A class action lawsuit against an internet-connected pleasure device highlights the potential pitfalls a growing number of companies will face as they embrace connected technologies and seek to capitalize on the nascent internet of things (IoT).
Canada-based Standard Innovation owns We-Vibe, a “premium sensual lifestyle products” company that sells smart vibrators that can be controlled by a mobile app.
In 2016, hackers at the Def Con security conference in Las Vegas revealed how one of the company’s smart vibrators could be hacked, allowing an unauthorized user to take control of the device.
The hackers also revealed that the devices were sending usage data to Standard Innovation every minute. That data included the temperature of the device, and when the intensity of the vibration was changed. With that information, it would be possible for Standard Innovation to determine precisely when its customers were using their devices.
“Market research” or privacy violation?
Despite the fact that the We-Vibe privacy policy disclosed the data collection and the company issued a statement indicating that the data was to be used for “market research” purposes to improve its products, a class action lawsuit was filed last year alleging that not only was usage data being sent by devices to Standard Innovation, but that the email addresses of customers were being collected too.
According to reports, up to 300,000 people bought We-Vibe’s smart vibrator, and up to 100,000 people used the associated app.
As is common with class action lawsuits, Standard Innovation decided to settle rather than duke it out in court. On Monday, without admitting any wrongdoing, it agreed to pay $3.75 million to customers. In addition, it said it would stop collecting their email addresses and update its privacy policy to make its data collection practices clearer.
While the nature of the We-Vibe product makes for intriguing headlines, the reality is that companies in far less exotic lines of business are going to find themselves in similarly thorny situations as more and more of them embrace internet connected products ranging from intelligent assistants to thermostats to wearables.
Privacy pitfalls and the Internet of Things
The proliferation of the Internet of Things is considered one of the biggest opportunities that exists today. Some estimates peg the potential value of the IoT opportunity at upwards of $10 trillion.
But the security risks and privacy challenges created by the IoT are significant and every company that gets involved in the IoT in some fashion will have to consider the risks and privacy implications.
These not only have the potential to cause financial harm to companies when things go wrong, but IoT security problems and privacy mix-ups could inflict long-lasting reputational harm that could threaten companies’ ability to take advantage of the IoT altogether.
We-Vibe understandably captured lots of attention, but it’s hardly the only company that is already learning the hard way that security and privacy cannot be taken for granted when it comes to connected devices. A few of a growing number of examples:
- CloudPets, which makes a stuffed animal that can be connected to a mobile app so that children and parents can exchange audio messages, was apparently hacked, giving the attackers access to audio recordings of customers’ messages.
- Samsung came under fire when it was revealed that its Smart TV’s voice recognition system could capture “personal or other sensitive information” and that this information could be “transmitted to a third party.”
- Amazon was recently gearing up to fight a police department’s demand that it turn over information collected from a murder suspect’s Echo. The matter was resolved when the suspect consented to Amazon providing the information, but the case highlighted the potential for future conflicts over data collected by voice-activated intelligent assistant devices.
Obviously, despite the risks, businesses shouldn’t necessarily shy away from the IoT out of fear. But with lawyers ready to pounce, companies will need to make security and privacy their top two priorities when pursuing IoT opportunities.