Vibrator Maker to Pay Millions Over Claims It Secretly Tracked Use (npr.org)
456 points by ceejayoz on March 14, 2017 | 251 comments


I think this is a great example to the tech world of what people actually care about.

Your average American didn't understand or get worked up over Snowden and the prospect of a surveillance state; not for long anyway. We don't have much of a national conversation about it anymore, Obama isn't remembered for his actions around the NSA, bulk collection, etc.

Most people also don't seem to care too much about Facebook, Google, etc. collecting their browsing data and selling it to advertisers.

People very much care about the privacy of their sex life.

Did this company violate their own privacy policy?

It looks like the company settled rather than drag things out through court, but didn't actually do anything beyond collect standard usage data.

The company didn't even give it to third parties. So it isn't that they did something worse than NSA or Facebook, but that people are more sensitive to the privacy of their sex lives than other things.

We wonder why Snapchat first rose to popularity for sexting while most people couldn't care less about GPGing their emails or using Signal day-to-day.

Either most people don't care about privacy or we, the tech community, do a poor job of connecting things like encryption to what people do genuinely care about.


> Your average American didn't understand

These five words are, as far as I can tell, the poison in the pudding of American politics today.

1) There is no "average" American. Everyone is close to a median in some metrics, and everyone is an outlier in others.

2) The fact that huge outcry over the NSA is not visible might just mean we're looking in the wrong places. I've traveled across the country by land twice in two years, stopping at hundreds of rural campfires and urban watering holes. My experience is that people are very upset with the state and want their rights back. And that, one way or another, they'll get 'em.


I think @tyre's point was dead on. It's one thing to hem and haw about civilization being doomed, but it's another thing altogether to delete your FB account.


Thing is, as an industry nerd I understand implicitly what FB are doing with their services, and yet I still use the messenger app to keep in contact with some of my friends.

Ultimately I'm relatively comfortable trading some measure of my privacy for convenient communication with people whose friendship I value and might otherwise struggle to keep in touch with.

If I'd purchased myself a physical good, regardless of it being a sex toy, I'm not sure I would necessarily expect to be entering into the same agreement.

My fridge phones home, but my kettle doesn't, my TV is a CIA outpost, but my wallet is just made of cows and Faraday cages. Granted the app connectivity would be a red flag, but ultimately there needs to be some kind of 'privacy mark' in the same way films carry a cert to allow us all to instantly understand what using it will entail.

For me that is the key difference here, and something that needs to change.


The problem with discussions about "trading privacy" is the tendency to think only about known, temporally local risks. The actual risk from surveillance from the current "smart"-device manufacturer today or in the near future is probably low.

We are used to information deteriorating over time, and the non-zero cost of distribution and analysis limiting how far information about you could spread. Our heuristics that estimate risk are not prepared to evaluate risks that extend indefinitely into the future.

You say you are comfortable trading (some) privacy. Are you prepared for that data being sold/hacked/subpoenaed after 20 years? Are you sure you're comfortable with future machine learning tricks and other advanced analysis techniques reconstructing a detailed pattern-of-life from several decades of data?

The worst ways to abuse all this surveillance data probably haven't been discovered yet. Nobody should be comfortable trading away their privacy, because we don't even know the risks. We only know that risk only increases with time.

A "privacy mark" doesn't help (much). Instead, what we need is an education campaign similar to anti-smoking efforts that attempt to realign the common wildly inaccurate perceived risks to be a closer match to the actual risks.


Completely agree with your diagnosis. As for the prognosis, social policy may be a good idea, but it is not what HackerNews readers are best positioned to facilitate. Rather, we should be implementing technologies to facilitate the increase of entropy in information actually and unavoidably collected. Plausible deniability will be the best safety net against future risks unknown.

If my dildo is publicly known to have reported its use whilst I was also known to have been watching Trump's Presidential Address (don't ask!), I would have an out in that all such data has long been known to have been poisoned. Spam is our friend.


I like the idea of a privacy classification system, along the lines of movies or video games. With at least some public focus on privacy, perhaps this is the time to create an industry standard?


I've been wishing for something more along the lines of open source licenses. GPL might be a complicated contract but once you know it, all you need is 3 letters to describe it. You've still got the option to write up your Special Snowflake 1.0 license, but most products won't need that or want it, so a few common contracts emerge and then we don't all need to skim pages of legalese (subject to change at whim) every time we visit a new website.


A standard could certainly contribute to informed consent by the people who purchase/use devices. It's a complex concept to summarise and distill into iconography though.

(See also my comment to parent post.)


> ultimately there needs to be some kind of 'privacy mark' in the same way films carry a cert to allow us all to instantly understand what using it will entail.

That was the direction we were wanting to go with the Private Play Accord mentioned at the end of our DEF CON presentation: http://www.privateplayaccord.com/

We got as far as drafting an initial star-based grading system but turns out writing code is easier... :)

Was made aware of this earlier initiative today: http://designswarm.com/blog/2015/09/what-does-it-do-a-propos...


There should be no privacy marks. The companies just should not collect any "anonymous" "analytics" without user's permission.


Please define "anonymous analytics".

Is a log of ip addresses and times that your smart toaster was used acceptable?

What if said smart toaster really needs to contact a server to decide exactly how long to heat the toast for?

It's difficult to have an internet-connected widget with an App that doesn't generate some kind of information in logs somewhere.

I agree with you but I think it's something that needs laws around it, and unfortunately can't be simplified down to your one sentence solution.

Unfortunately with the apathy of the general population and the flat-out corruption of our own untrustworthy governments, I think those laws are unlikely to materialize.


Yes, there is some information that can be collected, for example, in server logs. But does the company need to keep those logs forever? And does it need to collect it all?

But the problem is not only in the IP addresses. Companies just want to save everything they can collect. Remember Amazon Echo that was storing everything said to the device on the server. And almost every mobile app now has Google Analytics or similar system inside.

It is obvious that companies do this for profit because the information could have some commercial value and could be sold later or used for marketing purposes. But the users want the device just to serve its purpose and not to be a modern implementation of a telescreen.

I think this problem can be only solved by government regulation too.

So for example a store owner that has a CCTV system would not be allowed to keep the records forever or recognize faces on the video and sell this information to marketers. A security system should serve just its purpose.

> It's difficult to have an internet-connected widget with an App that doesn't generate some kind of information in logs somewhere.

The server can be run on the phone or user's computer or router. Why should the data from the toaster travel across the world?


> Yes, there is some information that can be collected, for example, in server logs. But does the company need to keep those logs forever? And does it need to collect it all?

No, but companies will continue to do it if there is no cost and no consequences, which is the current state.

> The server can be run on the phone or user's computer or router. Why should the data from the toaster travel across the world?

Exactly. But people should be given the information to be able to make that decision.

Either mandatory rules on what any IoT appliance is allowed to send and rules on how much of and for how long that information will be stored, or a system that will reasonably allow consumers to make the decision between devices.

But nothing will happen if the consumers continue to not care and buy toasters that send your toasting information back to China.


This is a cool idea. Having an independent rating company look at products and score them on privacy or security. May be hard to find back doors tho.


I think the delusion you have fallen victim to here is that it all boils down to your personal choices. The issue is not whether--for you personally in the market--it makes sense to delete your facebook. The important point that outrages people rightly is that the system has evolved in such a way that the choice is not a reasonable one to have to make (between friends and privacy).

We need policy changes that separate the choice to have privacy from state/corporate knowledge of our intimate lives from the choice to make connections with friends, advertise, reach out to the world, etc. The market as it currently exists is not an adequate mechanism to achieve these changes.

The business model of people-farming and super-stasi state spying is the polar opposite of the utopian promises made by many in this industry at the emergence of the internet, and there need to be concrete proposals to stop it from every arena, because there will certainly be far more dire consequences as it evolves if it isn't checked in a comprehensive, thoughtful way.


Deleting your FB account actually is a lot easier than most people imagine. Instead of spending my idle time [1] on stupid online arguments, I can do all sorts of fun and productive stuff.

Migrating away from GMail or Google search? Now that's something I don't think I can pull off. I tried switching to DDG several times and I could never stick with it. It's the Linux desktop of search engines.

[1]: https://xkcd.com/303/


That's how you use FB. I avoid arguments there (though inevitably I get into one once in a while) but it's a hugely important social outlet for me. I've got a lot of wholly virtual relationships that go back years, and trying to organize them into other channels would be a major headache. I know quite a few of my other friends on other platforms/forums, but the very generality of FB (vs the extreme siloing of most websites) is an asset despite its many flaws.


That's a strange generalization of how Facebook is used. Personally, I never get into arguments on there and seldom see any of my friends do.


See I'm the exact opposite. Outlook.com and DuckDuckGo are working just fine for me, but when my friends are having a get-together, it's an event on Facebook. When my sister takes pictures of my niece, they're on Facebook.


