Bose Lawsuit For Collecting Headphone Data Is Flimsy, But Highlights Continued Lack Of Real Transparency

from the dumb-tech-is-often-smarter dept

Being transparent about what private consumer data is being collected and sold appears to be a hard lesson for hardware vendors to learn. Earlier this month, Bose was hit with a new lawsuit (pdf) accusing it of collecting and selling personal subscriber usage data of the company's $350 QC 35 noise-canceling headphones. More specifically, the lawsuit claims that the Bose Connect smartphone companion app is collecting user preferences when it comes to "music, radio broadcast, Podcast, and lecture choices" -- and then monetizing that data without making it clear to the end user:

Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent...Though the data collected from its customers’ smartphones is undoubtedly valuable to the company, Defendant’s conduct demonstrates a wholesale disregard for consumer privacy rights and violates numerous state and federal laws.

To be clear, the complaint, filed last week by Bose customer Kyle Zak in federal court in Chicago, seems more than a little thin. The suit appears to piggyback on growing concern about the wave of internet of things devices (from televisions to smart dildos) that increasingly use internet connectivity to hoover up as much as possible about consumers. Often, this data is collected and transferred unencrypted to the cloud, then disseminated to any number of partner companies without adequate disclosure.

That said, while Bose marketing insists users need the app to "get the most out of your headphones" and get the "latest features," in this instance users can avoid data collection by simply not using the Bose companion app. And while Bose only appears to be collecting metadata, the suit tries to claim that collecting this type of metadata -- which any and every music service also happily collects -- somehow violates the Wiretap Act:

... customers must download and install Bose Connect to take advantage of the Bose Wireless Products’ features and functions. Yet, Bose fails to notify or warn customers that Bose Connect monitors and collects—in real time—the music and audio tracks played through their Bose Wireless Products. Nor does Bose disclose that it transmits the collected listening data to third parties.

Were Bose, say, using the headphone jack on a headset to monitor actual user communications, the case might have legs. That said, while the suit's central Wiretap Act claims may be weak, the suit once again highlights that consumer data collection policies, if disclosed at all, are often buried in overlong privacy policies few if any consumers actually read -- using language carefully crafted to obfuscate what precisely is happening. Bose doesn't really help its case all that much in a statement on its website that declares the lawsuit "inflammatory" and "misleading," before being a little misleading itself:

We understand the nature of Class Action lawsuits. And we’ll fight the inflammatory, misleading allegations made against us through the legal system. For now, we want to talk directly to you. Nothing is more important to us than your trust. We work tirelessly to earn and keep it, and have for over 50 years. That’s never changed, and never will. In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name.

While Bose insists it doesn't "sell your information," its app privacy policy does note that it "may partner with certain third parties" to "engage in analysis, auditing, research, and reporting" (hey, it's not selling if we call it something else). And while Bose may not personally identify you "by name," we've long noted that "anonymized" data is far from anonymous. Study after study has made it clear that it only takes a shred of additional contextual data to make "anonymous" data easily and personally identifiable. If "trust" were truly Bose's top priority, they'd actually explain precisely what the app is doing, who data is sent to, and why.

Again, many may not care that Bose is collecting this data. Especially in an age where everybody carries around a miniature computer in their pocket, happily oblivious that their every step and click are being monetized by cellular carriers, app vendors, OS makers, advertising networks, and everybody else in the food chain. The problem is that companies continue to believe there's nothing wrong with hoovering up every shred of data they can, then hiding this collection in overlong, carefully-worded privacy policies -- and the false sense of security "anonymization" is supposed to provide.


Reader Comments


  • Ninja, 26 Apr 2017 @ 11:41am

    "users can avoid data collection by simply not using the Bose companion app."

    But if I download the app it should make crystal clear and visible that they want to collect the data. As you noted, shame on Bose. Going without would work but if you don't know what's happening then you don't have the information to opt by going without.

    • Phil Watkins, 3 May 2017 @ 10:34pm

      Re:

      Good point. What about the Bose Soundtouch app? I found out today that Bose knows what Bose speakers I have turned on.

      Likely that same conduit that sends Bose data about what speakers I'm using, when etc. is likely sending data on what internet radio I'm listening to. Or what from my iTunes library am I listening to. Perhaps they even now have a complete list of all my iTunes library titles. Totally sucks. I believe this goes back to when Bose stopped supporting AirPlay. Likely Apple refused to provide them the hooks to collect user data. So they decided to begin forcing their customers to use their app.

  • hij, 26 Apr 2017 @ 12:46pm

    you keep using that word....

    ugh.... it is not meta-data. It is data. Any information you collect and organize is data. Just because it is a summary of other information does not mean it is no longer data. The people who managed to change the meaning of what data is and find a term that minimizes what they are collecting are geniuses.

    • Anonymous Coward, 26 Apr 2017 @ 1:50pm

      Re: you keep using that word....

      Just because it is a summary of other information does not mean it is no longer data.

      It's metadata, which is a type of data. So it's both.

