Class action suit: smart sex toys spy on their owners and transmit their masturbation habits

An anonymous woman has filed a class action suit against Standard Innovation, a company that makes We-Vibe "smart" sex toys that record exactly how their owners masturbate and transmit detailed dossiers, along with personally identifying information, back to the company.

The vibrator requires an account to unlock most of its features, which consist of "playlist" of vibrational patterns; these accounts live in We-Vibe's servers, and the vibrator sends telemetry from each use to We-Vibe to add to the account's file on its associated, named user.

NP, the anonymous woman suing Standard Innovation, says that she didn't realize the device was tracking her sexual activity until two researchers presented on the full scope of the device's data-gathering and transmission facility at the Defcon hacking conference, last summer.

In its defense, Standard Innovation says it has clarified its terms of service, and that the data it retained was "mostly anonymized" (note that most computer scientists believe that this is not possible). It will now allow its customers to opt out of spying during their sexual activity (assuming those users bother to read the new terms of service and understand what they mean).

Any data you collect will probably leak; any data you retain will definitely leak. If the NSA can't stop its secrets from leaking, what chance does Standard Innovation stand?

The Internet of Things business model is this: hardware margins start at 2% before falling to 0% (or negative); the only way to make money is to lock your customers into buying apps/consumables/parts/service from you (with DRM) and/or by collecting your customers' data in the hopes that someone will pay you for it. IoT startups have 6 months' runway courtesy of their investors, and every dollar they spend on security is a dollar they can't spend on runway to keep things rolling until they attain profitability (rare) or get acquired (a little less rare). IoT devices have the minimum viable security to keep them from actually bursting into flame as soon as they are plugged in, and they are maximally spying, and they use DRM to make it illegal to do security audits on them — and the people who make these decisions assume that when they destroy the lives of their customers, the company will either be out of business, or will be absorbed into Google or Facebook and thus this will not be their problem.

Apply that to sex toys, and it's easy to see how nightmarish it is. But it's not much better for nannycams, thermostats or home automation systems.

The smartphone app lets users "customize" their We-Vibe experience, unlock app-only "bonus" vibration modes such as the "cha-cha-cha" and the "crest," and "create unlimited custom playlists," according to the product's website. In the suit, N.P. says she bought a We-Vibe in May and used it "several times" until she realized that it was sending data about her usage practices back to Standard Innovation's servers, including when she used it, which vibration settings she used, and her email address.

The two researchers, known only as "followr" and "g0ldfisk," said they discovered the amount of data the app transmitted back to Standard Innovation when looking for security flaws (not an unheard of possibility when it comes to internet-enabled sex toys). After the presentation, a spokesperson for the company told CNET it would "clarify" its terms and conditions to make it more obvious that the app could transmit data, which was "mostly anonymized" was being used for "market research." It would also add the ability to opt-out. The company also posted a "commitment to customer privacy and security" on its website.

'Smart' Dildo Company Sued For Tracking Users' Habits
[Sara Morrison/Vocativ]