I instituted a personal policy a long while back of never friending someone on Facebook that I don't know more than casually in real life. That means my friends list is limited to actual, real friends (and coworkers), and there's a distinct lack of stupid online arguments.

..that's what Reddit and Hacker News are for :)


> Deleting your FB account actually is a lot easier than most people imagine.

What about deleting the always listening FB spyware craplet that comes pre-installed on your non-rootable phone? How easy is that?


Everything is relative, but to me, throwing that phone to trash bin and buying a rootable/non-fb-craplet-pre-installed phone instead does not sound overly complicated.


> There is no "average" American. Everyone is close to a median in some metrics, and everyone is an outlier in others.

There is, because some metrics are more important than others, and many metrics you might care about tend to correlate.


Doesn't that boil down to "there is if you define one"?


> My experience is that people are very upset with the state and want their rights back.

It's easy to _say_ you're upset about something. It's another thing to take action or even vote (with the ballot, your feet or your wallet). How many people out there who will say they are vaguely "concerned" about Company Xyz's service actually have an account at Company Xyz and use that service?!


How is one to vote when neither major party candidate was pro-privacy?

There are a number of pro-privacy representatives, and one or two senators, so it is not like people aren't voting at all, but if you don't get a choice then you cannot be blamed for failing to make the choice.


> How is one to vote when neither major party candidate was pro-privacy?

That's the heart of the matter. The major parties have a virtual monopoly; we're as trapped as voters as consumers are in a market monopoly.

I think the way we fix this is weaken the monopoly of the major parties, possibly with things like ranked voting: http://www.fairvote.org/

Which Maine is trying to institute: https://ballotpedia.org/Maine_Ranked_Choice_Voting_Initiativ...

Perhaps we should try to institute laws that break up parties if they get too big the same way we can break up corporations that are too big? Monopolies being bad and all.


It's not like the major parties woke up one day and put forth Clinton and Trump and told the plebs "vote one or the other". The US especially has a very extensive election process, with the party primaries and all, plus, there are also minor parties which do get votes. Is it really true that out of all the democratic and republican candidates at the primaries, and out of all the minor party candidates, none of them were pro-privacy? Or more likely, some of them were pro-privacy, but people voted for others because they don't see privacy as the be-all end-all of life issues.

I don't think the ~15% of people who are at poverty level care as much about privacy as they do about getting a better job or getting proper healthcare, for example. You'd have to form a pretty strong voting bloc just to offset those votes.


Beware of blaming the system when the more likely problem is that enough people don't care about the issue.


There's definitely something to what you say. At the same time, it's a multi-faceted problem and the two party monopoly is one of them.


The problem is career politicians, not necessarily the system. Public offices should have limited terms.


I'm torn on this issue. If they have limited terms, then they can't play long-term political games and that seems like it should simplify the system. But it also means that at the end of the last term they could more easily disregard their constituents in favor of some last minute lobbying-endorsed legislature.


> How is one to vote when neither major party candidate was pro-privacy?

You vote 3rd party for someone who is and bitch at whichever major candidate wins regardless (which is why they resort to form letters, so at this point it's newspaper outlets/townhalls/etc).

Democracy doesn't end at the voting booth and you have to put continual, sustained effort to create change. Look at the GOP running and hiding from their townhalls over Healthcare. Imagine if that was for privacy-related issues (or whatever). Sure, it may not work with the GOP but the Democrats might seriously consider adopting it to try to split voters away from the GOP.


> It's easy to _say_ you're upset about something. It's another thing to take action

Who do you think is buying all those guns?


Are they going to shoot their vibrators?


If anything, being involved with Company XYZ correlates positively with (paying lip service to) being concerned about its policies. Example, I quit Facebook so I stopped caring about their privacy violations, but I'm still attached to Google so I still am "concerned" about theirs.


> These five words are, as far as I can tell, the poison in the pudding of American politics today.

> 2) The fact that huge outcry over the NSA is not visible might just mean we're looking in the wrong places. I've traveled across the country by land twice in two years, stopping at hundreds of rural campfires and urban watering holes. My experience is that people are very upset with the state and want their rights back. And that, one way or another, they'll get 'em.

If they genuinely wanted to be alone, in substantial numbers, they wouldn't be voting for either major party in the US which are both "big government" parties.

I understand it's a popular meme and thing to bitch about. The reality of people's actions, the degree of effort they expend in that direction, and so forth sends a completely different message.

Actions speak far louder than words.

Now, you can argue those aren't "their" actions but if you do so you are conceding the OP's point that the problem is ignorance.

To be honest, I think it's a combination of those things. Some people "care" but not more than they care about enforcing a certain social conservative world view. Some people simply do not have the time/energy for politics and simply believe the words that politicians say.

Let me know when those people delete their FB accounts and stop using most of Google's services.


> If they genuinely wanted to be alone, in substantial numbers, they wouldn't be voting for either major party in the US which are both "big government" parties.

Sure they would, so long as they are trying to have their vote directly effect a change. Outside of "sending a message that I support someone else," the logical voter must consider that their vote will only change an outcome if there's a tie between candidates, and it's usually obvious which two candidates that tie will be between. Such a voter will need, then, to choose the candidate between those two that they would prefer, even if they hate them both. To do otherwise may help send a message, may help them feel that they are uncompromising in their moral fortitude, or may feel good, but their actual vote will not matter.

That's one of the reasons that ranked voting systems are so nice. It allows you to say "I prefer X to Y if it comes down to that, but I much prefer N,A,D, and Q over them both."


> Sure they would, so long as they are trying to have their vote directly effect a change. Outside of "sending a message that I support someone else," the logical voter must consider that their vote will only change an outcome if there's a tie between candidates, and it's usually obvious which two candidates that tie will be between. Such a voter will need, then, to choose the candidate between those two that they would prefer, even if they hate them both. To do otherwise may help send a message, may help them feel that they are uncompromising in their moral fortitude, or may feel good, but their actual vote will not matter.

That logic presumes that A over B results in government getting less involved in people's lives which is what the person I was responding to argued.

If you are genuinely voting on that issue as your primary and core issue, "sending a message" even if it renders your vote otherwise worthless is the only option that has the slightest chance of success. Voting for A or B (as both do nothing in relationship to your single issue) will always ultimately bring about failure.

I guess what I'm trying to say is if people never stand on principle, the principle isn't relevant and is not a genuine want but rather a trivial wish of no real impact. I can also wish to win the lottery or to become a millionaire through an inheritance too. It doesn't mean it's a genuine desire I take action on.


"rural campfires and urban watering holes" lol...I too have had similar experience. Basically it boils down to the media severely downplaying it and avoiding the topic. Because that's what the powers that be tell them to do. The same way US Intelligence was able to tell them, "look Russia without a doubt did it [the DNC hack]" and they repeated that without question and without proof ad nauseam, the media by and large does what they're told. It's ultimately a recipe for the sort of revolutions that took over Russia 100 years ago. People in those watering holes are getting fed up and have no outlet and feel like nobody is listening to them--cuz nobody is listening to them.

Also, older generations are less concerned. They understand technology less, so my assessment is they kinda throw in the towel. Maybe 10-20 more years of those 20-30 year olds at those watering holes and we'll be the majority of the country--at that point they'll have no choice but to hear us, because we'll be working at and running those media companies, congress as well. That's my hope. Otherwise, it means violent revolution. The state can't be trusted anymore.


> My experience is that people are very upset with the state and want their rights back. And that, one way or another, they'll get 'em.

I think that's likely true with a huge segment of Americans, but the definition of "the state" probably varies widely. For example, there are folks that want municipal police powers curtailed and the EPA unleashed, while other folks want the opposite.


I don't think the definition of the state is what varies as much as the circumstances of the person who wants their "rights back".

As an example: In rural America restrictions on gun ownership are pure crazy talk, a gun is a tool just like a shovel. You keep varmint off your land, scare bobcats away from the sheep, and keep your home safe because the police are 30 minutes away.

If someone in NY is carrying a gun it's a huge liability to the people that are in close proximity to that person. There are also police and emergency services very nearby.

In rural America your house can burn down before the fire department arrives. Gravel roads aren't a problem. Largely what you do on your land doesn't have any effect on anyone else. Nobody should be able to tell you what you can flush into your own septic system.

In a dense city what you flush down the toilet can cause big problems for other people. Well maintained roads and an understanding that you should walk on the left and stand on the right contribute to a sense that your actions affect others and what they do affects you.

I don't see enough respect for how rightfully different the perspectives of people are.


> For example, there are folks that want municipal police powers curtailed and the EPA unleashed, while other folks want the opposite.

Curtail them both. I'm building a barn, not running an open pit mine. A federal agency shouldn't have a say in what kind of barn I build for my own personal use on my own personal property.

Less is more when it comes to government.


> These five words are, as far as I can tell, the poison in the pudding of American politics today.

