Privacy Lessons From the Intimate of Things

The Internet is already everywhere, but we expect it to penetrate our lives even further, interacting with all of the devices, infrastructure, and environment around us. This phenomenon is known as the “Internet of Things” (IoT), described in 2014 by Jacob Morgan in Forbes as follows:

Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig.

The IoT has been in vogue for the past several years, giving rise this week to a new technology accelerator program launched in Toronto focusing on smart city innovation.

The possibilities of interconnecting the world around us are limitless, but also give rise to security and privacy concerns. This is especially true when you consider how much sensitive information is gleaned from the interconnection of different data points, which is emphasized by Daniel Burrus in Wired,

…the real value that the Internet of Things creates is at the intersection of gathering data and leveraging it. All the information gathered by all the sensors in the world isn’t worth very much if there isn’t an infrastructure in place to analyze it in real time.

That said, there are some devices which are simply more intimate than others. Consider, for example, the We-Vibe product, which is owned by a Canadian company. We-Vibe provides an intimate pleasure device which connects to a smartphone by Bluetooth. The device is then controlled from the phone by an app, which also allows the user to communicate and interact with a partner.

Those connecting to their phone, and online, are subject to We-Vibe’s privacy notice, which states,

Using the We-Connect app

As with many applications, certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users.

But that’s not all that the app collects, according to class action plaintiffs in an American lawsuit. They allege that information about customers’ usage habits was also collected without their consent, including:

(1) the date and time of each use,

(2) the vibration intensity level selected by the user,

(3) the vibration mode or pattern selected by the user, and

(4) where available, the email address of customers who registered with the app.

Taken together, this information proved to be particularly sensitive to the plaintiffs, who claimed a violation of the Federal Wiretap Act, intrusion upon seclusion, and unjust enrichment,

21. To collect its customers’ Usage Information, Defendant designed and programmed We-Connect to continuously and contemporaneously intercept and monitor the contents of electronic communications that customers send to their We-Vibe devices from their smartphones, such as operational instructions regarding the users’ desired vibration intensity level and desired vibration “mode” or pattern. In other words, whenever users interact with their We-Vibe through We-Connect, Defendant intercepts the content of those interactions sent to the We-Vibe devices.

22. Defendant also designed and programmed We-Connect to transmit the contents of the Usage Information to its servers in Canada.

On March 14, 2017, a federal judge in the Northern District of Illinois provided preliminary approval of a settlement in the action, including monetary damages, deletion of the contentious data collected, and changes to the company’s privacy policies. We-Vibe agreed that it would no longer require registration through the app, would not collect email addresses outside of communications or registration purposes, would update its privacy policies to be more transparent, and would provide an opt-out option for any disclosure of information.

The case helps illustrate that new and innovative technologies come with a particular risk of offending consumers, especially in the early days of the IoT, and particularly when dealing with sensitive matters.

The interjurisdictional nature of these claims, given that the data is sent through the Internet, is worth noting. In this case it was largely American consumers who had sued a Canadian company.

Finally, the fact that the data was hacked last year at a DEF CON conference may have triggered the suit. Vulnerabilities in interconnected devices may be exposed by interested third parties, even though there may not be any actual breach to complain about.

David Brown of BakerHostetler states,

As the IoT market continues to expand and more devices become interconnected, privacy concerns over the data collection practices of IoT device makers as well as the security of those devices may lead to more class actions and increased regulatory scrutiny. Although the We-Vibe maker maintains that users consented to the conduct alleged in the complaint and that it disclosed the collection of data in its privacy policy, this settlement highlights the importance of drafting company- and product-specific privacy policy disclosures as opposed to pro forma policies that use generalized statements.
