The article should have buried Sony for how egregious they are. They require the app to collect location information, and ear. https://www.sony.com/electronics/support/articles/00233341 I'm not sure what else they collect.. but those are the 2 bad ones.
They've got a few settings that are software controlled (one being the bluetooth's internal volume) What happens if you get a software update and you open the app on a plane without wifi? You can't use it because it requires the internet to get the latest _required tos_ to use your headphones. You can't proceed further without being forced into an agreement. Clicking "don't accept" pushes you back to the tos screen.
I recently tried out wireless noise-cancelling headphones from both Bose and Sony, and (the important privacy issues aside) the user experience with these apps is just horrible.
You unpack your Bose headphone, eager to use them. But before that, you have to download an app on the iPhone, then download a software update program on your laptop, which in turn opens a program in the browser that downloads an update, then you connect the headphones with a wire to the laptop so that the update gets installed, and THEN you can start using them.
I've owned the Sony WH-1000XM2 for several years and while the Android app location collection is unnecessary, ear data is entirely optional.
You have a valid point that the app can misbehave regarding updates and lack of internet connection. I personally find myself never using the app, it only really provides 3 somewhat useful features; equalisation (which forces the audio codec to SBC which is inferior to LDAC so I've never used it); automatic profile switching, e.g. ambient sound if detecting you are walking and finally, the level of noise cancellation to apply.
This model has a dedicated switch on the headphones to change the profile where a long press even "calibrates" the sound based on atmospheric pressure, not sure I buy into that gimmick, but they're perfectly useable without the app. I have them paired with Android, Windows, macOS and Linux and all work perfectly (with the minor exception being Linux does not support Bluetooth absolute volume). The headphones also support volume control from the unit for devices which have an older Bluetooth stack which does not support absolute volume.
Overall, I agree the app needs improvement but I'm not sure there's anything that warrants burying the company of these decisions. I suspect for many users, the app is entirely useless and not worth installing.
Geez, that's brutal. I'm glad I'm seeing this....it never crossed my mind that this sort of thing would be something that might get built into headphones.
If I want to avoid this sort of thing, I'm thinking / hoping it's sufficient to simply avoid headphones that require an app.
I've been using my Sony W-1000XM3s with my Android phone for months and I haven't had to install an app. The only thing the app would get me is a bunch of equalizer shit (which my music player could do and I never use anyway), dynamic noise cancelling of some form (which I'm not sure why I'd ever use, just an on/off toggle is good enough for me).
As shitty as the app collecting data is it isn't as if the app is required for me to have had an excellent experience with these headphones so I'm not really all that bothered that the app is invasive.
If any real functionality was locked behind it I'd be annoyed, but honestly the app seems like an afterthought with no real purpose other than "EVERYTHING NEEDS AN APP" type thinking.
I am fervently glad that I'm happy with my WH-1000XM3 in its stock configuration. I took one look at the permissions they wanted for the app, and said "No effing way."
I shouldn't have been too surprised, though, given that it was Sony that brought us rootkits on music CDs.
as far as i can tell, the only thing the app does is dynamically change the noise cancellation level based on your location and accelerometer, so if it doesn't have location permission it's kind of pointless to use the app.
the headphones still work fine without the app, they're just bluetooth headphones that the OS can interface with directly if you don't want the location-based profiles.
> Clicking "don't accept" pushes you back to the tos screen.
This is a textbook example of a GDPR violation. In fact, it is a clear violation of the first of the five requirements for consent.
See recital 43:
"... Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
I have the WH-1000XM2 and the location permission is optional if you want the app to change noise cancelling profiles according to what you are doing (walking, running, on the bus). The ear scanner is another optional thing you can do to improve the 360 audio which only works on a few apps.
This was raised when Australia rolled out its contact tracing app.
On Android if you need bluetooth access you have to ask for location access, because it's possible to derive location from bluetooth data. (Like wifi data).
I tend to use passive headphones with a 3.5mm jack, they have no electronics in them except the small speakers. They do not collect data. They are also used by musicians when doing audio mixing so it should sound neutral and good.
That the headphones do not have electronics and batteries means they will last longer and thus be better for the environment.
There is an even easier analysis. If you were designing your own headphones just for your own use, would you have them collect personal data? If your answer is no, then choosing headphones that do not collect data is a logical choice.
The author cites some idea of "trading" ongoing collection of personal data^1 for features but I can't see how that applies here, assuming the user has already paid for the product, e.g., he has already paid for the headphones.
1. This does not appear to be a one-time, voluntary submission of data by the purchaser. For example, submitting one's name and a product serial number in order to register for a warranty.
