Security Experts:

Bose Wireless Headphones Spy on Users, Lawsuit Claims

Bose Headphones Join the Internet of Spying Things

Bose wireless headphones, that sell for up to $350, collect the listening habits of users via an associated app. This data is transmitted to Bose, who then passes the data to a marketing company, a lawsuit alleges. One aggrieved user brought the class action suit against Bose, alleging infringement of the federal Wiretap Act and numerous state laws.

Illinois case 17-cv-2928, brought by Bose customer Kyle Zak "on behalf of others similarly situated" claims the case is worth more than $5 million; but without specifying damages, seeks a jury trial.

The lawsuit states that Bose introduced a mobile phone app, the Bose Connect, in 2016 to remotely control and manage the headphones via a Bluetooth connection. Bose advertised this with the claim, the "Bose Connect app unlocks current and future headphone features. Download now."

Unknown to the customer, states the lawsuit, Bose "designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties -- including a data miner -- without its customers' knowledge or consent."

Since Bose also asks for the name, email address and the product's serial number, it is able to build detailed listening habits of known individuals.

These listening habits can help produce a personal profile of the customer. The lawsuit claims that "numerous scientific studies show that musical preferences reflect explicit characteristics such as age, personality, and values, and can likely even be used to identify people with autism spectrum conditions." Audio podcasts can be even more revealing, potentially identifying the race, religion, sexual orientation and health issues of the listener.

Such privacy issues usually revolve around the concept of informed consent. Zak claims that he would not have purchased the headphones had he been aware of the data collection. The privacy policy with the app, however, makes it clear that Bose collects data, tracks the user and shares that data. "We share the information that we collect with a variety of third parties. Additionally, other third parties collect information directly through the app."

This clear statement would be a red flag to any privacy-conscious user. However, by the time it is seen, the user will almost certainly have already spent up to $350 on the headphones themselves. Although they can function without the app, it is the app that maximizes their quality.

Zak is represented by Christopher Dore, a partner at Edelson PC. According to Reuters, Edelson specializes in suing technology companies over alleged privacy violations. Dore told Reuters that customers do not see the Bose app's user service and privacy agreements when signing up, and the privacy agreement says nothing about data collection.

This last comment is either wrong, or the app's privacy policy has since been updated.

In February 2017, Smart TV manufacturer Vizio agreed to pay an FTC settlement of $2.2 million over allegations that it collected information on users viewing habits without their knowledge. Although the settlement did not include an admission of 'guilt', Vizio will now prominently display its wish to collect data, and ensure it obtains affirmative express consent.

Late last year, a team of researchers demonstrated how a piece of malware could spy on users by silently turning their headphones into a microphone that can capture audio data from a significant distance. Early this year, German regulators banned an internet-connected doll called "My Friend Cayla" after warning that it was a de facto "spying device".

Related Reading: Shazam for Mac Keeps Listening Even When Disabled

Related Reading: Malware Can Spy on Users via Headphones: Researchers

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.