Fitness App Polar Flow Exposes the Daily Routines of Government Officials


Just Plain Mean
Staff member
May 18, 1997
Finnish fitness tracking app Polar Flow has been exposing the locations of any of the 30 million users of their app for years. According to researchers at the Bellingcat open source intelligence collective; even if the user sets their account to private, it was very easy to track the individual users. This was because the app allowed anyone to see a user's unique user number and use it in searches.

After using the map to track a random runner who frequented a military installation back to his home where he also worked out on a treadmill, the researchers decided to walk his daily workout path. They were able to watch his neighbors carry on everyday life and then knocked on the man's door. He quickly referred them to the defense department when confronted with the revelations from the app. John Doe's name, LinkedIn account profile, address, job title and and more was uncovered from a trip to the registry of deeds.

This is more proof that Internet of Things (IOT) devices need more security built into them. When we agree to attach a tracker to our bodies there should be a measure of security baked into the device so that situations like Polar Flow stops becoming the normal. When are we going to wake up and realize that our data is a precious commodity and should be protected? These researchers were able to track FBI agents as they worked and pinpointed where they lived with satellite imagery from Google Maps. Is that not enough of a wake up call for everyday citizens to demand more security?

One Fort Meade runner is harder to track down. His Polar profile is private. Polar’s map leads us to a group of houses where he probably lives, but we can’t pinpoint the exact address and thus we can’t use our registry-of-deeds trick to determine his identity. But there’s another runner in that same neighborhood who also takes regular runs at Fort Meade. She turns out to be a cybercrime response specialist.

We run her through public US databases and discover she’s recently changed her name. Using the new name, we finally locate the house where she and our first runner live. It’s not the address we first found; the couple have recently moved. He’s part of a special intelligence unit.

Good find. I was going to say I remembered seeing something about this happening with another fitness tracker not too long ago. I mean, just common sense if you ask me. If you're worried about people tracking your location, dont wear things that track your location. Derp.

Honestly, I don't understand why people are so keen on "tracking" their fitness anyway. "Oooh I took 17658 steps today. Wooot!"
Any time you use a Personalized Tracking Device, be it a fitness tracker, smartphone, smart TV or most IOT gizmos, you are basically entering into a Faustian Bargain. You are getting some short term gain be it ease of health monitoring, portable web/comm device, voice activated TV, etc in exchange for giving up control of all personal information said gizmos collect. Plus, thanks to large campaign contributions made to Super PACs that in return fund US elected official's campaigns, you have very little recourse when the devil/large corporations mis-handle all of the information they have collected about you. "Your mandatory arbitration hearing is in two days, in the law offices of Dewey, Cheatum and How, meeting room SB 34. Enter through entrance 2, be ready for anal probing (for security reasons), go down two flights of stairs, (watch out for the yellow mold), SB 34 is 2nd door on left, (beware the CEO's pet cougar, its undergoing a 14 day rabies evaluation.)"
It's convenience or privacy, no amount of built in security will fix this. This is the way of our connected society. Use these things, you will forever be public data for all to consume.

Looks like citizens now have a similar capability to surveillance agencies and there's no going back. Technology is a double edged sword where both sides cut you.

Much easier for other nation states to track classified individuals too .. 2spooky for the spooks.
Last edited:
It's time to step up our game and start adding more bad data to their good data. if anything for our own national defense.
Last edited:
I wonder if there will be a radical openness movement that wants all data to be public and there to be no secrets.. The opposite of privacy
It's convenience or privacy, no amount of built in security will fix this. This is the way of our connected society. Use these things, you will forever be public data for all to consume.

From what I've read, this was negligence on Polars part. They left an easily manipulated API open, so you could send two sets of coordinates (creating a location box) and it'd give you back the users. You could then pass the users in and get back the routines / location data associated to them.

Essentially, they didn't put basic permissions on their API queries.

So if one wanted to box Langley, you could get all of the Polar accounts that were found to have traveled within those coordinates.
In other news. . .be interesting in how many wives use to monitor hubby's heart rates at specific places around town that are not the gym. Just sayin'