While the app is running, the app sends an HTTP (edit: HTTPS) request every time the track information changes or the volume changes.
When the track information changes it sends the artist, album and song name. When you change the volume it sends the new volume level.
Every request includes standard meta-data such as
* An _anonymous-id_
* Device serial number
* Information about whether wifi or cellular are connected and carrier name
* Device name, model and manufacturer
If there is interest I will write a blog post about potential ways to stop the data collection without removing the app :)
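An added example, not part of the original post: a small audit of captured analytics events (for instance, exported from an intercepting proxy on a device you own) that lists which fields fall into the categories described above and whether an anonymous id travels alongside a hardware identifier. The field names `anonymousId`, `context.device` and `context.network` follow Segment's published common fields; the `serial` key, the event names and all values are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed context block; the "serial" key and its placement are assumptions.
_CONTEXT = {
    "device": {"name": "Alice's Phone", "model": "ExamplePhone 1",
               "manufacturer": "ExampleCo", "serial": "SN-CONSTRUCTED-0001"},
    "network": {"wifi": True, "cellular": False, "carrier": "ExampleTel"},
}

# Constructed sample events shaped like analytics "track" calls.
SAMPLE_EVENTS = [
    {"type": "track", "event": "Track Changed",
     "anonymousId": "00000000-aaaa-4bbb-8ccc-000000000001",
     "properties": {"artist": "Example Artist", "album": "Example Album",
                    "song": "Example Song"},
     "context": _CONTEXT},
    {"type": "track", "event": "Volume Changed",
     "anonymousId": "00000000-aaaa-4bbb-8ccc-000000000001",
     "properties": {"volume": 42},
     "context": _CONTEXT},
]

# Leaf key names (lowercased) mapped to the privacy category they belong to.
LEAF_CATEGORIES = {
    "pseudonym": {"anonymousid"},
    "hardware_id": {"serial", "imei", "advertisingid"},
    "device_profile": {"name", "model", "manufacturer"},
    "network": {"wifi", "cellular", "carrier"},
    "content": {"artist", "album", "song"},
    "usage": {"volume"},
}


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, obj


def classify(path):
    """Return the category for a dotted path, or None if it is not sensitive."""
    leaf = path.rsplit(".", 1)[-1].split("[")[0].lower()
    for category, names in LEAF_CATEGORIES.items():
        if leaf in names:
            return category
    return None


def audit(events):
    """Summarise sensitive fields, id linkage and total body size of events."""
    fields = defaultdict(set)
    linked = defaultdict(set)
    total_bytes = 0
    for event in events:
        # Compact JSON size approximates the request body, not TLS/HTTP overhead.
        total_bytes += len(json.dumps(event, separators=(",", ":")).encode("utf-8"))
        pseudonyms, hardware_ids = set(), set()
        for path, value in flatten(event):
            category = classify(path)
            if category is None:
                continue
            fields[category].add(path)
            if category == "pseudonym":
                pseudonyms.add(str(value))
            elif category == "hardware_id":
                hardware_ids.add(str(value))
        # An "anonymous" id sent with a hardware id is linkable to the device.
        for pseudonym in pseudonyms:
            linked[pseudonym] |= hardware_ids
    return {
        "fields": {c: sorted(p) for c, p in fields.items()},
        "linked": {p: sorted(ids) for p, ids in linked.items() if ids},
        "body_bytes": total_bytes,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EVENTS), indent=2))
```
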
1. What's the estimated bandwidth impact of this data collection? Many users have very limited data use, and chatty messages on play/pause/volume change wouldn't be appreciated.
2. HTTP or HTTPS?
3. How does it work with other apps (like Google Music) that might provide more music details? Like does it send more information when the id3 tags have all the fields filled in? Things like comments, encoding, etc might also be transmitted. Streaming services like Spotify probably try to trim that as much as possible, but local files could have a lot more data.
4. Can you see anything about the anonymous id that might make it not that anonymous? I mean, the device serial number alone kind of defeats an anonymous id. But there's been a fair amount of work in reidentification of anonymous data, and many developers take shortcuts when generating their "anonymous" data. (https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...).
5. It's sending this data in the background, correct?
6. What does it send (if anything) during calls, emails, texts, map navigation, and voice commands?
2. Everything is secured with HTTPS! All the analytics messages, messages to Bose's servers and firmware checks are all over HTTPS. (The firmware file itself is downloaded over HTTP, but the URL is provided over HTTPS and the firmware may well be signed.)
3. A good question that needs further investigation :)
4. The anonymous id doesn't have any glaring information, at least not immediately from the analytics platform's documentation https://segment.com/docs/spec/identify/; however, yes, the other meta-data defeat the purpose of an anonymous id.
5. It is definitely sending the data while the app is in focus, and I believe while the app is open but not in focus. I am not 100% sure here as it was a very quick test.
6. Again something else to investigate :)
On another note, I wonder if any other wireless audio manufacturers are doing similar things.
As a side note, I can imagine why they'd want this information. Seeing what people are listening to and what volume settings are commonly being used would potentially help them tune future products better for their "average user".
Just curious if it was difficult to do. If more people knew how to, maybe this sort of activity wouldn't sneakily happen as often.
Provided you own and have physical access to your phone, you can use any number of proprietary/open free/costly tools to do so. (E.g. Fiddler http://www.telerik.com/fiddler, Burp https://portswigger.net/burp/ and mitmproxy https://mitmproxy.org/.)
In this case I used Fiddler; all I had to do was generate a custom root certificate (be warned, this is not a good idea in general; look up Superfish if you want an example of why installing custom root certificates can be bad), install that certificate on my device and then proxy my device through the computer running Fiddler.
This process is far better documented here: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/Conf... If you need any more help or advice, let me know.
I have used the approach of installing Wireshark on a PC operating as an access point, and it was easy enough to set up assuming you have the requisite equipment.
Go to URL chrome://flags in a new tab
Search for the ‘Enable tab audio muting UI control’ flag
Hit the ‘Enable’ link
Relaunch Chrome when prompted (on Chrome OS a full restart is required)
Now you can click the little speaker that appears next to the tab's close button when a tab is playing sound to stop that tab from playing audio.
God knows why this isn't enabled by default, somethingsomething advertising money...
The add-on put tabs on the side of the screen, and grouped them up into trees, which you could also collapse. So if you were to browse Wikipedia and click on all sorts of links, you'd have a whole tree with different branches. Then when you take a break, you just collapse the tree and start a new tree. Want to reference something from the Wikipedia tree? Just expand it again!
It worked really well with the session restore functionality of Firefox, which doesn't reload all tabs again when the browser launches. So you had very little performance impact for what felt like the perfect bookmark and tab integration.
So in order to reach 100+ tabs, it's just one hour of casual browsing per day and within a week you'll have 100 tabs open of Wikipedia trees, various clothing stores, a code problem tree or two, and a HN tree with all the little interesting links.
Then you may wonder why you wouldn't just bookmark pages and close tabs? Personally I open bookmarks a few times a year, but this Treestyle extension made me click around so many times per day.
(By the way, if anyone has found a similar add-on please let me know)
It's closer to 500 or so at a given time. I have a few instances that only run up a dozen or two tabs in their lifetimes.
I do lots of research on a variety of topics, and break it up with ADHD Wikipedia binges and the like, then with aggregators like HN it's very easy to open a dozen or two tabs and just start powering through them.
Some of these tabs sit for weeks, and some just rot away till they are irrelevant and I delete them. You could think of this as a temporary bookmarking system, much in the way you may have a filing cabinet but your desk still stays covered with mountains of papers that are relevant to your current work.
I keep a bookmark bar with just favicons and no text. Only my most-used sites for the domain on which the instance runs. When this bar fills up, that's it. I either make room for new items or they aren't important enough. I have a folder for more "long term" bookmarks that I basically never check. This way, I only keep links to stuff I currently need. Firefox doesn't load them on default so it's very quick and non-resource hungry. It has to be or I couldn't be running 3-4 instances of Firefox at once, when you factor in all of the VM overhead.
I don't use Tree Style tabs like sister comment suggests. I have an unorthodox browsing style that doesn't mesh well with the way it sorts tabs. Besides, the API it uses is indeed being phased out. I prefer using the location bar to quickly search my tabs.
In general, bookmarks just have a limited use-case for me because, if it's static and information-dense I would probably rather save an offline copy anyway in the spirit of doomsday prepping.
Noscript as the first line of defense against 3rd party scripts, uBlock in advanced mode for fine-tuning what content goes through, and uMatrix for being the safety net as well as providing cookie control and spoofing/referrer masking, since Cookie Monster still cannot work with multi-process mode.
I really wish uMatrix and uBlock would just combine forces or that uBlock would at least match uMatrix's privacy protection.
Sometimes it's absolutely infuriating when I have to spend 5 minutes configuring a new site before I use it, incrementally configuring and reloading, but my anger isn't directed towards my addons. It's directed towards the shitty website that requires a thousand external APIs to function properly.
When it's bad enough, it's a sign that I don't need to be using that website. After all, what is the point of having three layers of blocking (not counting my other addons) if I just let everything through anyway in order to use the site? I also don't allow any third-party cookies and that is non-negotiable for any service.
If it's absolutely critical, as in work-related or I cannot find my information elsewhere, I spin up a thinly-provisioned untrusted VM to minimize my exposure to malware and spy/tracking agencies.
All of this effort is completely pointless if you let yourself get pixeled or pinged with APIs like Google AJAX. And it's pretty much currently impossible to avoid getting pixeled entirely.
Until we fix the major security holes that allow beacons to track us, it's all just intellectual masturbation when we use these tools.
What I would like to see is an addon that intercepts all images and provides them as a tree to allow whitelisting of images, and a caching system similar to Decentraleyes.
I've been seeing this quite a lot in the last 2-3 months, perfectly reasonable comments that are [dead] for no discernible reason; could this be trolling or a form of botting?
If it's too much bother with NoScript making the page work, it probably wasn't worth wasting any time on it in the first place. So I gained time instead of lost!
It's a Procrustean approach but it works.
I've been "training" my Adblock+ and my NoScript for soooo long that by now most of the metrics/trackers/beacons/crap don't even load.
Source: I know one of the engineers who was on the project.
The reason why I bought a bluetooth toothbrush was for a wireless hardware clock, brushing timer, and ranking system which also really doesn't work correctly even with the app.
We are truly living in a modern fall of Rome. We will choke on our bluetooth enabled toothbrushes, 700 dollar juicer machines, our fucking fitbits. We've ravaged the earth to adorn ourselves with decadent shackles and we will reap the consequences with fake tans and ultra clean teeth.
In the past year I've gone from being an environmentalist to a big fan of the end times. We're going to eat ourselves out of a home, and a few billion years later, the Earth will still be here, not missing us at all. Fuck it, get three bluetooth toothbrushes next time.
You don't appreciate the diversity?
> We are truly living in a modern fall of Rome
(It's probably historically wrong, but still a popular belief.)
Fake tans are better than cancer and ultra clean teeth sounds like it would cut down on dental issues.
Something like 70% of Americans are vitamin-D deficient. Get some damn sunlight.
Phone apps...for a goddamn toothbrush. Were someone to ask me, "Mike, you do a lot of Bluetooth work, what if we BT-enabled our electric toothbrush...what kind of value could we add with that?" Because I'm horrible at coming up with creative ideas for new technologies, I'd come up with something lame like, say, maybe a "ranking system". I could add a "brushing timer", but a plain ol' Sonicare can do that without adding radios, so why bother? And my manager, because she's smart that way, says "meh, I guess it was a dumb idea, but never hurts to ask, right?" Except at Oral B they say, "outSTANDING, Jones! I think you're in line for a promotion!"
And don't take this personally, ecomhacker. You bought such a beast for your own good reasons and need not answer to me. I'm just both astounded and horrified that such a thing even exists.
I got the toothbrush because I am depressed/a drug addict and usually don't brush my teeth as often as I should. I was using a tracking app, but I figured since it was bluetooth I might be able to integrate it with the app I'm using for tracking. I figured it wouldn't support this out of the box, but I'm a CS/EE and figured if I was bored, it would be one more toy to play with.
TLDR, I've got money to burn and I'm spending it to avoid personal responsibility
I find it disturbing that we're moving to an era where even simple devices require the equivalent of a sonic screwdriver to make work.
I really, really wish we had a generic discovery, configuration and reporting protocol (like HTML forms but much more rigid and no styling) for configuring bluetooth devices that was open, and popular enough that companies would feel pressured to use it.
Then again, I really wish we had the exact same thing for IoT devices on the local network.
I swear, if it was good enough, and you marketed it to the Chinese knock-off manufacturers (who I assume would love to take some open source embedded code and not write their own), it might actually get enough momentum to force the brand names to support it as well.
That is, SNMP might make a good underlying protocol that something that is much more constrained might sit on top of. Ideally, a simpler markup language that can compile down to SNMP.
E.g. a "device" has one or more named "config-forms" (which an app might choose to represent each as a separate tab or section), with a well defined set of settings with a name, type (integer, decimal, sized string) and description. A device might have one or more "reports" which provide a consolidated view of particular variables.
Very simplistic, but with simplicity comes interoperability. SNMP by itself is far too general to support this without some constraints put on top of it (as far as I know, at least. I have experience with SNMP, but not a huge amount, and not for a long time).
I'm pretty much in the same place on SNMP... Had to do some integration with it 10 years ago. Had to even do some Google-fu to remember the name, since the only thing that would come to mind was SMTP.
Gamification of dental health! I think this is a good thing.
The downside is that ANC is on all the time, with no way to disable it. But they're actually better headphones.
The reason I got the app is because it does firmware updates. They've released quite a few updates to improve audio quality, noise cancelling, and compatibility with some devices.
One small note of optimism (but not coming from Bose) is this: http://imgur.com/a/ezLUi (i.e. the iOS on/off setting for Background App Refresh - I have it globally off for the whole device, always). So I don't think once the app is not running that there's an easy/Apple approved way for them to keep running the app to transmit data, etc.
I also just turned off Cellular Data for this...
If someone from Bose is reading this - just wow...
In any case, I would encourage everyone to delete the app at this point.
A white-list of companies that do NOT do this could also be useful, especially as alternatives to companies on the black-list.
Open source isn't a panacea when no one reads the code.
1) data is being collected (e.g. my precious steps/vitals/food intake on fitbit)
2) data is being transmitted to "mother ship" and then sold to everyone that is willing to buy (e.g. why on earth did iOS fitbit app want to connect to facebook??? and then I stopped using fitbit - of course I was using a throwaway email and false name/DoB to begin with)
3) data is being correlated and adding more juice to each user's profile (e.g. iOS fitbit app getting my IP, fake-name, throwaway-email, vitals, not-my-iOS advertising identifier)
No way around this. Only using a good hosts file, PMP, and Firewall IP (on iOS and for jailbroken devices). Anyone who runs stock iOS or Android is at the mercy of all "these people".
Using Segment as an example of an evil destination for data shows that this reporter is under-qualified to cover this story. I am not defending Bose here; just pointing out that the reporter doesn't exactly know the domain.
But the idea that the app can detect which music or podcasts I'm listening to, and build a profile from that -- if true, that would be shocking. Can anyone answer, is that even possible via iOS API's?
The user, again if they are or are employed by a HIPAA covered entity, might be, though.
General Data Protection Regulation Introduction:
That's just an analytics provider... I wonder if this claim is true, based on that example. Bose could just be collecting app logins, crashes, looking for usability pain-points, etc. Consulting agencies just throw that crap everywhere because it sounds good to a client.
A lot of consumers don't even know, as we see here.
Those who do know often don't understand the full implications.
The state of privacy and security in modern cars is particularly disturbing, as you say, and really needs a blunt, in-your-face public information campaign and preferably statutory regulation. But that would require the relevant governments to understand the dangers themselves, and I don't think most politicians are any better at knowing and understanding these things than anyone else.
Does anyone know any other headphone manufacturer that's got as good a sound + build quality as Bose?
"Well, your honor, he agreed.."
"YOUR USE OF THE SOFTWARE ALSO OPERATES AS YOUR CONSENT TO THE COLLECTION, TRANSMISSION AND STORAGE OF CERTAIN STANDARD NETWORKING INFORMATION, DEVICE USAGE DATA, AND BOSE PRODUCT INFORMATION VIA THE INTERNET TO SERVERS OWNED OR CONTROLLED BY BOSE OR OPERATED BY THIRD PARTIES ON BEHALF OF BOSE"
Listening data was not mentioned under a MAY INCLUDE section; however, of course it's covered by the blanket "data".
I know the US is relatively weak on such laws compared to some EU countries. This lawsuit might not go anywhere here, but there could very well be a strong case in, say, Germany.
No indication that the data collected (independently of Bose) is even anonymized.
The courts have repeatedly shown that a meeting of the minds is not required to be bound to an EULA contract. The consumer does not have to comprehend or understand their loss of rights in order to have them stripped.
I have no idea if their app collects this information too, but it's just a matter of time before someone becomes interested to it as it happens with any kind of data that can be used to profile people.
A person who listens to music at unusually loud levels SHOULD be charged more for insurance. Just as a 24 year old Asian single male software engineer in Mountain View gets charged more for car insurance. And if you have poor hearing skills, I sure as hell don't want you on my Marvel Studios audio engineering team (example)
It seems that you really want everyone to be treated equally when in reality it will never happen, and in fact comments like yours increase the disparity.
No one who I know personally, outside one or two folks who also work in tech and would fit perfectly with HN's demographic, cares about tech spying on them.
Friends of mine have gotten home assistants, video game console, smart TVs, etc for years without one thought of their data being sold to a third party.
And it is one reason why we are hurtling inexorably to Idiocracy...
Considering that code has creation and maintenance costs, I doubt this would ever actually reduce the price. They would just inflate the final price to cover the cost. And if it collects enough data to actually make money, the price reduction would probably not be significant enough to match perpetual data theft. Not to say that some people wouldn't go for it. It's amazing the lengths people will go to for free or cheap products.
But there's still the many liabilities of collecting, transferring and securing sensitive data. People who know the risks and hassles involved with identity theft would be very selective about these services.
Of course it would. What is the consumer benefit derived from the collection of this data?
If someone familiar with Amazon's hardware business and Kindle sales numbers could chime in, we could get a sense of whether the transparency approach works.
I'm curious if anyone knows a way to temporarily disable/enable apps without having to uninstall them. Android used to have a "Disable" button in the App Manager, but my current 6.0.1 phone isn't showing that for any apps. Am I missing something?
Bose is hardly the only app I would want to block. There are dozens of apps I might use only occasionally - a month or a year might go by between uses. But having to reinstall is just a cumbersome step.
I downloaded it again just now. Again, nothing I needed, deleted.
A side note:
One day I noticed the GPS icon on my iPhone was lighting up one evening even though none of the apps were using it. I opened up the app drawer to see which app was using it and it was Outlook. I immediately deleted the app and then I saw another app without GPS permissions access it...
I got goosebumps immediately and powered off my phone. Without a doubt in my mind I believe there's built in remote access tracking software in iOS. I know I sound crazy and a bit paranoid but I can't explain it.
Avoid """"smart"""" devices made by hardware manufacturers because hardware manufacturers don't know how to write software.
While I sympathize for the people who are affected by this, everyone should really avoid buying such manifestly bad products in the first place. We should really be doing our best to avoid "smart" TVs, "smart" headphones, and other superfluous and poorly done computerization.
If that works for you, get any decent pair of Shure IEMs (or anything that uses the MMCX connector). Then you can purchase a Bluetooth receiver that connects to any brand of MMCX IEMs. This is nice because now the most expensive part (the IEM) you can keep using for as long as you want while periodically upgrading the wireless component as new technologies emerge.
*edit put the x in the wrong place
Are there rules that prevent a US class action from including non-American customers? How hard would it be to commence a similar class action outside the US?
> Are there rules that prevent a US class action from including non-American customers?
Yes; purchases outside the US would generally be governed by the law of the jurisdiction in which they occurred.
> How hard would it be to commence a similar class action outside the US?
Depends on the applicable local law; class action might be easy, hard, or not available at all, depending on the jurisdiction.
However, can someone explain to me how this differs from other app analytics? Or, is the main issue that they failed to disclose this data collection and failed to offer an "opt out" toggle in settings?
The reaction wasn't unexpected. Especially since, while they were supposedly not directly purchasing or selling the data, they did help collect the data that Bose allowed themselves to buy or sell. And the TOS allows for third-party collection and use of data with little restriction.
I did grab a snapshot and the text, but it's quite full of personally identifying information - name, position and company, as well as links to their dropbox account. I think the information is important, but I'll try to leave out those details. Not that it would stop anyone determined to dig through case details.
In any case, maybe this will help people to discuss the points they were making and share their attitudes about them without receiving a massive Twitter storm.
> 1. The suit implies that [Company x] buys the data from Bose for marketing, advertising, targeting or profiling. We don’t do that. We help Bose collect event tracking data (like you send to Google Analytics) and send that data to their product analytics tools (like Mixpanel, Amplitude, Crashlytics, Crittercism, AWS Redshift, etc.) Analytics tools like this are used to create reports to understand how a product is being used or how a product is performing.
To be clear, no one thinks that you didn't do your job from the beginning in attempting to cover your legal bases. We're aware that analytics is a valid business. And that it has some valid use cases. But analytics is also an industry that gets abused frequently and doesn't self-regulate.
In this particular case, people are upset because the hardware is not completely functional without the app - so people can't just not use it or "opt out" without losing part of what they just paid a fair amount of money for. No one would use the app except for that functionality, so collecting information on "app use" when the use of the app is a manufactured scenario seems quite unfair for a high-end product.
When collecting data in these scenarios, you need to be explicit about what you're collecting and not deviate from it. Data overreach and intentionally vague language are both received poorly. It could be that they're only collecting audio metrics. But their TOS would also allow them to collect information on every running app at any time (ostensibly it could affect quality) or on phone contacts (like if you made a call using the hardware), device location, texts, calls, and could conceivably transmit even more sensitive information.
All it takes is one wide tie with a bright idea to slip that "feature" in. Furthermore, there's nothing stopping Bose from changing their TOS at a later point. So these "protections" don't really protect the consumer.
Bose chose language that gave them too much potential freedom, and they're paying for that. You just did your job, yes, but honestly the job probably wasn't required for this particular product.
Are we really getting this finicky now? Like, I'm usually on the more compassionate side of listening to people's concerns, but being offended by a video playing is just... sissified to the max.
Also looms are destroying cottage industry and maybe it isn't too late to riot some more against the enclosure of common grazing lands.
You're being sarcastic, but do we really need an app to deliver sound to headphones? I think that's a solved problem.
Software is a tool. People can't use tools that don't exist. If you want free software to win, get off your high horse and focus on making more/better free software.
> The lead plaintiff in the lawsuit is a man named Kyle Zak, who claims he followed the company's suggestion to "get the most out of your headphones" by downloading the Bose Connect app, and supplying information such as his name, phone number and email address.
It's promoted as the only way to update the headphones and to control what they connect to over Bluetooth.
The ONLY feature I can see using is the managing bluetooth devices. I had 4 devices in my list -- old computer, new computer, old phone, new phone. Unless you're around 3+ devices you regularly connect to, it's not really an issue.
My computer and phone are the only 2 devices that will be in range so I'll never need to "manage" this. Again, think of all of the other devices that only support connecting to ONE other device and don't need a proprietary app to manage this.
(i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and
(ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.
This right here. Music titles are bad enough, but titles and sources of podcasts and videos played through the headphones should be enough to upset even the most naive consumers. This amounts to a slice of your browsing history as it relates to audio and video content.
And this doesn't even account for the "third party SDKs, bound by privacy policies not covered in this document".