
Vibrator Maker to Pay Millions Over Claims It Secretly Tracked Use - ceejayoz
http://www.npr.org/sections/thetwo-way/2017/03/14/520123490/vibrator-maker-to-pay-millions-over-claims-it-secretly-tracked-use
======
tyre
I think this is a great example to the tech world of what people actually care
about.

Your average American didn't understand or get worked up over Snowden and the
prospect of a surveillance state; not for long anyway. We don't have much of a
national conversation about it anymore, Obama isn't remembered for his actions
around the NSA, bulk collection, etc.

Most people also don't seem to care too much about Facebook, Google, etc.
collecting their browsing data and selling it to advertisers.

People very much care about the privacy of their sex life.

Did this company violate their own privacy policy?

It looks like the company settled rather than drag things out through court,
but didn't actually do anything beyond collect standard usage data.

The company didn't even give it to third parties. So it isn't that they did
something worse than the NSA or Facebook, but that people are more sensitive to
the privacy of their sex lives than other things.

We wonder why Snapchat first rose to popularity for sexting while most people
couldn't care less about GPGing their emails or using Signal day-to-day.

Either most people don't care about privacy or we, the tech community, do a
poor job of connecting things like encryption to what people do genuinely care
about.

~~~
jMyles
> Your average American didn't understand

These five words are, as far as I can tell, the poison in the pudding of
American politics today.

1) There is no "average" American. Everyone is close to a median in some
metrics, and everyone is an outlier in others.

2) The fact that huge outcry over the NSA is not visible might just mean we're
looking in the wrong places. I've traveled across the country by land twice in
two years, stopping at hundreds of rural campfires and urban watering holes.
My experience is that people are very upset with the state and want their
rights back. And that, one way or another, they'll get 'em.

~~~
ryandrake
> My experience is that people are very upset with the state and want their
> rights back.

It's easy to _say_ you're upset about something. It's another thing to take
action or even vote (with the ballot, your feet or your wallet). How many
people out there who will say they are vaguely "concerned" about Company Xyz's
service actually have an account at Company Xyz and use that service?!

~~~
timthelion
How is one to vote when neither major party candidate was pro-privacy?

There are a number of pro-privacy representatives, and one or two senators, so
it is not like people aren't voting at all, but if you don't get a choice
then you cannot be blamed for failing to make the choice.

~~~
joshmarlow
> How is one to vote when neither major party candidate was pro-privacy?

That's the heart of the matter. The major parties have a virtual monopoly;
we're as trapped as voters as consumers are in a market monopoly.

I think the way we fix this is to weaken the monopoly of the major parties,
possibly with things like ranked voting:
[http://www.fairvote.org/](http://www.fairvote.org/)

Which Maine is trying to institute:
[https://ballotpedia.org/Maine_Ranked_Choice_Voting_Initiativ...](https://ballotpedia.org/Maine_Ranked_Choice_Voting_Initiative,_Question_5_\(2016\))

Perhaps we should try to institute laws that break up parties if they get too
big the same way we can break up corporations that are too big? Monopolies
being bad and all.

~~~
marcoperaza
Beware of blaming the system when the more likely problem is that enough
people don't care about the issue.

~~~
joshmarlow
There's definitely something to what you say. At the same time, it's a multi-
faceted problem and the two party monopoly is one of them.

------
qdot76367
If anyone is interested in accessing the WeVibe or other toys (Kiiroo,
Lovense, etc) directly via bluetooth, versus going through their apps, I run a
website for documenting and reverse engineering this stuff, at
[http://metafetish.com](http://metafetish.com). All of our docs and code are
on github at

[http://github.com/metafetish](http://github.com/metafetish)

~~~
samstave
Might one theoretically be able to send patterns to all devices
simultaneously?

~~~
qdot76367
This is exactly what my new project is about! :D

[http://buttplug.io](http://buttplug.io)

Working on building a system to create a generic signal set that can be
translated to any toy.

------
dangrossman
Looks like my s/o and I could be making a claim as part of the settlement
class. Didn't get much use out of the app, the bluetooth connection was super
unreliable.

That said, I take it as a given that any app I install on my phone is probably
tracking my usage of their app. Dropping in Mixpanel or Heap or some other
analytics lib that tracks feature usage seems like such a standard part of
developing a mobile app, I'd be surprised if a developer _didn't_ do it.

~~~
CoolGuySteve
Some might say, Dan Grossman, that discretion is the better part of valour
when disclosing your vibrator purchases on the internet.

I actually don't care, I just found it funny that you're posting under your
real name without shame. It's refreshing, but I think it's also one of the
ways techies are significantly different than the rest of the population.

