We need digital security for all the things — and privacy for all the people

Last week Access Now filed a complaint with the U.S. Federal Trade Commission concerning the Siime Eye, an internet-enabled sex toy with a built-in camera manufactured by Svakom (you can read about Svakom’s response here).

We realize that this is a sensitive topic, especially for users at risk of attack or exploitation — the very people whose rights we aim to defend. Some people are unwilling to talk about sexual experiences publicly; others simply don’t want other people to know about that aspect of their private lives, period. Meanwhile, many governments ban information on, or discussion about, sexuality, online or off, leaving people with few resources for educating themselves about these “adult” topics. It can be a fraught issue. But that’s why taking action on it is so important.

Internet of Things (IoT) products are increasingly a part of people’s everyday lives. They are in our homes, our offices, our streets, and on our bodies. They are even in our children’s playpens — and now, in our bedrooms. IoT products are often designed, built, and distributed by companies that have never before created something connected to the internet. Often they’re dealing with digital security and human rights issues that are completely novel — to them and to the world. However, that doesn’t mean they can ignore these issues, or only pay lip service to them. There is clear potential for significant harm. This is why Access Now has started a process to identify the human rights safeguards needed in the IoT space.

With internet-connected sex toys, the problems with digital security are even more serious than in other parts of the IoT space. In a session at RightsCon Brussels 2017, a security researcher was able to take control of the Svakom personal device in five minutes. Law and policy experts explored the privacy and security implications of remotely accessing such devices, including capturing data feeds. This type of invasion is very serious, and can potentially have long-ranging consequences for victims. However, it can also fall into a troubling legal gray area; while in some jurisdictions an attack like this would meet the standard for a criminal act — ranging from harassment to rape — in others it would not, since there may be no legal definition or standard on the books to fit. Even where the law is clear, it can be very difficult for victims of sex crimes to get timely and effective enforcement in jurisdictions as diverse as India, Canada, and beyond. This uneven access to remedy could mean even greater emotional distress for victims who cannot get redress.

The discussion at RightsCon raised the question: Does the potential severity of consequences for hacking or otherwise exploiting data from IoT sex products mean they shouldn’t be produced at all?

Views were divided here. Some saw value in these products; for instance, some people might use them in long-distance relationships, or for exploring different facets of their sexuality. The products could also potentially have uses in medicine, such as self-help for patients with a high risk for certain diseases, or even rehabilitation for victims of assault. However, others argued that society may not be able to responsibly handle this type of product without causing unnecessary and unjustifiable harm.

Regardless of the answer, the genie is already out of the bottle and we must seriously consider what protections are necessary to keep people safe from harm, including new laws and regulations. Any company with plans to connect a product to the network must take steps to secure it. This can and should mean a “security by design” approach that entails discussions with technical experts, early and often, to identify potential vulnerabilities and recommend solutions. Companies should incorporate encryption as a key means of protecting user data. They should also have dedicated privacy and security policies that are made publicly available, which include details on how data are collected and retained. Finally, they ought to issue annual transparency reports.

Even if companies take all of these steps, no product is perfectly secure. For this reason, many technology developers and manufacturers have created clear mechanisms for vulnerability and bug reporting, and those in this market should do the same. Since there is high risk associated with networked products of a sexual nature, the companies should also consider offering programs to provide emotional and other support to any future victims of device hacking.

It is only with foresight and heightened awareness that we will adequately address these problems. We hope that companies like Svakom take the privacy and security of the people using their products seriously, and invest in a process to integrate respect for human rights in product design. We’ll be watching.