos.’ (De Correspondent)
In response to the report, Polar temporarily took its mapping information offline. They cited the aforementioned statistics about the relatively small pool of users who voluntarily post their data online as cover. It’s fair to assume that, perhaps, sensitive personnel didn’t realize how much information could be gleaned from the data that Polar was storing. Or, pending a definitive answer, it should be considered whether these users’ information was being posted online without their knowledge.
The sheer magnitude of the De Correspondent report’s findings leaves the latter possibility open. They were able to discover the ‘names and addresses of personnel at intelligence agencies including the NSA and Secret Service in the US, the GCHQ and MI6 in the UK, the GRU and the SVR RF in Russia, the DGSE in France, and the MIVD in the Netherlands.’ The same goes for military personnel stationed across the world from Guantanamo Bay to Iraq, Afghanistan, South Korea and beyond. And, as De Correspondent notes, the ability to find this information – invaluable in the wrong hands – flies in the face of all that we know about the lengths to which state and defense entities go to keep their personnel safe.
‘To illustrate: only since March of this year may Dutch military personnel board the country’s public transportation system in uniform. Uniformed travel was forbidden in 2014, after a Dutch jihadist in Syria threatened to attack the government.
The ministry also enforces stringent rules to keep the identities of intelligence and special forces personnel confidential. The names and addresses of intelligence operatives are state secrets. The government’s policy for deployed military personnel is also strict.’ (De Correspondent)
The stakes couldn’t be higher.
‘A spokesperson for the Dutch defense department explains why: if the identities of these high-risk groups are exposed, not only are these soldiers in danger, but also the entire operation and the Netherlands’ national security.’
Yet, a single, seemingly innocuous fitness app could have gone a long way to undoing many of those efforts for a select number of at-risk personnel.
It raises an obvious question that is almost unanswerable by tech outsiders.
What other apps are tracking the movement of high-risk personnel, and who has access to that data?