~~~
clarebear
I have no personal knowledge of Dan Grossman, but in my experience, techie
guys might over-report indications of sexual activity and prowess on the
internet ;-)

~~~
5ilv3r
Techies are data driven folks. You're thinking of the REST of humanity.

~~~
freehunter
Yeah because being the SOAP of humanity is so last year.

------
altendo
The We Vibe was the topic of a Defcon 24 talk, Breaking the Internet of
Vibrating Things[1]. Was an excellent talk, but I felt it needed more jokes
woven in.

[1]
[https://www.youtube.com/watch?v=v1d0Xa2njVg](https://www.youtube.com/watch?v=v1d0Xa2njVg)

EDIT: grammar fail

~~~
follower
> Was an excellent talk

Thanks. :)

> but I felt it needed more jokes woven in.

Oh, believe me, we had no shortage of jokes we _could've_ included but
because we wanted the topic & issues we raised to be taken seriously we erred
on the side of leaving out jokes. (We were also really pushed for time having
only 20 minutes--we later gave another presentation on the topic to a local
security group and talked for over an hour.)

~~~
altendo
I understand completely! I appreciate the effort that you and goldfisk put
into it. Hope to see more Defcon talks from you guys :)

------
qdot76367
The Internet of Dongs project, at
[http://internetofdon.gs](http://internetofdon.gs) (on twitter at
[http://twitter.com/internetofdongs](http://twitter.com/internetofdongs))
exists to combat issues with security and user privacy in sex toys. They're
working with multiple toy producers to create systems to report bugs and
increase security.

------
follower
[From an earlier submission:
[https://news.ycombinator.com/item?id=13862694](https://news.ycombinator.com/item?id=13862694)]

Related DEF CON 24 presentation: "Breaking the Internet of Vibrating Things":
[https://www.youtube.com/watch?v=v1d0Xa2njVg](https://www.youtube.com/watch?v=v1d0Xa2njVg)
(Includes more technical details)

Related TEDx presentation:
[https://www.youtube.com/watch?v=WxRSjC1rPmA](https://www.youtube.com/watch?v=WxRSjC1rPmA)
(Aims to raise awareness of related IoT privacy issues for a non-technical
audience via the concept of a personal "Device Intimacy Spectrum".)

Disclosure: I'm one of the presenters/security researchers referenced in the
article.

------
rosser
I suppose it's to be expected, but the naïveté of thinking that an IoT sex toy
_wasn't_ phoning home still surprises me.

Not to excuse it, because spying on your users — particularly in an
identifiable way, and doubly so given the sensitivity of this specific case —
is a shitty thing to do, but it's not like this is unprecedented.

~~~
deadowl
Then again, considering the number of retailers that categorize sex toys under
sexual health and wellness, health being the keyword, is it possible that
HIPAA could be relevant? And if not, should it?

~~~
dragonwriter
> Then again, considering the number of retailers that categorize sex toys
> under sexual health and wellness, health being the keyword, is it possible
> that HIPAA could be relevant?

No, because HIPAA covered entities and the information held by them to which
the Privacy and Security rules apply are very explicitly defined, and how
retailers categorize products is not a factor.

> And if not, should it?

Probably not, though you could probably make a good case that a more general
privacy law not focussed on relations between healthcare providers, payers,
and patients should exist and apply.

------
xiaoma
Over the longer term, privacy is dead. Sensors are proliferating at a rate web
servers were 20 years ago and a state of continual recorded surveillance is
where we are headed over the next 20 years.

The main question is, how equitable will that surveillance be? Governments and
powerful multinationals _will_ have access to the personal information of
ordinary people. Will the converse also be true?

As unpleasant as the prospect of sub-mosquito-sized recording devices
everywhere is, it matters greatly whether law enforcement, moguls and
politicians are subject to the same scrutiny as those without power.

~~~
k-mcgrady
>> Over the longer term, privacy is dead.

Privacy will die if we let it die. It's not an inevitability. We have the
power to prevent it (through law imo, not tech). As for it being equitable I
don't see how that could ever happen. Having access to everyone's private
information would be of zero use to me but would be very useful for
governments and companies.

~~~
xiaoma
> _"It's not an inevitability"_

It's ironic you use this word given that Kevin Kelly's new bestseller which
focuses on this and two other trends is called, _The Inevitable_.

