Bose accused of spying on users, illegal wiretapping via Bose Connect app

A lawsuit alleges the Bose Connect app secretly intercepts and shares what you listen to.

bose qc35 on seamus
Seamus Bellamy

Those high-dollar Bose headphones? A lawsuit filed in Chicago contends Bose has been spying on users via the Bose Connect app, which enables users to remotely control their Bose headphones, and violating their privacy rights by selling the information about what they listen to without permission. Furthermore, Kyle Zak accused Bose of illegal wiretapping.

The lawsuit claims the app also has a data miner called Segment, the company behind the data miner, advertises, “Collect all of your customer data and send it anywhere.”

The complaint is a proposed class action for all people in the U.S. who bought a Bose wireless product and installed the Bose Connect app. It specifically mentions the Bose products QuietComfort 35, SoundSport Wireless, SoundSport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II.

Bose allegedly designed the Bose Connect app to scoop up data. It claims the app was designed to “continuously record the contents of the electronic communications that users send to their Bose Wireless Products from their smartphones, including the names of the music and audio tracks they select to play along with the corresponding artist and album information, together with the Bose Wireless Product’s serial numbers.”

The lawsuit alleges that what a person listens to—music, radio broadcasts, Podcasts, lectures and audio books—reveals their political and religious views “thoughts, sentiments and emotions.” It “is enough to make accurate judgements and predictions about their personalities and behaviors.”

If you look on Google Play, installing Bose Connect grants permission for access to several listings under Other: bind to an accessibility service, view network connections, pair with Bluetooth devices, access Bluetooth settings and full network access. That alone gives no hint that Bose is doing what the lawsuit proposes.

Bose failed to first obtain consent from customers “before intercepting, monitoring, collecting and transmitting their media information,” the lawsuit claims. In fact, Bose “concealed its actual data collection policies.”

A big part of the lawsuit revolves around the fact that Zak never gave his consent to Bose to “monitor, collect and transmit” his media information. Since Bose designed its app to “contemporaneously and secretly collect” information about what a user listens to, then Zak—an Illinois resident—and his attorney contend the interception of content means Bose is in violation of the Federal Wiretap Act.

“Bose is not alone here,” said Bob Noel, director of strategic relationships and marketing for Plixer International. “A recent webinar reviewed how several companies are stealing personally identifiable information (PII) from their customers.”

Noel added, “One important part of the equation to understand in this case is whether or not there is an end user license agreement (EULA) outlining the PII that Bose is taking. In many cases, the EULA you agree to when you download an application gives the manufacturer the right to collect and/or sell that data.

"An important factor to consider is whether consumers have the ability to verify the data collected aligns to what was agreed upon when the EULA was accepted. In many cases this can be difficult because the data collection occurs across an encrypted tunnel. You know data is being collected, but as a consumer, it is impossible to verify what data is being taken and what the manufacturer is doing with that data.”

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)