In the abstract, you're right, but I feel like it's worth noting that there's nothing exceptionally ignorant about voters of _today_. If anything they're more knowledgeable than any voters in American history.


> there's nothing exceptionally ignorant about voters of _today_

What makes you think that? It certainly doesn't seem true based on direct observation.

It seems to me that Americans today are a lot more certain of various false things than they were during the 1970s, 80s, or 90s.

Not that people haven't always believed lots of incorrect things, but if we could (magically) get the data and find out, I'd be very surprised if it didn't show people believe more incorrect things today than in (say) the 1980s and they are more confident (sure they are right) in their wrong beliefs as well.

Of course, this is one of those very tricky subjects, and I am not aware of any high-quality data on it. So I could be wrong, my experience may not be representative, and maybe people were historically as ignorant as they are today. But I doubt it.

The "filter bubble" and the explosion of authoritative-looking-but-totally-full-of-shit sources are probably major contributors to the phenomenon.

Also, I think that the ratio of basically correct, informative information to garbage info has inverted. For example, IIRC in the 1970s and 1980s, seems to me people had maybe a dozen or two dozen regular news sources. Most news sources -- major newspapers, ABC/CBS/NBC news -- were mostly accurate.

That's certainly not the case today. The overwhelming majority of information most people intake is completely inaccurate or fabricated. It's not really "news", it's advertising, propaganda, for-profit clickbait, whatever. And yet, many people seem to have the same confidence in it and it seems to shape their beliefs in a similar way.

It feels like people know more things than in the old days, but if they know more incorrect things, then I think that's "more ignorant" when you tally it up.


If you read about "Yellow Journalism" and how newspapers were used to accomplish things rich people wanted to happen, you will realize that Americans, and humans in general, have been subject to mass manipulation via the media for centuries.


I do know about that, and find it interesting. And that stuff still goes on, of course, and likely always will.

But there's a lot of other stuff also going on today. It feels more organic, rather than intentionally directed, but I think the effects on the collective mind are still huge.

The clickbait articles that don't have any underlying motivation other than getting people to click on them (along with those that do). The web of people out there providing each other confirmation of truly nuts conspiracy theories, whether it be "the Sandy Hook massacre of children was a government hoax" or "thousands of children have gotten autism from the measles vaccine". Youtube comment threads.

There's no cohesive agenda behind a lot of this stuff, and no ultimate benefit achieved by any party. It's more like these things are memetic prions, folding onto each other and interacting in their unthinking inanimate way, having significant effects on the host but without any intention driving them.


Are they more knowledgeable? I know that they have the opportunity to learn more nowadays, but do they actually take advantage of that opportunity?


> 1) There is no "average" American. Everyone is close to a median in some metrics, and everyone is an outlier in others.

I've always read it as "average countryman in the relevant metrics" (here views on privacy/knowledge of implications of mass surveillance), rather than suggesting that there is a hypothetical average person who fits for all contexts. It's obviously flawed, but I don't think it's a useless concept.


Yet, when John Oliver switched to Dick Pic program, almost everyone who previously didn't get the risk suddenly got the risk. My own experiences talking to hundreds of them about the topic confirm that. Many don't get it. You have to give specific examples they can understand before they start opposing it. Even smart, non-IT folks were like that in many cases.


> People very much care about the privacy of their sex life.

Relevant Plug : John Oliver Interview with Snowden (23m45s)

https://www.youtube.com/watch?v=XEVlyP4_11M&t=23m45s

Also, the "You have got nothing to hide" argument fails.


I'm very impressed at Snowden's straight face.


Is that really how I sound when I try to explain something tech related? I could fall asleep to his voice... That was terrifying.


In high school a good friend of mine was coming to realize that he was never going to be a great speaker. He found that he was able to explain things to me; that I was interested enough in the content and in him, that I didn't mind the delivery. Then in turn, I'd explain his points to the rest of our friends and give him credit for it.

So they started to listen to him, more and more, they were willing to do what I had and just... pay attention. They accepted that maybe the guy who knew so much, might not be the guy who was best at expressing all of what they knew (without being given more a chance than normal).

The thing is... that was high school, and a small group of friends. In theory science and tech journalism should be doing for you and Snowden and others, what I was able to do for my buddy. Unfortunately if I had been modern science/tech journalism, I would have given our friends a half-assed explanation, plugged my own views, and taken credit for all of it.


As the clip points out you need a strong sense of empathy to convey information to people who aren't already interested in that information. John knows what people care about, Edward doesn't.


> Your average American didn't understand or get worked up over Snowden and the prospect of a surveillance state

I think it is about a mindset change. I remember in the 90s when people were cautious about using credit cards online. Then, I remember in the early 2000s when a relative, in her 70s, called me, angry, because I published my genealogic tree online (only with names and relationships). A few years ago she started using Facebook.


> Then, I remember in the early 2000s when a relative, in her 70s, called me, angry, because I published my genealogic tree online (only with names and relationships).

I had the exact opposite and had to call a relative, in her 70's, to remove me and my bit of the family from her genealogic tree online.

I'm actually surprised that you would break someone else's privacy like that.


> I'm actually surprised that you would break someone else's privacy like that.

I wasn't aware genealogy was private. I'd assume the opposite, as birth and marriage records are public matters. If I were to post a public tree and someone berated me for it, I'd be dumbfounded at their reaction.


in practice, privacy has more to do with availability of the data than having the ability to get the data


Bingo. You're more private if it costs 10x the amount to get at your data. For example, if you have to phone up the records office yourself to find the records, you're not going to wind up with random people being interested in them, generally speaking - but if they turn up on the first page of google when someone searches your name, a lot more people are going to find them. Privacy is all about creating friction - similar to hashcash or similar.


> I wasn't aware genealogy was private. I'd assume the opposite, as birth and marriage records are public matters.

And you are totally in the right.


> I wasn't aware genealogy was private

It is if a large part of your family is poor or you're related to a felon or political extremist. Sure it's not as private as bank records but it's not the kind of thing anyone with a brain would want to make it trivial to find.


Public record is not the same as google-able.

Security questions by default often include Mother's Maiden name.


Right which is why that has always been and will always be a miserable security question.

There has never been a point in the past 20 years when someone's maiden name was difficult to find.


> I'm actually surprised that you would break someone else's privacy like that.

Indeed, I sent an e-mail to my family when I published the genealogical information online. She sent me her concerns years later. It seems she hasn't paid attention to my e-mail.


The safe default for any kind of disclosure is opt-in.


I don't think so, genealogy goes well beyond the personal interest of some individuals. The main purpose of my genealogical research involved connecting with family members who were "disconnected" and don't know how to connect with their entire family. In a few years this will be almost impossible to accomplish since many of these "links" will be dead.


Yes, well, that may be so but in some cases those family members are disconnected for a reason. FWIW I have a pretty good reason to be as disconnected from some of my family members as is possible and I find it presumptuous of you that you would feel that your research (which you do for yourself, not for me) would trump my personal interests. After all it would be my name, not yours out there. You are entirely free to do as much research about your genealogy as you wish, but there is absolutely no need to do such a thing publicly.


I understand your perspective but it is not my case. The relationship with my relative is good, we live in different countries, and "all" my family was aware of my genealogical research. I didn't give all details about this because the point of the comment was showing how people selectively and inconsistently manage their privacy.


It's probably because the bastards were in the tree too.

Most likely had nothing to do with her direct privacy.


I find it a bit amusing you're being downvoted, because while it's certainly possible that's not what said relative cared about, I've seen firsthand how much relatives care deeply about stories of dubious morality several generations back.

My dad was very interested in genealogy, and one of the things that frustrated him for years was a particular dead end:

An at the time young, unmarried woman a few generations back in our family tree had a child, and then moved in with her sister and her sister's husband.

The father was named as so-and-so, "currently employed as a travelling hat maker, resident in Bremen".

A "travelling hat-maker from Bremen" was not particularly common in Norway at the time. He should have existed in the police register in Oslo for that time period (people had to register on arrival back then), and he's not. My dad found no trace of him in any other relevant registers from that time period either to my knowledge.

All clues point to the girl inventing this hat-maker to hide that she either didn't know the father or that the father was someone it shouldn't be, or possibly that the father of her child gave her a made up story. At the time not giving the name of the father would have been a crime, hence it was not that strange to see likely false accounts.

But here's the thing: That branch of the family had taken to the idea of a German ancestor that gave them justification for an upper-class sounding double-barreled last name, and even though that decision had been made a couple of generations before my dad started talking about this, that branch of the family reacted with intense anger at any idea that the woman in question had not been truthful, and were furious that he would not let it go. It was already scandalous enough that she was unmarried. That the name of the dad might be fake was too much.

This came up in the 90's. People got angry over something that happened about 150 years back in time, several generations before even the oldest family members involved were born.

Which goes to show that sensibilities around morality have an astounding power over people.

(I still occasionally for fun do searches for the various possible spellings of this supposed hat-maker's name, and have not found a single German family using it)



Very funny plot summary.

