I think this is a great example to the tech world of what people actually care about.
Your average American didn't understand or get worked up over Snowden and the prospect of a surveillance state; not for long anyway. We don't have much of a national conversation about it anymore, Obama isn't remembered for his actions around the NSA, bulk collection, etc.
Most people also don't seem to care too much about Facebook, Google, etc. collecting their browsing data and selling it to advertisers.
People very much care about the privacy of their sex life.
Did this company violate their own privacy policy?
It looks like the company settled rather than drag things out through court, but didn't actually do anything beyond collect standard usage data.
The company didn't even give it to third parties. So it isn't that they did something worse than the NSA or Facebook, but that people are more sensitive to the privacy of their sex lives than other things.
We wonder why Snapchat first rose to popularity for sexting while most people couldn't care less about GPGing their emails or using Signal day-to-day.
Either most people don't care about privacy or we, the tech community, do a poor job of connecting things like encryption to what people do genuinely care about.
These five words are, as far as I can tell, the poison in the pudding of American politics today.
1) There is no "average" American. Everyone is close to a median in some metrics, and everyone is an outlier in others.
2) The fact that huge outcry over the NSA is not visible might just mean we're looking in the wrong places. I've traveled across the country by land twice in two years, stopping at hundreds of rural campfires and urban watering holes. My experience is that people are very upset with the state and want their rights back. And that, one way or another, they'll get 'em.
> Your average American didn't understand or get worked up over Snowden and the prospect of a surveillance state
I think it is about a mindset change. I remember in the 90s when people were cautious about using credit cards online. Then, I remember in the early 2000s when a relative, in her 70s, called me, angry, because I published my genealogical tree online (only with names and relationships). A few years ago she started using Facebook.
So what you're saying is... Instead of Edward Snowden releasing documents confirming the widespread surveillance methods, he should have stolen and released indecent photos of dignitaries and ordinary citizens alike. That would have brought it home. :-)
> Did this company violate their own privacy policy?
The original suit claims "Defendant never informed Plaintiff that it would monitor, collect, and transmit her Usage Information" and "Plaintiff never provided her consent to Defendant to monitor, collect, and transmit her Usage Information".
And the proposed settlement requires changes to disclosure statements.
> but didn't actually do anything beyond collect standard usage data.
Leaving aside the disclosure question, the product category itself raises the question of what do we consider "standard usage data" in this context? (We talk a bit about this aspect in our DEF CON presentation follow-up TEDx talk here: https://www.youtube.com/watch?v=WxRSjC1rPmA )
The app transmitted: time of use (ergo duration); internal device temperature; and, real-time pattern & intensity settings. It was also aware of geographic location of the people using the app. Why does the latter matter? At a minimum because adult toys are illegal in some locations.
There are already examples of home automation units, car telemetry loggers and heart pacemakers being used in law enforcement investigations, so it's not a stretch to imagine real-time sex toy data also being used.
I believe that developers and manufacturers have a responsibility to the people who choose to buy/use their software/devices to not just "collect all the data" particularly when their product is of an intimate & personal nature.
There is an interview of Snowden by John Oliver where he comes to that conclusion as well: asking people about the usual things that surfaced, people just go meh; then he translates it into "the government got your d*ck pic" and people get upset a whole lot more.
I think this is more of a case of "sex sells". I.e. the whole topic gets attention because people are interested in sex, not because they are interested in privacy.
If anyone is interested in accessing the WeVibe or other toys (Kiiroo, Lovense, etc) directly via bluetooth, versus going through their apps, I run a website for documenting and reverse engineering this stuff, at http://metafetish.com. All of our docs and code are on github at http://github.com/metafetish
Looks like my s/o and I could be making a claim as part of the settlement class. Didn't get much use out of the app, the bluetooth connection was super unreliable.
That said, I take it as a given that any app I install on my phone is probably tracking my usage of their app. Dropping in Mixpanel or Heap or some other analytics lib that tracks feature usage seems like such a standard part of developing a mobile app, I'd be surprised if a developer didn't do it.
Bought the toy, found the bluetooth connection was almost hilariously bad, gave up on it, but sort of assumed they were recording usage data and analytics because that's what you do.
It's odd, there's all these privacy and security scandals going on, and nobody seems to care about them. And then here it turns out that a mobile app that I logged into is actually logging stuff, like every mobile app ever, and it's a huge scandal and a lawsuit and now a settlement?
I don't get it. I'm not even sure I understand what they did that was wrong. I could understand a lawsuit over how crap their bluetooth was (I can't stress enough just how horrible it was), but over the fact that their mobile app logged usage? Really?
Newsflash: When you buy a vibrator from a vendor, they know you're going to use it. That's what people do with them. What next, a lawsuit that Amazon is tracking your purchases on Amazon? Man, do you think Facebook might have some logs of what you click on in the Facebook app?
> analytics lib that tracks feature usage seems like such a standard part of developing a mobile app
Right, and we talked about this in a follow-up TEDx talk: https://www.youtube.com/watch?v=WxRSjC1rPmA Just because analytics are a standard practice doesn't mean they should be a standard practice for any particular product.
Developers for more personal/intimate devices need to recognise the impact their data collection may have; that different people have different "Device Intimacy Spectrums" (e.g. people who live in places where adult toys are illegal will be more concerned about what is collected); and, gain informed consent for any data they collect.
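The two follower comments above (the list of fields the app transmitted, and the point that analytics should not be collected without informed consent) describe a pattern rather than code. Below is an added illustration, not We-Vibe/We-Connect code and not from the DEF CON or TEDx material, of how an app for an intimate device can enforce that pattern on the phone before anything leaves it: every field is classified by intimacy tier, unclassified fields are dropped by default, behavioural fields are coarsened, and intimate fields are sent only when the user has opted in. The field names, tiers, consent scopes, sample event and salt are all constructed for the example.

```python
"""Consent-gated, data-minimising telemetry filter for an intimate-device app.

Added example: field names, tiers, consent scopes, the sample event and the
salt below are constructed for illustration and are not from any real app.
"""
from dataclasses import dataclass
from enum import Enum
import hashlib
import json


class Tier(Enum):
    """How intimate a field is; anything above OPERATIONAL needs opt-in."""
    OPERATIONAL = 1   # needed to keep the service working (version, crashes)
    BEHAVIOURAL = 2   # when and for how long the device was used
    INTIMATE = 3      # settings, body-adjacent sensors, location


# Every field the app is allowed to emit, with its tier. A field missing
# from this table is never sent, whatever the rest of the code does.
FIELD_TIERS = {
    "app_version": Tier.OPERATIONAL,
    "crash_id": Tier.OPERATIONAL,
    "session_start": Tier.BEHAVIOURAL,
    "session_seconds": Tier.BEHAVIOURAL,
    "device_temperature_c": Tier.INTIMATE,
    "pattern": Tier.INTIMATE,
    "intensity": Tier.INTIMATE,
    "latitude": Tier.INTIMATE,
    "longitude": Tier.INTIMATE,
}


def _day_only(iso_timestamp):
    """Keep the date, drop the time of day."""
    return iso_timestamp[:10]


def _bucket_5min(seconds):
    """Round a duration down to a 5-minute bucket."""
    return (int(seconds) // 300) * 300


# Behavioural fields are coarsened before leaving the phone, so the server
# learns "used on this day, roughly this long", not a timeline.
COARSEN = {"session_start": _day_only, "session_seconds": _bucket_5min}


@dataclass(frozen=True)
class Consent:
    """What the user has explicitly opted in to. Default: nothing."""
    behavioural: bool = False
    intimate: bool = False

    def allows(self, tier):
        if tier is Tier.OPERATIONAL:
            return True
        if tier is Tier.BEHAVIOURAL:
            return self.behavioural
        return self.intimate


def filter_event(event, consent):
    """Return the subset of `event` that may be transmitted under `consent`."""
    allowed = {}
    for name, value in event.items():
        tier = FIELD_TIERS.get(name)
        if tier is None or not consent.allows(tier):
            continue                      # unclassified or unconsented: drop
        allowed[name] = COARSEN.get(name, lambda v: v)(value)
    return allowed


def pseudonym(user_id, salt):
    """Per-deployment pseudonym: stable for one backend, unlinkable across salts."""
    return hashlib.sha256(salt + b"|" + user_id.encode()).hexdigest()[:16]


def build_payload(event, consent, user_id, salt):
    """JSON document the app would POST to its analytics endpoint."""
    body = filter_event(event, consent)
    body["uid"] = pseudonym(user_id, salt)
    return json.dumps(body, sort_keys=True)


# Constructed sample event: everything the app could know about one session.
SAMPLE_EVENT = {
    "user_id": "alice@example.com",      # not in FIELD_TIERS: never sent raw
    "app_version": "2.3.1",
    "session_start": "2016-08-07T22:15:03Z",
    "session_seconds": 617,
    "device_temperature_c": 34.2,
    "pattern": "wave",
    "intensity": 7,
    "latitude": 43.65,
    "longitude": -79.38,
}

if __name__ == "__main__":
    salt = b"constructed-deployment-salt"
    for consent in (Consent(), Consent(behavioural=True),
                    Consent(behavioural=True, intimate=True)):
        print(consent, build_payload(SAMPLE_EVENT, consent, "alice@example.com", salt))
```

Under the default `Consent()` the payload carries only the app version and a salted pseudonym; temperature, pattern, intensity and coordinates never leave the device. In the remote-control mode the pattern and intensity still have to transit a server to reach the partner's phone, but that is a transient control channel and nothing requires it to be written to an analytics store; the filter above governs what gets retained, and the allowlist means a new field added by a future developer is silently dropped until someone classifies it.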
Some might say, Dan Grossman, that discretion is the better part of valour when disclosing your vibrator purchases on the internet.
I actually don't care, I just found it funny that you're posting under your real name without shame. It's refreshing, but I think it's also one of the ways techies are significantly different than the rest of the population.
The We Vibe was the topic of a Defcon 24 talk, Breaking the Internet of Vibrating Things[1]. Was an excellent talk, but I felt it needed more jokes woven in.
The Internet of Dongs project, at http://internetofdon.gs (on twitter at http://twitter.com/internetofdongs) exists to combat issues with security and user privacy in sex toys. They're working with multiple toy producers to create systems to report bugs and increase security.
Related TEDx presentation: https://www.youtube.com/watch?v=WxRSjC1rPmA (Aims to raise awareness of related IoT privacy issues for a non-technical audience via the concept of a personal "Device Intimacy Spectrum".)
Disclosure: I'm one of the presenters/security researchers referenced in the article.
I suppose it's to be expected, but the naïveté of thinking that an IoT sex toy wasn't phoning home still surprises me.
Not to excuse it, because spying on your users — particularly in an identifiable way, and doubly so given the sensitivity of this specific case — is a shitty thing to do, but it's not like this is unprecedented.
> I suppose it's to be expected, but the naïveté of thinking that an IoT sex toy wasn't phoning home still surprises me.
I agree. My experience with tech industry, IoT in particular, deserves quoting Avasarala on this: "My life has become a single, ongoing revelation that I haven't been cynical enough."
Then again, considering the number of retailers that categorize sex toys under sexual health and wellness, health being the keyword, is it possible that HIPAA could be relevant? And if not, should it?
Over the longer term, privacy is dead. Sensors are proliferating at a rate web servers were 20 years ago and a state of continual recorded surveillance is where we are headed over the next 20 years.
The main question is, how equitable will that surveillance be? Governments and powerful multinationals will have access to the personal information of ordinary people. Will the converse also be true?
As unpleasant as the prospect of sub mosquito-sized recording devices everywhere is, it matters greatly whether law enforcement, moguls and politicians are subject to the same scrutiny as those without power.
Law enforcement, oligarchs and politicians will be subject to orders of magnitude more surveillance than ordinary people, who generally don't do anything that matters and aren't worth blackmailing. Most people will have to deal with an algorithmic dragnet which selects people for special attention, but important people will have full-time employees or teams of employees writing reports and proposing strategies.
> Governments and powerful multinationals will have access to the personal information of ordinary people. Will the converse also be true?
Absolutely not. In whose interest would it be to give ordinary people anything?
Privacy will die if we let it die. It's not an inevitability. We have the power to prevent it (through law imo, not tech). As for it being equitable I don't see how that could ever happen. Having access to everyone's private information would be of zero use to me but would be very useful for governments and companies.
I have a really hard time imagining people using this.
Maybe it's just my prudishness but how the hell is fighting with bluetooth pairing in any way foreplay?
On the information video there is a graphic showing it can be used by separated couples. One person is in Europe, one the US. Just don't give up your phone at the border.
And don't lose your phone either. You may just wind up losing your partner also when they see how much more adept someone else is at working the controls.
Guess there are some things I'll just never understand.
I'm of two minds about the funny comments this article is getting. On the one hand, some are indeed funny and often really clever use of the English language. On the other hand, I think about hours and hours I'd spend reading really clever comments on Reddit and then in the end realizing that I didn't learn anything, nor did it change my mind or influence my opinion about anything. I'm glad that HN exists as an alternative.
Perhaps this will make it clearer that controlling things from your phone currently involves somebody in the middle, monitoring what you're doing. If we had better phone-to-phone data connections, this wouldn't be necessary. This is a phone pairing application between phones that could be brought near each other for pairing.
> Perhaps this will make it clearer that controlling things from your phone currently involves somebody in the middle, monitoring what you're doing.
As I mentioned in another comment, part of the original suit (the claims that the app violated wiretapping laws) was based on the fact that when used in a "solo"/"local" situation, the app had a direct Bluetooth connection between the phone and the controlled device which means there was no reason to think there was "somebody in the middle, monitoring".
> An estimated 300,000 people bought Bluetooth-enabled WeVibes, according to court documents, and about 100,000 of them used the app.
I know it's not the primary issue, but it's a very interesting part of the story to me and raises a lot of questions. Only 1/3 of people who purchased the device used the connected app. This sounds a lot like my Anova sous-vide: it has an app but I never use it (a dial and button are fine by me). I wonder if this 1/3 number is the normal rate among "smart devices". Do 2/3 of people not use it because it's of no real value, or because the setup/UX sucks? Do companies make smart devices because "everyone else is doing it" or is there another reason (charge more & better margins)? Finally, will we start to see a decline in smart/connected devices if adoption stays low (in favor of products that simply innovate in other ways)?
Going from my own Anova experience - the people who use the app are probably power users who want the full feature set, as opposed to those (like you) whose use cases are served perfectly well by the clean minimalist UI exposed on the physical device.
I think the apps rarely provide value or they are outside the normal workflow. I just replaced my kitchen scale and the new one has an app that essentially tries to be MyFitnessPal. But I already use MyFitnessPal so I'm not going to switch, since the only time savings is the time spent typing in the weight (I still have to search for the food), which is offset by the food database being worse.
> The We-Vibe product line includes a number of Bluetooth-enabled vibrators that, when linked to the "We-Connect" app, can be controlled from a smartphone. It allows a user to... give a partner, in the room or anywhere in the world, control of the device.
Wow. I'm just kind of incredulous that this was never hacked. The lawsuit is about the company's own data-collection practices, but just imagine the freakout if one fine day Vladimir Putin took control of all these devices at once.
Has anyone done a security review of the device and the associated app? If ever a service called for a thorough penetration test... (Bah-dum-bum! Thank you, I'll be here all week, tip your wait staff.)
I'm wondering if the lack of hacks came from actual good engineering on the company's part -- hope springs eternal! -- or if the device was just too niche to catch the interest of the black hats?
We started out wanting to learn how the device worked, wondering how secure it was and then discovered that what the manufacturer was doing was of more immediate concern. (FWIW the original suit was filed about a month after our DEF CON talk.)
> I'm wondering if the lack of hacks came from actual good engineering on the company's part
As you'll see in the talk, they appeared to have done some things right (e.g. secure network connections) but there are a lot of moving parts (device hardware, firmware, app, backend servers, chat, audio, video, control) and we barely scratched the surface.
> if the device was just too niche to catch the interest of the black hats?
It caught our attention but our hats were black with sparkly skulls on them. :)
To what end? The devices don't stay connected. You have to turn them on, open the app and sync them up. At best you get to alter the vibration patterns several hundred people at once. At best you've very mildly annoyed somebody and they'd just chalk it up to a buggy app.
So is the moral of the story for a developer to make sure you have an updated privacy policy? If they would have updated the privacy policy on their product would they have been legally protected?
> So is the moral of the story for a developer to make sure you have an updated privacy policy?
Given that the original suit included claims that "Defendant never informed Plaintiff that it would monitor, collect, and transmit her Usage Information" that seems to be one potential moral.
> If they would have updated the privacy policy on their product would they have been legally protected?
Presumably only a case being decided at trial could determine that. But it's worth looking at the proposed settlement documents that outline the non-financial changes they agreed to in order to settle the case.
Haha, I own one of these and the thought has struck me multiple times that Lelo are probably collecting data on usage and also that there must be security holes to their backend so you could in principle take control over thousands of vibrators. Never worried too much about it, and not at this point either. But it's obviously not a good thing.
You should assume any (phone or windows store or mac store) app you install can and likely will be uploading all personal data that it can to their "mothership" in the name of wishing to keep track of Usage and "improve" future products. There are no laws preventing the selling of information to marketing agencies.
denzil_correa|9 years ago
Relevant plug: John Oliver interview with Snowden (23m45s)
https://www.youtube.com/watch?v=XEVlyP4_11M&t=23m45s
Also, the "you have got nothing to hide" argument fails.
follower|9 years ago
Human bodies make great Faraday cages.
altendo|9 years ago
[1] https://www.youtube.com/watch?v=v1d0Xa2njVg
follower|9 years ago
Related DEF CON 24 presentation: "Breaking the Internet of Vibrating Things": https://www.youtube.com/watch?v=v1d0Xa2njVg (Includes more technical details)
bsder|9 years ago
Consequently, anyone running on your phone also has access to your wireless traffic.
Until you get fine-grained security controls over hardware, you can always consider yourself rooted.
follower|9 years ago
Partially, yes, here's our DEF CON 24 presentation about it: "Breaking the Internet of Vibrating Things": https://www.youtube.com/watch?v=v1d0Xa2njVg
Applejinx|9 years ago
three inches east three inches west three inches east FIVE inches west…
And then they sell the data to Facebook, who can market it to more effectively target men who move like that.
…which steps over the line from snark into relevant observations on abuse of privacy and who benefits, given deep enough data :)
6d6b73|9 years ago
This is how they use the data:
Red lights flashing...
Tactical Officer: Action Stations! User 5563 is close but needs additional stimulation.
Captain: Engineering, can you give us an additional 10%?
Engineering: We will need to adjust the Warp Field but it should work for about 5 seconds.
Captain: That should be enough. Do it!
Engineering: Ready.
Captain: Engage!