I am the proud owner of a pair of $350 Bose QC 35 noise-canceling headphones, and I confess I love them. They sound great, and they’re very comfortable.
Their noise-canceling ability is effective enough on an airliner to eradicate the sound of engines, squalling babies, probably the tramp-tramp-tramp of storm troopers piling onto the plane to haul a passenger out of his seat to make room for a crew member, and perhaps even the sound of his screams as he’s dragged down the aisle. (I may find out the next time I fly United.)
But according to a lawsuit filed this week by headphone owner Kyle Zak in Chicago federal court, my QC 35s also are enabling Bose to spy on me. Via a smartphone app, Bose can tell when I’m using the device and the music I’m playing through them. This is done through a smartphone app called Bose Connect, which the manufacturer encourages me, and all other owners, to download and install. Bose says the app is necessary to “get the most out of your headphones,” which is absolutely untrue.
In fact, according to the lawsuit and the fine print that users typically skate over when installing and launching the app, it’s mostly useful for Bose.
Bose’s response to the lawsuit, emailed to me by a company spokeswoman, is both overwrought and suspiciously narrow. It calls Zak’s allegations “inflammatory” and “misleading,” and adds as a message to customers: “In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you — or anyone else — by name.”
This statement obviously acknowledges that the app collects something, but doesn’t say what. My request to Bose for details went unanswered. The statement’s reference to wiretapping is legalistic, since Zak filed his lawsuit under the federal Wiretap Act, but the actions he describes aren’t what most people think of as wiretapping.
Bose says it doesn’t “sell” customers’ information, but the fine print in the app disclosures states, “We may partner with certain third parties” to collect user information and “engage in analysis, auditing, research, and reporting.” That sounds as though it’s placing a very precise definition on the word “sell.” Among the partners disclosed by Bose is a company called Segment, which as Zak states in his lawsuit, is a data-mining firm that helps companies collect and use customer information.
“From time to time,” the policy says, “Bose may share anonymized and aggregated information about app users.”
The disclosure doesn’t specify that the app collects information about the music files being heard through the phones, which is the crux of Zak’s lawsuit. (He doesn’t say what makes him think this is part of the information stream being collected.) Zak asserts that even a small amount of “anonymized” personal data can speak volumes about a user. “For example, a person that listens to Muslim prayer services through his headphones or speakers is very likely a Muslim, a person that listens to the Ashamed, Confused, And In The Closet podcast is very likely a homosexual in need of a support system.” He’s right.
Zak’s lawsuit points to the growing privacy issues of the so-called Internet of Things: Our household devices are increasingly enabled to collect data about their surroundings, and us, and transmit it to manufacturers, service providers their commercial partners. These abilities are invariably portrayed as boons to the consumer, but more often than not they’re useless to anyone except the firms poised to exploit the information.
It’s hopeless to look to government to put a leash on this activity, especially under the current political regime. Last month, the Republican Congress voted to scrap Internet privacy rules, which will allow Internet service providers to sell the personal data they collect about their customers — browsing habits, apps, their travels with mobile devices — to any other buyers, even without customer permission. President Trump’s Federal Communications Commission, under its new chairman, Ajit Pai, is scrapping privacy protections instituted under his Democratic predecessor.
And that’s leaving aside other known hazards of our Internet-connected devices, including their vulnerability to being hijacked by hackers and used for mischief or crime.
Let’s be clear about a few things here. There’s absolutely no reason for Bose to collect any information whatsoever about users of its headphones or other devices. Most of what it claims to need pertains to its app, which isn’t needed to use the headphones. Its disclosure policy says it may use its collected information “to respond to subpoenas [or] court orders, … to investigate … illegal activities, … to facilitate the financing, securitization, insuring, sale … or other disposal of its business.” Some of this is none of Bose’s business, and some of it is not the users’ problem.
As for the app, it’s one of the more underwhelming on my smartphone. It allows me to connect the headphones by Bluetooth to my phone, computer or music player and to adjust the volume, but buttons on the headphones do that. It tells me how much charge is left on the headphones, but a voice prompt does that every time I switch them on. That’s about it.
But the app’s uselessness shows the best way to shut down Bose’s invasion of my privacy. As soon as I type the last word of this post, I’m deleting it forever.