[https://www.amazon.com/Inevitable-Understanding-Technologica...](https://www.amazon.com/Inevitable-Understanding-Technological-Forces-Future/dp/0525428089)

~~~
ionised
One man's book does not decide the future.

------
mythrwy
I have a really hard time imagining people using this.

Maybe it's just my prudishness but how the hell is fighting with bluetooth
pairing in any way foreplay?

On the information video there is a graphic showing it can be used by
separated couples. One person is in Europe, one in the US. Just don't give up
your phone at the border.

And don't lose your phone either. You may just wind up losing your partner
also when they see how much more adept someone else is at working the
controls.

Guess there are some things I'll just never understand.

~~~
bradlys
We heard good reviews. Wanted to give it a shot because it said it sync'd to
music. For people who also dance, this seemed kinda exciting.

The app was so bad though and that was the huge selling point of it and why I
paid what was essentially a $150+ premium over another product. Disconnecting
bluetooth constantly and the app would crash when we played a song. The idea
of using it remotely was also exciting and having a partner control another's
pleasure but, ultimately, it didn't work.

I'd gladly get some money back for this device knowing they also were
collecting data on what we were doing.

~~~
bambax
> _why I paid what was essentially a $150+ premium over another product_

Well you just won $10,000! ;-))

------
mysterypie
I'm of two minds about the funny comments this article is getting. On the one
hand, some are indeed funny and often really clever use of the English
language. On the other hand, I think about hours and hours I'd spend reading
really clever comments on Reddit and then in the end realizing that I didn't
learn anything, nor did it change my mind or influence my opinion about
anything. I'm glad that HN exists as an alternative.

~~~
rosser
I'm sure this article is gathering reddit-caliber comments in at least twelve
different subs _right now_. If you want that, it's there to be found.

That's very specifically not what HN wants to be.

------
Animats
Perhaps this will make it clearer that controlling things from your phone
currently involves somebody in the middle, monitoring what you're doing. If we
had better phone-to-phone data connections, this wouldn't be necessary. This
is a phone pairing application between phones that could be brought near each
other for pairing.

~~~
cbhl
True, but to fix that, you have to fix everyone being behind a NAT instead of
having IPv6 addresses.

~~~
TeMPOraL
Not really. We need a way to create ad-hoc phone-to-phone physical networks,
not virtual ones that still go through the Internet. Though even just going
through LAN would be an improvement. Bluetooth could technically do this, but
as it is, it seems to suck.

~~~
cbhl
I'm pretty sure most smart vibrators _do_ use Bluetooth for the last mile. The
"smart" part comes from integration with IRC bots or live streaming sites so
that others can control the device from across the ocean (across the
Internet).

------
callmeed
> _An estimated 300,000 people bought Bluetooth-enabled WeVibes, according to court documents, and about 100,000 of them used the app._

I know it's not the primary issue, but it's a very interesting part of the story
to me and raises a lot of questions. Only 1/3 of people who purchased the
device used the connected app. This sounds a lot like my Anova sous-vide: it
has an app but I never use it (a dial and button are fine by me). I wonder if
this 1/3 number is the normal rate among "smart devices". Do 2/3 of people not
use it because it's of no real value, or because the setup/ux sucks? Do
companies make smart devices because "everyone else is doing it" or is there
another reason (charge more & better margins)? Finally, will we start to see a
decline in smart/connected devices if adoption stays low (in favor of products
that simply innovate in other ways)?

~~~
azernik
Going from my own Anova experience - the people who use the app are probably
power users who want the full feature set, as opposed to those (like you)
whose use cases are served perfectly well by the clean minimalist UI exposed
on the physical device.

------
tomek_zemla
Is this one of the devices on CIA hacked systems list?

~~~
gwern
Who knows, but intelligence agencies could benefit from hacking it. Of course
the dildo itself is worthless to pwn, but apparently many of the owners are
connecting it to a mobile app, and dollars to doughnuts, the maker has not
hardened the app against malicious inputs from the dildo and so it can
probably be exploited, and from there, you might have lots of useful
permissions (depending on how lazy the maker is) or at least a springboard to
attack the rest of the iOS/Android OS. Plus, if anyone suspected they were
being hacked from their dildo - would they ever admit it?

------
smacktoward
_> The We-Vibe product line includes a number of Bluetooth-enabled vibrators
that, when linked to the "We-Connect" app, can be controlled from a
smartphone. It allows a user to... give a partner, in the room or anywhere in
the world, control of the device._

Wow. I'm just kind of incredulous that this was never hacked. The lawsuit is
about the company's own data-collection practices, but just imagine the
freakout if one fine day Vladimir Putin took control of all these devices at
once.

Has anyone done a security review of the device and the associated app? If
ever a service called for a thorough penetration test... (Bah-dum-bum! Thank
you, I'll be here all week, tip your wait staff.)

I'm wondering if the lack of hacks came from actual good engineering on the
company's part -- hope springs eternal! -- or if the device was just too niche
to catch the interest of the black hats?

