Peloton's leaky API is not earth-shattering news. It's basically what we should expect when we choose to share private information and the collector of such data has much to gain from it. What is particularly galling in this instance is that the person sharing data, only to have it leaked, is paying for that privilege by way of a monthly subscription.
This is a bit more offensive than our data being scraped off of Facebook, LinkedIn, Clubhouse and the like. Most of us are not paying any of these services directly, though the act of sharing real data is very much a fee. As such events become routine, consumers will experience fatigue and stop bellyaching over it. That in turn will normalize the notion that privacy should not be expected at all. It's great if you happen to get it, but generally you won't. The response from Peloton is very telling:
Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.
That goes to prove it's not a problem they are in any rush to fix. People have been made aware that such a leak is possible, they have had time to absorb what it means for them, and it does not appear that the customer base is up in arms demanding an immediate remedy. It is a great way to assess the tolerance of their customers for lack of data privacy.