Bose Lawsuit For Collecting Headphone Data Is Flimsy, But Highlights Continued Lack Of Real Transparency
from the dumb-tech-is-often-smarter dept
Being transparent about what private consumer data is being collected and sold appears to be a hard lesson for hardware vendors to learn. Earlier this month, Bose was hit with a new lawsuit (pdf) accusing it of collecting and selling personal subscriber usage data of the company's $350 QC 35 noise-canceling headphones. More specifically, the lawsuit claims that the Bose Connect smartphone companion app is collecting user preferences when it comes to "music, radio broadcast, Podcast, and lecture choices" -- and then monetizing that data without making it clear to the end user:
Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent...Though the data collected from its customers’ smartphones is undoubtedly valuable to the company, Defendant’s conduct demonstrates a wholesale disregard for consumer privacy rights and violates numerous state and federal laws.
To be clear, the complaint, filed last week by Bose customer Kyle Zak in federal court in Chicago, seems more than a little thin. The suit appears to piggyback on growing concern about the wave of internet of things devices (from televisions to smart dildos) that increasingly use internet connectivity to hoover up as much as possible about consumers. Often, this data is collected and transferred unencrypted to the cloud, then disseminated to any number of partner companies without adequate disclosure.
That said, while Bose marketing insists users need the app to "get the most out of your headphones" and get the "latest features" for their headphones, in this instance, users can avoid data collection by simply not using the Bose companion app. And while Bose only appears to be collecting metadata, the suit tries to somehow claim that collecting this type of metadata -- which any and every music service also happily collects -- somehow violates the Wiretap Act:
... customers must download and install Bose Connect to take advantage of the Bose Wireless Products’ features and functions. Yet, Bose fails to notify or warn customers that Bose Connect monitors and collects—in real time—the music and audio tracks played through their Bose Wireless Products. Nor does Bose disclose that it transmits the collected listening data to third parties.
Were Bose, say, using the headphone jack on a headset to monitor actual user communications, the case might have legs. That said, while the suit's central Wiretap Act claims may be weak, the suit once again highlights that consumer data collection policies, if disclosed at all, are often buried in overlong privacy policies few if any consumers actually read -- using language carefully crafted to obfuscate what precisely is happening. Bose doesn't really help its case all that much in a statement on its website that declares the lawsuit "inflammatory" and "misleading," before being a little misleading itself:
We understand the nature of Class Action lawsuits. And we’ll fight the inflammatory, misleading allegations made against us through the legal system. For now, we want to talk directly to you. Nothing is more important to us than your trust. We work tirelessly to earn and keep it, and have for over 50 years. That’s never changed, and never will. In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name.
Again, many may not care that Bose is collecting this data. Especially in an age where everybody carries around a miniature computer in their pocket, happily oblivious that their every step and click are being monetized by cellular carriers, app vendors, OS makers, advertising networks, and everybody else in the food chain. The problem is that companies continue to believe there's nothing wrong with hoovering up every shred of data they can, then hiding this collection in overlong, carefully-worded privacy policies -- and the false sense of security "anonymization" is supposed to provide.