Bose Lawsuit For Collecting Headphone Data Is Flimsy, But Highlights Continued Lack Of Real Transparency

from the dumb-tech-is-often-smarter dept

Being transparent about what private consumer data is being collected and sold appears to be a hard lesson for hardware vendors to learn. Earlier this month, Bose was hit with a new lawsuit (pdf) accusing it of collecting and selling personal subscriber usage data of the company's $350 QC 35 noise-canceling headphones. More specifically, the lawsuit claims that the Bose Connect smartphone companion app is collecting user preferences when it comes to "music, radio broadcast, Podcast, and lecture choices" -- and then monetizing that data without making it clear to the end user:

Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent...Though the data collected from its customers’ smartphones is undoubtedly valuable to the company, Defendant’s conduct demonstrates a wholesale disregard for consumer privacy rights and violates numerous state and federal laws.

To be clear, the complaint, filed last week by Bose customer Kyle Zak in federal court in Chicago, seems more than a little thin. The suit appears to piggyback on growing concern about the wave of internet of things devices (from televisions to smart dildos) that increasingly use internet connectivity to hoover up as much as possible about consumers. Often, this data is collected and transferred unencrypted to the cloud, then disseminated to any number of partner companies without adequate disclosure.

That said, while Bose marketing insists users need the app to "get the most out of your headphones" and get the "latest features" for their headphones, in this instance, users can avoid data collection by simply not using the Bose companion app. And while Bose only appears to be collecting metadata, the suit tries to somehow claim that collecting this type of metadata -- which any and every music service also happily collects -- somehow violates the Wiretap Act:

... customers must download and install Bose Connect to take advantage of the Bose Wireless Products’ features and functions. Yet, Bose fails to notify or warn customers that Bose Connect monitors and collects—in real time—the music and audio tracks played through their Bose Wireless Products. Nor does Bose disclose that it transmits the collected listening data to third parties.

Were Bose, say, using the headphone jack on a headset to monitor actual user communications, the case might have legs. That said, while the suit's central Wiretap Act claims may be weak, the suit once again highlights that consumer data collection policies, if disclosed at all, are often buried in overlong privacy policies few if any consumers actually read -- using language carefully crafted to obfuscate what precisely is happening. Bose doesn't really help its case all that much in a statement on its website that declares the lawsuit "inflammatory" and "misleading," before being a little misleading itself:

We understand the nature of Class Action lawsuits. And we’ll fight the inflammatory, misleading allegations made against us through the legal system. For now, we want to talk directly to you. Nothing is more important to us than your trust. We work tirelessly to earn and keep it, and have for over 50 years. That’s never changed, and never will. In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name.

While Bose insists it doesn't "sell your information" -- its app privacy policy does note that it "may partner with certain third parties" to "engage in analysis, auditing, research, and reporting" (hey, it's not selling if we call it something else). And while Bose may not personally identify you "by name," we've long noted that "anonymized" data is far from anonymous. Study after study has made it clear that it only takes a shred of additional contextual data to make "anonymous" data easily and personally identifiable. If "trust" were truly Bose's top priority, they'd actually explain precisely what the app is doing, who data is sent to, and why.

Again, many may not care that Bose is collecting this data. Especially in an age where everybody carries around a miniature computer in their pocket, happily oblivious that their every step and click are being monetized by cellular carriers, app vendors, OS makers, advertising networks, and everybody else in the food chain. The problem is that companies continue to believe there's nothing wrong with hoovering up every shred of data they can, then hiding this collection in overlong, carefully-worded privacy policies -- and the false sense of security "anonymization" is supposed to provide.

Filed Under: information, kyle zak, privacy, tracking, transparency, wiretap act
Companies: bose

Yes, There Are Other Laws That Protect Privacy, But FCC's Rules Were Still Helpful

from the setting-the-record-straight dept

There's been a lot of hype and confusion about Congress's decision (supported by the new FCC) to kill off the broadband privacy rules that were put in place late last year by the Tom Wheeler FCC, though they had not yet been officially implemented. As we noted, it's an unfortunate exaggeration (pushed by some well meaning folks) to say that ISPs will now be packaging up and selling individuals' specific browsing history. That's just not true. Some people responded to us by noting that just because that's not how the ad market works today, it doesn't mean that won't change. But... that's probably not the case. Don't get me wrong: getting rid of these privacy rules is still a really bad idea, but let's look a little deeper at what ISPs can't do, before we explain why those privacy rules are still important.