I'll probably read it.

Thanks.


> People got angry over something that happened about 150 years back in time, several generations before even the oldest family members involved were born.

This can vary. My grand-grand-grand-father (Romanian) married a Transylvania Saxon girl who had traveled across the Carpathians in order to run away from her brothers (I think this was around 1880-1890). She was the village's only homeless person, so to speak, had her head shaved (possibly because of lice), nobody was looking at her, apart from my grand-grand-grand-father who chose to marry her. Even though it doesn't paint that great of a picture when it comes to our family's ascendency (as my grand-grand-grand-mother was no aristocrat or anything, quite the contrary) the story got told for every generation since then.


Nice story but the issue in my family was about paranoia and having public information exposed. That is why signing up in Facebook was unreasonable.


So what you're saying is... Instead of Edward Snowden releasing documents confirming the widespread surveillance methods, he should have stolen and released indecent photos of dignitaries and ordinary citizens alike. That would have brought it home. :-)


I think you say this sarcastically but I actually believe this type of argument does have some legs to stand on. The public reaction to Snowden's revelations would have been very different.


Well, remember LOVEINT?


Remember when there was a huge leak of celebrity nudes and the internet went wild? There's a huge demand for other people's nude photos to be leaked.

That's part of the problem: people don't have the solidarity to want to protect other people's privacy.


There has been a lot of discussion and laws around "revenge porn" also. For example, in the UK it's now illegal.

Also:

"an incident with Scarlett Johansson photos that eventually lead to a ten year prison sentence of perpetrator Christopher Chaney."

Exchange the word sexually exploited with privacy invaded:

"It is a sexual violation. It's disgusting. The law needs to be changed, and we need to change. That's why these Web sites are responsible. Just the fact that somebody can be sexually exploited and violated, and the first thought that crosses somebody's mind is to make a profit from it. It's so beyond me," the "Hunger Games" actress said.

http://www.kpopstarz.com/articles/123222/20141012/fappening-...


Scarlett Johansson was in the Hunger Games?


No, sorry. Two different quotes from same article. Added url.


Celebrities are treated differently. Not really the same thing.


Yeah. The thing is, he was probably in no position to actually get that kind of thing as some contractor. He did what he could, expecting that people would be horrified. He should have read his history.


That's kind of digital terrorism really, take drastic measures that affect people at an individual level to get people to notice your cause. Though, might be very effective.

Reminds me of this episode of Black Mirror https://en.wikipedia.org/wiki/Shut_Up_and_Dance_(Black_Mirro...


Well... obviously, I guess. If you actually want people to care, you need to talk about something they can relate to. It can't be abstract.


> Did this company violate their own privacy policy?

The original suit claims "Defendant never informed Plaintiff that it would monitor, collect, and transmit her Usage Information" and "Plaintiff never provided her consent to Defendant to monitor, collect, and transmit her Usage Information".

And the proposed settlement requires changes to disclosure statements.

> but didn't actually do anything beyond collect standard usage data.

Leaving aside the disclosure question, the product category itself raises the question of what do we consider "standard usage data" in this context? (We talk a bit about this aspect in our DEF CON presentation follow-up TEDx talk here: https://www.youtube.com/watch?v=WxRSjC1rPmA )

The app transmitted: time of use (ergo duration); internal device temperature; and, real-time pattern & intensity settings. It was also aware of geographic location of the people using the app. Why does the latter matter? At a minimum because adult toys are illegal in some locations.

There are already examples of home automation units, car telemetry loggers and heart pacemakers being used in law enforcement investigations so it's not a stretch to imagine real-time sex toy data also being used.

I believe that developers and manufacturers have a responsibility to the people who choose to buy/use their software/devices to not just "collect all the data" particularly when their product is of an intimate & personal nature.


There is an interview of Snowden by John Oliver where he comes to that conclusion as well, asking people about the usual things that surfaced and people just meh, then translates it into: gov got your d*ck pic and people get upset a whole lot more.


I've seen that interview. I lean to the side of "nothing to hide, not bothered". I've never taken pictures of my penis; I assume that it's not really that common. If it is common I'd expect it not to be common for people over maybe 25? Or only common for people who want others to see unsolicited pictures of their genitals.

I mean if you did make "dick pics" and were bothered about people seeing them then you likely did it wrong and your ISP had access and your phone provider had access and your backup service provider had access. At that point, why would you - short of guilt - be bothered that the government might have potential access in a situation where you were accused of a crime. If you're on the "nothing to hide" side of things, how does that push you to any other position.

In short, it's pithy, and Oliver probably made good talk-show level comments but I don't see it as really being a persuasive way to couch the argument for greater privacy.


I believe the underlying idea behind "dick pics" is that people are guided to think of something that is embarrassing to them. When you tell people they should stop using Facebook if they want to protect their privacy, they think of all the things they've freely shared and associate Facebook with positive memories - my friends liked my post, they laughed at it and shared it. When you make them think of "dick pics", they think of something that is taboo to share in most social circles, and associate it with embarrassment/negative memories.

The issue is that many of the things people share on Facebook/Twitter/etc are actually "taboo", and people's evaluation of them is just wrong. As an example, the story of Justine Sacco, a person who would arguably be even more aware than the average of the impact of public statements, still did not manage to correctly evaluate that the things she was sharing on Twitter would lead to a serious backlash and witch hunt against her.

The worst part is, you won't necessarily get instant feedback, like Justine did. You may post something "among your friends" (in reality, publicly on Twitter), all your friends may agree with you, and then several years down the line you will be judged by a completely different social group, looking through your records. We don't tend to accommodate evolution in people's beliefs as much as we do for ourselves - try the defense "I'm not that kind of person anymore" to strangers and see how often it works out (no need to try on your own, just check out how easy convicted felons have it when trying to reintegrate into society).


I mean it was used for comedic effect. But imagine in 15-20 years that you want to run for Congress. Anything you emailed, wrote, video chatted about in your past is fair game. For blackmail, to discredit etc... The context doesn't even matter as it can be manipulated. You see this in political attack ads already.


It's exactly the point made by John Oliver when he interviewed Snowden for Last Week Tonight, and showed him a picture of his d*ck.


Link to the relevant part of that interview: https://www.youtube.com/watch?v=XEVlyP4_11M&t=24m46s



I think this is more of a case of "sex sells". I.e. the whole topic gets attention because people are interested in sex, not because they are interested in privacy.


It certainly appears there's a large element of that and one of the challenges of our talk was to get the audience past the "sex lol" stage and to take the issues & implications seriously.

Overall we were pretty happy with the degree to which the actual issues got coverage (albeit with varying degrees of accuracy/sensationalism)--even the Daily Mirror managed to communicate the key points.


> We wonder why Snapchat first rose to popularity for sexting

There isn't good evidence that sexting was ever the primary use case for Snapchat. This is more of a meme than reality.


Wish I could find the interview where the founder & friends talk about using it to discreetly send photos of their genitals to female students.

And given the mindset of him & his fraternity brothers in their emails, this isn't surprising: http://valleywag.gawker.com/fuck-bitches-get-leid-the-sleazy...


> And given the mindset of him & his fraternity brothers in their emails, this isn't surprising:

Tbh, debauchery and sex are what frats are about. It shouldn't come as a surprise to anyone that's been to a large college. Even at the least, you should have a basic understanding that frats are not representative of normal society.

Many people have been in frats and transitioned to successful careers (and "toned it down.").


I think it took a lot of PR and effort to shed that image.


It is a dichotomy. People want to share cause they need followers and likes like a Pavlovian dog. So they vomit every moment to everyone they can in search of another hit of dopamine. Except when someone shares something secret or embarrassing, then they want privacy, but still only for these few things.

I think the problem is that we haven't matured as a culture yet to handle this amount of accessibility and sharing. The pendulum is currently in the full share quadrant but will swing back as the consequences of over sharing mount. I expect social media to look vastly different in 10 years time but lessons are only ever truly learned the hard way.


The Snowden revelation didn't have any effect because the intelligence agencies are completely above the law.


> Your average American didn't understand or get worked up over Snowden and the prospect of a surveillance state... People very much care about the privacy of their sex life.

Is there any reason to think that the average person actually cares about it in this case?

This appears to be a class action suit with anonymous plaintiffs - I'm a member of lots of class action suits that I really don't care about, not even enough to return the post card to make me eligible for the $5 or whatever the paltry payout ends up being.


> Obama isn't remembered for his actions around the NSA

Your president's spokeswoman is going on about Obama spying on Trump through his microwave: https://www.theguardian.com/us-news/2017/mar/13/kellyanne-co...

I seem to remember email security being a key election "issue" as well.


Maybe you personally know parent poster but I saw nothing indicating "his president" was Donald Trump. This false dichotomy is another poison. Obama was a man, he did good and bad things, and also had no say in others.

