A class action lawsuit has been filed against smart vibrator manufacturer Lovense for transmitting intimate customer data without their consent.
According to court papers from the ongoing case in California, the business was unlawfully intercepting intimate user data from its Lush smart vibrator beyond the limitations of what the Federal Wiretap Act allows.
In other words, the court is arguing that Lovense’s parent company, Hong Kong-based Hytto Ltd, has been storing sensitive customer data, despite promising users in its disclaimer that their privacy is taken “very seriously”. These things include the precise date and time paired Lovense devices are used, the vibration intensity level users select via the app and the email addresses of users sending and receiving commands.
Previously, Hytto had argued it was exempt from the US law as its headquarters are in China. But the judge ruled that as the site’s default shipping destination and currency is the US and US dollar, and 40 percent of its web traffic comes from US customers, it is “aware of its significant customer base” and must comply with the US Wiretapping Act.
By intercepting the transmissions of Body Chat app users, Hytto targeted its wrongful conduct at customers, some of whom Hytto knew, at least constructively, were residents of the US
In the hearing, Hytto argued that “it is commonly understood” that apps collect information from users about usage and, therefore, its data gathering is not “highly offensive.”
However, the anonymous plaintiff put forward a screenshot from the Lovense.com website that reads: “We take your privacy very seriously. We have designed our system to record as little information about our users as possible. Absolutely no sensitive data (pictures, video, chat logs) pass through (or are held) on our servers. All data transfers are peer-to-peer. Furthermore, we encrypt the data before passing it along to your partner.”
But what constitutes “sensitive data”? This is where the case gets interesting. Under the Act, it’s expected that so-called “record information” will be transmitted with user-generated messaging. Record information is typically automatically-generated data, which is “incidental to the use of the communication device”.
On the other hand, “content” is protected under the Act. “Content” is a person’s intended message to another person and the “essential part” of a communication. And unlike record information, content is not generated automatically, but through the intent of the user.
Lovense’s Body Chat app works by transmitting a user’s desired strength of touch, through – like many sex toy apps – tapping a pattern on a smartphone’s interface. So the question really comes down to whether communicating through “touch” was incidental to the messaging (“record information”), or whether it was intentional (“content”).
Hytto argued that this data does not constitute “content” of “electronic communication” under the Act, but the judge ruled that “the vibration intensity is entered into an app only at the user’s instigation; unlike record information, vibration intensity is not automatically generated data.”
This is not the first time a smart sex toy manufacturer has been involved in a privacy case. In 2017, Canadian firm Standard Innovation, the parent company of We-Vibe, was ordered to pay a total of $4m (£2.5m) to claimants who bought one of its devices and used the accompanying app.
Hytto CEO Dan Liu told SEXTECHGUIDE: “Hytto takes the privacy of its customers very seriously. As a company, we invested heavily in the HackerOne Bug Bounty program. The program allows “white hat” hackers to attempt to gain access to our data and identify any weaknesses in our data security, which permits us to ensure our users’ privacy.
“As to the complaint filed in California, we are confident that the facts, once they are revealed to the Court, will show that we did not store any “intimate” details from the communications between our users. To the extent that our servers received any information, it was only to communicate that information to the partnered user – not to store it or use it for any purpose of our own.”
Attorney Patrick M Jones added: “Similar cases have attempted to apply a more than sixty-year-old statute that was designed to prevent the interception of phone calls over wires to complex, modern communications made via the internet. Hytto does not, as the facts will show, intercept communication. Nonetheless, cases like these threaten to disrupt the global internet-connected App industry, which is one of the many reasons why we believe that they will not be successful.”
For now, the case continues. The judge has allowed the anonymous plaintiff to add state privacy violations to the lawsuit, giving them until June 14 to modify the suit.
Read Next: Privacy-invading camera tech is a problem that authorities will always struggle to combat