First off, as we noted, the market for internet data is not in sharing some sort of dossier on what you like, but rather connecting into a marketplace, where the information is shared for the purpose of displaying ads, but not in a way where your actual info goes to the advertiser. That is, when you, say, go shopping for a camera, and then start seeing ads for cameras everywhere, it's not that the camera makers now know that you, Joe Schmoe, like cameras. Instead, what happens is that some company took that info (Joe Schmoe is shopping for cameras) and that gets put into a marketplace where some real time bidding happens for ad placement, such that when Joe Schmoe visits another site, there's a near instantaneous call out for who will pay the most for the ad slot, and with that info is, effectively, this otherwise anonymous person was just looking at cameras, and the camera company will say "I'll pay an extra $0.0002 for that ad compared to the TV maker" and thus the camera ad gets shown. The camera maker or retailer never knows its Joe Schmoe, and doesn't somehow "know" anything more about Joe.

But... but... but... people say. There are data brokers out there who do sell more personalized profiles on you. And... that's true. Many of those companies are pretty awful. But that's unrelated to any of this. And, no, the ISPs can't just turn themselves into the next big data brokers.

Even without the privacy rules, there are rules that prevent that from happening. Section 222 of the Communications Act still stops carriers from selling your info. Of course, that's part of Title II of the Telecom act, so if the FCC or Congress figure out a way to roll back Title II, there is at least some greater concern. Separately, as Orin Kerr notes at the Washington Post, certain other "surveillance" activities by service providers are limited by the Wiretap Act -- and there are some fairly stiff penalties should a broadband provider end up on the wrong side of that. Kerr (and others) have used these laws to suggest that the privacy rules repeal isn't that big of a deal. That's inaccurate.

Both of these things can be true: repealing the privacy rules does not magically create a free-for-all with your ISPs out there "selling" your browsing history to the highest bidder and the privacy rules were useful and should not have been repealed.

The issues are -- as with so many things -- a bit more nuanced than folks on either side of the debate are making them out to be. Again, part of this goes back to the way in which online advertising works and the ways in which your data is mined and used.

Broadband providers have a fairly terrible history in respecting your privacy. No, they haven't been directly selling browsing history dossiers, but they do have long histories of snooping on you in ways that were (1) totally hidden from you and (2) extremely difficult to block. Both AT&T and Verizon, for example, were caught using nearly undetectable "super cookies" to secretly track users across multiple devices and networks -- which (despite promises that they couldn't be abused) were abused by advertisers.

And this gets back to another point that I've made repeatedly over the years: privacy is not a "thing," rather privacy is about a set of trade-offs, in which individuals recognize that they give up some privacy for some benefit and then get to decide if it's worth the trade-off. The extreme example I've used in the past is that if you leave your home to go to the store to buy some milk, you are giving up a tiny bit of privacy. Someone may see you leaving your house. They may recognize you. They may see that you're buying some milk. For most people, it's easy to judge the costs and benefits of that trade-off and to decide that the minimal loss of privacy is worth it for the ability to buy the milk (some people -- such as celebrities with paparazzi followings -- may view the trade-off differently).

But the really important thing in privacy settings is making sure that two things are true for individuals: (1) that they have the information necessary to weigh the benefits and costs of the trade-offs and (2) they have some control over those trade-offs and can adjust at least some aspects of them, by having the options be more granular and controllable.

The problem with ISP snooping and the related advertising efforts is that neither of these conditions tends to be met. The snooping is done in a way that is surreptitious and not at all clear to the end user, and their ability to control how it's done, and perhaps change some of the factors involved, is basically non-existent. The FCC's rules (somewhat weakly) were put in place to change that. First, they required more transparency about what your access provider was actually doing and, second, gave the end user more control by requiring opt-ins to particularly "expensive" behavior and opt-outs to less privacy-invasive offerings.