To pretend a person is above criticism, or that these issues are 2 sided is absurd. This is an instance of what that poster (imo) is talking about.

Edit: what user jmyles is talking about. People are close to the median and also outliers. Saying you hate Obama (or implying you disagree with a single policy during his administration as that post did) isn't a tacit endorsement or ballot punch for someone running in an unrelated election after he left office. That logic is very flawed.


pjc50 is probably from outside US, hence "your president" (original comment seems to be by an American as it says "we" about the US)


Yes. He's "your" president if you're in the US whether you voted for him or not. Unfortunately.


> Either most people don't care about privacy or we, the tech community, do a poor job of connecting things like encryption to what people do genuinely care about.

Communication needs to be better for sure. The burden of that is on us - we know what's going on, but misinformation and technical jargon can make that knowledge less useful.

To the broader point, though: I don't think it's necessarily that people don't care about privacy. It may be partly that some people don't know to what extent we share our lives online, but also partly that the convenience of using online services - shopping online, chatting online, etc - outweighs whatever perceived privacy risks exist. (I say perceived because they may not completely understand what gets shared, how, and when.)


> People very much care about the privacy of their sex life.

Because sex actually has a political dimension (or conscious lack thereof) as well

The bedroom is the one refuge from the state/government and you can bet any attempts to take that intimacy away are going to be met with high resistance.


> The bedroom is the one refuge from the state/government and you can bet any attempts to take that intimacy away are going to be met with high resistance.

I can assure you, this is not the prevailing reason nor do most adults view the world through this lens.

It's purely an emotional knee-jerk, the same as when you see nuclear reactor plans being turned down because of public outcry.

There are some things the public is exuberantly irrational about where any deviation will cause business failure.


The principle of charity demands when at first glance you want to attribute irrationality to an opponent you should instead seek to understand their motivations instead of simply dismissing them as 'irrational'

There are good reasons for nuclear power but it's not irrational to say nuclear power poses risks. The public simply calculates a different expected value in the unlikely event of a problem because the outrage produced by such an event would be so high.

Also, It doesn't have to be a conscious lens for it to have an effect on norms/behavior


> The principle of charity demands when at first glance you want to attribute irrationality to an opponent you should instead seek to understand their motivations instead of simply dismissing them as 'irrational'

I'm speaking of the U.S.A. Foundations never go away and the U.S.A was founded on puritan values, i.e shameism. There is no motivation, it's a rooted tradition that hasn't been uprooted yet.

> There are good reasons for nuclear power but it's not irrational to say nuclear power poses risks. The public simply calculates a different expected value in the unlikely event of a problem because the outrage produced by such an event would be so high.

This topic, nuclear vs. similarly-outputting-source, has been beaten to death. Nuclear power is one of the less dangerous, yet high output, sources of energy. The public "eyeballs" their calculations with old data, anecdotes, and inconsistencies.

> Also, It doesn't have to be a conscious lens for it to have an effect on norms/behavior

Yes, but then it starts to sway towards irrationality. When you can no longer understand the basis for your actions, how can you figure out if they're rational or not?

If you don't know your reasons or logic, then by simplification your actions are irrational.


> People very much care about the privacy of their sex life.

Or do they have different expectations depending on what they represent in the relationship?

As far as the Snowden story goes, the public is the state. The public represents the product when it comes to Google and Facebook. In this case the public represents the customer, buying a product that appears to not come particularly cheap at that.

If these devices were handed out to anyone who wanted one, akin to a Google/Facebook account, the expectations may have been different. Or, to put it another way, if you had to pay to have a Facebook account you may have different expectations about what they will do with the data.


People do care about privacy, but they don't understand how they can improve it or how their actions impact it. Then they are endlessly marketed to and told that a networked dildo is going to make their lives better, and hey, everyone else is doing it!

People have been very steadily cooked from a low heat, and they're just starting to realize that it's getting hot in there. Unfortunately, like the frog, it brings them no closer to understanding the cause, their contribution, or any obvious solutions.

...And frankly when so many people here use FB, I find it hard to judge them.


The ironic and the most chilling thing is the people in the class action lawsuit aren't remotely aware their sex acts are already all recorded not by dildos but everyday appliances in the bedroom - microphones, cameras, now available to every hacker and selected government employees/contractors.

Forfeiture of privacy as a free citizen to higher powers is absolutely okay but if my dildo starts recording how many times I've been penetrated with it and uploads it to the internet - pitchforks for all.

Such is the mechanism of the common man/woman/ze. Incapable and unwilling to spend the extra brain power associated with understanding the underlying system but quick to get angry and play the victim when that oversight finally burns him.

"A man who procrastinates in his choosing will inevitably have his choice made for him by circumstance." - Some old white guy.

In this case those who procrastinated in their acquisition of understanding and knowledge of systems and signed their privacy away, were unable to reverse their outcome when it turned out to be not in their best interests.


If the options are to sue someone with essentially infinite resources (government) vs a company that needs to make money to survive, the latter is a better target for a lawsuit.


>"I think this is a great example to the tech world of what people actually care about."

I am not following your suggestion that this article is indicative of disinterest. Are you suggesting that this is a really big news story or that this case might be a watershed moment? Because I don't see that. In fact I have had NPR on all day so far and haven't heard this mentioned.


Your specific cognizance of the case, and how it came to your attention, is orthogonal to the broader cultural forces in play.


The intent of my question was to ask for clarification if the OP thought that this was going be a watershed moment.

My comment regarding the position of this story in the news cycle was only meant to be relevant to the question of whether the OP felt that this case was going to be a catalyst, nothing more.

It was in no way meant to trivialize the importance of the case. That's an assumption you made, incorrectly.

It was not meant to be a commentary on the importance of privacy or the importance of the conversation surrounding privacy which is something I care deeply about.

Incidentally, what are the "broader cultural forces at play"? That's a pretty nebulous if not completely banal statement.


> most people don't care about privacy

It's an unpopular idea on HN but this.


People only care about privacy when it directly affects them.

If we unveiled how the insurance industry is using / mining / buying social data to hike the rates on people they deem as higher risk, you would have a national debate front and center.

As long as it doesn't directly affect them, most people don't care.


They already base my insurance rates primarily on my age and what's between my legs (something I can't control and never could control at all). No outrage.

Mining my social data would be a welcome change, honestly. At least they would be trying to use more data points and be competitive.


> At least they would be trying to use more data points and be competitive.

Are you familiar with actuarial science?


Facebook and Google don't sell customer data. Secondly, is there a reason why you left out Microsoft or how about Apple?


That's splitting hairs. Facebook and Google's main source of revenue is letting advertisers target users based on things Facebook and Google know about them.


I disagree. There's a big difference between selling customer data and selling ads to a demographic. Also, the excuse that companies like Microsoft and Apple get a free pass just because it's not their main source of revenue is a weak one. If you have an issue with the practice then don't be selective in your criticism.


Microsoft and Apple don't get any more of a free pass than Facebook and Google. Also, you could spend all day going into Google threads and asking why Facebook, Microsoft, and Apple are getting a free pass, or going into Apple threads and asking why Google, Facebook, Microsoft, and Robert Mugabe are getting a free pass, but it isn't a positive defense.


The issues occur when the demographic gets down to tiny sizes (or it is merged with other datasets to uniquely identify an individual).


In general, every issue - violence, privacy etc. - is much more hot button when it involves genitalia. Was just talking to my wife about this this morning and trying to understand if it's a result of long standing oppression from males to females or if it's related to the puritanical treatment of sex as still largely a taboo subject.


Those two things are probably not completely independent.


If anyone is interested in accessing the WeVibe or other toys (Kiiroo, Lovense, etc) directly via bluetooth, versus going through their apps, I run a website for documenting and reverse engineering this stuff, at http://metafetish.com. All of our docs and code are on github at

http://github.com/metafetish


May one theoretically be able to send patterns to all devices simultaneously?


This is exactly what my new project is about! :D

http://buttplug.io

Working on building a system to create a generic signal set that can be translated to any toy.


Looks like my s/o and I could be making a claim as part of the settlement class. Didn't get much use out of the app, the bluetooth connection was super unreliable.

That said, I take it as a given that any app I install on my phone is probably tracking my usage of their app. Dropping in Mixpanel or Heap or some other analytics lib that tracks feature usage seems like such a standard part of developing a mobile app, I'd be surprised if a developer didn't do it.


I'm in the same boat.

Bought the toy, found the bluetooth connection was almost hilariously bad, gave up on it, but sort of assumed they were recording usage data and analytics because that's what you do.

It's odd, there's all these privacy and security scandals going on, and nobody seems to care about them. And then here it turns out that a mobile app that I logged into is actually logging stuff, like every mobile app ever, and it's a huge scandal and a lawsuit and now a settlement?

I don't get it. I'm not even sure I understand what they did that was wrong. I could understand a lawsuit over how crap their bluetooth was (I can't stress enough just how horrible it was), but over the fact that their mobile app logged usage? Really?

