Final settlement in the We-Vibe lawsuit
As was reported widely late last year, and discussed here on this site, Standard Innovation (SI), the company behind the We-Vibe was being sued in US court over their failure to disclose data their app collected. Well, they finally settled the lawsuit for a ridiculous sum of $5 million (CAN).
The lawsuit stemmed from the research of Goldfisk and Follower at Defcon 24. They showed several vulnerabilities present in the We-Connect software, but more to the point of this article, the app was sending some interesting data to SI servers. Data such as favourite vibe pattern, "paired" partner and the users email (login name) was sent to SI servers. As well, basic diagnostic info like the internal temperature of the chip set (note: not body temperature) and battery power level were included in regular updates to the SI servers, all of which was time stamped.
Such data is often collected by devices and software we use everyday. Usually its mentioned as part of the End User License Agreement. You know, the thing that we all just habitually press "I Agree" to whenever we install new software or fire up a new shiny product. This data can help vendors ascertain if devices are failing prematurely or the conditions before a major failure (think Samsung exploding batteries), or simple market data like favourite vibe style for a future update to make the product better for customers.
So far, nothing out of the ordinary here. Thousands of companies collect far more data without issue.
The issue that cost SI so much was that the privacy policy in their app was not the right one. It was actually the wording from their website, not the wording meant for the app. As a result, they technically didn't disclose to the user that they were collecting any of this data in the app, where is was going, and for what purpose. This was the legal hot water they fell in.
Seriously, that was the issue. What basically amounts to a paperwork snafu, became a $5 million (CAN) lawsuit payout. Likely a programmer was given the wrong file to include or mixed them up somehow. Such things happen quite regularly without incident.
Its worth noting that throughout this lawsuit, there has been zero evidence that the data sent to SI was ever abused, disclosed to third parties or otherwise mishandled. The lawsuit hinged on one relatively minor issue; the app failed to disclose to the user, either through a EULA or through the apps privacy policy that they were collecting such data. The plaintiffs took issue that they were not warned and would not have bought the product had they known via proper disclosure.
This annoys the crap out of me because it totally missed some other gigantic issues.
Yes, failure to disclose was not cool. Users should be informed about what their devices and software are doing with private data. However, in this case, since no evidence of maleficence was show, no loss of the data was noted, where is the damage?
This case perfectly illustrates the issue that drives the IoD project. What is a persons sense of privacy and integrity worth? What happens when someones sense of bodily integrity is violated but not necessarily their body? Is it worth any more or less?
It's not about preventing future lawsuits and saving vendors money; It's about preventing people from being hurt and this case and the coverage missed so much that is at stake here.
Imagine one day getting a surprise remote control session request from your partner who's away for a few days. You feel in the right mood and decide to enjoy the experience. As these devices are designed, you enjoy yourself and go on with your day. Later, when your partner returns, you thank them for the surprise and how much you enjoyed the experience. They give you a surprised look and tell you, they didn't send any requests and whatever happened, it wasn't them who was controlling it. Imagine the sense of violation you'd feel. The sense of horror of knowing that some stranger was controlling you in such an intimate and personal way. Imagine the partners sense of horror at this revelation.
In some jurisdictions, hijacking a remote session like I described above would constitute sexual assault or even rape. Think about it. The sense of violation is what matters. Society now has to deal with the reality of remote-rape.
This scenario raises some interesting realities. You were willingly using the IoD device, as designed and for why you purchased it. During the remote control session, and until your partner returned, you felt good and enjoyed the experience since you believed it was your partner controlling it. Once you found out the truth, all those feeling vanished and were replaced with horror and violation.
What changed? It was the same device, same software, same data being sent to the device as your partner would send, but now you know it was a stranger. What changed was your sense of choice, of bodily integrity and violation. In the end, this is not a technological issue, but an emotional one. It's the same as having sex and then noticing your partner is not who you thought it was (a twin brother for example).
The point is, your sense of bodily integrity is invaluable to you and the value of the loss is incalculable. Regardless if its a physically present or a remote controlled violation.