This is what makes people -- quite reasonably -- upset. If they were given transparent understanding of what was happening, with at least some ability to control the situation, then they could decide for themselves what information is worth giving up for what services. But, instead, the internet access industry and the online ad industry apparently continue to believe that the only way they can do what they want to do is to trick people into letting themselves be spied on, and to hide the reality of the situation. This is dumb, and will do much more harm than good to the internet in the long run.

The danger here is not so much that Verizon will be selling me the websites that you visited. It's that these ISPs, which get tremendous insight into where you surf, will make use of that data in ways you don't understand and don't control, and do things that make you feel more and more uncomfortable, and less interested in using services that can and do provide tremendous benefit. That is not good for anyone. It makes people less trustful of their services, and less willing to use the internet in unique and innovative ways. If there were a truly competitive broadband market, then that situation would be limited. Verizon or AT&T's bad behavior would be limited, because people could go elsewhere. But the issue we have today, in the US especially, is that for many users, there really are no other options -- which is why those companies have been repeatedly caught doing those kinds of sketchy, privacy-invasive things in ways that its paying subscribers both are kept in the dark about and given little to no way to block.

So, no, these new privacy rules won't create new data markets of your browsing history -- and, yes, there are other laws in place that block them from doing truly egregious activity. But the lack of a competitive market, and the nature of online advertising, combined with the fairly stupid belief that people need to be tricked into giving up their info, creates a dangerous environment, one that will harm both end users and innovation. The former FCC privacy rules took a (very small) baby step towards preventing that kind of situation... and now they're dead.

Filed Under: ajit pai, broadband, congress, fcc, privacy, wiretap act

Vizio Fails To Dodge Class Action Over Its Spying 'Smart' Televisions

from the watching-you-watching-me dept

So if you hadn't been paying attention, most of the "smart" products you buy are anything but intelligent when it comes to your privacy and security. Whether it's your refrigerator leaking your gmail credentials or your new webcam being hacked in minutes for use in massive new DDoS attacks, the so-called "smart" home is actually quite idiotic. So-called smart-televisions have been particularly problematic, whether that has involved companies failing to encrypt sensitive data, to removing features if you refuse to have your daily viewing habits measured and monetized.

Last month Vizio joined this not-so-distinguished club when it was discovered that the company's TVs had been spying on users for the last several years. Vizio's $2.2 million settlement with the FTC indicates that the company at no time thought it might be a good idea to inform customers this was happening. The snooping was part of a supposed "Smart Interactivity" feature deployed in 2014 that claimed to provide users with programming recommendations, but never actually did so. In short, it wasn't so much what Vizio was doing, it was the fact the company tried to bullshit its way around it.

And while Vizio may have settled the FTC investigation into its snooping televisions, the company now faces an additional class action after a California federal judge late last week denied the company's motion to dismiss. The court ruled that Vizio customers' claimed injuries were "sufficiently concrete" to bring suit under the Video Privacy Protection and Wiretap Acts:

"Congress has determined that the interception of a person’s electronic communications and the unauthorized disclosure of a person’s video viewing history are sufficiently harmful to warrant private causes of action," and in response to Vizio's contention that the information it allegedly discloses is not personally identifiable, adds, "Taken to its logical conclusion, Defendants’ argument absurdly implies that a court could never enter judgment against a plaintiff on a VPPA claim if it found that the disclosed information was not within the statutory definition of personally identifiable information; instead, it would have to remand or dismiss the action for lack of jurisdiction."

U.S. District Court judge Josephine Staton also supported the lawsuit's claim of "highly offensive" conduct by Vizio by reiterating that the "Smart Interactivity" feature that did the spying was difficult to disable (impossible, initially), and was often reset after every Vizio firmware update:

"Plaintiffs point to a report by the security software company Avast, which concluded that Smart Interactivity’s “off” function was not operational “for months, if not years.” So, even if consumers believed they had opted out of Vizio’s data collection practices, Vizio was still collecting their data for a considerable period. In addition, Vizio’s...Smart Interactivity software switches back on without warning if the Smart TV ever reverts to the factory settings—as can occur through Vizio’s software updates. Consumers would likely not realize for a significant period that Vizio’s collection and disclosure software has been re-enabled because the opt-out feature is allegedly buried in an obscure settings menu."

