We-Vibe Lawsuit and the IoD

The idea for the IoD project started long ago, but it was created with the same concerns that the recent We-Vibe Lawsuit suddenly brought to the forefront of everyone's attention. In fact that lawsuit accelerated the launch of the IoD website before everything was finished being built.

It has been reported that Standard Innovation, the company behind the We-Vibe is settling the lawsuit for as yet undisclosed damages.

This lawsuit is an interesting case because it shows the kind of dangers these new generation connected devices create, but it also shows that it's not just technological, but also legal and transparency issues that vendors need to take into account in their products.

Full Disclosure: I submitted a talk to Defcon that had found the exact same issues that Goldfisk and Follower had found. Their talk which was ultimately selected over mine. I was also sitting front row center for their talk and talked with them at length and continue to do so

At issue was the information that Goldfisk and Follower discovered and presented at Defcon 24 by reverse engineering the app, monitoring traffic and the Bluetooth communications with the device. They discovered that a great deal of "Interesting" information was being sent to Standard Innovations servers in the course of using the app/device. They discovered that the internal temperature of the device was being sent, along with what vibration pattern, the intensity, and due to timestamps, the date, time and duration of usage. Combined with email addresses used for logging into the app, there are justifiable concerns about what this data is being collected and used for.

Now, this kind of diagnostic data and usage data is routinely collected by a great many products we use. It helps vendors understand how customers use their devices in order to improve them. It can help to diagnose a defect in the device or other systemic problems. In most cases, this collection is justifiable and useful and routine. What makes it justifiable though is informed consent.

The problem with the We-Connect app was that none of this data collection was disclosed to the users. There was a privacy policy in the app, however it was the one covering any data collected by the We-Vibe website, and not the data collected by the app. You could see that, since they had a privacy policy in the app, they were trying, but through some error, the wrong text was included.

There is no evidence that the information was being used for any nefarious purposes or was combined with login data to profile individual users. That said, nothing was noted about the length time data would be stored or if third parties (aside from legal requirements from law enforcement) would get access to the data. It was just not known to the users because it was not disclosed.

The plaintiff in the case made the argument that, had they known this data collection was being done, they would not have bought and used the product. While I think it's an overreaction, that is their right and is the point of such disclosure in privacy policies; to inform the user and obtain their consent.

So a small oversight on the privacy policy disclosure text was enough to launch a class action lawsuit and presumably cost standard innovation a fair chunk of change and lose some customers as well.

Now, in defense of the We-Vibe, of the preliminary set of devices I'd audited for my proposed Defcon talk, the We-Connect app was one of the best ones out there in terms of security and design. Since the lawsuit, they re-engineered much of the apps internals and raised the bar even higher. They removed the need for an account to login (no longer needing to provide them your email), their SSL/TLS communications are vastly improved (certificate pinning seems to be in place for some of it), and they now have a very good, plain language privacy notice. They also have a much greater awareness and commitment to security and privacy as a result of all this.

If they were the high water mark for security before, they raised the bar significantly and show that high levels of security and privacy are achievable in regard to these apps and devices. It just takes the initiative and the will to do so. That said, there is always room for improvement and researchers will always have a place to keep an eye on things.

Now, you have to thing that if We-Connect is the high water mark, can you imagine how many others are well below that mark, and in worse ways than We-Connect ever was. It's actually quite frightening to consider the amount of intimate data being sent over some very insecure software.

This is why the IoD project was founded; to get the industry ahead of the curve and to solve problems before there is an incident, law suit, or (hopefully never) a user is harmed. We've already found and help fix some much more serious bugs and potential privacy violations in products than We-Connect was sued over. We can also bring best practices from the information security world to help minimize risks from the start.

We want to work with the industry. We want to help them understand the unique threats that exist for their devices. What works for other "Internet of Things" (IoT) devices may not be the best for IoD devices due to the sensitive and intimate nature of their use. As the lawsuit showed, what is routine diagnostic and usage data collection for IoT, may not be well received with IoD products.

Hopefully this lawsuit will have a legacy of being the starting point of a change in the industry towards more secure and private devices and software. The IoD project will hopefully be a part of that change and help guide the industry into this new connected world of teledildonics.