
Bose Headphones Spy on Users, Lawsuit Says - 0x0
http://fortune.com/2017/04/19/bose-headphones-privacy/
======
tomtalks
(Created an account to post this) I downloaded the app on android and listened
to a few songs on Spotify to find out what information was being sent.

While the app is running, the app sends an HTTP (edit: HTTPS) request every
time the track information changes or the volume changes. When the track
information changes it sends the artist, album and song name. When you change
the volume it sends the new volume level.

Every request includes standard metadata such as

* An _anonymous-id_

* Device serial number

* Information about whether wifi or cellular are connected and carrier name

* Device name, model and manufacturer

If there is interest I will write a blog post about potential ways to stop the
data collection without removing the app :)

~~~
jumpkickhit
Did you packet sniff what is being sent out? Or do you have some intermediary
running on the device itself?

Just curious if it was difficult to do. If more people knew how to, maybe this
sort of activity wouldn't sneakily happen as often.

~~~
tomtalks
Unless an Android app uses certificate pinning ([https://security.stackexchange.com/questions/29988/what-is-certificate-pinning](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning)), it is usually trivial to MITM its traffic passing through your phone.

Provided you own and have physical access to your phone, you can use any number of proprietary/open, free/costly tools to do so (e.g. Fiddler [http://www.telerik.com/fiddler](http://www.telerik.com/fiddler), Burp [https://portswigger.net/burp/](https://portswigger.net/burp/) and mitmproxy [https://mitmproxy.org/](https://mitmproxy.org/)).

In this case I used Fiddler. All I had to do was generate a custom root
certificate (be warned, this is not a good idea in general; look up Superfish
if you want an example of why installing custom root certificates can be bad),
install that certificate on my device and then proxy my device through the
computer running Fiddler.

This process is far better documented here: [http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForAndroid](http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForAndroid). If you need any more help or advice, let me know.
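
Once the phone is proxied as described above, this Python script (an added example; not tomtalks' code and not Bose's or mitmproxy's) classifies what each captured request body carries, using the fields the first post lists (artist/album/song, volume, anonymous id, serial number, network and device details), and flags any host that receives both a persistent hardware identifier and content metadata. The JSON layout, key names and host name are constructed assumptions; the real app's payload format is not on the page.

```python
# Added example (not from the thread, Bose or mitmproxy): audit a capture of
# the app's requests for the fields described above. The JSON layout, key
# names and host are constructed ASSUMPTIONS; the real payload format is unknown.
import json
from collections import defaultdict
from typing import Any, Dict, Iterator, List, Tuple

# Leaf key names (normalised to lower_snake) grouped by what they reveal. A
# persistent hardware id plus content metadata at the same host is what turns
# "usage analytics" into a listening history tied to one device.
CATEGORIES: Dict[str, set] = {
    "persistent_id": {"serial", "serial_number", "device_serial", "imei", "mac"},
    "resettable_id": {"anonymous_id", "anonymousid", "advertising_id"},
    "content": {"artist", "album", "song", "track", "title"},
    "network": {"carrier", "wifi", "cellular", "network_type"},
    "device": {"model", "manufacturer", "device_name", "devicename"},
}

def _walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path, leaf value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj

def _leaf_name(path: str) -> str:
    """'context.device.serial' -> 'serial'; 'tracks[0].Artist' -> 'artist'."""
    return path.rsplit(".", 1)[-1].split("[", 1)[0].lower().replace("-", "_")

def classify_body(body: bytes) -> Dict[str, List[str]]:
    """Map each category to the JSON paths found in one request body. Non-JSON
    bodies give {} instead of raising, so one odd request does not abort a capture."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return {}
    found: Dict[str, List[str]] = defaultdict(list)
    for path, _ in _walk(data):
        for category, names in CATEGORIES.items():
            if _leaf_name(path) in names:
                found[category].append(path)
    return dict(found)

class TrafficAudit:
    """Accumulate, per destination host, which categories were ever sent."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Dict[str, Any]] = {}

    def record(self, host: str, body: bytes) -> None:
        entry = self.hosts.setdefault(host, {"requests": 0, "categories": set()})
        entry["requests"] += 1
        entry["categories"].update(classify_body(body))

    def summary(self) -> Dict[str, Dict[str, Any]]:
        return {h: {"requests": e["requests"], "categories": sorted(e["categories"])}
                for h, e in self.hosts.items()}

    def linkable_hosts(self) -> List[str]:
        """Hosts that received both a persistent identifier and content."""
        return sorted(h for h, e in self.hosts.items()
                      if {"persistent_id", "content"} <= e["categories"])

# CONSTRUCTED sample capture: one track change and one volume change, each
# carrying the standard metadata the thread lists; the host is a placeholder.
_CONTEXT = {
    "anonymous_id": "constructed-0000",
    "device": {"serial": "SN-CONSTRUCTED", "model": "ExamplePhone",
               "manufacturer": "ExampleCo", "device_name": "my-phone"},
    "network": {"wifi": True, "cellular": False, "carrier": "ExampleCell"},
}
SAMPLE_CAPTURE: List[Tuple[str, bytes]] = [
    ("analytics.example.invalid", json.dumps({
        "event": "track_changed", "context": _CONTEXT,
        "properties": {"artist": "A", "album": "B", "song": "C"}}).encode()),
    ("analytics.example.invalid", json.dumps({
        "event": "volume_changed", "context": _CONTEXT,
        "properties": {"volume": 42}}).encode()),
]
AUDIT = TrafficAudit()

def request(flow) -> None:
    # mitmproxy addon hook (load with `mitmdump -s audit.py`); pretty_host and
    # raw_content are mitmproxy's own request attributes.
    AUDIT.record(flow.request.pretty_host, flow.request.raw_content or b"")
```

Feed `SAMPLE_CAPTURE` through `TrafficAudit.record()` to see the constructed host flagged by `linkable_hosts()`; the `request()` hook only runs when the file is loaded into mitmproxy.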

~~~
BoorishBears
I recall older versions of one of those (forget which) generated a non-unique
custom certificate, meaning anyone who had used it could be MITM'd with the
same cert. It was changed later on, but it's a risk if you go with something
poorly designed.

------
ungzd
Reading about spying headphones on a website where a video with sound starts
automatically and continues to play when pressing pause (but jumps to the right
corner, just like hoaxes for Windows 95 where the "start" button evaded the
mouse) — we're living in an _adtechpunk_ world.

~~~
throwasehasdwi
Enable the tab mute button that's existed in chrome for years but is still
hidden:

1) Go to the URL chrome://flags in a new tab

2) Search for the ‘Enable tab audio muting UI control’ flag

3) Hit the ‘Enable’ link

4) Relaunch Chrome when prompted (on Chrome OS a full restart is required)

Now you can click the little speaker that appears next to the tab's close
button when a tab is playing sound to stop that tab from playing audio.

God knows why this isn't enabled by default, somethingsomething advertising
money...

~~~
smelendez
I wish they also had "mute all other tabs."

~~~
kakarot
Sounds like a simple enough addon :)

------
vr46
Hmm, not pleased, we have two sets of the 35 earphones and I use the app -
well, I have to, else I can't change some settings on the earphones. This is
totally overstepping the boundaries of what earphones/headphones should be
doing. Any company that collects my data and moves it from under my purview to
theirs should have to display or expose this data in the exact form that it's
collected to the user, so we can see exactly what it is. Not cool.

~~~
ecomhacker
This reminds me of a bluetooth toothbrush I just bought that requires my
location to be enabled to change the settings via the Oral-B app, which is
required since this model has fewer buttons than others.

The reason why I bought a bluetooth toothbrush was for a wireless hardware
clock, brushing timer, and ranking system which also really doesn't work
correctly even with the app.

~~~
troncheadle
> The reason why I bought a bluetooth toothbrush was for a ranking system

We are truly living in a modern fall of Rome. We will choke on our bluetooth
enabled toothbrushes, 700 dollar juicer machines, our fucking fitbits. We've
ravaged the earth to adorn ourselves with decadent shackles and we will reap
the consequences with fake tans and ultra clean teeth.

In the past year I've gone from being an environmentalist to a big fan of the
end times. We're going to eat ourselves out of a home, and a few billion years
later, the Earth will still be here, not missing us at all. Fuck it, get three
bluetooth toothbrushes next time.

~~~
tomjen3
>reap the consequences with fake tans and ultra clean teeth.

Fake tans are better than cancer and ultra clean teeth sounds like it would
cut down on dental issues.

~~~
tomsthumb
When you get a fake tan, how much of what chemicals is your body absorbing
that all don't cause cancer?

Something like 70% of Americans are vitamin-D deficient. Get some damn
sunlight.

------
raspasov
Ok, this is DEFINITELY NOT cool (+ the fact I own those and I have the app
installed).

One small note of optimism (but not coming from Bose) is this:
[http://imgur.com/a/ezLUi](http://imgur.com/a/ezLUi) (i.e. the iOS on/off
setting for Background App Refresh - I have it globally off for the whole
device, always). So I don't think once the app is not running that there's an
easy/Apple approved way for them to keep running the app to transmit data, etc.

I also just turned off Cellular Data for this...

If someone from Bose is reading this - just wow...

~~~
krrrh
It could easily store and forward data the next time you open the app though.

~~~
raspasov
Correct, if it has meaningful storage on the headphones - anyone know if
that's the case?

In any case, I would encourage everyone to delete the app at this point.

------
sandstrom
Leave a review, may help warn/notify some 'normal' users about this.

- [https://itunes.apple.com/us/app/bose-connect/id1046510029?mt=8](https://itunes.apple.com/us/app/bose-connect/id1046510029?mt=8)

- [https://play.google.com/store/apps/details?id=com.bose.monet&hl=en](https://play.google.com/store/apps/details?id=com.bose.monet&hl=en)

------
danbee
As an aside, whose idea was it at Fortune to have an autoplaying video that,
when paused, starts playing again the moment you scroll down the page?!?

~~~
dboreham
Don't know but presumably they were awarded a bonus.

~~~
RationPhantoms
"SVP of Digital Assemblance Strategy and Social Media Marketing"

------
theseatoms
Is anyone compiling a black-list of companies that implicitly charge users by
quietly (or not-so-quietly) collecting their data? This is increasingly
becoming the consumer protection issue of our time.

A white-list of companies that do NOT do this could also be useful, especially
as alternatives to companies on the black-list.

~~~
HenryBemis
I think that for ANYTHING that requires an app and connection to the internet,
we all should take for granted that:

1) data is being collected (e.g. my precious steps/vitals/food intake on
fitbit)

2) data is being transmitted to the "mother ship" and then sold to everyone that
is willing to buy (e.g. why on earth did the iOS fitbit app want to connect to
facebook??? and then I stopped using fitbit - of course I was using a
throwaway email and false name/DoB to begin with)

3) data is being correlated and adding more juice to each user's profile (e.g.
iOS fitbit app getting my IP, fake-name, throwaway-email, vitals, not-my-iOS
advertising identifier)

No way around this. Only using a good hosts file, PMP, and Firewall IP (on iOS
and for jailbroken devices). Anyone who runs stock iOS or Android is at the
mercy of all "these people".

~~~
medecau
If you jailbreak your device you open yourself up to other threats.

------
hashkb
> According to the complaint, Bose ... shared it with ... Segment whose
> website offers to "collect all or your customer customer data and send it
> anywhere."

Using Segment as an example of an evil destination for data shows that this
reporter is under-qualified to cover this story. I am not defending Bose here;
just pointing out that the reporter doesn't exactly know the domain.

------
crazygringo
I would understand it if the app were tracking how often the headphones were
connected, when they were actually being used, or possibly even which app is
playing audio (e.g. how much are the headphones being used for listening to
music vs podcasts vs videogames) -- although this should all be done
anonymously.

But the idea that the app can detect _which_ music or podcasts I'm listening
to, and build a profile from that -- if true, that would be shocking. Can
anyone answer, is that even possible via iOS APIs?

~~~
0x0
The app shows metadata about the currently playing track, such as title and
artist, so it really does look like it has full access to what is currently
playing. This is discomforting. What if I am playing a locally synced file
"board meeting xyz company case abc something secret in the title.mp3"?

~~~
snovv_crash
Or even worse, something HIPAA protected. They could be in for a world of hurt
here.

~~~
dragonwriter
Bose is not a HIPAA-covered entity and, if a user is or is working for one,
probably they haven't had Bose sign a BAA, so Bose is not in any kind of
trouble for any unauthorized disclosure of PHI.

The user, again if they are or are employed by a HIPAA covered entity, might
be, though.

------
draugadrotten
I live in Europe. Next year I and all other Europeans should be able to make a
GDPR request for information to Bose and, at no cost, get a complete copy of
all information Bose keeps on me.

[https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/](https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/)

~~~
jdmichal
I wonder if the UK will keep that particular EU regulation after its exit...

~~~
acqq
"The GDPR will apply in the UK from 25 May 2018. The government has confirmed
that the UK’s decision to leave the EU will not affect the commencement of the
GDPR."

General Data Protection Regulation Introduction:

[https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/](https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/)

------
cwkoss
Time to make a playlist full of songs with these names and see if you can
crash Bose servers:

[https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt](https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt)

------
siphor
Their example of 'shared it with marketing companies, including a San
Francisco firm called Segment whose website offers to "collect all or your
customer customer data and send it anywhere."'

That's just an analytics provider.. I wonder if this claim is true, based on
that example. Bose could just be collecting app logins, crashes, looking for
usability pain-points, etc. Consulting agencies just throw that crap
everywhere because it sounds good to a client.

------
kirykl
This is increasingly common: companies building data collection into
products and marketing it as a 'feature', especially car manufacturers,
who are openly offering to sell this data. The unsettling part is most
customers don't seem to mind.

~~~
Silhouette
_The unsettling part is most customers don't seem to mind._

A lot of consumers don't even _know_, as we see here.

Those who do know often don't understand the full implications.

The state of privacy and security in modern cars is particularly disturbing,
as you say, and really needs a blunt, in-your-face public information campaign
and preferably statutory regulation. But that would require the relevant
governments to understand the dangers themselves, and I don't think most
politicians are any better at knowing and understanding these things than
anyone else.

------
ohstopitu
Wow! I own a couple of these headsets, and while I've never used the app (I
don't feel the need to install an app for a headphone device, thank you very
much), I'm disappointed in Bose.

Does anyone know any other headphone manufacturer that's got as good a sound +
build quality as Bose?

~~~
snovv_crash
I'm loving my Sennheiser Momentum wireless phones. However, apparently the
current king of the hill is the new Sony MDR-1000X. Better noise cancelling
than Bose, and sound quality as good as the Sennheiser.

------
Karunamon
So what are the chances this never goes anywhere thanks to a clickwrap EULA
that's shoved into your face in 3pt font the moment the app starts?

"Well, your honor, he agreed.."

~~~
pinewurst
EULA for other Bose app (Connect EULA seems not to be available online):
[https://hearphones.bose.com/eula](https://hearphones.bose.com/eula)

"YOUR USE OF THE SOFTWARE ALSO OPERATES AS YOUR CONSENT TO THE COLLECTION,
TRANSMISSION AND STORAGE OF CERTAIN STANDARD NETWORKING INFORMATION, DEVICE
USAGE DATA, AND BOSE PRODUCT INFORMATION VIA THE INTERNET TO SERVERS OWNED OR
CONTROLLED BY BOSE OR OPERATED BY THIRD PARTIES ON BEHALF OF BOSE"

~~~
jdmichal
IANAL, but that language does not seem to permit selling of the data to third
parties.

~~~
marak830
It doesn't say they can't resell it - or transfer it.

~~~
jdmichal
I suppose that's really the heart of the matter, isn't it? When _should_ a
company be able to collect what would otherwise be private information
protected by law? And if they do collect it, what does the law provide as
default protections on selling or transferring that private information?

The "Privacy Policy" bits posted by aaronpk [0] only speak to collecting what
engineers would call telemetry information. They have zero mention of collecting
other data, and zero mention of reselling the data.

I know the US is relatively weak on such laws compared to some EU countries.
This lawsuit might not go anywhere here, but there could very well be a strong
case in, say, Germany.

[0]
[https://news.ycombinator.com/item?id=14148461](https://news.ycombinator.com/item?id=14148461)

------
Arizhel
What I think would be interesting is: what if a company like this made an app
like this, but then clearly stated to users that it'd be collecting data on
them and sending it to marketers? They could even pitch it as helping to keep
prices "low". How much would this hurt sales? Would it even hurt sales at all?
Given the proliferation of "smart TVs" and various IoT devices, I'm extremely
skeptical that a company would experience any decrease in sales by simply
being honest about their collection of data. The only reason these companies
are getting in trouble is because they're sneaky and dishonest and try to hide
their data-collection activities. Google has a gigantic business involving
collecting user data, without hiding this fact, and they're extremely
successful.

~~~
hammock
> Would it even hurt sales at all?

Of course it would. What is the consumer benefit derived from the collection
of this data?

~~~
ahakki
In the given example the benefit is stated as lower prices.

~~~
Etheryte
This example would only work if you had the same product in two different
price ranges, e.g. $350 without tracking and $300 with tracking or something
similar.

------
rynop
I have the 35s. How does one get in on signing the class action? Or can you
only do this after it has gone to trial and has gone in favor of plaintiff?

------
codeisawesome
Disgusting... I just deleted the app, however I hadn't opened it for a while,
anyone know / can guess if it had still been sending stuff out (e.g. as a
background process of some sort)?

------
burntwater
Timely, considering I was just thinking about buying a Q35 tonight. (Oh who am
I kidding, I'm probably still going to do it).

I'm curious if anyone knows a way to temporarily disable/enable apps without
having to uninstall them. Android used to have a "Disable" button in the App
Manager, but my current 6.0.1 phone isn't showing that for any apps. Am I
missing something?

~~~
crazygringo
I've got a Q35, I installed the app to set it up, but deleted it later, and
have never been prompted again or anything, and everything works fine. So I
think you can just delete it no problem.

~~~
burntwater
I'm sure I could, but I would be missing out on the features I may want to
occasionally use/change.

Bose is hardly the only app I would want to block. There are dozens of apps I
might use only occasionally - a month or a year might go by between uses. But
having to reinstall is just a cumbersome step.

~~~
rconti
You don't need the app. I used it once, just to see what it did.

I downloaded it again just now. Again, nothing I needed, deleted.

------
thisisnotanexit
Just checked in the app, and they're very clear that they collect data and
share it with 3rd parties.

------
prisonerOfwar75
Not surprised - I just assume every company that has my data which explicitly
says it does not sell your data does.

A side note:

One day I noticed the GPS icon on my iPhone was lighting up one evening even
though none of the apps were using it. I opened up the app drawer to see which
app was using it and it was Outlook. I immediately deleted the app and then I
saw another app without GPS permissions access it.. I got goosebumps
immediately and powered off my phone. Without a doubt in my mind I believe
there's built in remote access tracking software in iOS. I know I sound crazy
and a bit paranoid but I can't explain it.

~~~
JimmyAustin
Devil's advocate: If iOS did have remote access tracking software built in, why
would it tell you via the UI?

------
wyager
Avoid Bose headphones because they're overpriced and riding off brand
recognition.

Avoid """"smart"""" devices made by hardware manufacturers because hardware
manufacturers don't know how to write software.

While I sympathize for the people who are affected by this, everyone should
really avoid buying such manifestly bad products in the first place. We should
really be doing our best to avoid "smart" TVs, "smart" headphones, and other
superfluous and poorly done computerization.

~~~
philfrasty
If you have a better suggestion for bluetooth + active noise cancelling
please...be my guest...

~~~
wyager
If you don't mind IEMs, they offer superior sound blocking to over-ear
headphones with active noise cancelling, especially with foam earpieces.

If that works for you, get any decent pair of Shure IEMs (or anything that
uses the MMCX connector). Then you can purchase a Bluetooth receiver that
connects to any brand of MMCX IEMs. This is nice because now the most
expensive part (the IEM) you can keep using for as long as you want while
periodically upgrading the wireless component as new technologies emerge.

~~~
portlander12345
Ok, what if you do mind IEMs?

~~~
satori99
I think he is referring to _In-Ear Monitors_.

------
6stringmerc
Brand loyalty can be tough. As an outsider to Bose, but a Sennheiser fan, that
feeling of finding out you were not getting a fair deal in this case is pretty
bad. Bummer.

~~~
alex_anglin
Agreed. I've been a Bose customer for over the past decade, buying a new pair
of headphones every couple years. While I get that people criticize them for a
number of good reasons, I don't mind paying a bit more for a premium product
that I use daily. That they offered great discounts for returned/broken
headphones has kept me a customer for a long time. In the next year or two
I'll probably be getting a new pair of wireless headphones, as that seems to
be clearly the way that things are going. Bose would have been a simple
choice, but now they're not. As a customer it's frustrating to see companies
whose products I enjoy using compromise my trust in them with such short
sighted actions.

------
40acres
I haven't downloaded the app, does that mean that I was not "spied" on? Is
there any indication that Bose could collect data w/o use of the app?

~~~
Etheryte
Since the headphones only have bluetooth available, it's hard to imagine it
transporting the information anywhere without the application, even if the
headset still aggregates information.

------
wbraun
I own both the headphones and the speaker mentioned in the article and have
the app installed. It's a sad reflection on the state of privacy, but my first
reaction to reading the article was getting excited about possible class
action $$. Data collection like this is so commonplace nowadays it's hard to be
surprised. Still disappointed in Bose though.

------
ajdlinux
Lawyerly people - the class action lawsuit defines the class as restricted to
customers who bought their headphones in the United States.

Are there rules that prevent a US class action from including non-American
customers? How hard would it be to commence a similar class action outside the
US?

~~~
dragonwriter
IANAL, but:

> Are there rules that prevent a US class action from including non-American
> customers?

Yes; purchases outside the US would generally be governed by the law of the
jurisdiction in which they occurred.

> How hard would it be to commence a similar class action outside the US?

Depends on the applicable local law; class action might be easy, hard, or not
available at all, depending on the jurisdiction.

------
intopieces
I deleted the app based on this allegation.

However, can someone explain to me how this differs from other app analytics? Or,
is the main issue that they failed to disclose this data collection and failed
to offer an "opt out" toggle in settings?

------
robterrell
I skimmed the document but I didn't see any proxied traffic, packet traces or
other evidence. What am I missing? Is it normal to file a class-action lawsuit
like this without a giant pile of forensic evidence?

------
justabystander
For those that missed it, a representative from one of the other companies
named in the suit helpfully dropped in to provide additional context on their
company's part in this. It even had a super positive "happy to answer ...
questions" attitude. It was deleted in a few minutes as they realized how
poorly that was going to turn out.

The reaction wasn't unexpected. Especially since, while _they_ were supposedly
not directly purchasing or selling the data, they did help collect the data
that Bose allowed themselves to buy or sell. And the TOS allows for third-
party collection and use of data with little restriction.

I did grab a snapshot and the text, but it's quite full of personally
identifying information - name, position and company, as well as links to
their dropbox account. I think the information is important, but I'll try to
leave out those details. Not that it would stop anyone determined to dig
through case details.

In any case, maybe this will help people to discuss the points they were
making and share their attitudes about them without receiving a massive
Twitter storm.

> 1. The suit implies that [Company x] buys the data from Bose for marketing,
> advertising, targeting or profiling. We don’t do that. We help Bose collect
> event tracking data (like you send to Google Analytics) and send that data
> to their product analytics tools (like Mixpanel, Amplitude, Crashlytics,
> Crittercism, AWS Redshift, etc.) Analytics tools like this are used to
> create reports to understand how a product is being used or how a product is
> performing.

> 2. The suit claims that the event tracking was done unexpectedly and in
> secret, but that’s not true. We require that our customers (like Bose) get
> appropriate customer consent, not collect any data in violation of the law,
> and not pass segment any sensitive customer information as defined in
> applicable laws. To the best of our knowledge, Bose complies with all of
> that. On the main screen of the app, there’s a link to “Privacy Policy”
> front and center

To be clear, no one thinks that you didn't do your job from the beginning in
attempting to cover your legal bases. We're aware that analytics is a valid
business. And that it has some valid use cases. But analytics is also an
industry that gets abused frequently and doesn't self-regulate.

In this particular case, people are upset because the hardware is not
completely functional without the app - so people can't just not use it or
"opt out" without losing part of what they just paid a fair amount of money
for. No one would use the app except for that functionality, so collecting
information on "app use" when the use of the app is a manufactured scenario
seems quite unfair for a high-end product.

When collecting data in these scenarios, you need to be explicit about what
you're collecting and not deviate from it. Data overreach and intentionally
vague language are both received poorly. It _could_ be that they're only
collecting audio metrics. But their TOS would also allow them to collect
information on every running app at any time (ostensibly it could affect
quality) or on phone contacts (like if you made a call using the hardware),
device location, texts, calls, and could conceivably transmit even more
sensitive information.

All it takes is one wide tie with a bright idea to slip that "feature" in.
Furthermore, there's nothing stopping Bose from changing their TOS at a later
point. So these "protections" don't really protect the consumer.

Bose chose language that gave them too much potential freedom, and they're
paying for that. You just did your job, yes, but honestly the job probably
wasn't required for this particular product.

------
kspy
So is it only if you're using the app that it's able to build a profile? I love
these headphones but I believe I only ran the app the first time I used them
to pair it.

------
Qub3d
That's frustrating. I am glad I chose a different brand of wireless headphones
than Bose for yet _another_ reason!

------
kragen
This link has an autoplay video with sound. Can we get some kind of title
warning on these, like the [pdf] or [1927] warnings? I really don't want to
click on these without being prepared. Lacking a better alternative, for now,
I'm just flagging it.

~~~
jmcdiesel
"This link has an autoplay video with sound."

Are we really getting this finicky now? Like, I'm usually on the more
compassionate side of listening to people's concerns, but being offended by a
video playing is just... sissified to the max.

~~~
grzm
I don't read your parent as being offended. I'm annoyed by autoplay videos
myself. I don't think a tag is necessary, but I understand where they're
coming from. Please be a little more charitable in reading others' comments. No
matter how they post, there's never a reason to make it worse.

------
heyravi
Soo. Do we get money? Or smth. I use bose wireless headphones.

~~~
orthecreedence
Yes, look out for your $2.4M check in the mail.

------
heyravi
So, do we get money or something? That would be nice. I use Bose Wireless
headphones.

------
snakeanus
Yet another spying case that could be avoided if people stopped using non-free
software.

~~~
zepto
Maybe they should take it a step further and not use software at all.

Also looms are destroying cottage industry and maybe it isn't too late to riot
some more against the enclosure of common grazing lands.

~~~
orthecreedence
> Maybe they should take it a step further and not use software at all.

You're being sarcastic, but do we really need an app to deliver sound to
headphones? I think that's a solved problem.

------
clubm8
Looks like you need to download a special app to enable this "feature":

> The lead plaintiff in the lawsuit is a man named Kyle Zak, who claims he
> followed the company's suggestion to "get the most out of your headphones" by
> downloading the Bose Connect app, and supplying information such as his name,
> phone number and email address.

~~~
0x0
It's the app you're being pushed heavily into downloading (even by iOS itself
as it is the "accessory accompanying app" as detected by the OS when
connecting the headset), for things like updating the headset firmware and
setting the bluetooth device name.

~~~
rconti
Thing is, no other bluetooth device I own needs its name to be set. I don't
care. I don't need to change the language. I don't plan to update the firmware
frequently, though if I do I can always just download the app, update, and
delete the app.

The ONLY feature I can see using is the managing bluetooth devices. I had 4
devices in my list -- old computer, new computer, old phone, new phone. Unless
you're around 3+ devices you regularly connect to, it's not really an issue.

My computer and phone are the only 2 devices that will be in range so I'll
never need to "manage" this. Again, think of all of the other devices that
only support connecting to ONE other device and don't need a proprietary app
to manage this.

------
perseusprime11
Suing companies for improving your products is not a great idea.

~~~
_jal
...Whereas underhandedly surveilling people who are naive enough to buy a
product from you and then profiting from the fruits of one's panty-sniffing is
a brilliant one?

~~~
russdpale
That completely depends upon the fine that is imposed, if any at all..

~~~
_jal
Not completely. I suspect the value Bose attaches to their brand name exceeds
zero.

