| 14.6°C Dublin

Sex toys that spy on you highlight 'Internet of Things' privacy threat


TJ McIntyre is a lecturer in the UCD Sutherland School of Law

TJ McIntyre is a lecturer in the UCD Sutherland School of Law

TJ McIntyre is a lecturer in the UCD Sutherland School of Law

A few years ago the idea that your sex toys might be spying on you would have been the stuff of science fiction.

But last week a company agreed to pay consumers up to $3.75m (3.5m) in damages after it emerged that it had been storing information about how its customers used their smart vibrators, including the date, time, vibration mode and "intensity levels" of each use.

As the name suggests, the We-Vibe toys were intended for couples and came with Bluetooth and a smartphone app that acted as a remote control.

What customers didn't know was that each time they used the app it recorded the vibrator settings, which were then sent to the manufacturer and linked to the individual customer's email address.

Following litigation in the United States, the manufacturer entered into a settlement under which they will destroy the data and pay customers up to $10,000 (€9,346) each if they used the app, or up to $199 (€184) if they bought the vibrator but never used the app.

Irish users are, however, out of luck. Although the We-Vibe toys were sold in Ireland, the settlement applies only to customers in the United States.

Media coverage has been extensive and prurient, unsurprisingly. But the snigger factor of the case obscures the serious issues it raises. Smart vibrators record particular sensitive personal information, but the security and privacy problems highlighted by the We-Vibe are common to many more types of devices.

In 2015 researchers found that the most popular internet-connected baby monitors had fundamental flaws which allowed strangers to spy on homes and even to talk to children. In 2016, a report by data protection authorities around the world found that two-thirds of 'Internet of Things' devices - such as fitness trackers, internet-connected thermostats and heart-rate monitors - failed to meet basic privacy standards by collecting excessive information about their users and sharing it with other companies and advertisers.

Just last month, smart TV manufacturer Vizio was forced to pay $2.2m (€2.04m) to settle charges that it collected second by second information about what individual users watched and sold the information to advertisers, along with details of the users' sex, age, income, marital status, household size, education level, home ownership and household value.

These cases differ in their details but what they have in common are flawed incentives which encourage companies to put profit before privacy. At best privacy is not a priority: manufacturers do not take adequate care when rushing products to market. More often privacy is a commodity: companies cynically gauge that they can profit twice over by selling products to users, then selling their users to advertisers.

What can we do to remedy this? Consumer and data protection law already prohibits many of these practices, but enforcement in Europe has been patchy.

It is no accident that the high-profile settlements in the We-Vibe and Vizio cases came from US rather than European litigation.

Although US privacy law is not as comprehensive as European data protection law, in practice it can be more effective due to aggressive enforcement mechanisms such as class actions and investigations by the Federal Trade Commission.

The new General Data Protection Regulation (GDPR) offers an opportunity to fix this. When it comes into effect in May 2018 it will give EU regulators new powers, including the ability to levy fines of up to 4pc of total worldwide annual turnover for serious breaches.

It will also give individuals the right to sue for distress caused by invasion of their privacy and to take part in group claims against firms, similar to US class actions.

As more and more devices become internet connected, it is essential that we use these powers to bring effective security and privacy to the Internet of Things.

The alternative is, quite literally, a world in which our vibrators, TVs and fitness trackers monitor our activities for the commercial benefit of third parties.

Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law and chair of Digital Rights Ireland

Indo Business