What Peloton Knows About You | Avast

Peloton, the connected device that lets spin-class enthusiasts take classes from home, was already gaining traction when the pandemic took off globally in March of 2020. But as it became clear that people weren’t going to be sweating it out in group settings for a while, Peloton sales rocketed. In fact, even President Biden has one.

But like all connected devices, Peloton collects and uses data about customers in order to deliver specific services. And while I don’t have one myself, one of my closest friends does. So for this edition of What Does the Internet Know About Me?, the “me” in question is actually “her” — and we’re going to call her “Jane,” for privacy’s sake.

What Peloton tracks

While Fitbit seemed to track pretty much everything about me, Peloton tracks fewer things about Jane. That’s because their product is more limited in scope: The purpose is to take classes, while Fitbit is trying to provide 24/7 health tracking. And while Peloton offers users yoga classes and runs, we’re going to focus specifically on the spin classes because they’re the most well-known and popular offering, as well as the one Jane uses.

So let’s start with the obvious. Jane’s Peloton knows: 

  • Her age, gender, height, and weight (but you don’t have to share these things if you don’t want to)
  • How far she’s cycled
  • Her heart rate, average and over time
  • How many times she’s ridden
  • When she’s ridden
  • Her RPM, average and over time
  • Calories burned
  • Who she’s following and who’s following her
  • Types of workouts she’s done
  • Which teachers she prefers

On the less obvious side, Jane’s Peloton knows a bunch of stuff about her devices and location. According to the Peloton Privacy Policy, Peloton knows Jane’s:

  • GPS location
  • Longitude/latitude
  • City, county, zip code, and region 
  • Location and her smart device’s proximity to “beacons,” Bluetooth networks and/or other proximity systems
  • IP address and internet service provider (ISP)
  • Cookie identifiers
  • Mobile carrier
  • Mobile advertising identifiers
  • MAC address, IMEI, Advertiser ID, and other device identifiers that are automatically assigned to your computer or device when you access the Internet
  • Browser type and language
  • Geo-location information
  • Hardware type
  • Operating system
  • Internet service provider
  • Pages that she visits before and after visiting the Peloton page
  • The date and time of her visits
  • The amount of time she spends on each page
  • Information about the links she clicks and pages she views within the Peloton ecosystem, and other actions taken through use of the “Services,” such as preferences

And while all of that might seem like a surprising amount of info, it’s actually pretty standard. Most websites use tracking tools, like cookies, to figure out what you’re doing, where you’re doing it, for how long, etc. It’s the way the internet is currently built, with a much greater focus on company growth than on personal data privacy.

Peloton also has Jane’s credit card info, as well as information about any loans she’s taken out in order to pay for the bike or the services. They also say in the Privacy Policy that they may retain photos or videos of member support and sales calls. 

And we do, of course, need to address this whole camera-on-the-device issue, which Jane didn’t even realize was a thing until the news came out about President Biden’s Peloton. The purpose of the camera and microphone, according to Peloton, is to “help you stay connected,” aka to let you video chat with friends while you’re working out. They’re not taking photos or videos of you without your knowledge, so while there are certainly potential security issues with the camera and mic, there don’t seem to be privacy issues.

To quote another Peloton user I know, “Why would anyone want to have their video taken while they are grimacing in pain??” Very fair point. This feature reminds me of that storyline in “The Office” when Ryan tried to turn the Dunder Mifflin website into a social network: It was all the rage for everything to be social, but some things just aren’t meant to be social. Buying paper is one of those things, and I think letting someone stare into your face while you look like a tomato and drip sweat off your forehead is probably another.

Peloton also offers integration with other health devices, including Apple Watch, Fitbit, and Strava. If you choose to connect one of these devices, Peloton will share information like calories burned and distance with those devices, per your instructions. And according to the Peloton Privacy Policy, they might get “private information that you have made public” to the app (or to a social media site), including: “your name, your social media site user identification number, your user name, location, gender, birth date, email, profile picture and your social media contacts.”

What Peloton could figure out

When I looked into what Fitbit knows about me, it turned out there was a lot that researchers or the company or health insurance companies or the government could theoretically infer about me based on my data. That’s because my Fitbit is on my physical body 23.5 hours a day, seven days a week. (I literally only take it off to shower.)

But Peloton isn’t a 24/7 device. If you really think about it, it spends even less time in contact with Jane’s actual body than her phone does. (And let me tell you: This woman is a spin fanatic.) As a result, the inferences that Peloton — or groups that Peloton theoretically could share data with — can make about Jane are limited.

I suppose it could take guesses about when she’s on vacation, based on changes in her workout schedule. But vacation isn’t the only thing that would interrupt a workout schedule, so it’d be very, very difficult for them to say definitively, “Jane was on vacation from July 7 to July 21, 2020.” 

Actually, the most invasive data collection that Peloton is doing is related to Jane’s interactions with their website, not their device or their classes. Using trackers, the company can learn a lot about Jane that she might not necessarily want them to know. But, again, this is a general internet issue — not a Peloton-specific issue. 

What does Peloton do with your data?

Peloton clearly states in their Privacy Policy that they don’t sell user data. Users can also request that their data be deleted. Users in California can also request that the sharing of their data with third-party advertisers be “minimized,” while European users can put through a privacy request with proof of residency.

They do, however, let third-party advertisers put trackers on their website, which means you don’t really know who has that info or what they’re doing with it. 

Peloton also states they retain data only for as long as they need to, in order to provide you with the services you want. When you’re no longer using the service, they say they “will destroy, erase, or de-identify it in accordance with our data retention policies and applicable law.”

What am I getting in exchange for my data? What are the tradeoffs?

Unlike Fitbit, which is “free” (as in, no subscription fees unless you want their Premium features), Peloton actually requires a monthly subscription if you want to use it to the fullest. That means that, unlike other services whose business model is based around serving up advertisements (cough cough, Facebook), Jane is actually paying money to Peloton. Could that be another reason they collect relatively little data? Perhaps. I can’t say for sure, but it seems like a possibility. 

For her part, Jane feels good about what she’s getting from Peloton and doesn’t feel like the data they collect is too much or too invasive. She likes the ability to take classes whenever and wherever she wants. She doesn’t care much about the social aspect, except to shade her little brother when he takes Beyoncé classes.

And when it comes to what they know about her, Jane doesn’t think that they’re collecting any information that they shouldn’t. All in all, Peloton seems to be doing pretty well by their clients.

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/what-peleton-knows-about-you-avast