Access Now asks U.S. FTC to investigate vulnerabilities in internet-enabled sex toy

Washington D.C. (April 26, 2017) — Today Access Now submitted a complaint against intimate product manufacturer Svakom with the U.S. Federal Trade Commission (FTC). Svakom has produced and distributed an inadequately secured internet-enabled device that allows third parties to access highly personal data, including the video stream from a camera embedded in the device.

See a copy of the complaint here.

Svakom released the “Siime Eye” in 2016, its first internet-enabled product. The Siime Eye is a vibrator with an embedded camera that can be controlled via an app on a smartphone, tablet, or computer. In the complaint filed today, Access Now alleges that the company engaged in unfair and deceptive trade practices by releasing the product with grossly inadequate security.

The complaint stems from research that was demonstrated at the 2017 convening of RightsCon, Access Now’s conference on the future of the internet. On a panel called, “Let’s talk about sex toy security,” Ken Munro of Pen Test Partners was able to run code he had written to hack the Siime Eye and take control of the device in less than five minutes.

“Selling an easily hackable sex toy is the epitome of an unfair and deceptive trade practice. The Federal Trade Commission must send a clear message to the adult Internet of Things (IoT) industry that bad security will not be tolerated,” said Amie Stepanovich, U.S. Policy Manager at Access Now.

The ramifications of internet-connected sex toys with poor security and privacy settings go far beyond the problem of third-party access to internet data. Particularly for devices that can be manipulated or controlled remotely, the unauthorized access of those controls open the door to legal claims of rape, harassment, or assault. Hacked sex toys could also expose victims to further harassment, stalking, blackmail, or anxiety and depression. In addition, victims might fear seeking legal redress for these harms because they are afraid of stigmatization or character assassination.

“Within the internet of things space no product embodies the need for a robust system of protections more than the intimate products industry. These devices can give access to people’s most private information and they are being put on the market with laughably weak security settings,” said Stepanovich.

The IoT space is expanding at what appears to be an exponential rate, and there have been issues with privacy and security across the board. But in a world where we often question whether or not a device should be connected to the internet at all, any IoT product that is developed must at minimum have sufficient security controls to protect users.