Naked Security

Maker of smart vibrator sued for snooping on customers’ use

We probably don't want strangers to know whether we prefer the settings pulse, wave, echo, peak and/or "cha cha cha." Whatever those are.

It’s been a tough month for the makers of teledildonics.

For starters, hackers at the Def Con security conference in August revealed that they’d reverse-engineered Bluetooth- and internet-enabled adult toys to show that the internet of vibrating things is as full of vulnerabilities as the regular old non-vibrational internet of things (IoT).

They chose to reverse-engineer one particular product: the We-Vibe 4 Plus from a company named, blandly enough, Standard Innovation Corp.

As Gizmodo reports, the hackers revealed that the smart vibrators transmit user data that includes heat level and vibration intensity to the company in real time.

An example: the vibration settings for We-Vibe cover standard sensations like pulse and wave, as well as some more exotic settings, like echo, peak and “cha cha cha.”

After Def Con and its cha-cha-cha revealing session, things got worse still for Standard Innovation. Things got, in fact, litigious.

As Courthouse News reports, a woman from Illinois has filed a class action suit against the company.

The five-count complaint reportedly asserts violations of the Federal Wiretap Act and Illinois Eavesdropping Statute; intrusion upon seclusion; unjust enrichment; and consumer fraud.

The woman, identified in court papers only by the initials N.P., bought herself a vibrator from an Illinois retailer in May.

We-Vibe vibrators can be connected to users’ mobile phones by way of the We-Connect app.

Then away we go, ramping up the intensity and, apparently, the data suckage.

According to the 2 September complaint, N.P. used it several times without realizing that “We-Connect monitors and records, in real time, how [users] use the device.”

The complaint also asserts that Standard Innovation failed to mention that it transmits the collected private usage information to its servers in Canada.

What’s at stake, N.P. claims, are intimate details such as …

…the date and time of each use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user, and incredibly, the email address of We-Vibe customers.

Yes, Standard Innovation confirmed, it does in fact collect “certain limited data”. It also pledged to make its terms and conditions clearer to consumers.

Last week, it put out a statement pledging “to improve transparency and to continue to enhance our data security measures.”

The company also said that it has engaged external security and privacy experts to conduct “a thorough review of our data practices with a view of further strengthening data protection for our customers.”

The We-Vibe maker said that the company’s updating the We-Connect app later this month. The update will include new in-app communication regarding privacy and data practices and a new feature for consumers to control how their data may be used.

We may have a tendency to nervously laugh at adult-themed content when it crosses over into the realm of privacy and information security, but things can get serious fast: that was made clear with last year’s horrific breach at cheaters’ site Ashley Madison.

That breach led to massive online dumps of user data and related extortion attempts.

It’s hard to imagine how people’s vibrator usage patterns could be used to extort them. However, it’s not so tough to see how crooks who get their hands on users’ email addresses could have a cyberbullying bonanza.

Slashdot reader BarbaraHudson, for one, argued on behalf of Standard Innovation, saying that to enable these kinds of smart devices, you can’t get around sharing information:

It kind of has to share that information if it’s going to be remotely controlled by someone else.

So where does that leave us if we want to have our smartphone-enabled sharing fun and keep our privacy?

We could start with learning how to secure the IoT. Here are 7 tips from Sophos’s Chester Wisniewski on how to do that!

7 Comments

Oh, you could extort someone over vibrator usage if you uncover that she has given remote access to multiple guys who don’t know about each other.


You could extort someone who owned and regularly used such a device, if that person said in public that such devices were sinful, forbidden by god, etc.


Texas has or had a law restricting ownership to 6 devices. Since the email addresses were sent, one could see how many devices someone owns. Though if they are all being controlled by multiple persons, it could get very confusing. What a tangled web. Why didn’t they create an id token like an email address hash?


Trigger warning here, but if you want to think how this could get scary, imagine if the hacker also has the user’s webcam compromised, and they didn’t buy a cover.

Wouldn’t even need a real-time hack, just set the computer to record video whenever the vibrator is in use.