Also, for phone calls and conferencing, wired headsets have negligible latency, compared to bluetooth, which is likely at least 100ms. In itself, this isn't terrible, but add the other latencies in (e.g. wifi, inter-city network). Our brains do a great job of compensating, but I'm starting to think that this compensating comes at a cost (headaches, tiredness), especially if you're on conferences all day as many are in remote work.
> they will last longer and thus be better for the environment
This isn’t necessarily true.
My wireless headphones have been with me for years. My wired earbuds are cheap enough that I can lose or damage them without care. The former are far better for the environment.
Me, too! I use the $1 ones from Dollar Tree. They are easy to replace, come with microphones if desired, and work just as well on calls as expensive solutions. They don't always last as long, but purchasing 10 at a time fixes that.
Drugstores in Brazil are doing it and that concerns me A LOT.
Their modus operandi is to ask you your CPF (it's like an SSN, but not that secret and powerful) and, if you refuse to tell them, you are not eligible for some discounts which can reach 40% in some more expensive items.
Customers happily agree to give their CPFs, completely unaware as they are of the potentially disastrous consequences, and we are not even offered something resembling a privacy policy.
Think of the uses of such data. Health insurers could use them to detect and even predict health issues. One could estimate menstrual cycles and even the size of your genitalia.
A Brazilian data protection law is about to become active within the next weeks, but honestly.. such data shouldn't even be collected at all.
I'm looking for support for a bill to forbid drugstores to collect CPFs and to offer any sort of discount to people who identify themselves, but I believe this should be more publicized before being discussed for voting by the Congress. The more active drugstores on the "data business" are part of huge chains and their lobby will definitely be massive. Society should be aware of that and counterbalance for such lobby.
That's an interesting thought. The European GDPR and I think the California CCPA have some sort of clause that says if you decide not to allow, you have to be treated the same.
But loyalty discount cards and your drugstore example should have a way to get the discount without giving up your anonymity. This would be better for society.
Truly, is it possible for tech companies today to release even one fucking product, even something so simple as headphones, without piling on all the desperate, grubby, scummy tracking bloat and related shit possible in an effort to turn you into a product EVEN when you're paying for their creations. It's revolting and sincerely deserves to be harshly punished by the market (if enough consumers could be bothered to give enough of a shit about something so "irrelevant" as their basic privacy).
You're not even as high-status as 'product' (let alone 'customer') - you're the 'fuel' - for an ad product, bought by ad customers. You're the coal being burned - all for profit and power.
Yes, my analogy doesn't go too far. We're sentient coal, being fed bread and circuses as the trade-off for being burned away. We still have some choice, power, and control.
Only a slightly related tangent, but most headphones and other loudspeakers can be very effective microphones when wired into the right circuit.
While speakers are often wired directly to a one-way DAC, that's not always the case. Sometimes the analog lines are all fed into a multiplexer and it can be routed to an ADC. Sometimes it's wired to a general purpose IO pin.
In such cases, reprogramming could turn that speaker into a microphone. I wonder if anyone has exploited this in the wild yet.
You can do the opposite of noise cancellation too: determine the back emf from the speaker compared to the audio input, that will give you the audio in the room. So you can use the same circuit both to drive the speaker and use it as a microphone. As good as undetectable until you trace the circuitry of what looks like an ordinary amplifier. The difference is on the order of a few mV but that's more than enough.
My personal favorite is the laser attack that turns any shiny surface into a microphone. When it's not on it literally isn't there.
If you are a hacker who removed microphones from your computer but is worrying about this exploit, fortunately, a simple mitigation is possible - just put an audio amplifier or unity-gain buffer between the speaker and the audio output port, so the audio signal cannot travel back to the audio chip. Any "Hi-Fi" headphone amplifier can be used, but a $0.5 opamp is enough - a daughterboard can be tiny enough to fit inside a laptop.
When I was younger, I was wondering what it would feel like to feel 'left behind' by technology. I remember helping so many adults to navigate a world they didn't understand. They'd ask "left click or right click?" every time I asked them to use their mouse. They just couldn't grasp some of the context.
This is not quite the same thing, but I'm starting to feel that perhaps I am starting to witness that same disconnect. Having read the title alone, I wondered "how are the headphones collecting data?" Oh, there's an app. Why would you need an app for headphones? It simply never occurred to me.
We just should stop tolerating conventional things using Internet connection. There is no way headphones really need an Internet-connected app to work and even to let you use advanced functions (i.e. all the configuration can be implemented in a purely offline app). And if they don't need they should not even nudge, let alone require, you to install such. Most of the people just don't give a uck, somebody competent on the state level should give it.
