Forget about prying microwaves. The real spies might be sex toys.
That, at least, was a claim made by two plaintiffs in a class-action lawsuit filed in federal court in Chicago against Standard Innovation, a Canadian manufacturer of “smart” vibrators that allow users to remotely “turn on your lover” via a Bluetooth connection.
The class action came after two hackers demonstrated in a hacking conference last year that it was possible to remotely take control of the vibrator and activate it.
The company agreed this week to pay $3.75 million to settle the suit, which alleged that the firm violated privacy by accessing personal information. Under the terms of the settlement, Standard Innovation will also stop recording users’ personal information and destroy any collected data.
To use the We-Vibe vibrator’s full range of features and customized vibrations, including text and chat features, users were required to download the We-Connect mobile app from the Apple Store or Google Play. Once the app was installed and linked to the vibrator, consumers could use their smartphone to remotely access and control it, according to the company.
“The usage information collected by Standard Innovation through We-Connect is extraordinarily intimate and private,” according to court documents from the plaintiffs. The two lead plaintiffs were anonymous, including an Illinois woman identified as N.P. who said she bought a $130 We-Vibe Rave and downloaded the app but was never warned about the data collection, The Chicago Tribune reported.
“Standard Innovation collected individual-level usage information – often tied to users’ personally identifiable addresses,” they said, adding that the firm “breached its customers’ trust, devalued their purchases” and “violated federal and state law in the process.”
About 300,000 people purchased We-Vibe devices covered by the class action, and about 100,000 downloaded and used the app, according to a memo filed with the settlement agreement.
The security and data collection issues came to light last year at the Def Con hackers’ conference in Las Vegas during a talk called “Hacking the Vibrating Internet of Things,” by two hackers, The Guardian reported in August.
“A lot of people in the past have said it’s not really a serious issue,” one of the hackers, who goes by @Followr on Twitter, told the conference. “But if you come back to the fact that we’re talking about people, unwanted activation of a vibrator is potentially sexual assault.” His co-presenter was @g0ldfisk. They estimated that Standard Innovation had about two million customers for its products.
In the settlement, the company denied any wrongdoing.
“At Standard Innovation we take customer privacy and data security seriously,” a spokesman, Denny Alexander, said in an email on Tuesday, calling the settlement “fair and reasonable.”
In September, he said, “we responded rapidly to concerns about app privacy and security. We enhanced our privacy notice, increased app security, provided customers more choice in the data they share, and we continue to work with leading privacy and security experts to improve the app.”
This latest class action reflects growing concerns over internet-connected “smart” products in the home that can get, well, too smart. A string of reports in recent years about hackers targeting and remotely controlling items like baby monitors have raised alarm. And numerous experiments by researchers have shown how easy it is to hack into cars, medical devices and even dolls.
Last month, German regulators announced that they were banning sales of Cayla, a doll made by U.S.-based Genesis Toys, because they said hackers could use it to steal personal data by recording private conversations over an insecure Bluetooth connection.
The doll is also under scrutiny in the United States, where advocacy groups filed a complaint with the toymaker in December, alleging that the company records and transmits the voice prints of children to a software company.