Newsflash: When you buy a vibrator from a vendor, they know you're going to use it. That's what people do with them. What next, a lawsuit that Amazon is tracking your purchases on Amazon? Man, do you think Facebook might have some logs of what you click on in the Facebook app?


> I'm not even sure I understand what they did that was wrong

The original complaint states:

* "Defendant never informed Plaintiff that it would monitor, collect, and transmit her Usage Information."

* "Plaintiff never provided her consent to Defendant to monitor, collect, and transmit her Usage Information."

* "Plaintiff would never have purchased a We-Vibe had she known that in order to use its full functionality, Defendant would monitor, collect, and transmit her Usage Information through We-Connect."

The claims were based on potential violations of: "Wiretap Act", "Illinois Eavesdropping Act", "Illinois Consumer Fraud and Deceptive Business Practice Act;", "intrusion upon seclusion" and "unjustly enriched through its conduct."

Of particular interest to me was the "Wiretap" angle--my understanding is that the suit claimed that--because analytics were transmitted over the internet even when the app was used solo--the company was unlawfully intercepting the customer's command being transmitted over Bluetooth between the phone and device.


> the bluetooth connection was super unreliable.

Human bodies make great faraday cages.

> analytics lib that tracks feature usage seems like such a standard part of developing a mobile app

Right, and we talked about this in a follow-up TEDx talk: https://www.youtube.com/watch?v=WxRSjC1rPmA Just because analytics are a standard practice doesn't mean they should be a standard practice for any particular product.

Developers for more personal/intimate devices need to recognise the impact their data collection may have; that different people have different "Device Intimacy Spectrums" (e.g. people who live in places where adult toys are illegal will be more concerned about what is collected); and, gain informed consent for any data they collect.


There should still be disclosure and opt-in seems only fair for paying customers.


I suspect it was part of the click-through license for the app.

I suspect the company would actually have prevailed. You didn't have to use the app, and the click-through almost certainly had the correct legal language. Precedent would also be on their side.

I also suspect the negative press and legal fees would be more than the profit they made on these vibrators. If we assume $100 of profit on each one we're only talking roughly 40,000 units sold.


> I suspect it was part of the click-through license for the app. [snip]
> ...the click-through almost certainly had the correct legal language...

The claim of the original suit stated that it wasn't and didn't. And, after the original press coverage of our DEF CON talk, the company updated its policies to be more transparent about what it was doing.

> You didn't have to use the app

True, but the company specifically sold an "app-only" version (that had no physical remote control unit) and the original suit claimed that the company justified its premium price in part because it was app connected.

> I also suspect the negative press and legal fees would be more than the profit they made on these vibrators.
> If we assume $100 of profit on each one we're only talking roughly 40,000 units sold.

From the article: "An estimated 300,000 people bought Bluetooth-enabled WeVibes..."


> From the article: "An estimated 300,000 people bought Bluetooth-enabled WeVibes..."

I find that hugely suspect. That would imply almost a $60-90 million business (those things are expensive for a vibrator).

That's a bit off from the financials of "Standard Innovation" the parent corp.


They retail through Amazon and other stores for $179 to $250ish. They sell to retailers through distributors, so you've got two levels of markup. If they're wholesaling for more like $50 and have been available since 2014, that's just $5M a year or so on SI's books.

I wasn't able to find any financials for the company in a quick Google except this CNBC quote from 2013, before the We-Vibe 4 app-enabled product came out:

> We-Vibe, which retails for $79-$170, has been one of those big hits. Over the past five years, the device has amassed cumulative sales of $100 million. And it's gaining momentum. In 2012, the company says, annual sales were 50 percent higher than the preceding year—and the company had revenues of $35 million. It expects those revenues to land between $45 million and $50 million this calendar year.

http://www.cnbc.com/id/100828629


Okay, I guess it really did sell that many cumulatively.

$100 million in sales translates to about 300,000-500,000 units. So, the numbers would be consistent.


Me too, though I've since broken up with that ex which might make the payout complicated! Do you know how to register to get the payout?


Some might say, Dan Grossman, that discretion is the better part of valour when disclosing your vibrator purchases on the internet.

I actually don't care, I just found it funny that you're posting under your real name without shame. It's refreshing, but I think it's also one of the ways techies are significantly different than the rest of the population.


Is that a reasonable thing to be ashamed of? Sure, it's a private topic that you might not discuss casually with your parents or priest, but I would stop short of calling it something to be ashamed of.


>Some might say

Yeah but who wants to listen to people that would judge stuff like a couple buying a toy.


I think it's fascinating that societies swing back and forth, like the pendulum of a grandfather clock, between liberal and conservative accepted social norms. I wonder if these swings become more pronounced or less over time.


Don't these comments just show that people don't really care about privacy on such things. They want the attention more than they want to keep it private at least.

Isn't the supposed demand for discretion the whole point, the rest of the thread seems to be taking as read that people don't want anyone to find out about their vibrator use - yet here we are and [some of] the people actually affected want us all to know they used the device.

CoolGuySteve's comment seems apposite. Of course his last sentence may be correct but that's to be shown.


I have no personal knowledge of Dan Grossman, but in my experience, techie guys might over report indications of sexual activity and prowess on the internet ;-)


Thartos would never overreport.


That is an exceptional and unfair characterization of all men.


Techies are data driven folks. You're thinking of the REST of humanity.


Yeah because being the SOAP of humanity is so last year.


The We Vibe was the topic of a Defcon 24 talk, Breaking the Internet of Vibrating Things[1]. Was an excellent talk, but I felt it needed more jokes woven in.

[1] https://www.youtube.com/watch?v=v1d0Xa2njVg

EDIT: grammar fail


> Was an excellent talk

Thanks. :)

> but I felt it needed more jokes woven in.

Oh, believe me, we had no shortage of jokes we could've included but because we wanted the topic & issues we raised to be taken seriously we erred on the side of leaving out jokes. (We were also really pushed for time having only 20 minutes--we later gave another presentation on the topic to a local security group and talked for over an hour.)


I understand completely! I appreciate the effort that you and goldfisk put into it. Hope to see more Defcon talks from you guys :)


The article says 300,000 people. The talk says 2 million people.


The "2 million" quote seems to be referencing the entire We-Vibe product line, where 300K is the number that bought the app-enabled bluetooth version.


The Internet of Dongs project, at http://internetofdon.gs (on twitter at http://twitter.com/internetofdongs) exists to combat issues with security and user privacy in sex toys. They're working with multiple toy producers to create systems to report bugs and increase security.


[From an earlier submission: https://news.ycombinator.com/item?id=13862694]

Related DEF CON 24 presentation: "Breaking the Internet of Vibrating Things": https://www.youtube.com/watch?v=v1d0Xa2njVg (Includes more technical details)

Related TEDx presentation: https://www.youtube.com/watch?v=WxRSjC1rPmA (Aims to raise awareness of related IoT privacy issues for a non-technical audience via the concept of a personal "Device Intimacy Spectrum".)

Disclosure: I'm one of the presenters/security researchers referenced in the article.


I suppose it's to be expected, but the naïveté of thinking that an IoT sex toy wasn't phoning home still surprises me.

Not to excuse it, because spying on your users — particularly in an identifiable way, and doubly so given the sensitivity of this specific case — is a shitty thing to do, but it's not like this is unprecedented.


> I suppose it's to be expected, but the naïveté of thinking that an IoT sex toy wasn't phoning home still surprises me.

I agree. My experience with tech industry, IoT in particular, deserves quoting Avasarala on this: "My life has become a single, ongoing revelation that I haven't been cynical enough."


Then again, considering the number of retailers that categorize sex toys under sexual health and wellness, health being the keyword, is it possible that HIPAA could be relevant? And if not, should it?


> Then again, considering the number of retailers that categorize sex toys under sexual health and wellness, health being the keyword, is it possible that HIPAA could be relevant?

No, because HIPAA covered entities and the information held by them to which the Privacy and Security rules applies are very explicitly defined, and how retailers categorize products is not a factor.

> And if not, should it?

Probably not, though you could probably make a good case that a more general privacy law not focussed on relations between healthcare providers, payers, and patients should exist and apply.


HIPAA might be relevant if your dildo was prescribed by your doctor. But no, random IoT dildos aren't covered.


Considering stores like CVS can freely track things like cough and pain medicine (which are indisputably health-related) for marketing and giving-you-endless-coupons purposes, it almost certainly wouldn't be a HIPAA violation.


> is it possible that HIPAA could be relevant?

No. If it were, Amazon would've shut the entire category down by now.


Over the longer term, privacy is dead. Sensors are proliferating at a rate web servers were 20 years ago and a state of continual recorded surveillance is where we are headed over the next 20 years.

The main question is, how equitable will that surveillance be? Governments and powerful multinationals will have access to the personal information of ordinary people. Will the converse also be true?