The move to no-jack phones really only exacerbates this problem.
It's difficult for manufacturers to justify an app for wired headphones, but, now that bluetooth is becoming the new norm, there's suddenly a justification for intrusive, data-collecting apps.
This whole story is a really good reason for keeping headphone jacks on phones.
Technology moves on. The same shift also happened with cars. I remember when there was pushback (ok at least hearing about the pushback) when cars started to use computers. Why does it have to be so complicated? Why does everything need a computer?
You know to a certain extent those folks were right. But you look at cars today and I couldn't imagine my car not having a computer. Adaptive cruise control, lane keep assist, apple carplay, I could go on.
The problem I see now is that privacy is still a pretty novel concept among the regular user so companies in the mean time can get away with overbearing data collection. My prediction is in the next 3-5 years, users will start to get savvier, and overbearing data collection will become a taboo and no company will do it because users will revolt.
I would rather give up on a smartphone than give up on my wireless headphones. Hell, I was without a phone for a few months a couple of years back and it felt liberating. It’ll be my excuse to be a permanent smartphone luddite.
I use Bluetooth headphones, but almost never use or bother to set up the associated app. So hopefully Bluetooth pairing alone isn’t enough. Looks like a lot of these details are collected through a companion app.
I've come to believe that this can only be fixed with legislation and regulation. There are no technical fixes that could practically be deployed as there is far too much "attack surface" and anyway there is zero incentive to deploy them.
In the meantime: install as few apps as possible on phones, be careful about IoT and personal assistance devices, and use Apple or Linux (not Android) based systems as they seem to have the best record for security and privacy.
When you buy food there's a label on the package that tells you what's in it.
When you buy cigarettes there's a big warning label about the risk to your health.
I think consumer devices need something like that. Imagine browsing an aisle and seeing a label on the package like "WARNING: These earbuds phone home with the track names you play, your GPS location and menstruation cycle history." How many people do you think will buy that box vs. the cheap $20 pair with the analog plug?
Re: Personal fitness and menstruation history - Is that shocking? They're earbuds, but they're marketed as fitness buds that track personal data. It looks like Fitbit for your ears. Fitbit and Apple Health (or whatever it is called) does these kinds of things as well.
Re: Bose collecting all that stuff
I can see "why" they would want all that, in order to optimize their sound output of their buds to the kind of music and environments for which they are used. That should, of course, be opt-in, but I don't think it is evil.
Do I necessarily like the latter example? No. I believe, like the "cookie policies" that exist on many websites, there should be "Needed permissions" and "Please thank you" permissions, and they should incentivize the consumer to help them out. Amazon does this on their Kindles: $20 off if you let them run ads on the lock screen.
But if all the manufacturers do this, then what competition is there to push them to change?
I'm wondering if someone could file HIPAA complaint at them and get these things classified as Medical Devices and shut this sharing of bio data down. A simple opt-out doesn't fly with HIPAA. It requires a signature that you will allow another person to access your medical records.
Give me a dumb pair of headphones with a 3.5mm jack and I'm happy.
Edit: Thinking about this article more, it really goes back to hardware not getting funding unless there's a model for recurrent income. It's going to get a LOT worse before we either wise up or give up.
To those only looking for the noise cancelling component of modern headphones: I was only interested in this as I already have a good pair of (wired, offline) hi-fi headphones, and given some HN comments on this I decided for Peltor x5a passive noise cancelling earmuffs. No batteries to charge and become dysfunctional with time, no spy-apps, no potential hearing damage from ANC (not sure what the status is here), no cables, no bluetooth issues; and you get Peltors for 15-30$ so no problem if they break because you stored them in the bottom of a bag. My growing collection of low tech might look a bit dorky but I love it.
[+] [-] monksy|5 years ago|reply
They've got a few settings that are software controlled (one being the bluetooth's internal volume) What happens if you get a software update and you open the app on a plane without wifi? You can't use it because it requires the internet to get the latest _required tos_ to use your headphones. You can't proceed further without being forced into an agreement. Clicking "don't accept" pushes you back to the tos screen.
[+] [-] niklasd|5 years ago|reply
You unpack your Bose headphone, eager to use them. But before that, you have to download an app on the iPhone, then download a software update program on your laptop, which in turn opens a program in the browser that downloads an update, then you connect the headphones with a wire to the laptop so that the update gets installed, and THEN you can start using them.
I sent both back and now I'm a happy AirPod user.
[+] [-] andrewmackrodt|5 years ago|reply
You have a valid point that the app can misbehave regarding updates and lack of internet connection. I personally find myself never using the app, it only really provides 3 somewhat useful features; equalisation (which forces the audio codec to SBC which is inferior to LDAC so I've never used it); automatic profile switching, e.g. ambient sound if detecting you are walking and finally, the level of noise cancellation to apply.