So many of these companies wouldn't be facing settlements and lawsuits if they'd simply been transparent about what they were collecting in the first place. But time and time again we see "smart" IOT vendors trying to bullshit their way around what they're doing, bury settings that control privacy settings under layers of intentionally intimidating menus, or simply refuse outright to offer consumers working opt out tools in the first place.

Filed Under: class action, iot, smart tvs, video privacy, wiretap act
Companies: vizio

Court Says Man Can Sue Maker Of Web-Monitoring Software For Wiretap Act Violations

from the webwatching-your-way-to-an-easier-divorce! dept

The Sixth Circuit Court of Appeals has decided a man whose communications were snagged by commercial spyware can sue the software's maker for violating federal wiretap law.

The plaintiff, Javier Luis, became involved in an online relationship with an unhappily married woman. Her husband, Joseph Zang, installed Awareness Technologies' "WebWatcher" on his wife's computer in order to keep tabs on her online communications. After discovering his communications had been intercepted, Luis sued the software's maker (along with the husband, who has already settled with Luis and is no longer listed as a defendant).

The Appeals Court doesn't form an opinion on the strength of Luis's claims -- only noting that they're strong enough to survive dismissal. Awareness Software will be able to more fully address the allegations in the lower court on remand, but for now, the Appeals Court finds [PDF] the software's "contemporaneous interception" of electronic communications to be a potential violation of the Wiretap Act.

Two allegations in the complaint support this inference. First, Luis alleges that the communications at issue “were not originally stored on the computer’s hard drive.” The communications were instead acquired by Awareness “as [they were] being written and communicated between senders and recipients.” This allegation directly supports the proposition that the communications were still “in flight” for the purposes of 18 U.S.C. § 2511.

[...]

Second, Luis alleges that “WebWatcher immediately and instantaneously rout[e]s the intercepted communications to their [i.e., Awareness’s] servers located in California.” (Emphasis in original.) This allegation directly supports an inference of contemporaneous interception because, if WebWatcher does in fact “immediately and instantaneously” copy and send communications “as [they are] being written,” then the acquisition of the communications likely occurs before the communications have come to rest in electronic storage.

Somewhat illogically, Awareness suggested that the supporting evidence provided by Luis could have referred to a different product (not made by Awareness) that has an identical name.

Awareness is of course correct that some possibility exists that the marketing materials might refer to another device carrying the trademark “WebWatcher” that is unaffiliated with Awareness’s own WebWatcher. This argument, however, is far-fetched at best, and the more “plausible inference,” see id. at 682, is that the materials do in fact apply to Awareness’s WebWatcher that Joseph allegedly used.

Slightly more logically, it suggested that it cannot be held liable under the Wiretap Act because it's the end user that actually violates the Act when they install the software and put it to use. This is what the lower court found in its decision, based on a Report and Recommendation (R & R) put together by a magistrate judge.

With respect to the claimed violation of 18 U.S.C. § 2511, the R&R concluded that Awareness itself did not “intercept” Luis’s communications because it was Joseph [Zang]—not Awareness—that installed the WebWatcher program on the computer used by Catherine. And with respect to the claimed violation of 18 U.S.C. § 2512, the R&R concluded that Awareness could not be held liable simply for manufacturing a product that others—such as Joseph—used to violate the Wiretap Act.

Awareness also argued that WebWatcher's interception of communications wasn't "contemporaneous" and therefore isn't a violation of the Wiretap Act. Instead, it claimed it grabbed communications in "near real-time" and stored a copy on its servers for access by users. The Appeals Court notes that Awareness's own promotional efforts seem to tell a different story.

