• United States



Sonos: Accept new privacy policy or devices ‘may cease to function’

Aug 23, 20176 mins
Internet of ThingsPrivacySecurity

Those high-dollar wireless speakers won't be bricked, but they won't get updates and may stop working if you don't agree to Sonos' new privacy policy and additional data collection.

Sonos, that’s a really jerky thing to do — to tell your customers they must accept your new privacy policy or else those high-dollar wireless speakers will slowly die.

Sonos speakers are certainly not cheap, but those who weren’t afraid to pull the trigger and outfit their home with the wireless speakers are being rewarded for their loyalty by being threatened…do what we say or else.

A company can candy-coat the “or else” — such as Sonos claiming in its new privacy policy: “Sonos respects your privacy and your rights to control your personal data” — but it still boils down to do as we say or else. If Sonos really respected your privacy and right to control the data collected from devices that are in the privacy of your home, then you would be able to opt out of the policy.

On August 17, an email arrived from Sonos announcing, “We’re updating our privacy statement.” The company knows if you opened the email due to the embedded pixel it uses to tell if you viewed it. It contains a link to Sonos’ updated privacy statement, as well as a blog post about the new policy that tries to explain why the company wants to start collecting more data.

Users will be able to opt out of some of the collected data, but not others. Regarding functional data, Sonos says:

“You will not be able to opt out from this data collection, sharing and/or processing.”

Functional data, for example, includes the data collected when you register Sonos equipment; if you want it to work, you must register. Sonos collects your name, phone number, email address, location data, your Sonos account password, passwords hints, IP address, language preference and product serial number.

Functional data also includes system data:

This data includes things like Product type, controller device type, operating system of controller, software version information, content source (audio line in), signal input (for example, whether your TV outputs a specific audio signal such as Dolby to your Sonos system), information about Wi-Fi antennas, audio settings (such as equalization or stereo pair), Product orientation, room names you have assigned to your Sonos Product, whether your product has been tuned using Sonos Trueplay technology, and error information.

If you don’t agree to the updated terms, you might as well start shopping for wireless speakers again. A Sonos spokesperson told ZDNet, “The customer can choose to acknowledge the policy, or [they] can accept that over time their product may cease to function.”

Sonos added: “If a customer chooses not to acknowledge the privacy statement, the customer will not be able to update the software on their Sonos system, and over time the functionality of the product will decrease.”

At first, I thought Sonos was about to brick my speakers. It was a great deal of work several years back to make Sonos cooperate with SmartThings in order for guests entering my house to get a specialized message or song as they entered. But a Sonos spokesperson told The Register, “If you choose not to provide the functional data, you won’t be able to receive software updates. It’s not like if you don’t accept it, we’d be shutting down your device or intentionally bricking it.”

No functionality or security updates

Yet refusing to accept the new privacy policy and the collection of functional data means you won’t get updates to improve functionality or security.

One of the new functionalities users have been waiting on is the ability to use voice control to play music through the Sonos speakers. Sonos has been promising that functionality for more than year, back when it teased that users could use one of Amazon’s Alexa-enabled devices to “play, pause, skip or control volume on any Sonos home sound system using the power of their voice.”

But it’s not just Amazon’s voice assistant. A Sonos spokesperson told Variety the new privacy policy “also covers Sonos-made speakers with integrated mics: ‘It covers those things that we’ve already talked about like Alexa integration, currently in private beta. It also covers future voice experiences like additional voice assistants and any future products with integrated microphones.’”

Dammit, Sonos, your speakers are not cheap, but this do-it-or-else move — after users have dropped big bucks for a Sonos system — is cheap.

The plan to collect more data on users without the ability to opt out worked out so well for Plex; users revolted, planning to give up the service, then Plex made some changes.

Is that IoT device worth the risk?

A service, however, is not the same as devices we bring into the privacy of our homes in order to make them more convenient or “smart.” IoT devices have notoriously bad security, so users first must decide if the risk is worth the reward. Hopefully that includes checking out the permissions in the accompanying app; a product can sound good until you see the overreaching permissions it requires.

An even bigger trend than companies changing privacy policies with no opt-out is users being forced to accept new permissions in smart device apps. A device, or even service, may work fine without needing access to camera and microphone (and/or contacts, location, etc.), but don’t be surprised when those permissions are added. No, you don’t have to accept, but if it is a smart device, you won’t get access to updated firmware — often closing security vulnerabilities — without accepting the permissions for the updated app.

As for the change Sonos is making, it comes down to deciding if I want my home theater experience, as well as speakers for music, to slowly degrade. I have eight Sonos speakers, which was a big investment for me. And I’m not even a tiny bit happy that if I want to voice-control music via all those Sonos speakers, via Alexa and her many microphones which was a gift, then I have to agree to changes affecting my privacy that came after I spend so much on Sonos.

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.