The plaintiffs sense of violation is very real and in no way am I diminishing the validity of their feelings or how violated they felt by the revelations of Goldfisk and Followers research. However, I get the feeling that their lawyers or someone else in the process were opportunists that saw an issue with a new technology that people didn't understand and thus were able to cash in on. I have no evidence of that, but it seems likely.
Remember that it was data being sent through the companies servers as part of the normal function of the device for which they made an error in using the wrong wording where they should have disclosed this.
The plaintiffs may have felt wronged, but one would think a simple apology, data purge, and app update and perhaps some compensation would have been appropriate. However, we are talking about highly litigious US courts where some people hear the ring of a cash register. However, not having talked to the plaintiffs, it's impossible for to assess their actual sense of violation.
Because the data being "collected" was of a very intimate and sexual nature, suddenly SI's failure to disclose took on a higher level of violation in the courts mind. This is a result of (primarily western) societies "taboo" on sexual topics. I personally would have no issues with the data that was moving through the companies servers in this case provided it's protected in transit and at rest. I have far more issues when companies use my data with third parties to direct targeted advertising to me. That was not happening here in this case.
The bitter irony is, We-Vibe was better than most apps in terms of security (at the time) and only collected some minor information (as noted above). This info was not abused in any way, but its collection not disclosed. That was probably the smallest privacy and security problem ever in any of these devices and apps, and yet it was worth $5 million (CAN)?
By the courts logic then, I must then be sitting on the equivalent of the gross national product of Liberia.
In my testing of various devices and apps, I've managed to enumerate several user databases and extract personal user details like Email addresses, remote control partner "pairings", even GPS coordinates. All much more personally damaging than what We-Vibe was doing. The only reason We-Vibe was targeted was because they were in the press as a result of the presentation at Defcon 24, but more importantly, they did not have a vulnerability disclosure program.
How do I know this? Well, before officially launching the IoD website, I'd been poking at the We-Connect app for over a year. I had submitted literally the same talk to Defcon as Goldfisk and Follower. Same findings and everything (and actually even more vulnerabilities than they had). I had reached out to the company several times as early as May 2016 (well before the infamous presentation) via email, twitter, and other methods in order to report these issues and more. I never got a response, and even post-lawsuit, my inquiries are still not being replied to. Goldfisk and Follower ran into the same thing. They got stonewalled.
I even had a canary to tell if they had read and understood my communications but just were not replying. I've been ranting for almost a year that you cannot browse we-vibe.com over SSL/TLS. Go ahead, click here and try it over https. It won't connect or will give an error if its still broken (which it is as of 3/14/17). I mentioned this in each of my communications. So if they had read and understood my communications, they should have fixed this simple but important issue.
It's been broken for at least 2 years based on the long expired (and wrongly named) certificate it was presenting for the longest time.
Had SI/We-Vibe responded, I would have gladly handed over my research and helped them before I gave my version of the presentation. I cannot speak for Goldfisk and Follower, but I'm sure they wanted to do the same thing. It would have likely saved them $5 million (CAN).
That's why this project exists; to ensure that customers privacy and security are being looked after in IoD devices by helping the vendors understand the risks. We are helping make sure the vendors are not getting the crap sued out of them for honest ignorance about what they got themselves into. By creating a culture of security internally, and creating a path for researchers and the public to report security issues that are treated seriously and promptly, then vendors can take care of themselves.
I'm glad that the lawsuit is over and that the industry is now acutely aware of the risks they face and why they should pay attention to researchers and the work we are doing here at the IoD (especially our vendor resources).
I'm going to go and sit on my $2 Billion (CAN) worth of vulnerability and exploit data for IoD vendors while they fix it all. I'll also continue to help vendors understand security and privacy best practices and to setup vulnerability disclosure programs (all for free I might add). All this in the hopes of never seeing a stupid lawsuit like this happen again and never hearing of anyone being harmed by and IoD device or data from one.