Monetizing data, without consent

You can still download the application if you want. But if you believe what Kyle Zak has to say about it, it’s not something you would do. Not unless you don’t mind the trade-off between ease-of-use and the reams of information you will allegedly provide to the popular audio maker Bose Corp.

The lawsuit filed by Zak against Bose is the latest to allege companies of surreptitiously tracking consumers, without their consent, to collect data and then to either solicit more business or sell it to third parties. Early this year Ottawa-based sex toy maker We-Vibe settled a privacy lawsuit for $5 million after a line of its vibrators were found to have secretly collected and transmitted “highly sensitive information” about consumers without their knowledge or consent. In February 2017, Vizio Inc., one of the world’s largest television maker manufacturers and sellers of internet-connected “smart” televisions, agreed to pay US$2.2 million to settle charges by the Federal Trade Commission that it installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent.

The proposed class action against Bose alleges that the popular Boston-based audio manufacturer secretly collected, transmitted and disclosed its customers’ private music and audio selection to third parties, including a data mining company, The suit seeks an injunction to stop and prohibit Bose’s “wholesale disregard for consumer privacy rights” who download the companion app. Zak is also seeking millions of dollars in damages for consumers who purchased Bose’s wireless headphones and speakers.

“I have Bose headphones, and I love them,” said Ann Cavoukian, former Ontario privacy commissioner. “But if this proves to be true, I will be throwing them out. I will not tolerate this kind of activity that is taking place without the consent of the users.”

Introduced in 2016, the app, called Connect, allows customers to remotely control their Bose wireless products, and ostensibly makes it easier to pair different music sources such as an iPhone with Bose speakers and headphones. The proprietary software allegedly is programmed to continuously record in real time the music and audio tracks played through Bose wireless products.

“The music and audio tracks that people listen to reveal sensitive information about themselves,” alleges the suit in Kyle Zak v. Bose Corp. Case No. 17-cv-2918. “In other words, knowing what music, radio broadcasts, lectures, and podcasts a person chooses to listen to is enough to make accurate judgments and predictions about their personalities and behaviors.”

Bose disputes the allegations. “We’ll fight the inflammatory, misleading allegations made against us through the legal system,” said Bose in its website on April 20th. Three days later, Bose stated that

“You’ll find that the Connect App collects standard things to make your experience, and our products, better — like device information, app performance, and app and product usage. That includes information about songs playing on the device, the volume they’re played at and other usage data.”

On April 25th, Bose underlined that its Connect app “will be updated” so that consumers can opt out of having it collect data. “Any information collected before the opt-out is available will be altered, so it can’t be linked to you or your device by anyone,” added Bose. On May 3rd, the Connect app was updated.

The Office of the Privacy Commissioner of Canada (OPC) is not investigating the matter. If the Office receives a complaint, then it could launch an investigation, said Tobi Cohen, a spokesperson with the OPC.

However, the OPC launched an investigation in 2015 into a similar matter involving Bell Canada. While the case is not about a company “directly selling people’s information, it is an example of monetizing personal data,” noted Cohen

In August 2013 Bell caused an uproar after it announced that it would use customers’ network usage and account information to enable the serving of targeted advertisements. Bell intended to track the Internet browsing habits of customers, along with their app usage, TV viewing and calling patterns. By combining the information with demographic and account data already collected from customers, and creating highly detailed profiles, that enabled third parties to deliver targeted ads to Bell’s customers for a fee. The program involved combining customer information from several Bell affiliates offering a range of mobile, home phone, Internet and TV services. The OPC concluded that “Bell was not, via its opt-out model, obtaining adequate consent” for its “Relevant Advertising Program.” After the release of the OPC’s report, Bell decided to withdraw its program, stated that it would delete all existing customer profiles related to the program, and said that if it launches a similar program in the future, it would do so using express opt-in consent.

The crux of the problem is that companies and consumers and privacy commissioners do not see eye-to-eye over what constitutes personal information. Privacy policies shed a bit of light over what companies deem to be personal information. But as Pam Dixon, the executive director of the World Privacy Forum, noted recently, the definition of “personally identifiable” is usually up to the company.

“It should not be up to companies to determine what is personally identifiable,” said Cavoukian. “Personally identifiable information means any information linked directly or indirectly with personal identifiers that identify you. So we’re not just talking about names and addresses. There could be indirect linkages that when connected with some other information point to you.”

But data has become an extremely valuable commodity. When a subsidiary of the gambling group Caesars Entertainment filed for bankruptcy in 2015, its most valuable asset was considered to be the data it held on its 45 million customers who joined its customer-loyalty program. It was evaluated at $1 billion. Another example is Uber. Its worth is estimated at $68 billion, in part because of the data it has on drivers and passengers for personal transportation. Even Bell acknowledged the value of data. “Bell asserts that by providing targeted (and thus more relevant) ads to users and more powerful and effective functionality to advertisers, it can improve its customers’ overall online experience, better compete in a global online advertising market with strong international advertising players, and ultimately generate greater advertising revenue,” according to the OPC’s report.

The tension over privacy between companies and consumers is not likely to fade. Consumers will likely continue to be caught between a rock and a hard place. The terms and conditions outlined by privacy policies are impenetrable. On top of that, consumers often no choice to accept them if they want to use the app they have downloaded.

But consumers, at least in Europe, will have another weapon at their disposal to keep companies in line, said Cavoukian. As of May 2018, the European Union’s General Data Protection Regulation (GDPR) strengthens people’s control over their data as it requires companies to get explicit consent for how they use data. Fines for breaches under GDPR will be stiff – up to four per cent of global revenues or US$22 million.

That is an example that should be followed in North America, said Cavoukian. While unlikely, companies nevertheless doing business in Europe will have to pay attention. “You are going to see a lot of action next year on the heels of the GDPR,” said Cavoukian. “You are going to see changes because people are getting increasingly concerned about their privacy, and governments are responding.”

Leave a Reply

Your email address will not be published.