Our customers’ privacy is of the utmost importance to us and we take this issue very seriously. We apologize that published training data has been available for potential misuse.
6 JULY, 2018: STATEMENT REGARDING PUBLIC AND PRIVATE TRAINING DATA
We’d like to take a moment to address recent concerns regarding Polar Flow user profiles and data privacy. Polar is dedicated to supporting our users and helping them achieve their health and fitness goals via our products. However, we recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.
It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.
We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations.
The Explore feature is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions. We apologize for the inconvenience that the suspension of the Explore API will cause, however our goal is to raise the level of privacy protection and to heighten the awareness of good personal practices when it comes to sharing GPS location data.
We will share updates with Polar Flow customers to inform them of the next steps relating to Explore. For additional information, we recommend reviewing Polar’s Privacy Notice and our privacy frequently asked questions. You can also view the latest updates on our Support Updates page.
QUESTIONS AND ANSWERS
Q: How can users manage their privacy settings in the Polar Flow web service?
A: When a Polar Flow account is created, everything is set to Private by default. In that case, no information about the user is shown to other users. Users can change their settings (Settings > Privacy) themselves and set the desired privacy levels for the following:
- Profile (name, profile picture, location)
- Training sessions (e.g. routes)
- Activitity summaries
If a user wants to share all of their training sessions, in the Polar Flow web service, and would like the sessions to be visible in the Explore view, this can be done by changing the privacy setting of their sessions to Public.
Furthermore, it is possible to change the privacy settings of a single training session by opening the session and choosing Public, Followers or Private.
Q: How is it possible that the points of interests of, users whose profiles were set to private were exposed via the Explore feature of Flow?
A: Sessions set to public are visible to anyone via the Explore feature, whereas sessions set to private can only be seen by the user him- or herself. If the user wants to keep their profile private and yet share some training sessions, their name is not shown in the Explore view but ‘Private user’ is displayed instead. It should not have been possible to link public training sessions of this type to a particular user profile.
The issue was caused by the fact that the public training session details contained the User Identifier (UID) that could be linked to a particular user. This also applies to sessions belonging to private user profiles. With the help of this identifying UID it was possible to retrieve users public training sessions by altering the search parameters in the browser. By doing this, the training sessions belonging to a private profile could be linked to each other. Training sessions that have not been set to public by the user are not displayed publicly. When there are multiple public training sessions that always start and end in the same location, it is possible to deduce potential points of interests associated with the user. The same method also worked the other way round: one could first find sessions in a specific location and then search for these users’ other training sessions. This was especially unfortunate, for example, for military personnel and intelligence agents.
We apologize for the situation. We have already implemented corrective actions and continue to take additional measures as a precaution. As a result, the Flow Explore feature has been disabled until further notice.
Q. What is the risk to those customers who this case is potentially relevant to?
A. By default, your profile, training sessions and activity summaries are all set to private. If you have shared training data publicly, it was suggested that by undertaking a number of calculated actions, combined with a level of speculation, explained above, it could have been possible to locate a possible point of interest. Therefore, we decided to suspend the Flow Explore feature.
Q. How do I know if my Polar Flow user profile and data privacy was affected by the recent news article?
A. The vast majority of Polar customers are not affected in any way by this case. This case refers specifically to customers who have shared their training data publicly.
Q. I have seen statements that private users' names and addresses have been identified from your services. Is this true?
A. This is not true. The alleged acquired names and addresses have not been found from Polar services.
Q. The case referenced access to potentially sensitive locations - are such people at risk?
A. We have suspended the Flow Explore feature to protect the identity of such persons. There is no longer access to previously published training data through the Flow Explore feature. By default, profile, training sessions and activity summaries are all set to private. We anticipate, and continue to advise, that the vast majority of those people, who work within potentially sensitive areas, continue to adhere to the default settings and comply with best practices as advised by their employer.
Q. What corrective actions have been taken?
A. We have already implemented a number of measures to address the concerns raised. We are aware that potentially sensitive locations were appearing in public data. Subsequently, we made the decision to suspend the Flow Explore feature until further notice.
Q. If there hasn't been a data breach, why have you suspended the Explore feature?
A. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.
Q. I have seen statements that suggest that Polar leaked data - Did Polar leak any data?
A. Contrary to what has been reported—it's important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.
Q. Is my privacy and/or data at risk when using Polar?
A. We take your privacy exceptionally serious at Polar. We continue to take measures to ensure your privacy and data are not at risk.
If you have further questions on this matter, please do not hesitate to contact our Customer Care team: https://support.polar.com/en/support/contact_us/email_polar