Bose Corp. looks pretty bad for allegedly “spying” on users of its Bose Connect headphone app. A class-action lawsuit filed yesterday in the Northern District of Illinois, alleges violations of the Federal Wiretap Act and other laws that protect consumer privacy.
Plaintiff Kyle Zak (rather, his attorneys) claims Bose collects listener information through the app, and shares that data with at least one party: the data-mining firm Segment.io.
The lawsuit uses a bunch of damning language, lambasting Bose for “secretly collecting, transmitting, and disclosing its customers’ private music and audio selections to third parties, including a data mining company.”
The attorneys note that one’s personal audio selections “provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity.”
Music selections, for example, could reveal if a listener is Muslim, gay, HIV-positive or autistic.
Indeed, such data if exposed could enrich a lot of companies or destroy a lot of individual lives. But there’s no suggestion in the lawsuit that Bose actually shared any data outside its walls except for Segment.io.
Segment.io helps companies crunch data from their users in order to inform their product, marketing and strategic roadmaps.
I’m guessing in this case, Bose didn’t actually share personal identifiable information with anyone at Segment (or Bose itself). Rather, they likely used Segment’s API to crunch the numbers. I’m guessing also that Bose – with all its fancy lawyers – is pretty protective of this data and the privacy of its customers.
Let’s just assume Bose didn’t share consumer data with any third-party entity beyond the Segment servers. Let’s also assume the data allegedly collected was done so in aggregate, without clues as to the identity of any individuals.
Should companies be prohibited from “sharing” or “transmitting” data with subcontractors, including “virtual contractors” like cloud-based servers and APIs?
Virtually every respectable purveyor of electronic devices monitors those devices for product performance, user experience, diagnostics, marketing, security, and so many other purposes.
What if Bose were running consumer data through a third-party security provider to check for malware? Would such “sharing” be prohibited under privacy laws?
One important allegation in the lawsuit is that Bose failed to warn consumers about data collection or dissemination.
Even if that’s the case, at what point must suppliers disclose collection or dissemination of data? At what point do we need to advise connected consumers that their connected products might be monitored?
Instead, maybe we should warn consumers, “No one monitors your data; therefore, we cannot look for security breaches, and we cannot make improvements to your devices.”
The plaintiff alleges “few, if any, of its customers would have purchased a Bose Wireless Product in the first place had they known that it would monitor, collect, and transmit their Media Information.”
We know that plaintiff owns a smart phone. Presumably he owns a smart TV or an Internet-connected computer, maybe a connected security camera or alarm system.
And he wouldn’t have purchased a Bose wireless headphone, nor use the Connect app?