Internet-Connected Sex Toy Maker Settles Privacy Lawsuit

Canadian Vibrator Maker Reaches $3.7 Million Settlement Agreement

Don't blindly trust the internet of things to maintain common-sense boundaries, or your privacy.

Witness a lawsuit filed by two anonymous plaintiffs last year in Illinois district court against Ottawa, Canada-based "sensual lifestyle products" firm Standard Innovation, which manufactures a range of Bluetooth-enabled vibrators as part of its We-Vibe product line. The lawsuit alleges, in part, that the manufacturer collected information relating to how customers were using its products, tied to their email address, without notifying users.

The lawsuit was filed by plaintiffs - N.P. of Illinois and P.S. of Missouri, who respectively purchased devices that cost $130 and $193 - in September 2016 on behalf of all We-Vibe product users. "Due to the sensitive subject matter of this case, the plaintiffs' names have been withheld," according to court documents.

On March 13, Standard Innovation reached a tentative settlement agreement with the plaintiffs worth $3.7 million. U.S. District Court Judge Virginia M. Kendall has scheduled a final hearing date of Aug. 6, 2017, to decide if the proposed settlement agreement will be approved.

Standard Innovation didn't immediately respond to a request for comment on the settlement and its precise details. But legal news site Law360 reports that the settlement amount is the maximum amount that would be covered by an insurance policy Standard Innovation holds with Liberty International Underwriters.

Under the terms of the settlement agreement, Standard Innovation will stop collecting user data and destroy all data that it's collected to date, Law360 reports, citing a copy of a memo in support of the proposed settlement.

Standard Innovation will create two settlement funds: $3 million for users of the app and $750,000 for purchasers of its Bluetooth-enabled vibrator, according to the memo. It says that about 300,000 customers have purchased the vibrators, and about 100,000 pair them with the app.

According to the memo, one-third of each fund will go to plaintiffs' attorneys, while the plaintiffs will each receive a $5,000 award from Standard Innovation.

Anyone who bought one of five We-Vibe products - including the WeVibe 4 Plus - or downloaded the We-Connect application and used it to control a We-Vibe product, in both cases before Sept. 26, 2016, would be eligible to receive compensation, according to court documents.

Eve-Lynn Rapp, one of the plaintiffs' attorneys, tells Law360 that the settlement "provides both exceptional monetary relief to class members and ensures their privacy rights will be protected in the future."

'Secretly Collect Intimate Details'

The lawsuit alleged that Standard Innovation, without notifying users, would "secretly collect intimate details about its customers' use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user ... and incredibly, the email address of We-Vibe customers who had registered with the app, allowing [the company] to link the usage information to specific customer accounts."

The lawsuit also alleged that information was secretly routed to Standard Innovation's servers in Canada, including details of vibrators' "temperature and battery life," despite the manufacturer having promised to maintain "a secure connection" between the smartphones of the device user and a remote partner.

"To fully operate the We-Vibe, users download defendant's 'We-Connect' application from the Apple Store or the Google Play store and install it on their smartphones. With We-Connect, users can 'pair' their smartphone to the We-Vibe, allowing them - and their partners - remote control over the vibrator's settings and features," according to the lawsuit.

The lawsuit noted that to take advantage of the device's features, users were required to download the proprietary We-Connect app from the Apple Store or the Google Play store.

But the lawsuit alleged that Standard Innovation failed to anonymize users' information or ensure their privacy, in that We-Connect would "collect and record highly intimate and sensitive data regarding consumers' personal We-Vibe use, including the date and time of each use and the selected vibration settings, and transmit such usage data - along with the user's personal email address - to its servers in Canada."

The We-Connect feature was first introduced in September 2014.

Don't Trust, Verify

The lawsuit is a reminder that whatever gets connected to the internet isn't magically protected against data leakage. Likewise, consumers should not simply trust that manufacturers will treat their personal details - name, email addresses and more - with the respect they deserve.

The same goes for any internet-connected device, including - unfortunately - children's toys.

Last month, for example, security experts warned that California-based Spiral Toys, which makes Bluetooth-enabled stuffed animals, had failed to protect the data it gathered, leading to the exposure of 800,000 email addresses and hashed passwords - at least some of which could be easily cracked, thanks to the company enforcing no minimum length or complexity requirements for passwords - as well as audio files of 2.2 million parent-child chats (see Don't Hug These Internet-Connected Stuffed Toys).

Sen. Bill Nelson, D-Fla., the ranking member of the U.S. Senate Committee on Commerce, Science and Transportation, is seeking answers from the toy manufacturer on a number of related fronts by March 23. According to a copy of Nelson's letter to the toy manufacturer - shared by Australian data breach expert Troy Hunt - Nelson wants to know if the toy manufacturer lets users access, correct and delete any information the company collects, as well as what measures the company has in place to protect the data it collects.

But some countries are taking stronger steps than others. Last month, the Bundesnetzagentur - Germany's telecommunications watchdog - banned the Bluetooth-enabled Cayla doll on privacy grounds, warning that it surreptitiously records local conversations and transmits them to a web service. The doll was introduced in 2014. Regulators have urged parents to destroy the doll.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