As unpleasant as the prospect of sub mosquito-sized recording devices everywhere is, it matters greatly whether law enforcement, moguls and politicians are subject to the same scrutiny as those without power.


Law enforcement, oligarchs and politicians will be subject to orders of magnitude more surveillance than ordinary people, who generally don't do anything that matters and aren't worth blackmailing. Most people will have to deal with an algorithmic dragnet which selects people for special attention, but important people will have full-time employees or teams of employees writing reports and proposing strategies.

> Governments and powerful multinationals will have access to the personal information of ordinary people. Will the converse also be true?

Absolutely not. In whose interest would it be to give ordinary people anything?


>> Over the longer term, privacy is dead.

Privacy will die if we let it die. It's not an inevitability. We have the power to prevent it (through law imo, not tech). As for it being equitable I don't see how that could ever happen. Having access to everyone's private information would be of zero use to me but would be very useful for governments and companies.


>" It's not an inevitability"

It's ironic you use this word given that Kevin Kelly's new bestseller which focuses on this and two other trends is called, The Inevitable.

https://www.amazon.com/Inevitable-Understanding-Technologica...


One man's book does not decide the future.


I have a really hard time imagining people using this.

Maybe it's just my prudishness but how the hell is fighting with bluetooth pairing in any way foreplay?

On the information video there is a graphic showing it can be used by separated couples. One person is in Europe, one the US. Just don't give up your phone at the border.

And don't lose your phone either. You may just wind up losing your partner also when they see how much more adept someone else is at working the controls.

Guess there are some things I'll just never understand.


We heard good reviews. Wanted to give it a shot because it said it sync'd to music. For people who also dance, this seemed kinda exciting.

The app was so bad though and that was the huge selling point of it and why I paid what was essentially a $150+ premium over another product. Disconnecting bluetooth constantly and the app would crash when we played a song. The idea of using it remotely was also exciting and having a partner control another's pleasure but, ultimately, it didn't work.

I'd gladly get some money back for this device knowing they also were collecting data on what we were doing.


> why I paid what was essentially a $150+ premium over another product

Well you just won $10,000! ;-))


Same reason that sous vide machines have Bluetooth - these are devices that need to look good and be small, and so if you want any interesting configuration options you need to use an external touchscreen.


You are misunderstanding. Bluetooth pairing is not foreplay, it's real sex.


My SO and I bought this device and used it with the app a few times. It worked well, no issues with connectivity after the initial sync. We enjoyed it although they didn't ask for consent. Obviously we are not ashamed and I'm not worried about the privacy. Many people would be jealous that two people who've known each other 30 years still know how to have fun.


Here's how I picture it going down:

Me: Honey, how about we spice things up with a phone controlled vibrator?

Her: You love computer toys more than you love me!

Me: Uhm...


We had that fight years ago and my job won lol. I guess if your SO works you might not win.


[flagged]


I guess the NSFW goes without saying. Ok, going to bleach eyeballs now and leaving this thread for good :)


I'm of two minds about the funny comments this article is getting. On the one hand, some are indeed funny and often really clever use of the English language. On the other hand, I think about hours and hours I'd spend reading really clever comments on Reddit and then in the end realizing that I didn't learn anything, nor did it change my mind or influence my opinion about anything. I'm glad that HN exists as an alternative.


I'm sure this article is gathering reddit-caliber comments in at least twelve different subs right now. If you want that, it's there to be found.

That's very specifically not what HN wants to be.


Perhaps this will make it clearer that controlling things from your phone currently involves somebody in the middle, monitoring what you're doing. If we had better phone-to-phone data connections, this wouldn't be necessary. This is a phone pairing application between phones that could be brought near each other for pairing.


It won't help because the hardware on the phone is specific to the phone and not the app.

Consequently, anyone running on your phone also has access to your wireless traffic.

Until you get fine grained security controls over hardware, you can always consider yourself rooted.


> Perhaps this will make it clearer that controlling things from your phone currently involves somebody in the middle, monitoring what you're doing.

As I mentioned in another comment, part of the original suit (the claims that the app violated wiretapping laws) was based on the fact that when used in a "solo"/"local" situation, the app had a direct Bluetooth connection between the phone and the controlled device which means there was no reason to think there was "somebody in the middle, monitoring".


True, but to fix that, you have to fix everyone being behind a NAT instead of having IPv6 addresses.


Not really. We need a way to create ad-hoc phone-to-phone physical networks, not virtual ones that still go through the Internet. Though even just going through LAN would be an improvement. Bluetooth could technically do this, but as it is, it seems to suck.


I'm pretty sure most smart vibrators do use Bluetooth for the last mile. The "smart" part comes from integration with IRC bots or live streaming sites so that others can control the device from across the ocean (across the Internet).


> An estimated 300,000 people bought Bluetooth-enabled WeVibes, according to court documents, and about 100,000 of them used the app.

I know it's not the primary issue, but it's a very interesting part of the story to me and raises a lot of questions. Only 1/3 of people who purchased the device used the connected app. This sounds a lot like my Anova sous-vide: it has an app but I never use it (a dial and button are fine by me). I wonder if this 1/3 number is the normal rate among "smart devices". Do 2/3 of people not use it because it's of no real value–or because the setup/ux sucks? Do companies make smart devices because "everyone else is doing it" or is there another reason (charge more & better margins)? Finally, will we start to see a decline in smart/connected devices if adoption stays low (in favor of products that simply innovate in other ways)?


Going from my own Anova experience - the people who use the app are probably power users who want the full feature set, as opposed to those (like you) whose use cases are served perfectly well by the clean minimalist UI exposed on the physical device.


I think the apps rarely provide value or they are outside the normal workflow. I just replaced my kitchen scale and the new one has an app that essentially tries to be my fitness pal. But I already use myfitnesspal so I'm not going to switch since the only time savings is the time spent typing in the weight (I still have to search for the food) which is offset by the food database being worse.


If something is bluetooth/wifi enabled, all I want is an API that doesn't go through their servers. I don't want to rely on their piece of crap app.


Is this one of the devices on CIA hacked systems list?


Who knows, but intelligence agencies could benefit from hacking it. Of course the dildo itself is worthless to pwn, but apparently many of the owners are connecting it to a mobile app, and dollars to doughnuts, the maker has not hardened the app against malicious inputs from the dildo and so it can probably be exploited, and from there, you might have lots of useful permissions (depending on how lazy the maker is) or at least a springboard to attack the rest of the iOS/Android OS. Plus, if anyone suspected they were being hacked from their dildo - would they ever admit it?


> The We-Vibe product line includes a number of Bluetooth-enabled vibrators that, when linked to the "We-Connect" app, can be controlled from a smartphone. It allows a user to... give a partner, in the room or anywhere in the world, control of the device.

Wow. I'm just kind of incredulous that this was never hacked. The lawsuit is about the company's own data-collection practices, but just imagine the freakout if one fine day Vladimir Putin took control of all these devices at once.

Has anyone done a security review of the device and the associated app? If ever a service called for a thorough penetration test... (Bah-dum-bum! Thank you, I'll be here all week, tip your wait staff.)

I'm wondering if the lack of hacks came from actual good engineering on the company's part -- hope springs eternal! -- or if the device was just too niche to catch the interest of the black hats?


> Has anyone done a security review of the device and the associated app?

Partially, yes, here's our DEF CON 24 presentation about it: "Breaking the Internet of Vibrating Things": https://www.youtube.com/watch?v=v1d0Xa2njVg

We started out wanting to learn how the device worked, wondering how secure it was and then discovered that what the manufacturer was doing was of more immediate concern. (FWIW the original suit was filed about a month after our DEF CON talk.)

> I'm wondering if the lack of hacks came from actual good engineering on the company's part

As you'll see in the talk, they appeared to have done some things right (e.g. secure network connections) but there are a lot of moving parts (device hardware, firmware, app, backend servers, chat, audio, video, control) and we barely scratched the surface.

> if the device was just too niche to catch the interest of the black hats?

It caught our attention but our hats were black with sparkly skulls on them. :)


To what end? The devices don't stay connected. You have to turn them on, open the app and sync them up. At best you get to alter the vibration patterns of several hundred people at once. At best you've very mildly annoyed somebody and they'd just chalk it up to a buggy app.


Yup. There's a whole project based off of auditing security for this stuff. http://internetofdon.gs


I picture it being hooked to a GPS:

three inches east three inches west three inches east FIVE inches west…

And then they sell the data to Facebook, who can market it to more effectively target men who move like that.

…which steps over the line from snark into relevant observations on abuse of privacy and who benefits, given deep enough data :)


Gentle warning if you're at work: the article has a large picture of the product at the top.


But they did it to help people!

This is how they use the data:

Red lights flashing...

Tactical Officer: - Action Stations - User 5563 is close but needs additional stimulation.

Captain: Engineering can you give us additional 10%?

