Statement Regarding Public and Private Training Data + Q & A
Our customers’ privacy is of the utmost importance to us and we take this issue very seriously. We apologize that published training data has been available for potential misuse.
13 DECEMBER, 2018: UPDATE TO STATEMENT REGARDING PUBLIC AND PRIVATE TRAINING DATA – EXPLORE FEATURE BACK ONLINE
We made the decision to temporarily suspend the Explore API in July 2018 when we learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations. We’d like to emphasize again that Polar has not leaked any data, and there has been no breach of private data at any point. A vast majority of Polar customers were not affected by this case in any way since they maintain the default private profiles and private sessions data settings.
We carried out a thorough analysis of how to raise the level of privacy protection and improved our guidance on sharing GPS data of sensitive locations. As a result, the Explore feature is now back online. Explore does not automatically show any training sessions, but instead the user interface guides Flow users on how the privacy settings work. In addition, we added an Update all to Private button that allows users to set their entire training session history to Private with one single click. We also published detailed instructions on Polar Flow privacy management: https://support.polar.com/en/support/how_to_manage_privacy_in_the_flow_web_service
We are happy that Flow users all over the world can again share and celebrate their amazing training sessions with the help of the Explore feature, now even more securely.
6 JULY, 2018: STATEMENT REGARDING PUBLIC AND PRIVATE TRAINING DATA
We’d like to take a moment to address recent concerns regarding Polar Flow user profiles and data privacy. Polar is dedicated to supporting our users and helping them achieve their health and fitness goals via our products. However, we recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.
It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.
We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations.
The Explore feature is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions. We apologize for the inconvenience that the suspension of the Explore API will cause; however, our goal is to raise the level of privacy protection and to heighten the awareness of good personal practices when it comes to sharing GPS location data.
We will share updates with Polar Flow customers to inform them of the next steps relating to Explore. For additional information, we recommend reviewing Polar’s Privacy Notice and our privacy frequently asked questions. You can also view the latest updates on our Support Updates page.
QUESTIONS AND ANSWERS
Q: How can users manage their privacy settings in the Polar Flow web service?
A: When a Polar Flow account is created, everything is set to Private by default. In that case, no information about the user is shown to other users. Users can change their settings (Settings > Privacy) themselves and set the desired privacy levels for the following:
- Profile (name, profile picture, location)
- Training sessions (e.g. routes)
- Activity summaries
If a user wants to share all of their training sessions in the Polar Flow web service, and would like the sessions to be visible in the Explore view, this can be done by changing the privacy setting of their sessions to Public.
The entire session history can be set to Private by clicking the Update all to Private button. Furthermore, it is possible to change the privacy settings of a single training session by opening the session and choosing Public, Followers or Private.
Q: How is it possible that the points of interest of users whose profiles were set to private were exposed via the Explore feature of Flow?
A: Sessions set to public are visible to anyone via the Explore feature, whereas sessions set to private can only be seen by the user him- or herself. If the user wants to keep their profile private and yet share some training sessions, their name is not shown in the Explore view but ‘Private user’ is displayed instead. It should not have been possible to link public training sessions of this type to a particular user profile.
The issue was caused by the fact that the public training session details contained the User Identifier (UID) that could be linked to a particular user. This also applies to sessions belonging to private user profiles. With the help of this identifying UID it was possible to retrieve users' public training sessions by altering the search parameters in the browser. By doing this, the training sessions belonging to a private profile could be linked to each other. Training sessions that have not been set to public by the user are not displayed publicly. When there are multiple public training sessions that always start and end in the same location, it is possible to deduce potential points of interest associated with the user. The same method also worked the other way round: one could first find sessions in a specific location and then search for these users’ other training sessions. This was especially unfortunate, for example, for military personnel and intelligence agents.
We apologize that this happened. We have implemented a number of corrective actions and are now bringing the Flow Explore feature, which was disabled as a precautionary measure, back online.
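The following is an added illustration of the design flaw and one mitigation; it is not Polar's code, and the field names, sample users and functions are hypothetical. It contrasts a public-session response that always carries the stable UID with one that omits it for private profiles and returns nothing for UID-filtered searches on them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    session_id: int
    owner_uid: int    # stable internal user identifier (the "UID")
    visibility: str   # "public", "followers" or "private"
    start: tuple      # (lat, lon); constructed values

# Constructed sample data: uid -> (display name, profile is public?)
PROFILES = {1001: ("Alice", True), 2002: ("Bob", False)}
SESSIONS = [
    Session(1, 1001, "public", (10.0, 20.0)),
    Session(2, 2002, "public", (30.0, 40.0)),
    Session(3, 2002, "public", (30.0, 40.0)),
    Session(4, 2002, "private", (30.0, 40.0)),
]

def render(s, hardened):
    """Public view of one session. The pre-fix form always emits the UID."""
    name, profile_public = PROFILES[s.owner_uid]
    row = {"session": s.session_id, "start": s.start,
           "name": name if profile_public else "Private user"}
    if profile_public or not hardened:
        row["uid"] = s.owner_uid
    return row

def explore(hardened, uid=None):
    """Public search; hardened mode returns nothing for a uid filter on a private profile."""
    if hardened and uid is not None and not PROFILES.get(uid, ("", False))[1]:
        return []
    return [render(s, hardened) for s in SESSIONS
            if s.visibility == "public" and uid in (None, s.owner_uid)]

def linkable_private_sessions(rows):
    """Group 'Private user' rows that share an identifier (linkability check)."""
    groups = {}
    for r in rows:
        if r["name"] == "Private user" and "uid" in r:
            groups.setdefault(r["uid"], []).append(r["session"])
    return {u: ids for u, ids in groups.items() if len(ids) > 1}

if __name__ == "__main__":
    print("before:", linkable_private_sessions(explore(hardened=False)))
    print("after: ", linkable_private_sessions(explore(hardened=True)))
```

Removing the identifier does not hide the coordinates themselves: public sessions that repeatedly start at the same place still reveal that place, which is why the per-session privacy setting matters for sensitive locations.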
Q. What is the risk to those customers who this case is potentially relevant to?
A. By default, your profile, training sessions and activity summaries are all set to private. If you have shared training data publicly, it was suggested that by undertaking a number of calculated actions, combined with a level of speculation, explained above, it could have been possible to locate a possible point of interest. We took the necessary measures to make sure that this is no longer possible.
Q. How do I know if my Polar Flow user profile and data privacy was affected by the recent news article?
A. The vast majority of Polar customers are not affected in any way by this case. This case refers specifically to customers who have shared their training data publicly.
Q. I have seen statements that private users' names and addresses have been identified from your services. Is this true?
A. This is not true. The alleged acquired names and addresses have not been found from Polar services.
Q. The case referenced access to potentially sensitive locations - are such people at risk?
A. By default, profile, training sessions and activity summaries are all set to private. We anticipate, and continue to advise, that the vast majority of those people, who work within potentially sensitive areas, continue to adhere to the default settings and comply with best practices as advised by their employer.
Q. What corrective actions have been taken?
A. We have implemented a number of measures to address the concerns raised. We are aware that potentially sensitive locations were appearing in public data. Subsequently, we made the decision to suspend the Flow Explore feature and after taking corrective actions we are bringing it back online.
Q. If there hasn't been a data breach, why did you suspend the Explore feature?
A. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we were aware that potentially sensitive locations were appearing in public data, and made the decision to suspend the Explore feature until we had taken every measure necessary to make sure it was safe to use.
Q. I have seen statements that suggest that Polar leaked data - Did Polar leak any data?
A. Contrary to what has been reported, it's important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.
Q. Is my privacy and/or data at risk when using Polar?
A. We take your privacy exceptionally seriously at Polar. We have taken and continue to take measures to ensure your privacy and data are not at risk.
If you have further questions on this matter, please do not hesitate to contact our Customer Care team: https://support.polar.com/en/support/contact_us/email_polar