    • Anonymous Coward, 26 Apr 2017 @ 8:54pm

      Re: you keep using that word....

      It seems you are the one trying to change the meaning of words.

  • Anonymous Coward, 26 Apr 2017 @ 1:27pm

    "only appears to be collecting metadata"

    And here I thought Metadata was just as revealing as content if not more so! That's been the consistent position of TechDirt's authors in the past when it's come to government surveillance. Why is it "just" metadata this time around?

    • OldMugwump, 26 Apr 2017 @ 3:12pm

      Re: "only appears to be collecting metadata"

      I think TD meant to say that Bose "appears only" to be collecting metadata. (Not "only appears".)

      That is, they really are collecting something (it's more than an appearance). But what they're collecting is only metadata (song lists).

      Whether it can be de-anonymized or not matters. As the article notes, in many cases supposedly anonymized data can be pretty easily de-anonymized.

      It's not clear if that's the case here.

  • Anonymous Coward, 26 Apr 2017 @ 2:07pm

    Fuck Bose and their shitty app

  • Anonymous Coward, 26 Apr 2017 @ 2:24pm

    Gotta update the motto

    Buy Other Surveillance Equipment

  • Roger Strong, 26 Apr 2017 @ 2:37pm

    Some courts accept that for the purpose of copyright infringement lawsuits, an IP address is insufficient to identify the person doing the download.

    This story may give copyright trolls another tool: When a song is downloaded, they could get a court order demanding to know whether someone at the same IP address with Bose headphones listened to it later. And if so, what name is associated with those headphones.

    It would not be unreasonable to suspect that like Bose, Windows 10's default "Groove" music app - as well as iTunes and others - are reporting your playlist even when you play music off your local drive. Any guesses on whether the RIAA and MPAA will demand mandatory data collection and access "to stop criminals?"

  • OldMugwump, 26 Apr 2017 @ 3:19pm

    Bose may be hiring 3rd parties, not selling data to them

    To be fair to Bose,

    "may partner with certain third parties to engage in analysis, auditing, research, and reporting"

    MAY mean that they hire 3rd parties to analyze the data for them.

    Or not. It may mean they license others to use the data.

    I really don't have a problem with this, on condition the data is properly and irreversibly anonymized.

  • Anonymous Coward, 26 Apr 2017 @ 3:54pm

    OK, so this is just "metadata". But anyone can recover the entire "data" from it, using only publicly-visible data. (Which is quite often nearly true, although in this case it's so obvious that even an idiot--no, even an MBA!--could see it.)

  • discordian_eris, 26 Apr 2017 @ 4:04pm

    Two things. Recent efforts have shown that very little data can actually be completely anonymized. And this fetish for transparency is corrosive when, again, events have shown that the big boys can then say: "See? We are perfectly transparent so quit yer bitching." Transparency, or full disclosure, leads to industries trying to get away with everything they can think of. And succeeding. Just look to the pharma industry for an example. We told you that this drug could kill ya, and it did, well that's your problem. We told ya that your data wasn't safe with us (on page 57 of the EULA) so the fact it was stolen, and then your identity was, is your problem.

    Instead of efforts to force de-anonymization and transparency, they should simply be banned from collecting anything but the most basic, and absolutely required, data.

    (Well, that and ban contracts of adhesion, but that's a different ball of wax.)

    • OldMugwump, 27 Apr 2017 @ 8:25am

      Re: banned from collecting anything

      A ban is a terribly blunt instrument.

      It removes the option for people to make mutually advantageous agreements.

      By all means, require real and meaningful disclosure (not buried "on page 57 of the EULA").

      But let consenting adults make the deals with each other they want to make.

  • discordian_eris, 26 Apr 2017 @ 6:05pm

    correction

    Should have been anonymization and transparency in second to last paragraph. Dang lack of editing. (And not re-reading it a third time before posting.)

  • Anonymous Howard II, 27 Apr 2017 @ 9:05am

    I just wanted some bloody headphones.

  • Anonymous Coward, 27 Apr 2017 @ 12:52pm

    Friends don't let friends buy Bose

    "Friends don't let friends buy Bose" has been a saying for decades in audio-lover* circles.
    The basic reason for that saying is a common opinion that over the years Bose has generally offered low sound quality per dollar spent.
    Now Bose has given us another reason!
    A bit of history and for another reason read up on the Bose vs Consumer Reports (CR). Bose sued CR over a review of one of their speakers in 1970. CR won in the Supreme Court, but it almost bankrupted CR.
    However, Bose did win something: Bose speakers were and still are rarely mentioned in the audio press. Meanwhile, through heavy advertising and successful marketing, and without any pesky negative reviews, Bose grew into one of the biggest if not the biggest speaker company in the US.

    *I say "audio-lover," instead of "audiophile." Audiophiles are often snobbish and foolish (audiophools), and buy into audio quackery and spend too much $$$$ etc. I know; I consider myself one. By audio-lover I mean anyone, including rational people, who likes good sound reproduced through audio equipment. In audio circles there are many audio-lovers who are not "audiophiles."