Engineering: We will need to adjust Warp Field but it should work for about 5 seconds.

Captain: That should be enough. Do it!

Engineering: Ready

Captain: Engage!


So is the moral of the story for a developer to make sure you have an updated privacy policy? If they would have updated the privacy policy on their product would they have been legally protected?


> So is the moral of the story for a developer to make sure you have an updated privacy policy?

Given that the original suit included claims that "Defendant never informed Plaintiff that it would monitor, collect, and transmit her Usage Information" that seems to be one potential moral.

> If they would have updated the privacy policy on their product would they have been legally protected?

Presumably only a case being decided at trial could determine that. But it's worth looking at the proposed settlement documents that outline the non-financial changes they agreed to in order to settle the case.


The issue there is you also have to be able to link a user agreeing to version X of privacy policy otherwise it doesn't do much good.


Haha, I own one of these and the thought has struck me multiple times that Lelo are probably collecting data on usage and also that there must be security holes to their backend so you could in principle take control over thousands of vibrators. Never worried too much about it, and not at this point either. But it's obviously not a good thing.


You should assume any (phone or windows store or mac store) app you install can and likely will be uploading all personal data that it can to their "mothership" in the name of wishing to keep track of Usage and "improve" future products. There are no laws preventing the selling of information to marketing agencies.


I'm trying to imagine what you would actually do with this kind of data.


Sell it to a dating/hookup service to improve recommendations for sexual compatibility criteria.


Seems like publicity stunt only works when you don't have to payout millions to people affected by it negatively.

They got the publicity but at a price that is too high.


Isn't it amazing how every piece of equipment is turned into a tracking device? Always reminds me of Stanisław Lem's 'The Washing Machine Tragedy' http://nemaloknig.info/read-192176/?page=10 where this appliance turned smarter and smarter until it took over...


This could bring new meaning to the concept of the "man in the middle attack"


Besides the privacy concerns being raised here, connected sex toys themselves fascinate me. Like a lot of IoT markets, it intuitively feels as if adding connectivity and intelligence to the products will benefit them in some way. And yet, also like a lot of IoT markets, this doesn't seem to be panning out.

The toys themselves are too primitive to be useful in general. They're too sluggish in their responses, and not sensitive enough. There's also little to no feedback on the control side.

The data collection side of things (privacy issues aside) is also not useful. Is the frequency with which you use a vibrator really going to inform your life? Sleep patterns, diet, exercise, etc. Those are all useful metrics. Certainly the amount you have sex is also a useful metric. But to be useful, you need to actually know how much you have sex, and need to have the ability to analyze that data alongside everything else. A tracked vibrator does not accomplish that, and there's no central app for analyzing all this data together (that I know of). A smart watch, on the other hand, _could_ track sexual activity, and already has the facilities for analyzing that data along with the other important metrics.

But there's still a market here, I feel, for when the right combination of technology shows up. About a year or two ago Internet controlled vibrators showed up on cam sites like Chaturbate. It started off as a novelty on a few cam shows, but today almost every show has them. It consists of a vibrator, either worn externally or internally, that vibrates with variable intensity based on tips given by customers of the show. So, you tip, it vibes. It's a means for customers to have more direct involvement in the show. It's an easy sell to tell someone "You know that hot girl? You can pay to give her pleasure." That's the sort of "right combination of technology" I'm talking about.

The next big innovation, I think, will come from an Internet connected, articulated Fleshlight-like product for men. Ya know, a Fleshlight that jacks you off. There's one product out there, but like most of these failed attempts, it sucks. It has the right "idea", but failed execution. It connects to your computer and you can then direct its movement either with a synced video or remote control by a cam show performer. That's a great idea! But the articulation needs to be better, with several nodes with at least two degrees of freedom (up-down, contract/relax). If you can make the device actually useful, it won't be hard to extract a hefty price on the device, and a hefty price on videos and camshows. And, of course, this is a far more useful device for long distance relationships. Not to belittle the needs of the woman, but I don't believe a remote controlled vibrator is in the same class of remote-intimacy as a remote controlled masturbator. The equivalent would be more like a remote controlled tongue or "fucking machine". But good executions of both are further away, I believe.

And yes, I _have_ thought "too much" about this stuff, even to the extent of sketching out a potential way to build the masturbator using electromagnetic actuators arranged in a ring to provide silent operation.

> Since the app was released in 2014, some observers have raised concerns that Internet-connected sex toys could be vulnerable to hacking.

Oddly enough, that might be some people's fetish.


I do agree the data is probably quite useless, although it could give an indication of frequency.

A more extreme scenario: it could allow for public shaming when it's used in public; for instance by setting it to a painful and/or audible setting (although I doubt any remote vibrator can vibrate that strong), and by focusing attention on that via other means ("what's that buzz?").

(I don't understand why parent was flagged so I vouched.)


> A tracked vibrator does not accomplish that

Note that the We-Vibe couples vibes are designed/promoted for use during intercourse, in addition to "solo" use--and we found design documents for future models that included functionality to detect and measure partner movement. So it's not just one-sided data collection.


Linking the data with email addresses was stupid and unnecessary. Regardless of whether it's right or wrong (if this wasn't 'embarrassing' data I don't think anyone would care) linking data to emails was just a totally stupid decision.


How is what they did different than what facebook does?


How do I claim the lawsuit amount?


Puts a new spin on the phrase "give me a buzz", doesn't it?


Vibrator maker creates Clit Bit.


The perils of teledildonics.


[flagged]


This is not Reddit.


Reddit not Reddit, a good pun is always appreciated by intelligent people. GP was fine.


You're right. It's not. At least there if I post something a conversation usually happens. Here, I post something and, at best, I get one reply total. While Reddit indeed has a load of crap at least some percentage of it is valuable engagement once you stay off the default and political subreddits.

Here I get the same amount of value of posting when I have something to say as putting it into a local text file.


It sounds as if you like Reddit and Reddit likes you. Maybe instead of getting salty because HN doesn't appreciate puerile humor, you should just take it back to Reddit.


I don't know -- telling someone they should go back to another site so as not to reduce the quality of this one is a very Reddit thing to do. See you over at Digg!


> See you over at Digg!

Weak. I'll be at Slashdot!


[flagged]


[flagged]


Please contribute meaningful things only.


[flagged]


Man it's times like this that I wish the mods didn't turn my votes into shadow-votes (a la shadow-ban) and that my votes actually worked.


Indeed, 5 out of 6 top-level comments currently being attempts at cracking jokes. What a graveyard of a comment section.


It's not just joke. It's the fact that it way too closely resembled the writing style of big-city newspaper articles, trying to "subtly" play on double-meaning words. It's just so awful.


How do you know?


They never ever adjust the position or color of any comment. They used to, until the day the mods labeled my account a "troll" account a few years ago. Now my posting is rate-limited, and my votes do nothing. Even after changing my behavior on HN, they refused to reverse their decision.

Let that be a warning to everyone here, never to post comments or links the HN mods do not approve of. Their vengeance is moderate and permanent.


I worry that this will happen (or has happened) to me: I regularly use vouch to vouch for comments which I believe are unfairly flagged. Does that offend the moderators? I have no idea.


Yes it does. If you vouch for comments that get flagkilled your flagging/vouching rights get automatically removed quite quickly.


Same happened to me on another account. Long standing account with karma over 1000. One little spat and the account got rate limited and its votes did nothing - its flagging rights remained though for some weird reason... Since then I've been on throwaways.


Stating your case using the contact link is always an option.


Yep done that. That's when they basically said nope too bad so sad.


Time to create a new account.


Meh. I'd rather just continue scaling back my time spent here. It's becoming a more and more worthless site every day.


How stupid can a company be?


I have to ask how stupid consumers can be. If someone is building a mobile app, custom devices, and connecting them with a web service, you're pretty much guaranteed that the data flowing through their systems is accessible by some people if not stored.

From the sounds of this article, the data collection was relatively innocuous, and probably just the default that a typical developer is going to build into the system. Could they have provided the same service with zero storage and very decoupled from the email address? Sure, but I'd only expect that from a company who pushed privacy and security above all else - and even then I wouldn't trust it unless they published details of how everything is P2P and secure. Sounds to me like they will lose functionality (or at least likely have very poor customer support) without the email addresses. If you're not willing to risk this rather obvious exposure, why not buy a normal vibrator? This is only marginally more sane of a lawsuit than the one against Red Bull because it does not, in fact, give you wings.


A sex toy being hacked by some hacker could make for an interesting porn plot..


Please no, they already made Swordfish, we don't need another attempt.


This article really sent shivers through me.


No man this must be marketing :) :)


Yesterday it was farts and today it's IoT enabled vibrators.. Has Howard Stern taken over HN?


It's technology news. Technology is everywhere, you know.


Just waiting for some scumbag to repost as fake news... "Vault 7 leaks find NSA spying on vibrator use!"