This model has a dedicated switch on the headphones to change the profile where a long press even "calibrates" the sound based on atmospheric pressure, not sure I buy into that gimmick, but they're perfectly useable without the app. I have them paired with Android, Windows, macOS and Linux and all work perfectly (with the minor exception being Linux does not support Bluetooth absolute volume). The headphones also support volume control from the unit for devices which have an older Bluetooth stack which does not support absolute volume.
Overall, I agree the app needs improvement but I'm not sure there's anything that warrants burying the company of these decisions. I suspect for many users, the app is entirely useless and not worth installing.
[+] [-] mandelbrotwurst|5 years ago|reply
If I want to avoid this sort of thing, I'm thinking / hoping it's sufficient to simply avoid headphones that require an app.
Does that seem right?
[+] [-] dragonsngoblins|5 years ago|reply
As shitty as the app collecting data is it isn't as if the app is required for me to have had an excellent experience with these headphones so I'm not really all that bothered that the app is invasive.
If any real functionality was locked behind it I'd be annoyed, but honestly the app seems like an afterthought with no real purpose other than "EVERYTHING NEEDS AN APP" type thinking.
[+] [-] flyinghamster|5 years ago|reply
I shouldn't have been too surprised, though, given that it was Sony that brought us rootkits on music CDs.
[+] [-] notatoad|5 years ago|reply
the headphones still work fine without the app, they're just bluetooth headphones that the OS can interface with directly if you don't want the location-based profiles.
[+] [-] panpanna|5 years ago|reply
This is a textbook example of a GDPR violation. In fact, it is a clear violation of the first of the five requirements for consent.
See recital 43:
"... Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
[+] [-] Teledhil|5 years ago|reply
[+] [-] MaxBarraclough|5 years ago|reply
There has been research done on identifying people by their ears. [0]
> You can't use it because it requires the internet to get the latest _required tos_ to use your headphones.
Can't you just uninstall the app entirely? They're standard Bluetooth headphones, right?
[0] https://www.southampton.ac.uk/news/2010/10/new-method-to-ide...
[+] [-] trissylegs|5 years ago|reply
[+] [-] waheoo|5 years ago|reply
But I'm also a long time suck fony guy so, I basically accepted it as karma for buying this witch doctor voodoo noise cancelling anyway.
[+] [-] acd|5 years ago|reply
That the headphones do not have electronics and batteries means they will last longer and thus be better for the environment.
[+] [-] pwdisswordfish2|5 years ago|reply
The author cites some idea of "trading" ongoing collection of personal data^1 for features but I can't see how that applies here, assuming the user has already paid for the product, e.g., he has already paid for the headphones.
1. This does not appear to be a one-time, voluntary submission of data by the purchaser. For example, submitting one's name and a product serial number in order to register for a warranty.
[+] [-] askvictor|5 years ago|reply
[+] [-] tdons|5 years ago|reply
Same reason I don't use WiFi at home but ethernet: it's simple.
[+] [-] JumpCrisscross|5 years ago|reply
This isn’t necessarily true.
My wireless headphones have been with me for years. My wired earbuds are cheap enough that I can lose or damage them without care. The former are far better for the environment.
[+] [-] Kye|5 years ago|reply
[+] [-] jcims|5 years ago|reply
[+] [-] IncRnd|5 years ago|reply
These little earbuds are commodity items.
[+] [-] myth2018|5 years ago|reply
Their modus operandi is to ask you your CPF (it's like an SSN, but not that secret and powerful) and, if you refuse to tell them, you are not eligible for some discounts which can reach 40% in some more expensive items.
Customers happily agree to give their CPFs, completely unaware as they are of the potentially disastrous consequences, and we are not even offered something resembling a privacy policy.
Think of the uses of such data. Health insurers could use them to detect and even predict health issues. One could estimate menstrual cycles and even the size of your genitalia.
A Brazilian data protection law is about to become active within the next weeks, but honestly.. such data shouldn't even be collected at all.
I'm looking for support for a bill to forbid drugstores to collect CPFs and to offer any sort of discount to people who identify themselves, but I believe this should be more publicized before being discussed for voting by the Congress. The more active drugstores on the "data business" are part of huge chains and their lobby will definitely be massive. Society should be aware of that and counterbalance for such lobby.
[+] [-] slim|5 years ago|reply
http://partidopirata.org
[+] [-] someguyorother|5 years ago|reply
[+] [-] m463|5 years ago|reply
But loyalty discount cards and your drugstore example should have a way to get the discount without giving up your anonymity. This would be better for society.
