Until hackers discovered the internet of things, a maker of kitchen appliances didn’t have to worry about the security of its toasters. Now, though, the proliferation of networked devices—from televisions to refrigerators to, someday, self-driving cars—has spawned a new form of cyber attack. This is not only because the points of vulnerability multiply as a network expands, but also because many of the consumer-product manufacturers who now produce networked devices have no experience with digital security. And few internet-of-things product categories better demonstrate the urgent need to improve security standards than connected sex toys.
Arthur Rizer (@arthurrizer) is national security and justice policy director with the R Street Institute, a think tank focused on free markets. Amie Stepanovich (@astepanovich) is the US policy manager and global policy counsel at the human rights organization Access Now.
In late 2016, a pair of hackers at DefCon, an annual US hacking conference, revealed that one company’s connected vibrator, the We-Vibe, not only tracked sensitive data related to customers’ usage, but also that third parties could access that information. Even more troublingly, hackers were able to take control of the devices remotely.
At RightsCon Brussels 2017, a security researcher showed how another connected vibrator, this one with a built-in camera, could be hacked to allow unauthorized access to the video feed. These breaches highlight just a few of the wide array of connected products with potential vulnerabilities.
Talk of sex toys may elicit snickers. In fact, one company famous for distributing so-called stalkerware—software that enables surveillance—went so far to focus on sex toys for an elaborate April Fools’ joke, advertising the sale of malware that allegedly could allow strangers to hack into and control a wide range of devices. The people at FlexiSpy seemed to find it funny that a product could “take remote charge of a sex toy’s power button, speed, and preference settings—even when in use.”
But it’s no laughing matter, and these examples raise serious questions: Where does liability reside in a completely connected world, and what are the policy and legal ramifications of such widespread vulnerability?
Remember the We-Vibe that was hacked at DefCon? Standard Innovation, the Canadian company that manufactured the device, eventually doled out settlements to its US customers as a result of a class-action lawsuit filed after the 2016 hacking demonstration. The litigation relied on the DefCon demonstration to prove that the company was collecting information like the temperatures of the devices, as well the intensity of vibration and frequency of use, without users’ consent.
While it was the data collection that led to the settlement, another part of the 2016 DefCon demonstration showed an even darker potential use of the device: Using Bluetooth to connect the We-Vibe to the We-Connect app would allow a user to permit another user to control the device’s settings remotely. This was advertised as a way for partners to “keep their flame ignited— together or apart.”
That connection, however, also could be hijacked by a stranger or even a stalker to assert control over the device. This is possible by exploiting the connection to the device and monitoring its data.
This type of unwanted conduct begins to resemble sexual assault, and, based on a review of the law in jurisdictions across the US and around the world, may actually qualify as such in several areas. To press such charges, a victim first would need to overcome the threat of stigmatization, identify the attack’s perpetrator, and deal with the inherently thorny question of legal liability. Even if a victim could overcome those challenges, no state or federal legislature to date has actually considered this type of activity within the scope of criminal laws. Prosecutors, judges, and juries will undoubtedly face a steep learning curve when—not if—the first case is brought.
Sex toys aren’t the only connected device that highlight these kinds of legal ambiguities. State and federal law also largely remain unclear about the extent to which breaches of nonfinancial, but nonetheless personal, data require companies to notify users and respond to any problems. Many companies have recently had to tackle head-on the potential losses to users caused by inadequate security. Given the number of high-profile breaches, even large, established corporations sometimes fail to consider the potential nonfinancial harms (such as from the publication of personal photos or hyper-personal data about sexual activity) their users might suffer.
As we learned in the celebrity iPhone breach in 2014 and are learning again with connected sex toys, these are not hypothetical scenarios. While it’s likely impossible to prevent every one of these types of hacks, an approach to security that specifically considers these risks to the user could help make sure we’re preparing for them.
The March 2017 Vault 7 leak highlighted the Central Intelligence Agency’s history of hacking smartphones and smart TV microphones, which already reside in many citizens’ bedrooms. What happens when the device is intentionally designed to collect data about our most intimate encounters? No law would effectively prevent national security or law-enforcement from hacking these devices if those agencies thought the intrusion could produce information relevant to an investigation. One might fairly assume the intelligence community is not interested in monitoring sexual devices, but that could change fast and without notice. That means these questions are unlikely to go away absent legislation.
The cybersecurity, privacy and criminality concerns of so-called teledildonics are serious and should be taken seriously. They also showcase problems that apply across the entire realm of internet-connected devices. Legislators and policymakers might be uncomfortable talking about the intimate nature of these devices, but they must engage in a dialogue on legislative and policy solutions to each of these issues now, starting with ensuring that connected sex toys cannot be hacked to violate their users with impunity. If we wait until after a breach, we’ve waited too long.
Arthur Rizer (@arthurrizer) is national security and justice policy director with the R Street Institute, a think tank focused on free markets. Amie Stepanovich (@astepanovich) is the US policy manager and global policy counsel at the human rights organization Access Now. WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here.