Dec 03 2017

Yes, a sex toy recording audio without consent is still a big deal

A few weeks ago, a post popped up in Reddit's /r/sex community claiming that the Lovense Android app was taking audio recordings when the company's "connected" sex toys were in use, and saving them to the device SD card. This was quickly corroborated by other Android-using Lovense owners, and then quickly spread through the media like wildfire, with a heavy dose of speculation on whether the app sent this sound data to Lovense. A few days later, the company chimed in:

Regarding the sound file in question, it has already been confirmed that this is a minor bug - a temporary file that is created when someone uses the Sound Control feature. Your concern is completely understandable. But rest assured, no information or data is sent to our servers.

In the interim, RenderMan posted on the website of Internet of Dongs, his sex toy security auditing project, in an article entitled Destroying the Reddit Lovense Remote Vuln Conspiracy (emphasis in original):

Given that the function the user was using the app, the "Ambient Sound" function, I do wonder about them. Presuming they know that the louder the sounds around them, the more the device vibrated, I would ask a very simple question: "How did you think that the app knew what the ambient sound levels were without using the microphone?". To my knowledge, phones are not telepathic (yet. I bet Google's has a project trying to do that right now).

Android permissions are not that granular. Granting an app a permission for the microphone and camera allows any part of the app to use those functions should it want to. You cannot (though it would be nice to) have granular control of when you want to allow permission in an app or not.

Putting aside RenderMan's insistence on repeatedly belittling a layperson for not being as clever as he is, I have a few issues with this response.

This isn't how this feature should work

RenderMan asks above, in so many words, "well, what did you think this feature would do?" I would have expected that the app records sound into a short buffer of some kind, perhaps does a bit of post-processing, calculates the amplitude over a short period of that data, and sends that to the toy to update its vibration intensity. I wouldn't have expected the app to store sound data for more than a few seconds, if that, and I certainly wouldn't expect it to store an entire session of sound data and leave it lying around on disk afterwards.

A user with less technical knowledge might not express it in the same way, but would probably expect the same; after all, the app doesn't need to know what the ambient sound intensity was ten seconds or one minute or ten minutes ago; it only needs to know what it is right now, so why would it keep that data around?

RenderMan sort of acknowledges that the file didn't need to be written to disk:

While this file could be stored in RAM, it is much easier and more efficient to stream it to disk for temporary storage (500mb of RAM is more useful than 500mb of disk). This makes sense, especially when it was clear that the file was meant to be purged once it was no longer needed.

The thing is, the file didn't need to be 500MB either; a few seconds of uncompressed audio is only a few hundred kilobytes.

Recording people having sex is still kind of a big deal

So we know, both from RenderMan's analysis and Lovense's response, that the data was never sent anywhere, it just stayed on disk until it was overwritten by the next use of that feature. That's better than the alternative, but the fact remains that the app stored a recording of its users without their consent.

That would be a problem in any case, but this is an app whose primary purpose is use during sexual activity. Not only are plenty of people self-conscious about the sounds they make during sex, but recordings of people having sex or masturbating—even though they're perfectly normal things most adults do, and even when those recordings are made or shared without consent—can ruin careers and lives. (Fortunately, these recordings are just sound with no video, which probably makes them less desirable in the unscrupulous parts of the Internet where these things are shared should they leak, but there are other parts of the Lovense app that do use video.)

As soon as those recordings are made, they're a liability, and making them without telling the user is careless at best. They might not get sent to Lovense's servers, but they're still lying around on disk, unbeknownst to the phone's owner, waiting to be discovered by a "friend" that thinks shoulder-surfing someone's PIN code and browsing through an unattended phone is okay, or exfiltrated by a third-party app that's been granted unrestricted disk access.

RenderMan comes so close to realising why people are so bothered by this—yet so, so far:

Authors Note: I can't imagine the usefulness of Ambient sound recordings of users IoD usage would be of any use to vendors. Have you ever stepped back and listened to people have sex? People make some of the most ridiculous sounds mid coitus, so it's only useful for comedy purposes I think

This isn't, as Lovense suggested, a "minor bug".

It wasn't malevolent, but that doesn't make it okay

RenderMan correctly points out that Lovense have nothing to gain from collecting this data, and there's no reason to accuse them of maliciously spying on their users. In reality, there's probably something like this floating around in Lovense's codebase:

// TODO: only store what we need,
// rather than writing everything to disk

People make mistakes. Software developers, despite what we like to think about ourselves, are particularly adept at it. Lovense, to their credit, fixed the bug as soon as it was brought to their attention.

Connected sex toys, though, are something that users are putting a lot of trust in—literally putting them in, on or around the most sensitive and private parts of their bodies, then connecting them to a network shared by half the world's population—meanwhile the tech industry more broadly seems to be bent on proving itself unworthy of public trust. PR departments like Lovense's downplaying a problem with their products is par for the course, but when independent security researchers do the same, then proceed to belittle users that have concerns, it really doesn't help that perception.