[+] [-] shadowprofile77|5 years ago|reply
[+] [-] mindfulhack|5 years ago|reply
Yes, my analogy doesn't go too far. We're sentient coal, being fed bread and circuses as the trade-off for being burned away. We still have some choice, power, and control.
[+] [-] chooseaname|5 years ago|reply
[+] [-] briandear|5 years ago|reply
[+] [-] retrac|5 years ago|reply
While speakers are often wired directly to a one-way DAC, that's not always the case. Sometimes the analog lines are all fed into a multiplexer and it can be routed to an ADC. Sometimes it's wired to a general purpose IO pin.
In such cases, reprogramming could turn that speaker into a microphone. I wonder if anyone has exploited this in the wild yet.
[+] [-] jacquesm|5 years ago|reply
My personal favorite is the laser attack that turns any shiny surface into a microphone. When it's not on it literally isn't there.
[+] [-] segfaultbuserr|5 years ago|reply
If you are a hacker who removed microphones from your computer but is worrying about this exploit, fortunately, a simple mitigation is possible - just put an audio amplifier or unity-gain buffer between the speaker and the audio output port, so the audio signal cannot travel back to the audio chip. Any "Hi-Fi" headphone amplifier can be used, but a $0.5 opamp is enough - a daughterboard can be tiny enough to fit inside a laptop.
[+] [-] mixermachine|5 years ago|reply
[+] [-] everdrive|5 years ago|reply
This is not quite the same thing, but I'm starting to feel that perhaps I am starting to witness that same disconnect. Having read the title alone, I wondered "how are the headphones collecting data?" Oh, there's an app. Why would you need an app for headphones? It simply never occurred to me.
[+] [-] lysium|5 years ago|reply
I did not know that!
[+] [-] qwerty456127|5 years ago|reply
[+] [-] maest|5 years ago|reply
It's difficult for manufacturers to justify an app for wired headphones, but, now that bluetooth is becoming the new norm, there's suddenly a justification for intrusive, data-collecting apps.
This whole story is a really good reason for keeping headphone jacks on phones.
[+] [-] _fat_santa|5 years ago|reply
You know to a certain extent those folks were right. But you look at cars today and I couldn't imagine my car not having a computer. Adaptive cruise control, lane keep assist, apple carplay, I could go on.
The problem I see now is that privacy is still a pretty novel concept among the regular user so companies in the mean time can get away with overbearing data collection. My prediction is in the next 3-5 years, users will start to get savvier, and overbearing data collection will become a taboo and no company will do it because users will revolt.
[+] [-] dkersten|5 years ago|reply
[+] [-] duxup|5 years ago|reply
Apps are quickly becoming this weird add on that I really don't want.
[+] [-] t0mmyb0y|5 years ago|reply
[+] [-] catchmeifyoucan|5 years ago|reply
[+] [-] api|5 years ago|reply
I've come to believe that this can only be fixed with legislation and regulation. There are no technical fixes that could practically be deployed as there is far too much "attack surface" and anyway there is zero incentive to deploy them.
In the meantime: install as few apps as possible on phones, be careful about IoT and personal assistance devices, and use Apple or Linux (not Android) based systems as they seem to have the best record for security and privacy.
[+] [-] rkagerer|5 years ago|reply
When you buy cigarettes there's a big warning label about the risk to your health.
I think consumer devices need something like that. Imagine browsing an aisle and seeing a label on the package like "WARNING: These earbuds phone home with the track names you play, your GPS location and menstruation cycle history." How many people do you think will buy that box vs. the cheap $20 pair with the analog plug?
[+] [-] unethical_ban|5 years ago|reply
Re: Bose collecting all that stuff
I can see "why" they would want all that, in order to optimize their sound output of their buds to the kind of music and environments for which they are used. That should, of course, be opt-in, but I don't think it is evil.
Do I necessarily like the latter example? No. I believe, like the "cookie policies" that exist on many websites, there should be "Needed permissions" and "Please thank you" permissions, and they should incentivize the consumer to help them out. Amazon does this on their Kindles: $20 off if you let them run ads on the lock screen.
But if all the manufacturers do this, then what competition is there to push them to change?
[+] [-] baochan|5 years ago|reply
[+] [-] fffernan|5 years ago|reply
[+] [-] chooseaname|5 years ago|reply
Edit: Thinking about this article more, it really goes back to hardware not getting funding unless there's a model for recurrent income. It's going to get a LOT worse before we either wise up or give up.
[+] [-] DanielleMolloy|5 years ago|reply
[+] [-] im3w1l|5 years ago|reply