~~~
follower
> Has anyone done a security review of the device and the associated app?

Partially, yes, here's our DEF CON 24 presentation about it: "Breaking the
Internet of Vibrating Things":
[https://www.youtube.com/watch?v=v1d0Xa2njVg](https://www.youtube.com/watch?v=v1d0Xa2njVg)

We started out wanting to learn how the device worked, wondering how secure it
was and then discovered that what the manufacturer was doing was of more
immediate concern. (FWIW the original suit was filed about a month after our
DEF CON talk.)

> I'm wondering if the lack of hacks came from actual good engineering on the
> company's part

As you'll see in the talk, they appeared to have done some things right (e.g.
secure network connections) but there are a _lot_ of moving parts (device
hardware, firmware, app, backend servers, chat, audio, video, control) and we
barely scratched the surface.

> if the device was just too niche to catch the interest of the black hats?

It caught our attention but our hats were black with sparkly skulls on them.
:)

------
Applejinx
I picture it being hooked to a GPS:

three inches east three inches west three inches east FIVE inches west…

And then they sell the data to Facebook, who can market it to more effectively
target men who move like that.

…which steps over the line from snark into relevant observations on abuse of
privacy and who benefits, given deep enough data :)

------
kitd
Gentle warning if you're at work: the article has a large picture of the
product at the top.

------
6d6b73
But they did it to help people!

This is how they use the data:

Red lights flashing...

Tactical Officer: - Action Stations - User 5563 is close but needs additional
stimulation.

Captain: Engineering, can you give us an additional 10%?

Engineering: We will need to adjust Warp Field but it should work for about 5
seconds.

Captain: That should be enough. Do it!

Engineering: Ready

Captain: Engage!

------
jonaldomo
So is the moral of the story for a developer to make sure you have an updated
privacy policy? If they would have updated the privacy policy on their product
would they have been legally protected?

~~~
follower
> So is the moral of the story for a developer to make sure you have an
> updated privacy policy?

Given that the original suit included claims that "Defendant never informed
Plaintiff that it would monitor, collect, and transmit her Usage Information"
that seems to be one potential moral.

> If they would have updated the privacy policy on their product would they
> have been legally protected?

Presumably only a case being decided at trial could determine that. But it's
worth looking at the proposed settlement documents that outline the non-
financial changes they agreed to in order to settle the case.

------
marvin
Haha, I own one of these and the thought has struck me multiple times that
Lelo are probably collecting data on usage and also that there must be
security holes in their backend so you could in principle take control over
thousands of vibrators. Never worried too much about it, and not at this point
either. But it's obviously not a good thing.

------
bleair
You should assume any (phone or windows store or mac store) app you install
can and likely will be uploading all personal data that it can to their
"mothership" in the name of wishing to keep track of Usage and "improve"
future products. There are no laws preventing the selling of information to
marketing agencies.

------
gozur88
I'm trying to imagine what you would actually do with this kind of data.

~~~
manarth
Sell it to a dating/hookup service to improve recommendations for sexual
compatibility criteria.

------
brilliantcode
Seems like a publicity stunt only works when you don't have to pay out millions
to people affected by it negatively.

They got the publicity but at a price that is too high.

------
MichaelMoser123
Isn't it amazing how every piece of equipment is turned into a tracking
device? Always reminds me of Stanislaw Lem's 'The Washing Machine Tragedy'
[http://nemaloknig.info/read-192176/?page=10](http://nemaloknig.info/read-192176/?page=10)
where this appliance turned smarter and smarter until it took over...

------
zelias
This could bring new meaning to the concept of the "man in the middle attack"

------
fpgaminer
Besides the privacy concerns being raised here, connected sex toys themselves
fascinate me. Like a lot of IoT markets, it intuitively feels as if adding
connectivity and intelligence to the products will benefit them in some way.
And yet, also like a lot of IoT markets, this doesn't seem to be panning out.

The toys themselves are too primitive to be useful in general. They're too
sluggish in their responses, and not sensitive enough. There's also little to
no feedback on the control side.

