Bose Headphones Spy on Users, Lawsuit Says (fortune.com)
283 points by 0x0 on April 19, 2017 | 209 comments



(Created an account to post this) I downloaded the app on android and listened to a few songs on Spotify to find out what information was being sent.

While the app is running, the app sends an HTTP (edit: HTTPS) request every time the track information changes or the volume changes. When the track information changes it sends the artist, album and song name. When you change the volume it sends the new volume level.

Every request includes standard meta-data such as

* An _anonymous-id_

* Device serial number

* Information about whether wifi or cellular are connected and carrier name

* Device name, model and manufacturer

If there is interest I will write a blog post about potential ways to stop the data collection without removing the app :)


Questions this brings up:

1. What's the estimated bandwidth impact of this data collection? Many users have very limited data use, and chatty messages on play/pause/volume change wouldn't be appreciated.

2. HTTP or HTTPS?

3. How does it work with other apps (like Google Music) that might provide more music details? Like does it send more information when the id3 tags have all the fields filled in? Things like comments, encoding, etc might also be transmitted. Streaming services like Spotify probably try to trim that as much as possible, but local files could have a lot more data.

4. Can you see anything about the anonymous id that might make it not that anonymous? I mean, the device serial number alone kind of defeats an anonymous id. But there's been a fair amount of work in reidentification of anonymous data, and many developers take shortcuts when generating their "anonymous" data. (https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...).

5. It's sending this data in the background, correct?

6. What does it send (if anything) during calls, emails, texts, map navigation, and voice commands?


1. From the data I collected, the content of each message is roughly 1000-2000 bytes. This is not much on its own, but over the course of a day it could add up. It appears that messages are queued and sent in bulk when applicable, so I can't comment on bandwidth over time, as the app may chunk its requests. It may not even send messages when the screen is closed.

2. Everything is secured with HTTPS! All the analytics messages, messages to Bose's servers and firmware checks are over HTTPS (the firmware file itself is downloaded over HTTP, but the URL is provided over HTTPS and the firmware may well be signed).

3. A good question that needs further investigation :)

4. The anonymous id doesn't have any glaring information, at least not immediately from the analytics platform's documentation https://segment.com/docs/spec/identify/; however, yes, the other meta-data defeats the purpose of an anonymous id.

5. It is definitely sending the data while the app is in focus, and I believe while the app is open but not in focus. I am not 100% sure here as it was a very quick test.

6. Again something else to investigate :)


Assuming this app uses the Segment SDK, the SDKs are open source and you can see the implementation details yourself, e.g. https://github.com/segmentio/analytics-android. There's a high level overview at https://segment.com/blog/lifecycle-of-a-mobile-message.


I'd be really curious to see how this data is actually used on their end. I got my QC35s a few months ago and have been loving them, but was super disappointed when I read the article. I'll probably end up uninstalling the app for the time being, at least until it's resolved.

On another note, I wonder if any other wireless audio manufacturers are doing similar things.


I've been thinking about getting these. Does the app do anything particularly useful (I.e. Any important features I'd be missing out on by not having it)?

As a side note. I can imagine why they'd want this information. Seeing what people are listening to and what volume settings are commonly being used would potentially help them tune future products better for their "average user"


The app allows you to use 1 headphone as a relay to another bose bluetooth headphone to play music from the same source, as well as firmware updates, renaming the device name the headphone appears as under bluetooth and finally changing the language of the voiceover (which announces things like device connections and low battery)


I concur. Have and love QC35 (got them on right now). I only downloaded the app to test some settings change, I think. It's not particularly useful for anything else. Since I don't have to use it to pair, I'm not sure how I'd know when it was "running" or not, short of manually killing it in the iOS task launcher/killer thing. Time to just uninstall.


Did you packet sniff what is being sent out? Or do you have some intermediary running on the device itself?

Just curious if it was difficult to do. If more people knew how to, maybe this sort of activity wouldn't sneakily happen as often.


Unless an android app uses certificate pinning (https://security.stackexchange.com/questions/29988/what-is-c...), it is usually trivial to MITM its traffic passing through your phone.

Provided you own and have physical access to your phone, you can use any number of proprietary/open, free/costly tools to do so (e.g. Fiddler http://www.telerik.com/fiddler, Burp https://portswigger.net/burp/ and mitmproxy https://mitmproxy.org/).

In this case I used Fiddler. All I had to do was generate a custom root certificate (be warned, this is not a good idea in general; look up Superfish if you want an example of why installing custom root certificates can be bad), install that certificate on my device and then proxy my device through the computer running Fiddler.

This process is far better documented here: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/Conf... If you need any more help or advice, let me know.
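The two comments above describe, between them, what the intercepted traffic contained (track, volume, an anonymous id next to a device serial and carrier) and how it was intercepted (a proxy with its own root certificate installed on the phone). The following is an added example, not code from the original thread, from Bose or from Segment. It is a small mitmproxy addon whose core is a pure function that summarises one analytics request body and says whether it carries anything stronger than an anonymous id. It assumes the app posts JSON shaped like Segment's HTTP tracking API (a "batch" list of messages with "type", "anonymousId", "properties" and "context"), as the spec linked above describes; the endpoint host, the `properties.serial_number` key and the sample payload are assumptions constructed for illustration, and should be replaced with what your own capture shows.

```python
"""Audit analytics batches for device identifiers, as a mitmproxy addon.

Added example for this thread, not Bose's or Segment's code. It assumes the
app posts JSON batches shaped like Segment's HTTP tracking API: a top-level
"batch" list of messages, each with a "type", an optional "anonymousId" and a
"context" block. The endpoint host, the serial-number property name and the
sample payload below are constructed for illustration.
"""
import json
import logging
from typing import Any, Dict, List

try:  # only needed when loaded with: mitmdump -s audit_analytics.py
    from mitmproxy import http
except ImportError:  # the pure functions below need no proxy at all
    http = None

ANALYTICS_HOSTS = ("api.segment.io",)  # assumed; confirm against your own capture

# Dotted paths whose presence turns an "anonymous" event into a device profile.
IDENTIFYING_PATHS = (
    "anonymousId",
    "userId",
    "context.device.id",
    "context.device.name",
    "context.device.model",
    "context.device.manufacturer",
    "context.network.carrier",
    "context.ip",
    "properties.serial_number",  # assumed key; the thread only says a serial is sent
)


def _get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def audit_batch(body: str) -> Dict[str, Any]:
    """Summarise one request body: events seen, identifiers present, properties."""
    payload = json.loads(body)
    messages: List[Dict[str, Any]] = payload if isinstance(payload, list) else payload.get("batch", [payload])
    report: Dict[str, Any] = {"events": [], "identifiers": {}, "properties": {}}
    for msg in messages:
        if msg.get("type") == "track":
            report["events"].append(msg.get("event"))
        for path in IDENTIFYING_PATHS:
            value = _get_path(msg, path)
            if value is not None:
                report["identifiers"][path] = value
        # Free-text properties (artist, song, volume...) reveal what the user was doing.
        for key, value in (msg.get("properties") or {}).items():
            report["properties"].setdefault(key, []).append(value)
    return report


def is_identifying(report: Dict[str, Any]) -> bool:
    """True when the batch carries anything stronger than the anonymous id."""
    return any(path != "anonymousId" for path in report["identifiers"])


def request(flow: "http.HTTPFlow") -> None:
    """mitmproxy hook: log a summary of every analytics POST the device makes."""
    if flow.request.method != "POST" or flow.request.pretty_host not in ANALYTICS_HOSTS:
        return
    try:
        report = audit_batch(flow.request.get_text() or "")
    except (ValueError, AttributeError):  # not JSON, or not a message: ignore
        return
    logging.warning("%s identifying=%s %s", flow.request.pretty_url,
                    is_identifying(report), json.dumps(report))


# Constructed sample, shaped like a two-message Segment batch (track change + volume).
SAMPLE_BODY = json.dumps({
    "batch": [
        {
            "type": "track",
            "event": "Track Changed",
            "anonymousId": "7f2c-constructed-anon-id",
            "properties": {"artist": "Example Artist", "album": "Example Album",
                           "song": "Example Song", "serial_number": "SN-CONSTRUCTED-0001"},
            "context": {
                "device": {"id": "SN-CONSTRUCTED-0001", "name": "Phone", "model": "Phone",
                           "manufacturer": "Example Maker"},
                "network": {"wifi": True, "cellular": False, "carrier": "Example Carrier"},
            },
        },
        {
            "type": "track",
            "event": "Volume Changed",
            "anonymousId": "7f2c-constructed-anon-id",
            "properties": {"volume": 7},
        },
    ]
})
```

Run it with `mitmdump -s audit_analytics.py` after installing the mitmproxy CA on the phone and pointing the phone's proxy at the machine, as the comment above describes; `audit_batch` can just as well be fed request bodies exported from Fiddler or Burp. The point of keeping the summary logic separate from the hook is that the same function works on a saved capture, so the "is this really anonymous" check does not depend on having the proxy running.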


I recall older versions of one of those (forget which) generated a non-unique custom certificate, meaning anyone who had used it could be MITM'd with the same cert. It was changed later on, but it's a risk if you go with something poorly designed.


Not the above commenter, but here is a good summary of several ways it is possible to do this: http://stackoverflow.com/questions/9555403/capturing-mobile-...

I have used the approach of installing Wireshark on a PC operating as an access point, and it was easy enough to set up assuming you have the requisite equipment.


This kind of interception is quite easy to setup with https://mitmproxy.org even for https requests and on iOS as well. (I'm not affiliated but have just used the software before for a similar task)


Wow, thanks for all the replies!


Oddly enough, my Bose SoundLink speaker requests a "sync contacts" Bluetooth permission. Anyone know why?

http://m.imgur.com/JDiNdKz


Does it announce or display who is calling?


Reading about spying headphones on website where video with sound starts automatically and continues to play when pressing pause (but jumps to right corner, just like hoaxes for Windows 95 where "start" button evaded mouse) — we're living in adtechpunk world.


Enable the tab mute button that's existed in chrome for years but is still hidden:

Go to the URL chrome://flags in a new tab.
Search for the ‘Enable tab audio muting UI control’ flag.
Hit the ‘Enable’ link.
Relaunch Chrome when prompted (on Chrome OS a full restart is required).

Now you can click the little speaker that appears next to the tab's close button when a tab is playing sound to stop that tab from playing audio.

God knows why this isn't enabled by default, somethingsomething advertising money...


I believe that the button is disabled because it's too easy to click by mistake. You can mute a tab in the right click menu without turning on any flags.


Didn't know that! Thanks


It's enabled by default in Firefox.


Wow, this is awesome. Thanks for mentioning this. I've been using Firefox for months now (switched from chrome) and never knew about this feature in either browser.


When you regularly have open 100+ tabs in more than one instance of Firefox across multiple VMs, this is an absolutely indispensable feature. Before its time you would basically have to shut everything down and start over instead of finding that obscure tab that suddenly started belting out news headlines


What are you using 100+ tabs for?


People can use a ton of tabs for a ton of reasons. I used to do the same thing at times, when I used Treestyle tab in Firefox. But it's an old type of extension soon to be deprecated, and was giving me bugs on browser updates (maybe due to it being a XUL extension).

The add-on put tabs on the side of the screen, and grouped them up into trees, which you could also collapse. So if you were to browse Wikipedia and click on all sorts of links, you'd have a whole tree with different branches. Then when you take a break, you just collapse the tree and start a new tree. Want to reference something from the Wikipedia tree? Just expand it again!

It worked really well with the session restore functionality of Firefox, which doesn't reload all tabs again when the browser launches. So you had very little performance impact for what felt like the perfect bookmark and tab integration.

So in order to reach 100+ tabs, it's just one hour of casual browsing per day and within a week you'll have 100 tabs open of Wikipedia trees, various clothing stores, a code problem tree or two, and a HN tree with all the little interesting links.

Then you may wonder why you wouldn't just bookmark pages and close tabs? Personally I open bookmarks a few times a year, but this Treestyle extension made me click around so many times per day.

(By the way, if anyone has found a similar add-on please let me know)


Wow I've never heard of that. The most tabs I've ever personally used is around 25 to do some server stress testing (very low-scale). The most I've ever seen is around 35 from one of my coworkers that uses tabs instead of bookmarks for some reason.


I said 100+ per instance ;)

It's closer to 500 or so at a given time. I have a few instances that only run up a dozen or two tabs in their lifetimes.

I do lots of research on a variety of topics, and break it up with ADHD wikipedia binges and the like, then with aggregators like HN it's very easy to open a dozen or two tabs and just start powering through them.

Some of these tabs sit for weeks, and some just rot away till they are irrelevant and I delete them. You could think of this as a temporary bookmarking system, much in the way you may have a filing cabinet but your desk still stays covered with mountains of papers that are relevant to your current work.

I keep a bookmark bar with just favicons and no text. Only my most-used sites for the domain on which the instance runs. When this bar fills up, that's it. I either make room for new items or they aren't important enough. I have a folder for more "long term" bookmarks that I basically never check. This way, I only keep links to stuff I currently need. Firefox doesn't load them on default so it's very quick and non-resource hungry. It has to be or I couldn't be running 3-4 instances of Firefox at once, when you factor in all of the VM overhead.

I don't use Tree Style tabs like sister comment suggests. I have an unorthodox browsing style that doesn't mesh well with the way it sorts tabs. Besides, the API it uses is indeed being phased out. I prefer using the location bar to quickly search my tabs.

In general, bookmarks just have a limited use-case for me because, if it's static and information-dense I would probably rather save an offline copy anyway in the spirit of doomsday prepping.


You can right click the tab and "Mute Tab" without having to enable anything in the flags.


I wish they also had "mute all other tabs."


Sounds like a simple enough addon :)


Me too!


You don't have to put up with that. Protect yourself. Install uBlock Origin and NoScript.


Or another option: uBlock Origin + uMatrix. Playing embedded videos will need such an amount of configuration that you'll really want to watch it before bothering. This could be a positive or a negative, depending on the person :)


I use NoScript, uBlock Origin AND uMatrix on most of my instances.

Noscript as the first line of defense against 3rd party scripts, uBlock in advanced mode for fine-tuning what content goes through, and uMatrix for being the safety net as well as providing cookie control and spoofing/referrer masking, since Cookie Monster still cannot work with multi-process mode.

I really wish uMatrix and uBlock would just combine forces or that uBlock would at least match uMatrix's privacy protection.


Don't you find that your surfing is a configurational nightmare? Using uMatrix was doable, but I finally gave it up because it always interrupted my browsing. Adding NoScript to the mix would probably drive me insane. Do you have any special techniques? :)


It usually only takes a moment to configure uMatrix for any given site. However, adding NoScript into the mix means that, each time I allow a new script or group of scripts, I have to refresh so that previously unallowed external requests can be made and uMatrix can register them. uBlock is usually not a problem and I usually don't have to touch it, but sometimes I have to let a request or two through.

Sometimes it's absolutely infuriating when I have to spend 5 minutes configuring a new site before I use it, incrementally configuring and reloading, but my anger isn't directed towards my addons. It's directed towards the shitty website that requires a thousand external APIs to function properly.

When it's bad enough, it's a sign that I don't need to be using that website. After all, what is the point of having three layers of blocking (not counting my other addons) if I just let everything through anyway in order to use the site? I also don't allow any third-party cookies and that is non-negotiable for any service.

If it's absolutely critical, as in work-related or I cannot find my information elsewhere, I spin up a thinly-provisioned untrusted VM to minimize my exposure to malware and spy/tracking agencies.

All of this effort is completely pointless if you let yourself get pixeled[0] or pinged with APIs like Google AJAX. And it's pretty much currently impossible to avoid getting pixeled entirely.

Until we fix the major security holes that allow beacons to track us, it's all just intellectual masturbation when we use these tools.

What I would like to see is an addon that intercepts all images and provides them as a tree to allow whitelisting of images, and a caching system similar to Decentraleyes[1].

[0] https://en.wikipedia.org/wiki/Web_beacon#Implementation

[1] https://addons.mozilla.org/en-US/firefox/addon/decentraleyes...
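The comment above wishes for an add-on that intercepts every image and offers a tree of them for whitelisting, because beacons (the 1x1 images from [0]) get through the script-level blockers. As an added example, not an existing add-on and not code from the thread, here is the classification step such a tool needs: it parses a page's HTML and marks each `<img>` with the beacon indicators that fired (tiny dimensions, hidden style, third-party host, long query string carrying an identifier). The HTML sample and the host names in it are constructed for illustration; the first-party test uses a crude "last two labels" site comparison, which is an assumption that breaks on two-level public suffixes such as co.uk.

```python
"""Flag likely tracking pixels ("web beacons") among a page's <img> tags.

Added example for this thread, not an existing add-on. It applies the usual
beacon heuristics: an <img> that is 1x1 or smaller, hidden via inline style,
fetched from a host outside the page's own site, or carrying a long query
string. The sample HTML below is constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> (and <img/>) tag."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def _dimension(value: str) -> Optional[int]:
    """Parse "1", "1px" or " 200 "; None when absent or not numeric."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def _site(host: str) -> str:
    """Crude registrable-domain approximation (assumption: no multi-label suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_images(html: str, page_url: str) -> List[Dict[str, object]]:
    """One record per <img>, in document order, with the indicators that fired."""
    page_host = urlsplit(page_url).hostname or ""
    parser = _ImgCollector()
    parser.feed(html)
    results: List[Dict[str, object]] = []
    for img in parser.images:
        src = img.get("src", "")
        parts = urlsplit(src)
        host = parts.hostname or page_host  # relative src resolves to first party
        reasons: List[str] = []
        width, height = _dimension(img.get("width", "")), _dimension(img.get("height", ""))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if host and _site(host) != _site(page_host):
            reasons.append("third-party")
        if len(parts.query) > 64:
            reasons.append("long-query")
        # A 1x1 image is a beacon on its own; otherwise require two indicators,
        # so a third-party CDN hero image is not flagged.
        results.append({"src": src, "host": host, "reasons": reasons,
                        "beacon": "1x1" in reasons or len(reasons) >= 2})
    return results


def beacons(html: str, page_url: str) -> List[str]:
    """Just the src values that look like beacons, i.e. what a whitelist prompt would show."""
    return [str(r["src"]) for r in classify_images(html, page_url) if r["beacon"]]


# Constructed sample page: a logo, a CDN hero image, a classic pixel and a hidden beacon.
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png" width="200" height="60" alt="logo">
<img src="https://cdn.example.com/hero.jpg" width="800" height="400">
<img src="https://pixel.tracker-example.net/p.gif?uid=abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789&ev=view" width="1" height="1">
<img src="//metrics.tracker-example.net/beacon" style="display: none">
</body></html>"""
```

In a real add-on the same records would be built from the browser's request list rather than from static HTML (beacons are often injected by scripts after load), but the classification and the whitelist prompt are the same. Note that it deliberately does not treat "third-party" alone as a beacon, otherwise every image CDN would be blocked and the user would whitelist everything, which is the failure mode the comment above complains about with script blockers.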


Sorry for going meta, but I find it very odd your comment was dead, as your GP post was not.

I've been seeing this quite a lot in the last 2-3 months, perfectly reasonable comments that are [dead] for no discernible reason; could this be trolling or a form of botting?


I use NoScript and uBlock.

If it's too much bother with NoScript making the page work, it probably wasn't worth wasting any time on it in the first place. So I gained time instead of lost!


I always suggest for people that are using Adblock+ to filter beacon, analytics, metrics, and other similar terms

It's a Procrustean approach but it works.


You don't need noscript if you enable dynamic filtering on ublock


AdNauseam is more fun.


We need in-page javascript popup blockers like we needed normal popup blockers 14 years ago.


Here's what I saw: http://imgur.com/a/B83o4


They have a video?? I didn't even notice! ;)

I've been "training" my Adblock+ and my NoScript for soooo long that by now most of the metrics/trackers/beacons/crap don't even load.


And recently rogue sites have figured out a way to hijack Chrome notifications to show ads.


Hmm, not pleased, we have two sets of the 35 earphones and I use the app - well, I have to, else I can't change some settings on the earphones. This is totally overstepping the boundaries of what earphones/headphones should be doing. Any company that collects my data and moves it from under my purview to theirs should have to display or expose this data in the exact form that it's collected to the user, so we can see exactly what it is. Not cool.


Bose (et al) thinks you're overstepping your bounds by having a problem with their monetization strategy.


I can't wait until my Bose® active suspension system tracks everywhere I drive and sells the data to local companies!

https://www.youtube.com/watch?v=q8sVDenpPOE


You'll be disappointed to know that project was axed more than a decade ago. The tech is incredible, but the only manufacturer they could interest in that level of performance at that high level of cost (Ferrari) had serious issues with the weight of the system. Ferrari declined to use it and invested more research into magnetorheological dampers, instead.

Source: I know one of the engineers who was on the project.


This reminds me of a Bluetooth toothbrush I just bought that requires my location to be enabled to change the settings via the Oral-B app, which is required since this model has fewer buttons than others.

The reason why I bought a bluetooth toothbrush was for a wireless hardware clock, brushing timer, and ranking system which also really doesn't work correctly even with the app.


> The reason why I bought a bluetooth toothbrush was for a ranking system

We are truly living in a modern fall of rome. We will choke on our bluetooth enabled toothbrushes, 700 dollar juicer machines, our fucking fitbits. We've ravaged the earth to adorn ourselves with decadent shackles and we will reap the consequences with fake tans and ultra clean teeth.

In the past year I've gone from being an environmentalist to a big fan of the end times. We're going to eat ourselves out of a home, and a few billion years later, the Earth will still be here, not missing us at all. Fuck it, get three bluetooth toothbrushes next time.


An age where "idiots are getting promoted for baseless ideas" is closer to the truth. This is why people who were traditionally more humble now have the obligation to speak out - but I often see them silenced at the tech companies they work for... These companies are often selectively listening to exactly the wrong people, who are usually in the minority in the company anyway!


>These companies are often selectively listening to exactly the wrong people, who are usually in the minority in the company anyway!

You don't appreciate the diversity?


You don't appreciate democracy? That's a pretty annoying way to start a discussion, if that's your intention here...


  We are truly living in a modern fall of rome
What on earth does this have to do with the fall of Rome? Why do you think the empire fell?


It is common to attribute the fall to decadence of Rome.

(It's probably historically wrong, but still a popular belief.)


>reap the consequences with fake tans and ultra clean teeth.

Fake tans are better than cancer and ultra clean teeth sounds like it would cut down on dental issues.


When you get a fake tan, how much of what chemicals is your body absorbing that all don't cause cancer?

Something like 70% of Americans are vitamin-D deficient. Get some damn sunlight.


cancers come in all shapes and sizes


Yep, all that money should have gone into raising intelligent children, the way natural selection intended it.


The reason why I bought a bluetooth toothbrush...

Phone apps...for a goddamn toothbrush. Were someone to ask me, "Mike, you do a lot of Bluetooth work, what if we BT-enabled our electric toothbrush...what kind of value could we add with that?" Because I'm horrible at coming up with creative ideas for new technologies, I'd come up with something lame like, say, maybe a "ranking system". I could add a "brushing timer", but a plain ol' Sonicare can do that without adding radios, so why bother? And my manager, because she's smart that way, says "meh, I guess it was a dumb idea, but never hurts to ask, right?" Except at Oral B they say, "outSTANDING, Jones! I think you're in line for a promotion!"

And don't take this personally, ecomhacker. You bought such a beast for your own good reasons and need not answer to me. I'm just both astounded and horrified that such a thing even exists.


Sorry for the late reply. I was hacking on some code.

I got the toothbrush because I am depressed/a drug addict and usually don't brush my teeth as often as I should. I was using a tracking app, but I figured since it was bluetooth I might be able to integrate it with the app I'm using for tracking. I figured it wouldn't support this out of the box, but I'm a CS/EE and figured if I was bored, it would be one more toy to play with.

TLDR, I've got money to burn and I'm spending it to avoid personal responsibility


Offtopic but that was an incredibly honest answer.


I actually don't mind a phone app for a toothbrush, but I surely do mind a proprietary phone app for just a toothbrush. Give me a generic app that allows me to discover local Bluetooth and IoT devices and prevents configuration for them through an open and highly standardized configuration protocol, and we'll have shifted back a bit more to utopia from dystopia, IMO.


> change the settings via the oral b app which is required since this model has less buttons than others.

I find it disturbing that we're moving to an era where even simple devices require the equivalent of a sonic screwdriver to make work.

I really, really wish we had a generic discovery, configuration and reporting protocol (like HTML forms but much more rigid and no styling) for configuring bluetooth devices that was open, and popular enough that companies would feel pressured to use it.

Then again, I really wish we had the exact same thing for IoT devices on the local network.

I swear, if it was good enough, and you marketed it to the Chinese knock-off manufacturers (who I assume would love to take some open source embedded code and not write their own), it might actually get enough momentum to force the brand names to support it as well.



I mean something that hasn't been overcomplicated and extended to the point that it's impossible to assume simple standard behavior.

That is, SNMP might make a good underlying protocol that something that is much more constrained might sit on top of. Ideally, a simpler markup language that can compile down to SNMP.

E.g. a "device" has one or more named "config-forms" (which an app might choose to represent each as a separate tab or section), with a well defined set of settings with a name, type (integer, decimal, sized string) and description. A device might have one or more "reports" which provide a consolidated view of particular variables.

Very simplistic, but with simplicity comes interoperability. SNMP by itself is far too general to support this without some constraints put on top of it (as far as I know, at least. I have experience with SNMP, but not a huge amount, and not for a long time).


Sure. I don't think SNMP is complete in any way for this solution... For instance, it communicates in OIDs, while a user interface would want names and data constraints at a minimum. But I also agree that it would make a good base to build on top of. I mostly just wanted to avoid the xkcd standards problem [0].

I'm pretty much in the same place on SNMP... Had to do some integration with it 10 years ago. Had to even do some Google-fu to remember the name, since the only thing that would come to mind was SMTP.

[0] https://xkcd.com/927/


There's a version of Poe's law at work here. I legitimately can't tell if you're seriously into some sort of competitive toothbrushing or if this is satire.


I am very surprised at the negativity in the reply to this. Of all things to gameify, brushing your teeth is a fantastic subject. It helps develop good habits for a personal and typically solitary activity.


Ranking system?!


I suppose you can compete with other people on who brushes the teeth more regularly and for the full required time.

Gamification of dental health! I think this is a good thing.


Better than gumification.


Submit your dental hygiene score to a central site. Build score boards and have monthly competitions! BRUSHER OF THE MONTH!


This reminds me of the time when a mass effect toothbrush helped save my ship from being stolen by my clone...


Huh. I always wonder if there are people who buy the garbage they show off at CES. I guess there are.


I also have two sets, they....were... awesome. I can't believe Bose would betray users trust like that when they're known for high quality products.


Sennheiser Momentum Wireless 2 headphones have better audio quality, and no need for an app.

The downside is that ANC is on all the time, with no way to disable it. But they're actually better headphones.


You don't need to use the app for QC35, I didn't know about it till I had them for a month.

The reason I got the app is because it does firmware updates. They've released quite a few updates to improve audio quality, noise cancelling, and compatibility with some devices.


Unfortunately the Bose QC35s also have ANC on all the time with no way to disable it.


With the QC35's you can plug them directly into a wired jack and shut the power switch off. They run fine with no ANC and without using battery.


/Not sure if serious.


I assume you're wondering if the "high quality" part is serious. The fact is, they do generally make good quality products. They may be overpriced for what they are (the "Bose tax"), but they're still good quality. Their current noise canceling headphones are considered among, if not the, best ones available right now.


I'm not a fan of Bose stereo equipment, but the QC35 headphones are excellent in basically every way.


What settings can you change in the app that are not available through the headphones?


Language, device name, firmware updates, voice-prompts, auto-off-timer, list of paired devices, multi-headset-mode, and so on. The app is almost mandatory, especially since iOS pushes you to download it on connect.


Interesting. I have QC35s but have never downloaded the app, although I have Android so I'm not sure how pushy iOS is. I've been able to use the headphones regularly without the App. The features you mention don't seem that important to me.


I've also never downloaded the app and, in fact, didn't even know it existed. I've never been notified about it in any fashion on iOS?


It isn't obvious, but the mention of the app is on the inner flap of the packaging

https://imgur.com/a/Uvzak


I have these headphones paired to a number of devices and the app makes managing that simpler (if, say, I want to prioritize the output from my phone instead of my laptop).


Ok, this is DEFINITELY NOT cool (+ the fact I own those and I have the app installed).

One small note of optimism (but not coming from Bose) is this: http://imgur.com/a/ezLUi (i.e. the iOS on/off setting for Background App Refresh - I have it globally off for the whole device, always). So I don't think once the app is not running that there's an easy/Apple approved way for them to keep running to app to transmit data, etc.

I also just turned off Cellular Data for this...

If someone from Bose is reading this - just wow...


It could easily store and forward data the next time you open the app though.


Correct, if it has meaningful storage on the headphones - anyone know if that's the case?

In any case, I would encourage everyone to delete the app at this point.



As an aside, whose idea was it at Fortune to have an autoplaying video that, when paused, starts playing again the moment you scroll down the page?!?


Don't know but presumably they were awarded a bonus.


"SVP of Digital Assemblance Strategy and Social Media Marketing"


Is anyone compiling a black-list of companies that implicitly charge users by quietly (or not-so-quietly) collecting their data? This is increasingly becoming the consumer protection issue of our time.

A white-list of companies that do NOT do this could also be useful, especially as alternatives to companies on the black-list.


If it has proprietary software and uses an internet connection, assume it is collecting your data.


"If it uses an internet connection, assume it is collecting your data." - FTFY.

Open source isn't a panacea when no one reads the code.


Hey, at least there you have the ability to intervene with telemetry quite easily.


I think that for ANYTHING that requires an app and connection to the internet, we all should take for granted that:

1) data is being collected (e.g. my precious steps/vitals/food intake on fitbit)

2) data is being transmitted to the "mother ship" and then sold to everyone that is willing to buy (e.g. why on earth did the iOS Fitbit app want to connect to Facebook??? and then I stopped using Fitbit - of course I was using a throwaway email and false name/DoB to begin with)

3) data is being correlated and adding more juice to each user's profile (e.g. iOS fitbit app getting my IP, fake-name, throwaway-email, vitals, not-my-iOS advertising identifier)

No way around this. Only using a good hosts file, PMP, and Firewall iP (on iOS and for jailbroken devices). Anyone who runs stock iOS or Android is at the mercy of all "these people".


If you jailbreak your device you open yourself up to other threats.


> According to the complaint, Bose ... shared it with ... Segment whose website offers to "collect all or your customer customer data and send it anywhere."

Using Segment as an example of an evil destination for data shows that this reporter is under-qualified to cover this story. I am not defending Bose here; just pointing out that the reporter doesn't exactly know the domain.


I would understand it if the app were tracking how often the headphones were connected, when they were actually being used, or possibly even which app is playing audio (e.g. how much are the headphones being used for listening to music vs podcasts vs videogames) -- although this should all be done anonymously.

But the idea that the app can detect which music or podcasts I'm listening to, and build a profile from that -- if true, that would be shocking. Can anyone answer, is that even possible via iOS API's?


The app shows metadata about the currently playing track, such as title and artist, so it really does look like it has full access to what is currently playing. This is discomforting. What if I am playing a locally synced file "board meeting xyz company case abc something secret in the title.mp3"


Or even worse, something HIPAA protected. They could be in for a world of hurt here.


Bose is not a HIPAA-covered entity and, if a user is or is working for one, probably they haven't had Bose sign a BAA, so Bose is not in any kind of trouble for any unauthorized disclosure of PHI.

The user, again if they are or are employed by a HIPAA covered entity, might be, though.


I live in Europe. Next year I and all other Europeans should be able to make a GDPR request for information to Bose and, at no cost, get a complete copy of all information Bose keeps on me.

https://ico.org.uk/for-organisations/data-protection-reform/...


I wonder if the UK will keep that particular EU regulation after its exit...


"The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR."

General Data Protection Regulation Introduction:

https://ico.org.uk/for-organisations/data-protection-reform/...


Time to make a playlist full of songs with these names and see if you can crash Bose servers:

https://github.com/minimaxir/big-list-of-naughty-strings/blo...


Their example of 'shared it with marketing companies, including a San Francisco firm called Segment whose website offers to "collect all of your customer data and send it anywhere."'

That's just an analytics provider.. I wonder if this claim is true, based on that example. Bose could just be collecting app logins, crashes, looking for usability pain-points, etc. Consulting agencies just throw that crap everywhere because it sounds good to a client.


This is increasingly common. Companies building data collection into products and marketing it as a 'feature'. Especially among car manufacturers, who are openly offering to sell this data. The unsettling part is most customers don't seem to mind.


> The unsettling part is most customers don't seem to mind.

A lot of consumers don't even know, as we see here.

Those who do know often don't understand the full implications.

The state of privacy and security in modern cars is particularly disturbing, as you say, and really needs a blunt, in-your-face public information campaign and preferably statutory regulation. But that would require the relevant governments to understand the dangers themselves, and I don't think most politicians are any better at knowing and understanding these things than anyone else.


wow! I own a couple of these headsets, and while I've never used the app (I don't feel the need to install an app for a headphone device thank you very much), I'm disappointed in Bose.

Does anyone know any other headphone manufacturer that's got as good a sound + build quality as Bose?


I'm loving my Sennheiser Momentum wireless phones. However, apparently the current king of the hill is the new Sony MDR-1000X. Better noise cancelling than Bose, and sound quality as good as the Sennheiser.


Haven't owned any high end equipment, but an audiophile friend really likes SHURE.


MKBHD (https://www.youtube.com/user/marquesbrownlee) has some really good, honest reviews of various consumer products. There is also The Wirecutter (http://thewirecutter.com/leaderboard/headphones/) for more of a consolidated overview.


Audio Technica is quite good.


So what are the chances this never goes anywhere thanks to a clickwrap EULA that's shoved into your face in 3pt font the moment the app starts?

"Well, your honor, he agreed.."


EULA for other Bose app (Connect EULA seems not to be available online): https://hearphones.bose.com/eula

"YOUR USE OF THE SOFTWARE ALSO OPERATES AS YOUR CONSENT TO THE COLLECTION, TRANSMISSION AND STORAGE OF CERTAIN STANDARD NETWORKING INFORMATION, DEVICE USAGE DATA, AND BOSE PRODUCT INFORMATION VIA THE INTERNET TO SERVERS OWNED OR CONTROLLED BY BOSE OR OPERATED BY THIRD PARTIES ON BEHALF OF BOSE"


IANAL, but haven't courts thrown out terms in click-through EULAs because a user wouldn't reasonably have been aware of what they were agreeing to?


Thanks Bose. This is enough to make sure I never touch the crap you sell


I read it on my device but it said NOTHING about tracking listening. Though of course it did say "we may collect data.. this data MAY INCLUDE date/time of opening the app.."

Listening data was not mentioned under a MAY INCLUDE section, however of course it's covered by the blanket "data".


IANAL but in the EU it doesn't matter what the EULA says unless the app makes it very explicit that it's tracking this kind of personal usage data.


IANAL, but that language does not seem to permit selling of the data to third parties.


It doesn't say they can't resell it - or transfer it.


I suppose that's really the heart of the matter, isn't it? When should a company be able to collect what would otherwise be private information protected by law? And if they do collect it, what does the law provide as default protections on selling or transferring that private information?

The "Privacy Policy" bits posted by aaronpk [0] only speaks to collecting what engineers would call telemetry information. It has zero mention of collecting other data, and zero mention of reselling the data.

I know the US is relatively weak on such laws compared to some EU countries. This lawsuit might not go anywhere here, but there could very well be a strong case in, say, Germany.

[0] https://news.ycombinator.com/item?id=14148461



Scary. "The third parties are not bound by this privacy policy, but by their own privacy policies, which we won't link to or spell out all of our third party companies."

No indication that the data collected (independently of Bose) is even anonymized.


High chances.

The courts have repeatedly shown that a meeting of the minds is not required to be bound to a EULA contract. The consumer does not have to comprehend or understand their loss of rights in order to have them stripped.


What I think would be interesting is: what if a company like this made an app like this, but then clearly stated to users that it'd be collecting data on them and sending it to marketers? They could even pitch it as helping to keep prices "low". How much would this hurt sales? Would it even hurt sales at all? Given the proliferation of "smart TVs" and various IoT devices, I'm extremely skeptical that a company would experience any decrease in sales by simply being honest about their collection of data. The only reason these companies are getting in trouble is because they're sneaky and dishonest and try to hide their data-collection activities. Google has a gigantic business involving collecting user data, without hiding this fact, and they're extremely successful.


The problem is that they could do some damage to the user even in perfect good faith. Just think about someone who listens to music at unusually high levels or with channels heavily unbalanced compared to someone with normal hearing abilities. That innocuous information if leaked could hurt the user's insurance or job opportunities.

I have no idea if their app collects this information too, but it's just a matter of time before someone becomes interested in it as it happens with any kind of data that can be used to profile people.


> Just think about someone who listens to music at unusually high levels or with channels heavily unbalanced compared to someone with normal hearing abilities. That innocuous information if leaked could hurt the user's insurance or job opportunities.

A person who listens to music at unusually loud levels SHOULD be charged more for insurance. Just as a 24 year old Asian single male software engineer in Mountain View gets charged more for car insurance. And if you have poor hearing skills, I sure as hell don't want you on my Marvel Studios audio engineering team (example)

It seems that you really want everyone to be treated equally when in reality it will never happen, and in fact comments like yours increase the disparity.


Honestly I don't think so.

No one who I know personally, outside one or two folks who also work in tech and would fit perfectly with HN's demographic, cares about tech spying on them.

Friends of mine have gotten home assistants, video game console, smart TVs, etc for years without one thought of their data being sold to a third party.


I think, sadly, that this is the essence of the "problem". That is, few people outside of those who know about consumer data collection actually care about it.

And it is one reason why we are hurtling inexorably to Idiocracy...


> They could even pitch it as helping to keep prices "low".

Considering that code has creation and maintenance costs, I doubt this would ever actually reduce the price. They would just inflate the final price to cover the cost. And if it collects enough data to actually make money, the price reduction would probably not be significant enough to match perpetual data theft. Not to say that some people wouldn't go for it. It's amazing the lengths people will go to for free or cheap products.

But there's still the many liabilities of collecting, transferring and securing sensitive data. People who know the risks and hassles involved with identity theft would be very selective about these services.


Today's discount is tomorrow's fee waiver.


> Would it even hurt sales at all?

Of course it would. What is the consumer benefit derived from the collection of this data?


Many consumers don't see their metadata as having any value to them so see giving it up as zero cost... Hence they don't care at all about tracking.


In the given example the benefit is stated as lower prices.


This example would only work if you had the same product in two different price ranges, e.g. $350 without tracking and $300 with tracking or something similar.


Amazon does this with Kindles.

If someone familiar with Amazon's hardware business and Kindle sales numbers could chime in, we could get a sense of whether the transparency approach works.


Depends on the price reduction. Those earbud noise cancellation speakers go for like $200. If you could cut the price in half, I'd get them. They'd pretty much know which movies I watch and what flight I'm on, but so do a lot of other people that give me no benefit.


I have the 35s. How does one get in on signing the class action? Or can you only do this after it has gone to trial and has gone in favor of plaintiff?


Disgusting... I just deleted the app, however I hadn't opened it for a while, anyone know / can guess if it had still been sending stuff out (e.g. as a background process of some sort)?


Timely, considering I was just thinking about buying a Q35 tonight. (Oh who am I kidding, I'm probably still going to do it).

I'm curious if anyone knows a way to temporarily disable/enable apps without having to uninstall them. Android used to have a "Disable" button in the App Manager, but my current 6.0.1 phone isn't showing that for any apps. Am I missing something?


I've got a Q35, I installed the app to set it up, but deleted it later, and have never been prompted again or anything, and everything works fine. So I think you can just delete it no problem.


I'm sure I could, but I would be missing out on the features I may want to occasionally use/change.

Bose is hardly the only app I would want to block. There are dozens of apps I might use only occasionally - a month or a year might go by between uses. But having to reinstall is just a cumbersome step.


You don't need the app. I used it once, just to see what it did.

I downloaded it again just now. Again, nothing I needed, deleted.


Just checked in the app, and they're very clear that they collect data and share it with 3rd parties.


Not surprised - I just assume every company that has my data which explicitly says it does not sell your data does.

A side note:

One day I noticed the GPS icon on my iPhone was lighting up one evening even though none of the apps were using it. I opened up the app drawer to see which app was using it and it was Outlook. I immediately deleted the app and then I saw another app without GPS permissions access it.. I got goosebumps immediately and powered off my phone. Without a doubt in my mind I believe there's built in remote access tracking software in iOS. I know I sound crazy and a bit paranoid but I can't explain it.


Devil's advocate: If iOS did have remote access tracking software built in, why would it tell you via the UI?


Avoid Bose headphones because they're overpriced and riding off brand recognition.

Avoid """"smart"""" devices made by hardware manufacturers because hardware manufacturers don't know how to write software.

While I sympathize for the people who are affected by this, everyone should really avoid buying such manifestly bad products in the first place. We should really be doing our best to avoid "smart" TVs, "smart" headphones, and other superfluous and poorly done computerization.


If you have a better suggestion for bluetooth + active noise cancelling please...be my guest...


If you don't mind IEMs, they offer superior sound blocking to over-ear headphones with active noise cancelling, especially with foam earpieces.

If that works for you, get any decent pair of Shure IEMs (or anything that uses the MMCX connector). Then you can purchase a Bluetooth receiver that connects to any brand of MMCX IEMs. This is nice because now the most expensive part (the IEM) you can keep using for as long as you want while periodically upgrading the wireless component as new technologies emerge.


Ok, what if you do mind IEMs?


I think he is referring to In-Ear Monitors.


Sony MDR-1000X. Better than Bose in both ANC and sound quality in every review I've read.


sony mdr-1000x

*edit put the x in the wrong place


As someone who's actually currently hunting for wireless noise-canceling cans, what's your suggestion? (other than IEMs or something I have to plug into another receiver) I'm quite satisfied with the sound of my Sennheiser 598s but they have a cable and are open back.


Brand loyalty can be tough. As an outsider to Bose, but a Sennheiser fan, that feeling of finding out you were not getting a fair deal in this case is pretty bad. Bummer.


Agreed. I've been a Bose customer for over the past decade, buying a new pair of headphones every couple years. While I get that people criticize them for a number of good reasons, I don't mind paying a bit more for a premium product that I use daily. That they offered great discounts for returned/broken headphones has kept me a customer for a long time. In the next year or two I'll probably be getting a new pair of wireless headphones, as that seems to be clearly the way that things are going. Bose would have been a simple choice, but now they're not. As a customer it's frustrating to see companies whose products I enjoy using compromise my trust in them with such short sighted actions.


I haven't downloaded the app, does that mean that I was not "spied" on? Is there any indication that Bose could collect data w/o use of the app?


Since the headphones only have bluetooth available, it's hard to imagine it transporting the information anywhere without the application, even if the headset still aggregates information.


I own both the headphones and the speaker mentioned in the article and have the app installed. It's a sad reflection on the state of privacy, but my first reaction to reading the article was getting excited about possible class action $$. Data collection like this is so commonplace nowadays it's hard to be surprised. Still disappointed in Bose though.


Lawyerly people - the class action lawsuit defines the class as restricted to customers who bought their headphones in the United States.

Are there rules that prevent a US class action from including non-American customers? How hard would it be to commence a similar class action outside the US?


IANAL, but:

> Are there rules that prevent a US class action from including non-American customers?

Yes; purchases outside the US would generally be governed by the law of the jurisdiction in which they occurred.

> How hard would it be to commence a similar class action outside the US?

Depends on the applicable local law; class action might be easy, hard, or not available at all, depending on the jurisdiction.


I deleted the app based on this allegation.

However, can someone explain to me how this differs from other app analytics? Or, is the main issue that they failed to disclose this data collection and failed to offer an "opt out" toggle in settings?


I skimmed the document but I didn't see any proxied traffic, packet traces or other evidence. What am I missing? Is it normal to file a class-action lawsuit like this without a giant pile of forensic evidence?


For those that missed it, a representative from one of the other companies named in the suit helpfully dropped in to provide additional context on their company's part in this. It even had a super positive "happy to answer ... questions" attitude. It was deleted in a few minutes as they realized how poorly that was going to turn out.

The reaction wasn't unexpected. Especially since, while they were supposedly not directly purchasing or selling the data, they did help collect the data that Bose allowed themselves to buy or sell. And the TOS allows for third-party collection and use of data with little restriction.

I did grab a snapshot and the text, but it's quite full of personally identifying information - name, position and company, as well as links to their dropbox account. I think the information is important, but I'll try to leave out those details. Not that it would stop anyone determined to dig through case details.

In any case, maybe this will help people to discuss the points they were making and share their attitudes about them without receiving a massive Twitter storm.

> 1. The suit implies that [Company x] buys the data from Bose for marketing, advertising, targeting or profiling. We don’t do that. We help Bose collect event tracking data (like you send to Google Analytics) and send that data to their product analytics tools (like Mixpanel, Amplitude, Crashlytics, Crittercism, AWS Redshift, etc.) Analytics tools like this are used to create reports to understand how a product is being used or how a product is performing.

> 2. The suit claims that the event tracking was done unexpectedly and in secret, but that’s not true. We require that our customers (like Bose) get appropriate customer consent, not collect any data in violation of the law, and not pass segment any sensitive customer information as defined in applicable laws. To the best of our knowledge, Bose complies with all of that. On the main screen of the app, there’s a link to “Privacy Policy” front and center

To be clear, no one thinks that you didn't do your job from the beginning in attempting to cover your legal bases. We're aware that analytics is a valid business. And that it has some valid use cases. But analytics is also an industry that gets abused frequently and doesn't self-regulate.

In this particular case, people are upset because the hardware is not completely functional without the app - so people can't just not use it or "opt out" without losing part of what they just paid a fair amount of money for. No one would use the app except for that functionality, so collecting information on "app use" when the use of the app is a manufactured scenario seems quite unfair for a high-end product.

When collecting data in these scenarios, you need to be explicit about what you're collecting and not deviate from it. Data overreach and intentionally vague language are both received poorly. It could be that they're only collecting audio metrics. But their TOS would also allow them to collect information on every running app at any time (ostensibly it could affect quality) or on phone contacts (like if you made a call using the hardware), device location, texts, calls, and could conceivably transmit even more sensitive information.

All it takes is one wide tie with a bright idea to slip that "feature" in. Furthermore, there's nothing stopping Bose from changing their TOS at a later point. So these "protections" don't really protect the consumer.

Bose chose language that gave them too much potential freedom, and they're paying for that. You just did your job, yes, but honestly the job probably wasn't required for this particular product.


So is this only if you're using the app it's able to build a profile? I love these headphones but I believe I only ran the app the first time I used them to pair it


That's frustrating. I am glad I chose a different brand of wireless headphones than Bose for yet another reason!


This link has an autoplay video with sound. Can we get some kind of title warning on these, like the [pdf] or [1927] warnings? I really don't want to click on these without being prepared. Lacking a better alternative, for now, I'm just flagging it.


"This link has an autoplay video with sound."

Are we really getting this finicky now? Like, I'm usually on the more compassionate side of listening to people's concerns, but being offended by a video playing is just... sissified to the max.


I don't read your parent as being offended. I'm annoyed by autoplay videos myself. I don't think a tag is necessary, but I understand where they're coming from. Please be a little more charitable in reading others' comments. No matter how they post, there's never a reason to make it worse.


Depends if you click the link while at work in an open plan office, so you can check out the tab later and the audio starts playing.


Just like [year] warnings are for people offended by dates! Damn sissies, right?


Video? No. Sound? hell yeah.


That's not what flagging is for.


Maybe it should be.


That's certainly a debate I'm willing to have, but as of right now flagging doesn't exist to let HN admins know you don't like a website's ad structure.


Soo. Do we get money? Or smth. I use bose wireless headphones.


Yes, look out for your $2.4M check in the mail.


So, do we get money or something? That would be nice. I use Bose Wireless headphones.


Yet another spying case that could be avoided if people stopped using non-free software.


Maybe they should take it a step further and not use software at all.

Also looms are destroying cottage industry and maybe it isn't too late to riot some more against the enclosure of common grazing lands.


> Maybe they should take it a step further and not use software at all.

You're being sarcastic, but do we really need an app to deliver sound to headphones? I think that's a solved problem.


I'm tired of the implication that using non-free software for which a free alternative does not exist is inherently stupid.

Software is a tool. People can't use tools that don't exist. If you want free software to win, get off your high horse and focus on making more/better free software.


Looks like you need to download a special app to enable this "feature"

>The lead plaintiff in the lawsuit is a man named Kyle Zak, who claims he followed the company's suggestion to "get the most out of your headphones" by downloading the Bose Connect app, and supplying information such as his name, phone number and email address.


The Bose Connect App is not a special feature.

It's promoted as the only way to update the headphones and to control what they connect to over Bluetooth.


Bose describes the Bose Connect app as being for firmware updates and advanced settings tweaking (noise reduction, sharing music between two headphones, etc). No mention of traffic monitoring and/or distribution to ad scum.


It's the app you're being pushed heavily into downloading (even by iOS itself as it is the "accessory accompanying app" as detected by the OS when connecting the headset), for things like updating the headset firmware and setting the bluetooth device name.


Thing is, no other bluetooth device I own needs its name to be set. I don't care. I don't need to change the language. I don't plan to update the firmware frequently, though if I do I can always just download the app, update, and delete the app.

The ONLY feature I can see using is managing bluetooth devices. I had 4 devices in my list -- old computer, new computer, old phone, new phone. Unless you're around 3+ devices you regularly connect to, it's not really an issue.

My computer and phone are the only 2 devices that will be in range so I'll never need to "manage" this. Again, think of all of the other devices that only support connecting to ONE other device and don't need a proprietary app to manage this.


Suing companies for improving your products is not a great idea.


...Whereas underhandedly surveilling people who are naive enough to buy a product from you and then profiting from the fruits of one's panty-sniffing is a brilliant one?


That completely depends upon the fine that is imposed, if any at all..


Not completely. I suspect the value Bose attaches to their brand name exceeds zero.


How would providing third parties with the information on what I'm listening to improve the headphones?


They are probably just tracking the quality of sound through the signals. Don't you think?


Don't you think? Nobody that read the article or the complaint itself thinks that.

https://www.scribd.com/document/345620278/Bose-Privacy-Compl...

(i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.


> and audio files

This right here. Music titles are bad enough, but titles and sources of podcasts and videos played through the headphones should be enough to upset even the most naive consumers. This amounts to a slice of your browsing history as it relates to audio and video content.


Got it. I thought it was routine telemetry data from other comments.


Wouldn't it be a good idea to actually read the article before commenting on it?


Who needs relevant facts when it would just distract from this perfectly good preconceived opinion I have right here?


What makes you believe this? Why would they not also send through names and fingerprints of played music so they can use those tracks to "improve compression over bluetooth for the things people are actually listening to"? I could see quite a few engineers thinking this is perfectly acceptable, without considering the repercussions.

And this doesn't even account for the "third party SDKs, bound by privacy policies not covered in this document".


Naive


Suing companies that are making your product worse is a great idea.

