The post originally appeared on AVNation.tv April 27, 2017
At the time I wrong this piece I was employeed by Harman Professional which was a competitor of Bose. Harman has similar policies I disagree with. As a result while I have both brands’ products I do not run their software – September 13, 2020
This time last week (April 18, 2017) a class action lawsuit was being filed in the United States District Court for the Northern District of Illinois, Eastern Division claiming that Bose collected data without telling their users that they were. You can read the complaint (17-cv-2928) on the Sribd service. My previous writings have shown my preference for privacy in the digital age. I do not like that Bose is collecting that much information about its users. It might be legal and an accepted business practice at the moment, I still don’t like it. [Bradford’s note: I do work for a competitor. This discussion is about data tracking not products. I don’t use some of my employer’s software because of the data tracking policies.]
When I started this piece, I indicated that I was going to come out supporting Bose and their situation. However, in doing research for the column, I have changed my mind. Bose was very close to having done the right thing, telling people what they were monitoring. However, they did not quite get it right as they had inconsistent information available. What they are currently collecting through Bose Connect is your listening habits; what are you listening to, how long are you listening for, when are you listening, where are you listening and other things. The crux of the case in my opinion is this statement in the filing: “Bose Connect collects and record the titles of the music and audio files its customers choose to play through their Bose wireless products. They also transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.” In my view that last sentence is false completely and should be removed from the conversation. Bose does indicate that they use a third-party.
Something to consider as you examine this issue is that this application is just one part of the entire digital media playback system. Using iTunes one can know the last time a media file was accessed and if it was listened to completely, that information is shared with Apple. There is a massive part of me that says, as soon as one became part of the digital media ecosystem one must work to stay private. The amount of data about customers that is available can be mind boggling. All of the information that the plaintiff is worried about is likely available already from other sources. Additional information such as where and when was the content was acquired is easy to gather if one uses the typical online services.
After I finished reading the filing, I started reading was on the Bose website. There is a link to their privacy policy at the bottom of basically every page within their website. I clicked the link in Bose’s footer and was directed to here; it is confusing as they do not directly indicate or discuss the Bose Connect App. However reading through I found this section that would have caused me pause:
"If you use a Bose SoundTouch system or the SoundTouch software or mobile app, Bose also collects additional information about you, including technical information (such as your IP address, computer attributes and system ID); location information derived from your IP address; and product usage information (such as system presets and recently played content)."
While reading the document, I started getting confused. Is the Bose Connect App the “mobile app” listed in the policy? It is a mobile application, but they don’t call it out explicitly. Other hardware and software is listed by name. More research was required. I figured the best way to understand the experience and information provided to the user is to install the Bose Connect application and read the documentation.
I went to the Google Play store to look at the Android version. That was interesting as the information provided there was minuscule. There was the Google Permission information that indicated the application is granted access to:
- bind to an accessibility service
- view network connections
- pair with Bluetooth devices
- access Bluetooth settings
- full network access
There was also a link to the Privacy Policy, https://downloads.bose.com/ced/bose_connect/privacy_policy.html. I created a PDF of it to read later.
I next went to the iTunes/App Store to do the same thing. I am traveling with an iOS device, so that was a more realistic experience. On the iTunes product page there is a link to the privacy policy and the license agreement. The privacy policy also directs one to the same location as the Google Play store. iTunes embeds the license agreements within the application window, so I have simply combined captures (click here) so I could read it all.
I was now ready to review all of the documentation. I started with the privacy policy. This section quickly jumped out at me [yes there are errors, I took this section verbatim from the Bose site]:
“What Information We [Bose] Collect About You
The app does not collect any information that Bose or our service providers can use to identify you personallyAs discussed below, however, the app does automatically collect certain information from the mobile phone, tablet, or other device that you use to access the app.
Log data. When you use the app, we or our service providers may automatically receive and record certain information from your mobile phone, tablet, or other device. This may include such data as your software and hardware attributes (including device OS version and hardware model information), the date and time you use the app, whether and when you update the app and your Bose products, and certain other tracking information. To do this, we may use web logs or applications that recognize your device and gather information about its online activity.
Analytics and related tracking mechanisms. We may use mechanisms to track and analyze how you use the app. We also may partner with third parties who do so on our behalf (see below in the section entitled “How We Share Information with Third Parties”). These mechanisms can be used, for example, to collect information about your use of the app during your current session and over time, when and why the app crashes on your device, and a variety of information about the mobile phone, tablet, or other device that you use to access the app. Such mechanisms may include software developer kits (“SDKs”), pixels, scripts, or other tracking mechanisms. Some of these mechanisms involve storing small files on your mobile phone, tablet, or other device. Others involve transmission of information to a third-party server through other means.”
That was when my opinion changed from Bose educated the user about data collection to they made a mistake. I believe that Bose clearly documented for the end user that a third-party is being used to analyze the data. The fact they listed incompletely what items they are collecting is where the problem occurs in my mind. In the general privacy policy they spelled out more clearly what they are collecting. The Bose Connect policy differs from the general privacy policy so it would appear that there are different conditions of data collection for each software. Whether the user was informed correctly now comes down to the question, “What conclusion would a reasonable person create from this information?”
That moment was also when Josh Srago and I started to disagree. Initially, we agreed that we thought Bose was in the clear, not necessarily right but had met their obligations to inform. We both still believe tracking the information is bad and should be stopped. We both think that clearly spelled out that they are using a third-party service. The disagreement started when Josh referred to the End User License Agreement (EULA) and pointed out a paragraph that states the user consents to Device Data Usage collection.
Josh indicates that he believes Device Data Usage includes what content or data you are using on your device. I do not think that most people, i.e. not me or Josh, would consider that approach. Most people would process that phrase as if they transferred or use 2GB of data or 3GB of data that month.
Josh and I both agree that tracking is wrong. We both know EULA and privacy policies are purposely written to be as vague as possible. Collecting usage information has value to product development, such as is there enough battery life for the person to use the headphones in a typical day. We also agree it is very rare for a user to read the EULA or Privacy Policy.
What we disagree on is what amount of information was provided to the user. That is something for the courts to decide.
A few notes I want to include that just didn’t flow in writing:
- The use of the application is not required as indicated in this video from the Bose site. Yes, you get more functions, the payment is Bose gets more data about you. Think of it as a frequent shopper card or a Starbucks registered card.
- If you want to review the documents of the case yourself and you don’t like the privacy policy used by Scribd, you may also view the filing at https://ecf.ilnd.uscourts.gov/doc1/067119015846p.
Thank you for reading.
Bradford