Edelson, the lawyers acting on behalf of customer Kyle Zak of Illinois, claim that information about what Zak has been listening to through his Bose headphones was being collected without his knowledge or explicit consent every time he used a Bose companion mobile app called Bose Connect. The app allows customers to interact with the headphones, updating software and also managing which device is connected at any time with the headphones. If the headphones are being used to listen to something, details about what is being played will show up in the Connect App.
This information is then collected by Bose and sent to third parties, including companies like Segment, who facilitate the collection of data from web and mobile applications and make it available for further analysis.
The lawyers are contending that Bose’s actions amount to illegal wire tapping and that the information being collected could reveal a great deal of personal information about customers. Allegedly, Kyle Zak would not have bought Bose headphones if he had known that this information would be collected and he further claims that he never gave his consent for this information to be collected.
Given the app’s limited functionality, it is really unclear why anyone would use the Connect App for this purpose on a continuous basis.
Most software uses tracking
The majority of apps installed on a phone will be collecting data about its usage and sending it back, de-identified, for analysis. This data may well be aggregated without giving any detail about any individual user. So, it would not be possible for example to say whether people who use an app every day are more likely to use particular features. Of course, some companies do collect this level of detail.
So what is this tracking data used for?
Developers use this information to track a range of things including statistics about usage of the app. Companies usually track how many daily and monthly active users they have and how many users stop using the app after opening for the first time.
Developers are also interested to find out if the app experiences problems, like crashes for example. They are also interested in what features of the app do customers use, what sequence did they use them and for how long.
A range of companies, including Apple and Google provide means of collecting anonymous statistics from users. The data is sent back to a server and made available for analysis. This type of tracking is very different from the tracking that is done for advertising purposes. In this case, information is collected that is identifiable and used to personalise ads to be delivered either directly through the app, or through other services.
Hidden privacy statements are not enough
Privacy statements for apps, websites and other software should make it clear, and before the user starts using the app, what information the software is collecting, who it will be shared with, and for what purposes. Most software however, does not do this. Companies simply skip showing a user the privacy statement and make reference to the fact that the statement can be accessed somewhere on a website or in the app, at a later time.
Another problem with a great number of privacy policies, is that they are written in legal language and do not make explicit what information is being collected and for what purpose.
Privacy should be treated as a fundamental driver of design in software. This situation has been changing, especially as companies have focused on protecting customers’ privacy, not from the companies themselves, but from law enforcement agencies, secret services and the government in general. Perhaps also, the threat of legal action by companies like Edelson, will prove another incentive to do the right thing.
Authors: David Glance, Director of UWA Centre for Software Practice, University of Western Australia