The makers of an Internet-connected sex toy have settled a class action by agreeing to pay a small sum to each of some 300,000 owners of a vibrator that was used to spy on their sex habits, with the manufacturer collecting the data in individually identifiable form. On top of that, the Bluetooth-controlled device itself was utterly insecure: anyone within radio range could take control of it without authentication. To the growing list of IoT devices spying on us, we now need to add the bedroom.

At DEF CON in Las Vegas in 2016, the hackers g0ldfisk and followr first disclosed the We-Vibe vulnerability, showing that anybody in Bluetooth range could take control of the device. As the duo noted during their presentation, such an intrusion would amount to sexual assault, so sexual assault now belongs on the list of possible consequences of unsecured IoT devices.

This vulnerability, together with a shockingly audacious and undisclosed collection of data about users' sexual habits (device temperature and vibration intensity, collected insecurely and stored as identifiable data tied to their e-mail addresses), led to the class action lawsuit that has now been settled. The manufacturer, Standard Innovation, which makes the We-Vibe, will pay four million Canadian dollars, which the author estimates works out to perhaps C$500 for a violated individual at best.

"The lawyers for the anonymous plaintiffs contended that the app, 'incredibly,' collected users' email addresses, allowing the company 'to link the usage information to specific customer accounts.'" (US NPR)

This is just the start of a wave of devices built by engineering morons who may understand their original field (sex toys, in this case) but have no clue whatsoever about Internet-level security. They are not alone: corporations as large as the biggest banks enjoyed the comfort of a private network until quite recently, and have had to wake up in a hurry to the fact that all input must be regarded as hostile until proven friendly. The engineering principle that "your code is the last piece of code standing", meaning nothing upstream of you can be trusted to have validated anything, woke Microsoft up as late as fifteen years ago, and Microsoft was late to that game even within IT. That is nothing compared to the non-IT players now wanting in on the Internet of Things and its Fun Profitable Apps, who still have not learned it.


Maybe the most egregious thing about all this is that the vibrator maker continues to collect the private data, just under a "clarified" privacy policy, in which two things immediately stand out. First, the collection of sex-habit data is opt-out, meaning your sex life will be spied on unless you take active steps to prevent it (an opt-out default for data this sensitive is outright illegal in several parts of the world, and for good reason). Second, the company reserves the right to sell such data to anyone it likes, but dresses this in language suggesting the opposite: "We will never sell your usage data to a third party … except for as specified in our policy". The last clause makes the first clause worthless; what it actually says is "we will sell your usage data to third parties as specified".


Your privacy indeed remains your own responsibility.