New sex toy standards are causing some sensitive details to slip
If this all sounds a little obvious, that’s on purpose. “The bigger, better-known brands stick to high quality and do their best, but they were really standards that you set for yourself,” says Rief. “But there are a lot of cheap products made in China because no one can stop you.” The ISO standards won’t prevent low-quality sex toys from rolling off the assembly line, but they do give high-end sex toy manufacturers a way to distinguish their goods from the scrap. Much of the growing market is sourced from cheap “white label” manufacturers who make quick and dirty equipment for multiple retailers or make toys for small businesses.
“There are no standards with white label manufacturers, and you can see that with sex toys, too,” says Jen Caltrider, director of the Mozilla Foundation’s cybersecurity review program Privacy Not Included. ISO and other standard-setting organizations do not have the power of law or government regulations behind them, although testing companies sometimes issue certifications. They make it easier for manufacturers to agree on quality and safety levels – and to tell everyone in their marketing that they adhere to the standards.
This emphasis on fit and finish resulted in cybersecurity being excluded from the process. “They discussed it, but it wasn’t specifically recorded because it’s complicated and generally covered by local regulations,” says Rief. Something like the European General Data Protection Regulation, for example, could address privacy concerns. That’s a little ironic, because in 2017 the WOW Tech subsidiary We-Vibe agreed to a $3.75 million settlement in a class action lawsuit alleging that the app associated with the vibrator collected and maintained user data without consent. Mozilla’s Caltrider says We-Vibe has tightened things up since then. “We had this lawsuit and tried to learn from it,” says Rief. “Today we have our own app team and agencies trying to hack the app.”
It is certainly possible that security and privacy are not even a priority for most sex toy buyers. “I’m not sure if all toy-making or selling companies will take this seriously, but I think they will generally take it more seriously than some customers,” said Carol Queen, sexologist at Good Vibrations, a longtime supplier of the same. Whatever focus these stores place on, say, material safety, their customers often prioritize price and design. “The people who don’t care, probably will continue to care,” says Queen. Of course, in some countries sex toys are completely illegal, and in some places forms of sexual behavior that devices could track are criminalized. But many people are already accepting that their phones and smart speakers collect personal data; sex toys cannot be any different.
On the other hand, people probably should care more. Large companies in the industry such as We-Vibe or Lovense already follow standards such as the use of encryption and the requirement of strong passwords. Smaller companies sometimes don’t. And for the privacy conscious, it’s a hot-button category. Caltrider says Mozilla’s privacy project, which reviews hundreds of different products, gets more traffic to its sex toy reports than any other type of device.
Data protection is far from the only concern, either. Take the oblique reference in the new standards to vibrations. “I can imagine a situation where a manufacturer specifies the motor they need to start a low-frequency vibration that is capable of a much higher duty cycle and a much higher speed going up to 50 percent,” says Haines. “That doesn’t mean the chipset couldn’t accept a command that would get it 100 percent.” That would put a user on very shaky ground. Or, continues Haines: “When developing the device, they take into account a certain amount of battery consumption during normal use. With lithium-ion batteries, they react very badly if you put too much stress on them.” By that he means they catch fire. And nobody wants someone to take control of their sex toys without permission – that would mean at least some injury and possibly bodily harm. So security precautions must take all types of consent into account.
These risks are not just hypothetical. In late 2020, a UK cybersecurity firm discovered that the Cellmate chastity cage – an app-controlled metal case that closes around a person’s penis – uses Bluetooth to do the actual locking and unlocking, but that data like location and a unique device identifier is saved on servers by the company, Guangdong-based Qiui. The security researchers warned that a hacker could forge the controls and prevent the device from being unlocked. The company updated its app, but apparently left an old version of the API online, because a hacker allegedly attempted the exploit and required chastity cage customers to pay before they could be released. (It’s not clear if anyone was actually wearing their Cellmate when the lockdown hit, and to be fair, the new ISO standards do say that locking devices should also have an integrated way of manually unlocking them.)
Engineers who rely on standards such as those issued by the ISO might also see good reasons to separate these types of problems from those specific to sex toy hardware. Perhaps battery standards should apply to any rechargeable device connected to it. Broader rules for the Internet of Things could address cybersecurity. But it is clear that the functions of sex toys are changing; people are so creative. The rules have to keep up.