The data collection side of things (privacy issues aside) is also not useful.
Is the frequency with which you use a vibrator really going to inform your
life? Sleep patterns, diet, exercise, etc. Those are all useful metrics.
Certainly the amount you have sex is also a useful metric. But to be useful,
you need to actually know how much you have sex, and need to have the ability
to analyze that data alongside everything else. A tracked vibrator does not
accomplish that, and there's no central app for analyzing all this data
together (that I know of). A smart watch, on the other hand, _could_ track
sexual activity, and already has the facilities for analyzing that data along
with the other important metrics.

But there's still a market here, I feel, for when the right combination of
technology shows up. About a year or two ago Internet controlled vibrators
showed up on cam sites like Chaturbate. It started off as a novelty on a few
cam shows, but today almost every show has them. It consists of a vibrator,
either worn externally or internally, that vibrates with variable intensity
based on tips given by customers of the show. So, you tip, it vibes. It's a
means for customers to have more direct involvement in the show. It's an easy
sell to tell someone "You know that hot girl? You can pay to give her
pleasure." That's the sort of "right combination of technology" I'm talking
about.

The next big innovation, I think, will come from an Internet connected,
articulated Fleshlight-like product for men. Ya know, a Fleshlight that jacks
you off. There's one product out there, but like most of these failed
attempts, it sucks. It has the right "idea", but failed execution. It connects
to your computer and you can then direct its movement either with a synced
video or remote control by a cam show performer. That's a great idea! But the
articulation needs to be better, with several nodes with at least two degrees
of freedom (up-down, contract/relax). If you can make the device actually
useful, it won't be hard to extract a hefty price on the device, and a hefty
price on videos and camshows. And, of course, this is a far more useful device
for long distance relationships. Not to belittle the needs of the woman, but I
don't believe a remote controlled vibrator is in the same class of remote-
intimacy as a remote controlled masturbator. The equivalent would be more like
a remote controlled tongue or "fucking machine". But good executions of both
are further away, I believe.

And yes, I _have_ thought "too much" about this stuff, even to the extent of
sketching out a potential way to build the masturbator using electro magnetic
actuators arranged in a ring to provide silent operation.

> Since the app was released in 2014, some observers have raised concerns that
> Internet-connected sex toys could be vulnerable to hacking.

Oddly enough, that might be some people's fetish.

~~~
cryptarch
I do agree the data is probably quite useless, although it could give an
indication of frequency.

A more extreme scenario: it could allow for public shaming when it's used in
public; for instance by setting it to a painful and/or audible setting
(although I doubt any remote vibrator can vibrate that strong), and by
focusing attention on that via other means ("what's that buzz?").

(I don't understand why parent was flagged so I vouched.)

------
k-mcgrady
Linking the data with email addresses was stupid and unnecessary. Regardless
of whether it's right or wrong (if this wasn't 'embarrassing' data I don't
think anyone would care) linking data to emails was just a totally stupid
decision.

------
watertom
How is what they did different than what Facebook does?

------
nojvek
How do I claim the lawsuit amount?

------
blacksqr
Puts a new spin on the phrase "give me a buzz", doesn't it?

------
HiFlight
Vibrator maker creates Clit Bit.

------
w1ntermute
The perils of teledildonics.

------
bjourne
How stupid can a company be?

~~~
TallGuyShort
I have to ask how stupid consumers can be. If someone is building a mobile
app, custom devices, and connecting them with a web service, you're pretty
much guaranteed that the data flowing through their systems is accessible by
some people if not stored.

From the sounds of this article, the data collection was relatively innocuous,
and probably just the default that a typical developer is going to build into
the system. Could they have provided the same service with zero storage and
very decoupled from the email address? Sure, but I'd only expect that from a
company who pushed privacy and security above all else - and even then I
wouldn't trust it unless they published details of how everything is P2P and
secure. Sounds to me like they will lose functionality (or at least likely have
very poor customer support) without the email addresses. If you're not willing
to risk this rather obvious exposure, why not buy a normal vibrator? This is
only marginally more sane of a lawsuit than the one against Red Bull because
it does not, in fact, give you wings.

------
slezakattack
A sex toy being hacked by some hacker could make for an interesting porn
plot..

~~~
TenOhms
Please no, they already made Swordfish, we don't need another attempt.

------
hellofunk
This article really sent shivers through me.

------
peter_retief
No man this must be marketing :) :)

------
Dowwie
Yesterday it was farts and today it's IoT enabled vibrators.. Has Howard Stern
taken over HN?

~~~
finid
It's technology news. Technology is everywhere, you know.

------
arcaster
Just waiting for some scumbag to repost as fake news... "Vault 7 leaks find
NSA spying on vibrator use!"

