Wireless fitness band maker Polar Electro Oy has suspended a public workout-sharing feature after it was found that the location data could be used to track soldiers and spies on military bases.

The discovery, detailed today in a joint investigation from Bellingcat and Dutch journalism platform De Correspondent, involves Polar sharing data from its users, complete with profile pictures and often actual names of users, via a publicly available “Explore” feature.

The specific details such as the route taken, and the fact that it’s publicly available, is where security concerns arise, since a significant number of users are military or government personnel. Unlike Strava, a fitness app accused of exposing confidential data back in January, Polar’s Explore feature allows anyone to click on any user whereas Strava only offered access via a user’s profile page.

“By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well,” Foeke Postma from Bellingcat explained. “Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.”

In one example given, a U.S. serviceman is shown as having exercised on both the east and west coast along with locations in Iraq and Afghanistan. In another case, a high-ranking officer of an airbase known to host nuclear weapons, identified by the fact that the Explore feature shares his actual name and profile picture, was found jogging across the compound every morning.

Although the chances of an attack occurring in the U.S. are slim, data relating to U.S. soldiers serving in foreign locations could potentially allow terrorists to plan an attack on a solider on or off the base.

While noting that users have always had the option of making their profiles private, Polar responded to the report by shutting Explore. It said in a statement that it has shut access to the Explore API while it analyzes “the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations.”

The shutdown should be welcomed, but the company has squarely pointed the finger at its users, noting that “the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case.”

The investigation did confirm that Polar does offer privacy settings. But some of them are dubious, including a followers-only sharing feature that still exposes location data and does not include a second step to implement follower approval Facebook Inc. style. The investigation also noted that there is no privacy option to prevent home or work location from being published automatically. In effect, unless users opt for completely private profiles, their data is put at risk.

“Fitness devices and apps are just one more area where people need to be aware of what kind of data they are sharing, particularly as they strongly rely on sensitive data such as location and health-metrics,” Postma concluded. “As always, check your app-permissions, try to anonymize your online presence, and, if you still insist on tracking your activities, start and end sessions in a public space, not at your front door.”

Images: Bellingcat