GPS has to be on? Data is egressed to a third party? For headphones?
That is nasty...
When oh when will there be a rebellion against data slurping?
A chap in Chicago is suing headphone maker Bose after discovering how much personal information its app was phoning home to base – this slurped data includes songs listened to, for how long, and when. The class-action lawsuit, filed Tuesday in the US district court of Illinois by a one Kyle Zak, claims the Bose Connect …
True. But on the other hand, they at least warn you about it, before you start using the app. Zak will have difficulty saying he wasn't warned of this behaviour.
When he downloaded the app and saw what information they would be slurping, he should have not accepted the app and asked for a refund on the headphones.
What's that you say? He didn't read the UA?
Whilst I think the amount of data slurping is wrong, I don't think Zak has a leg to stand on.
I can also see why they would find the information useful, for tuning the headphones based on the type of music / audio being listened to. But that should be down to the user to enable / disable.
I bought a cheap (£15) webcam that turned out not to be a webcam as such. It only works with a special Android app. The app asks for the following permissions:
Device & app history
retrieve running apps
read sensitive log data
Contacts
read your contacts
Location
approximate location (network-based)
Phone
read phone status and identity
Photos/Media/Files
access USB storage filesystem
read the contents of your USB storage
modify or delete the contents of your USB storage
Storage
read the contents of your USB storage
modify or delete the contents of your USB storage
Camera
take pictures and videos
Microphone
record audio
Wi-Fi connection information
view Wi-Fi connections
Device ID & call information
read phone status and identity
Other
Access download manager.
download files without notification
close other apps
view network connections
read battery statistics
pair with Bluetooth devices
send sticky broadcast
change system display settings
change network connectivity
allow Wi-Fi Multicast reception
connect and disconnect from Wi-Fi
disable your screen lock
control flashlight
full network access
close other apps
change your audio settings
run at startup
control vibration
prevent device from sleeping
modify system settings
"When he downloaded the app and saw what information they would be slurping, he should have not accepted the app and asked for a refund on the headphones."
Well, yes... but..
How boring would our lives be if everything we wanted to use had terms we didn't like.
I also think the whole world attitude to assuming it's the norm to give up your data should be quashed to history like slavery.
I agree, which I would have asked for a refund, if I found out they were going to slurp that sort of data.
If I was a beta tester and getting the headphones for free, because I was providing them with data for them to improve the headset ahead of production, that would be fine. If I am paying that much money, I don't expect to be spied upon or used as a guinea pig.
@Daniel Hall
I also think the whole world attitude to assuming it's the norm to give up your data should be quashed to history like slavery.
Have an upvote. I'd give you 100 if I could. It's REALLY time we did something about making privacy more than an (obsolete) word in the dictionary.
"What's that you say? He didn't read the UA?"
You mean the UA/EULA/TOC that's pages and pages of lawyer-speak, designed to obfuscate information and mislead the reader?
Let's say he did, does it matter? Not a bit, since they all say "You the customer and your descendants to the fourth generation are bound by this irrevocably forever and have no recourse to complain or sue. However, we can change this in any way at any time in ways we won't tell you about much less ask if you're still OK with it."
The universal TOC is really "You have no rights and never will. We have any right we want at any time. Click OK, you miserable ant."
"What's that you say? He didn't read the UA?"
UA or EULA or whatever "agreement" quickly passed by his eyeballs when he just purchased a device and wanted to use it... regardless of THAT, you missed the entire point:
THEY! SHOULD! NEVER! HAVE! SLURPED! THE! DATA! IN! THE! FIRST! PLACE!!!
Needless to say, until Bose ADJUSTS! THEIR! ATTITUDE! they won't be getting MY business.
/me wonders if it's ALSO designed to forward information on "illegally downloaded" music for future retribution by RIAA...
@smithwr101,
"Actually when you fire up Bose Connect it says "Apps using Bluetooth Low Energy are now required to have location access enabled. We don't like it either." So it looks like an Android or other third party constraint"
That really sucks.
Taking a look over at Stack Overflow here and here reveals that this is an Android thing, and comparatively recent.
Sounds like the real culprit is Google. Again. Do no evil. Arse cakes.
Android has got better at letting you know which apps are using what dodgy permissions. When you download an app from the store, it will kindly list the permissions the app demands *before* you install it (GPS Location, photos, media files, permission to send and receive phone calls and messages, first dibs on your firstborn for a flashlight app, for example), and even if you still install, it's trivial to turn these permissions off afterwards. Of course, app providers are getting sneakier in their attempts to keep those permissions active ("your flashlight may not know how bright it needs to be unless it knows how dark it is where you are based on your GPS location and how much we can see through your camera").
Also the advantage of 3.5mm jack dumb phones, which inherently are better quality as any wireless earphones need a DAC anyway and have the additional overhead of Bluetooth. Space and power constraints also mean that five year old phone with 3.5mm analogue jack may have a better DAC and audio amp than the device(s) in the wireless headphones / earbuds.
Also the Analogue 3.5mm headphones work on anything without pairing, don't need a dataslurping app etc.
A BT earpiece is handy for handsfree conversation. I've got good BT stereo earphones and I've gone back to analogue, because no pairing and work on more stuff.
@Mage,
"Also the advantage of 3.5mm jack dumb phones, which inherently are better quality as any wireless earphones need a DAC anyway and have the additional overhead of Bluetooth. Space and power constraints also mean that five year old phone with 3.5mm analogue jack may have a better DAC and audio amp than the device(s) in the wireless headphones / earbuds."
<pedant mode>
<apologies>
The issue is one of audio compression on the Bluetooth link. It's not full, uncompressed 44.1kHz 16 bit stereo PCM. The loss of quality due to the compression artifacts would likely dominate any other impairments due to crummy DACs, etc. And generally music is stored / streamed compressed on a mobile phone, so it's a losing battle anyway.
Not that anyone who listens to today's modern popular beat combos would be able to tell hifi from cheapfi, given the appallingly reckless and discordant nature of such music.
</pedant mode>
"Also the Analogue 3.5mm headphones work on anything without pairing, don't need a dataslurping app etc."
Shhhh! Don't go giving the bastards bad ideas!!!!
The issue is one of audio compression on the Bluetooth link. It's not full, uncompressed 44.1kHz 16 bit stereo PCM.
A song stored in 44.1kHz 16-bit WAV format is typically 40-50MB. However, most people will be listening to that song from an MP3 or AAC file, that was squashed down to 4MB or less using lossy compression. Bluetooth is not the weakest link in that signal chain.
> include not being able to afford Bose headphones.
I can afford Bose headphones, but I actually like music so I bought some real headphones instead.
They cost 1/3 of the price, don't require GPS to operate and don't make me look like a posing twat. Thanks to a 2nd hand blue-tooth brick they can also be wireless when I need them to be.
Music is but a small part of the QuietComfort experience. It's nice to have music, but the superior noise reduction these bring to the table (vs. el-cheapo Sony cans) is worth every damn penny. I put them on, I still hear some of the conversation from people who never learned the difference between their "inside voice" and "outside voice" in the open-floorplan hell almost all of us are forced to work in, and then I turn them on... Sweet, sweet (mostly) silence. Not quite a snowy day out in the country, but as close as I can get without screaming at everyone to "shut the fuck up for once". Adding my favorite music covers up the rest of the conversation.
n.b. I don't work for Bose, nor have I met a Bose. I just don't like having to listen to random twats prattle on all day long. The $350 I handed over to The Bezos for my QC35s was a fantastic investment in my sanity and employability.
"but the superior noise reduction these bring to the table (vs. el-cheapo Sony cans)"
Now there's where you and I differ.
I use a pair of Sony* outdoorsman earphones because I want to listen to my music and be aware of my surroundings.
(Wouldn't want to miss such outside sounds as *HONK*, *Look out!*, and "MY God! He's gotta gun!!") ☺
For just enjoying the music and nothing else, nothing beats a decent set of speakers and a quiet room.
* *Spit*, Only Sony product I own. Dates back before they let the media wing consume all that was good in the company. (Yes, the headphones are *that* good and durable!)
+1. I've got a large-ish collection of headphones. The QC35s are my every day carry. The sound isn't going to blow you away; the bass is paltry and the highs a bit thin, but they are sturdy, very comfortable, the battery lasts for ages, the call quality is good, the bluetooth performance is great and the noise cancelling is the best I've ever used.
I spend far too much of my life on trains and planes and in other people's noisy offices, so just being able to flick a switch and have it almost disappear is a godsend. Also means you can run the headphones themselves at a much lower volume, which is good for your ears.
If only wearing them didn't mark you out as that prick who dropped £300 on a pair of sub-standard cans...
You can't use all the functionality of the headphones without the app, so spend $350 then discover either, they revert to $50 [equivalent] 'phones, or "all your data are belong to us". Like all Bose gear a bit flawed, but otherwise awesome.
It's a bit like agreeing to the EULA inside the sealed box when you buy physical software media, which I believe is outlawed/unenforceable in some countries. [Oz, France? CBA searching]
Slurping!? Just ---->
It is illegal in Germany to apply terms to a EULA that weren't clearly readable on the retail box, before you get to the checkout (or in the case of mail order, before you open the packaging).
That is why a Hackintosh wasn't exactly illegal here, until they stopped selling retail copies of OS X - the relevant paragraphs in the EULA about not using it on non-Apple branded hardware were inside the sealed packaging and therefore could not be enforced in Germany.
"That is why a Hackintosh wasn't exactly illegal here (Germany)..."
In the USA, on one hand it is a DMCA violation, and one company has been ordered to pay $2,500 for each PC they shipped with MacOS X installed. On the other hand, in practice Apple does nothing _unless you claim in public that it is legal_. They don't care much if you make a copy of MacOS X. They care _a lot_ if you make a copy of MacOS X and claim it is legal.
"It's a bit like agreeing to the EULA inside the sealed box when you buy physical software media,"
Usually the way this works is that acceptance of the EULA is part of the contract. So you open the box with the software, find the EULA, don't like it, and you either go back to the store and ask for your money back, and they _have_ to give your money back because the sales contract was never finished, _or_ you don't accept the EULA, install the software and commit copyright infringement (but nobody can prove that you didn't accept the EULA), or you accept the EULA.
Yes, I can understand that's mildly annoying, but asking for $5 million shows him to be nothing more than a money grabbing twat.
To be fair, that's probably only $1,000 for him and $4.999m for the legal vultures really running this claim and looking forward to that third home in the Hamptons.
Plenty of downvotes for my previous comment, but can someone clarify why?
I agree that sending this data to Bose is unnecessary, but I really despair when people feel the need to sling multi-million dollar lawsuits every time they feel slightly put out. If the Bose app forced you to enter credit card details, social security numbers, address details etc, before the headphones could even perform their primary function of playing any music, then this might have some traction. But to sue a company because, in essence, you haven't read the T&C's, and Bose might find out that someone (though may not even know who, other than an identifier) actually willingly listened to Kanye West at 3PM on a Tuesday? *
I'm presumably in the minority here, but I just don't like the stance of trying to sue for millions for first-world problems. By all means complain to them, call them out on social media, name and shame on relevant news sites etc, but to feel the need to claim for "damages"? I just don't get it.
* - Though that in itself is a crime against music.
"Plenty of downvotes for my previous comment, but can someone clarify why?"
Because businesses that pull this sort of trattery need to be taught otherwise. A suit which makes a sizeable enough dent for upper management to start thinking about it has that effect. Asking for his money back doesn't.
Any less and they don't care and don't stop.
Even criminal fines are often regarded as "cost of business" if not severe and also because the top managers don't suffer unless the consequences seriously upset shareholders.
Senior managers / CEO etc need to be also personally liable for their management.
Until such time those heads of industry are physically on the block with a sharp blade at the ready, nothing will be done.
Ok.. so you whack off the head of an exec. Does that change the exec? Was there actually a brain in that head or is it hidden? Too many execs I've met had their brains in their ass....
"despair when people feel the need to sling multi-million dollar lawsuits every time they feel slightly put out."
Other reasons to do so besides *KA-CHING*:
>Said publicity alerts more people to the problem, so more people less likely to fall in same trap or sue if they're in the same situation, and company is more likely to settle quickly to make bad publicity go away.
> Company is likely to offer to counter-offer that's more in line with what he really wants.
>Because he's fucking pissed, and this is the version of two fingers up that the company understands and respects..
If he was presented with accurate and detailed disclosures and provided informed consent he may have a difficult case ahead. I guess there is also the question of whether the product itself provided enough notice prior to purchase that functionality is dependent on agreeing to terms of use and data sharing.
Data slurping is commonplace - a good % of apps (particularly free ones) collect more than strictly necessary to fulfil their function, what happens to the data collected and who it is shared with should be what worries us.
Bose's use of GPS is probably the most concerning - it doesn't take many time indexed GPS locations from a device to get to PII levels of data...
Play list suggestions,
Carly Simon - you belong to me
Lionel Richie - Hello
or the seminal classic,
The Police - every breath you take
I'm sure there's more but $350 for head phones and they have the cheek to sell your data as well. When will people learn? Interestingly though is there not a way for this case to be successful due to the fact it's not on the packaging of the purchased head phones. (It may be, I don't know) You could argue that the data collection was not explicitly stated when purchasing the item and that to use all the functionality you have to use their app.
"Connect app and while it's certainly very grabby on data – you need to have both GPS and Bluetooth turned on to use it"
While I do not see the need for the GPS I do have some sympathy for wanting the Bluetooth to be enabled what with them requiring the Bluetooth for Yer actual connectivity.
It's an optional app. It is not required to use Bose headphone with the app. If it was required, then Bose headphone won't work on other music device.
Then again, hardware company decided to develop apps? that's just calling for trouble. They deserve it (just like Lenovo laptop adsware, Samsung android, every IoT, etc)
When re-doing secret questions for an online service as I'd clearly made my last lot so secure even I couldn't get them right.. one of them was "who was your favourite musician growing up?" or something along those lines. Maybe "what was your favourite band?".
You really don't want your headphones providing an answer to that question to some data slurper.
Does it actually need GPS or just location services? On android I believe location services have to be enabled in order to use bluetooth because google. That doesn't excuse Bose for slurping data tho.
The play store says the required permissions are:
bind to an accessibility service
view network connections
pair with Bluetooth devices
access Bluetooth settings
full network access
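Added example, not part of any comment above and not code from Bose or Google: a small Python triage of the two permission listings quoted in this thread (the webcam app and Bose Connect), pairing each personal-data permission with network access. The category tables are this example's own assumption about which labels matter.

```python
# Added example: triage of Play-store-style permission labels.
# The category tables below are this example's own grouping, not Google's.

# Labels that gate access to personal data (label -> data source).
SOURCES = {
    "read your contacts": "contacts",
    "approximate location (network-based)": "location",
    "record audio": "microphone",
    "take pictures and videos": "camera",
    "read sensitive log data": "system logs",
    "retrieve running apps": "app usage",
    "read phone status and identity": "device identity",
}
# Labels that let collected data leave the device.
EGRESS = {"full network access"}
# Labels that keep the app running or weaken the device.
PERSISTENCE = {"run at startup", "prevent device from sleeping"}
TAMPERING = {
    "disable your screen lock",
    "close other apps",
    "modify system settings",
    "download files without notification",
}
KNOWN = set(SOURCES) | EGRESS | PERSISTENCE | TAMPERING


def normalise(listing):
    """Return the set of lower-cased labels, one per non-empty line."""
    return {ln.strip().rstrip(".").lower() for ln in listing.splitlines() if ln.strip()}


def triage(listing):
    """Classify a permission listing and pair each data source with egress."""
    labels = normalise(listing)
    sources = sorted({SOURCES[l] for l in labels if l in SOURCES})
    can_egress = bool(labels & EGRESS)
    return {
        "sources": sources,
        "can_egress": can_egress,
        # A source only becomes a leak path when the app can also reach the network.
        "leak_paths": [f"{s} -> network" for s in sources] if can_egress else [],
        "persistence": sorted(labels & PERSISTENCE),
        "tampering": sorted(labels & TAMPERING),
        # Labels this table does not judge; review them by hand.
        "unclassified": sorted(labels - KNOWN),
    }


# Excerpt of the webcam app's listing as posted in the thread.
WEBCAM_APP = """\
retrieve running apps
read sensitive log data
read your contacts
approximate location (network-based)
read phone status and identity
take pictures and videos
record audio
download files without notification
close other apps
disable your screen lock
full network access
run at startup
prevent device from sleeping
modify system settings
"""

# The Bose Connect listing as posted in the thread.
BOSE_CONNECT = """\
bind to an accessibility service
view network connections
pair with Bluetooth devices
access Bluetooth settings
full network access
"""

if __name__ == "__main__":
    for name, listing in (("webcam app", WEBCAM_APP), ("Bose Connect", BOSE_CONNECT)):
        report = triage(listing)
        print(name)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

An empty sources list only means no permission-gated data is requested; what an app reports about its own use (the songs played, per the lawsuit) never appears in a permission listing.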
On android I believe location services have to be enabled in order to use bluetooth because google.
Then Android is F*sked up. Since bluetooth connects audio devices and maybe keyboards, why do the devices need location services?
It might be linked with the continued and growing use of bluetooth beacons for the delivery of context local information (in museums and the like). Not that this is any reason for Bose to continue this piracy. On a related note, I have a set of Sony MDR11s (I think) - they are imho better than the Bose equivalent they are competing with and not having any leads is remarkably convenient when travelling. No data is slurped and no access other than bluetooth pairing is necessary. After many years of despairing to Sony's attempts to circumvent privacy they may be getting it right (or maybe they just have not got round to it :-(
"It might be linked with the continued and growing use of bluetooth beacons for the delivery of context local information (in museums and the like)."
But BT is very short range, so by definition, your location is "known" to a BT beacon far more accurately and reliably than any location service can provide, especially indoors in a museum.
"On android I believe location services have to be enabled in order to use bluetooth"
Your belief is wrong; Bluetooth and location services on Android are entirely separate things.
As for whether it needs location services to work, it seems a bit weird. I just tried installing it to check, and there was no mention of needing location services. Turning bluetooth off made the app immediately complain and refuse to do anything else until turned back on, but turning location on and off made no difference. However, there are reviews on the Play store going back to at least February which claim location services are needed to make it work.
In addition, the description of the app says this near the end:
"The Bose Connect app does NOT use GPS or your device's location for anything."
which seems to be protesting rather too much for an app that doesn't ask for permission to see your location or have any reason to want it. I've never seen an app feel the need to make this kind of declaration before. Given all this, I suspect that the lawsuit has been coming for a while, and El Reg did their test before the new version was released (on March 16th) which removed the need for location and goes out of its way to deny it would ever want something like that. The lawsuit has only just been filed, but could easily have been a month in the works with journalists lined up to publish once the filing is public. A flood of bad reviews on the Play store in the last couple of days suggests they've planned a bit of a media offensive to coincide with the filing.
Alternatively, maybe the app is just terribly written and forces you to turn location on once it's connected to something (I don't have a Bose speaker, so it never got past the connection stage) even though it doesn't actually have permission to access it.
Sorry, you must not do much Android development. Under Android 6 Bluetooth Low Energy scanning requires location services. That is a well documented FACT, not an opinion or belief. I suggest you look up the requirements of ScanSettings.Builder().setScanMode(ScanSettings.SCAN_MODE_LOW_POWER) before making additional blanket statements.
It is simple -- if they wanted to be able to scan for devices using the standard API in order to discover the speaker and make it easier for the user to connect, then Android requires that location services be enabled. There are workarounds, but implementing them comes with other costs in terms of handset compatibility.
As you admitted during your "test", you don't even have a Bose speaker and so never got to the point of doing a scan, therefore your "test" is completely meaningless as you could never have duplicated the issue.
> Here at Vulture West we downloaded the Bose Connect app and [...] there's a section in the software detailing Bose's privacy policy that clearly states that the app collects data and sends it to third parties.
It's possible that's a result of this legal action, and may not have been in place (or even in the same form), beforehand.
When I was a boy I used to look forward to living in the future, flying cars and video screens everywhere. I never expected that I would be longing for the 'good old days' where privacy was something everybody had and nobody was out to invade it. Now your OS, fridge, TV, fucking headphones, etc are all taking their slice and many idiots think it is fine and even defend the practice. I read 1984 and thought it was a good but chilling book that would never come true. How wrong was I...
"Sadly Mr Zak's musical tastes aren't detailed, but we can bet there are some stinkers in there."
I must admit ad hominems against the subject of an article apparently not supported by any evidence in the article itself (particularly against someone whose sole "offence" is not being a pushover) is a new low.
It was just a silly cheap joke. There was obviously nothing serious to it.
The Register has posted like this for like ever. You have been here ages too, so when did you turn into a prissie SJW?
Oh no! Someone made a joke about my music taste, the horror! I'm so triggered!!!
sigh, mumsnet and/or the daily mail are that way ----------->
Everyone is racing to make a stupid "app" that does little more than spy on us and assumes we'll happily install them all. Endless data for free forever, whee! Well sorry, but now I barely install any apps at all. The egregious screw-you toward customers and sociopathic spying have made me turn off the tap for everyone. I carefully check app permissions and have with regret decided to avoid many.
Yeah, I'm a paranoid pro geek, most people are not. I still expect a future backlash similar to what the freewheeling screw-you ad-slingers bought for themselves. There are several consumer pushbacks having a real effect on stupid and selfish industries, so there's some hope. The backlash against HFCS and other mystery chemicals has food companies scrambling to make Real Food products now. Anyway, I hold out a little hope, if the masses can be annoyed enough.
I'm scanning my music collection, punk section, for an appropriate track.
Ah, there it is. "F*** right off you f****** c***s"
Derek and Clive, actually.
It all depends on WHEN he was told. IANAL, but it is my understanding that contractual obligations can't be added after a purchase. Only before.
The dispute will probably hinge on the fact that the app was not bundled with the headphones.
He'll probably argue that he purchased the headphones based on the availability of the app, and the headphone case didn't say "conditions apply" or something.
If the app was free, he's probably SOL.
If the app was free, he's probably SOL.
No, because then you still have the issue of false advertising. For the full functionality you need the app. The app comes with conditions not presented at the time of purchase of the headphones, yet the capability is advertised, ergo a misleading sale.
There's lots of leverage here for an intelligent lawyer, and I suspect BOSE will soon make use of that staggering loophole under US law to cough up without admitting fault.
Did it say that stuff about sending data to third parties before the lawsuit or did you just download an updated version that says it now?
Anyway, regardless, the extent of the slurping is a problem because of your playlist being linked to your identity. I think the problem here isn't that it's sending usage data, but that in combination with your registration details (needed for the "warranty") it can personally identify you and your listening habits (which, as the lawsuit says, can link you to podcasts that determine your interests and even your personality).
Why do headphones need an app? Are they some kind of special headphones that don't work if you plug them into the phone, or sync them via bluetooth (if they are wireless)
If I bought headphones and they told me to download an app, I'd ignore them, because I'd figure I've already got music playing apps on my phone and don't need a me-too from Bose. If I found it was required, I'd be returning the headphones without ever trying them out!
I don't understand why people don't object to data slurping
It's all they've ever known. When we reminisce to millennials about things like "privacy," it's like when our grandparents talked to us about fetching water from the well or churning butter. It's so far outside their experience that they have no frame of reference for it.
So glad I bought the QC25's not the 35's
Incidentally your personal playlist and your GPS location is under GDPR "personal information" so Amir Bose can expect to pay 4% of his global turnover next May -unless he fixes it (I wonder what he will do :¬) )
But in Trumpton any data slurping by anyone is to be allowed and it can be sold to anyone. good luck and "have a nice day"
I was the girlfriend of a very wealthy and powerful man (Riklis) back in the 1980s-1993. When I had to flee my NYC apartment and move to Los Angeles my then "boy-friend" insisted that he was going to send me a new stereo and speakers. I thought it odd at the time but he purchased a small stereo for me with BOSE speakers. He then had this shipped from New York City to my new apartment in Los Angeles, California. I suspected at the time based on information I knew about him that the speakers (his family has been involved with radio wavelengths forever) had a spyware on them. The word was not a common word at the time. This morning as I was reviewing my notes of long ago for a project I am working on I stumbled across this lawsuit against BOSE for spyware. **This goes back decades and should, imo, be investigated further.** -Kirby Sommers, New York City