With the internet of things, previously innocuous devices have been rigged up to collect all sorts of data about their users—including sex toys. According to a recently filed US lawsuit, at least some people are unhappy with the privacy risk this could pose.
In the complaint, an unnamed plaintiff claims one "smart" sex toy collected identifiable details on her use of the device without her knowledge, and she is now seeking punitive damages. That data allegedly included details such as when the device was used, and what intensity setting the user selected.
Although this sort of data collection may come as a surprise to some, researchers have discovered that other similar devices are also pooling sensitive information, highlighting a looming privacy threat: What if the company is hacked, and those details are released? Even if the data is kept secure, some customers perhaps don't want unknown employees to have access to a wealth of data on how they spend their most personal time.
"It's one matter collecting data about your usage of a smart coffee machine. It's a whole different matter gathering data about your sex toys," Ken Munro, a researcher from cybersecurity company Pentest Partners, which has previously analysed smart sex toys, told Motherboard in an email.
The company behind the We-Vibe said it collected some of the data for market research purposes
The lawsuit, first reported by the Courthouse News Service, centres around a device called the We-Vibe: a vibrator which can be remotely controlled with a smartphone app.
The complaint alleges that the app was designed to "secretly collect intimate details about its customers' use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user," and the user's email address.
According to the complaint, "Plaintiff would never have purchased a We-Vibe had she known that in order to use its full functionality, Defendant would monitor, collect, and transmit her Usage Information."
Read More: Yes, Your Smart Dildo Can Be Hacked
The lawsuit appears to be based on the work of security researchers known as g0ldfisk and followr, who told an audience at the Defcon hacking conference in August how they took apart the We-Vibe and discovered the sort of data it was sending back to the company. At the time, Standard Innovation, the Canadian company behind the We-Vibe, said it collected some of the data for market research purposes. The company gave the example that if lots of customers kept using the We-Vibe's highest intensity setting, then perhaps the device was a bit too weak overall.
Standard Innovation told Motherboard in a statement that, "As a matter of practice, we use certain limited data in an aggregate, non-identifiable form to help us improve our products."
The We-Vibe is far from the only smart sex toy on the market collecting user data. In one case, Pentest Partners found an Android sex toy app that stored very personal temporary images on /sdcard/, which is either the physical or the emulated SD card.
"If you lose your phone, or someone pops your SD card, some highly private content could be exposed," Munro said.
As for the We-Vibe lawsuit, the company said, "There's been no allegation that any of our customers' data has been compromised. However, given the intimate nature of our products, the privacy and security of our customers' data is of utmost importance to our company. Accordingly, we take concerns about customer privacy and our data practices seriously."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.