We have been approached by a number of concerned individuals in the U.K. following the news that the company behind the “smart sex toy” We-Vibe is settling Group Action claims in the U.S. for collecting user data without proper consent.
We have now taken on a multitude of cases as we investigate the circumstances surrounding the collection of data without the consent of users here in the U.K., which we allege is a breach of the Data Protection Act.
The Canadian manufacturer of We-Vibe, Standard Innovation, was fined CAD $4 million (£2.4 million) after they were found to be collating and using their customers’ data without explicit consent.
Information that was collected and processed
The device is intended to keep couples connected over long distance, but connecting sex toys to the internet has proven to be riskier than anticipated.
The sex toys, which include the We-Vibe Classic and Rave by We-Vibe, are designed primarily for couples to use, allowing partners to control the devices via Bluetooth and a Smartphone app.
Researchers first discovered the data security breach and learned that the company was reportedly using the Smartphone app to gather data about how customers used the devices. According to reports and court documents, the app collected information such as the temperature of the device and the intensity during use, and how often the toy was used.
Claims in the U.S.
Though We-Vibe gave assurances to users that none of their data was maliciously hacked by an outsider, the company reportedly couldn’t guarantee that the data collection was used for lawful purposes. As a result, a number of concerned users filed a class action lawsuit against the company behind We-Vibe.
Given the significantly private nature of peoples’ sex lives and sexual preferences, the court allowed the users to litigate anonymously using initials.
The innovators of We-Vibe, Standard Innovation, believe that a “fair and reasonable” settlement has been reached in the U.S. In the settlement, users are compensated up to $10,000 (£8,000) if they can show that they used the app to control the toy, as well as providing their full name, phone number, and other details. For those who only purchased a We-Vibe connected device, up to $199 (£160) is being offered.
A spokesperson for Standard Innovation said:
“We are pleased to have reached a fair and reasonable settlement in this matter. At Standard innovation we take customer privacy and data security seriously. We have enhanced our privacy notice, increased app security, provided customers more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app.”
Privacy concern
One of the most worrying issues at hand is that most innovators don’t realise the serious risks of internet connected devices they sell, and their security vulnerabilities. This is detailed in our previous blog regarding smart fridges and smart locks, where manufacturers don’t pay enough attention to potential security flaws in our view, and instead just seek to push forward the innovation of the product.
Many of the security and privacy vulnerabilities of the We-Vibe toy were highlighted by hackers Goldfisk and Follower at the Defcon 24 conference in 2016. It’s a device that has evidently not properly secured their users’ private data, and hackers said that, very worryingly, the app could be hacked in to and allow a hacker to control the device themselves.
This is incredibly alarming.
The Data Leak Lawyers consider this a Data Breach Action
Though the company may suggest they collected user data for legitimate reasons – e.g. to improve their service – it’s private and most certainly intimate.
Ken Munro, a researcher from cybersecurity company Pentest Partners recognised this intimacy, stating:
“It’s one matter collecting data about your usage of a smart coffee machine. It’s a whole different matter gathering data about your sex toys.”
Many We-Vibe users have come forward to claim against the invasion of their privacy. In the U.K., companies that collect, use, and hold your personal information must do so in accordance with the Data Protection Act (DPA). It must be fairly and lawfully processed with explicit consent. As we believe that We-Vibe collected data and processed it without consent, we say that they are in breach of the Data Protection Act, and victims can claim with our specialist lawyers.