The marketing materials attached to Luis’s complaint support this conclusion. As Luis notes, the materials state that WebWatcher lets its users review a person’s electronic communications “in near real-time, even while the person is still using the computer.” The materials further note that any deviation from real-time monitoring results not from delays regarding when the communications are acquired, but from variations in “the Internet connection speed of the computer being monitored.”

This near real-time monitoring is significant. If a WebWatcher user can in fact review another person’s communications in near real time, then WebWatcher must be acquiring the communications and transferring them to Awareness’s servers as soon as the communications are sent. The program, in other words, does not wait for the communications to be stored; instead, the program as described captures and reroutes the communications so that a WebWatcher user can review the communications at nearly the same time as they are being transmitted.

In addition, the marketing materials state that “[e]ven if a document is never even saved, WebWatcher still records it.” This feature indicates that WebWatcher does not wait for electronic communications to be saved in a computer’s electronic storage. Rather, the product records the communications as they are being sent, without regard for whether a copy is ever placed in the storage of the affected computer. This aspect of WebWacher’s operations thus implies that the alleged acquisition of Luis’s communications indeed occurred while the communications were still “in flight.”

The court also notes that Awareness's own marketing materials suggest there are few wholly-legal uses for its WebWatcher software. Given its function, most end user deployment is almost certain to violate federal or state wiretap laws. (This explains the following disclaimer on the WebWatcher site: "Awareness Technologies Terms of Use and End User Licensing Agreement require that you only install its software on computers that you own or have permission to monitor and that you inform all users of those computers that they are being monitored.") Because of this, the court finds that Awareness cannot dodge civil liability simply because it performs no interception of communications until a purchaser installs and deploys its software.

[W]e today hold that a defendant such as Awareness—which allegedly violates § 2512(1)(b) by manufacturing, marketing, and selling a violative device—is subject to a private suit under § 2520 only when that defendant also plays an active role in the use of the relevant device to intercept, disclose, or intentionally use a plaintiff’s electronic communications.

So even though Awareness itself did not initiate the specific action that “intercepted, disclosed, or intentionally used” Luis’s communications in violation of the Wiretap Act, it is alleged to have actively manufactured, marketed, sold, and operated the device that was used to do so. This is enough to establish that Awareness was “engaged in” a violation of the Wiretap Act in a way that defendants such as those in Treworgy and Amato—who simply possessed wiretapping devices—were not.

The dissenting opinion, however, points out that allowing the plaintiff to pursue Awareness under the Wiretap Act not only shifts some responsibility off the shoulders of the person who initiated the interception (the aggrieved husband) but also more than "liberally construes" the content of Javier Luis's pro se filing.

The majority accepts Luis’s argument on appeal that the complaint directly implicates Awareness in paragraph 77. But this reading is much more than just charitable—it grasps at straws. In describing how WebWatcher operates, Paragraph 77 uses only a possessive pronoun that lacks any antecedent: “WebWatcher immediately and instantaneously routs the intercepted communications to their servers located in California to be stored for their subscribers to later retrieve at their leisure.” Awareness is neither named nor the subject of the action. This paragraph, located amidst Luis’s allegations against the other defendants, does not give rise to the plausible inference that Awareness intentionally intercepted Luis’s communications.

[...]

It does not put Awareness on notice that it—the manufacturer and seller— could be liable for anonymous customer Joseph Zang’s misuse of the WebWatcher. Luis’s novel theory of liability does not appear even to have been tried, much less to have been successful, in any previous case. Neither Awareness nor the district court should have been expected to divine it from Luis’s allegations against the other defendants. I would affirm the district court’s dismissal of Luis’s § 2511 claim against Awareness. I would affirm the dismissal of Luis’s state-law claims for the same reason.

That's the downside of this reversal by the Appeals Court: manufacturers and developers will now face an increased risk of civil litigation if their products could possibly be used to violate laws. This negative side effect is diminished somewhat by Awareness's participation in the interception -- the storage of communications on its servers -- but it's still the sort of thing that could encourage speculative litigation aimed at the target with the deepest pockets, rather than the entity that actually broke the law.

Filed Under: javier luis, joseph zang, spying, web monitoring, webwatcher, wiretap, wiretap act
Companies: awareness technologies, webwatcher