Sonos is spying on me (and you)

0
18

I recently decided to get a wireless speaker for our Kitchen. Sonos seems like an obvious choice these days. The sound quality and aesthetics were very appealing. So I ordered a Sonos One SL speaker.

In terms of sound quality and looks, I was very pleased. I’m not an audiophile but the sound quality seemed superb and the speaker just looks fantastic. A very clean and unassuming look.

what’s hiding underneath ?

As I later discovered, a dirty beast hides under the cool exterior.

My concerns started to grow almost immediately as I was setting up the new speaker. I downloaded the app, and started the setup process, soon to realize that I need to register with my email just to set up the device on my network… And of course, I had to accept the terms and conditions …. hmmm… ok, I guess.

I was then asked to allow sharing my location as well, which raised another alarm bell. Why does my speaker need my location? I’m not 100% sure, but if I recall, I had to allow it to access my location, or else I couldn’t continue.

Once the device was finally set up, I went through the settings, to explore and see what else is there. I was rather disappointed to find that “Additional usage data” was turned on by default. I live in Europe, and I thought that the EU regulations should prevent this kind of behaviour. They should explicitly ask my permission to track my usage, especially if it isn’t necessary for the device to function.

I could opt-out of it luckily, but it didn’t feel right to me.

What data is Sonos collecting, and why?

Digging into the Sonos privacy policy made my hair stand…

Functional Data:

This data is absolutely necessary for your Sonos Product or Service, including Sonos Radio, to perform its basic functions in a secure way and you will not be able to opt out from this data collection, sharing, and/or processing if you want to continue to use your Sonos Products.

We collect:

Registration data. This data includes your email address, location, language preference, Product serial number, IP address, and Sonos account login information (as described above).

System data. This data includes things like Product type, controller device type, controller operating system, software version, content source (audio line in), signal input (e.g. whether your TV outputs a specific audio signal such as Dolby to your Sonos system), information about WiFi antennas, system settings (such as equalisation or stereo pair), Product orientation, names of the music service(s) you added/enabled on your Sonos product, the names you have given your Sonos Product in different rooms, whether your Product has been tuned using Sonos Trueplay technology, system performance metrics (e.g. the temperature of your Product or WiFi signal strength) and error information.

(emphasis not mine)

So this is just the data that you cannot opt-out of. The data absolutely necessary to perform basic functions. And in case you wonder why they track this data, here’s what the privacy policy says

Why we collect Functional Data: We collect this information to help ensure that your Products are working properly, to provide you with customer support, to honour your audio preferences, and to guide product improvement and customer support decisions. We also collect this information to guide product improvement and customer support decisions which is our legitimate interest.

emphasis mine… we’ll go back to what legitimate interest actually means later on.

I’m not sure what basic functions for a speaker might be, that they require to share so much data with Sonos. And if this not enough, there’s also the (optional) Usage data that Sonos happily collects, by default, without asking for permission

Additional Usage Data:

In order to improve your experience with Sonos Products and to offer better, personalised Sonos Products and Services, including Sonos Radio, that meet the needs and expectations of our customers, we collect the following Additional Usage Data. The processing of this information is in our legitimate interest as further set out below (under Why). You can opt out of sharing this data by following the steps listed here.

We collect:

  • Performance Information. This includes things like the temperature of your Product, WiFi information like signal strength, how often you use music services you have connected to your Sonos system (including, for some services, your login username, but not password), information about how often you use the Sonos app versus other control mechanisms, flow of interactions within the Sonos app, how often you use the physical controls on the unit, the flow of interactions within the Sonos app, duration of Sonos Product use, and, as required for certain Services, location-based data using GPS (or similar technology, where available) and crowdsourced WiFi access points and cell tower locations collected from your third party device when the Sonos app is in use.
  • Activity Information. This includes duration of music service use, Product or room grouping information, command information (such as play, pause, change volume, or skip tracks), information about playlist or station container data including listening history (‘Recently Played’), and Sonos playlist or Sonos favourites information; each correlated to individual Sonos Products and your interactions with them. If you enable voice control or use Sonos Radio, we will additionally collect information about track data when using those features.

Why: We collect this information so that we can help ensure Sonos Products are functioning properly, provide a personalised experience for our customers, determine what types of Product or feature improvements would please our customers most, and to help predict potential problems with Sonos Products. Additionally, to provide Sonos Radio, we collect location-based information for licensing and reporting purposes. Collecting this data is our legitimate interest to support a user-friendly experience that meets your needs and help you with issues you may experience. It is your choice if you want us to collect this information, and therefore you can opt out of sharing this data by following the steps listed here.

Note: personalisation services (e.g. Recently Played), Sonos Radio, Voice Control, and Direct Control functionality require Additional Usage Data to function. If you decide to use any of these features and/or Services, the Additional Usage Data becomes functional. You can always clear all Recently Played by following the instructions in the Sonos app.

Again, the legitimate interest emphasis is mine…

If you read their privacy policy further, you could spot the real incentives and potential uses of the data, but I won’t dive into it here. I do recommend reading it though.

(il)legitimate interest

So what is this all about? Well, if you’re familiar with the General Data Protection Regulation (GDPR), you might guess the answer. I’m not a lawyer, so without going into too much detail, here’s my brief understanding of it.

First off, the GDPR is the regulation that aims to protect the privacy of all EU citizens. It’s meant to reduce privacy invasive practices, force companies to protect private data, and encourage companies to treat private data with care and respect.

But what’s “legitimate interest”, and why is it important?

Essentially, companies aren’t simply allowed to store any customer data they want. They need a “good reason” to do so. Or in other words, they need to have a legitimate interest in storing such data. Otherwise, they’re simply not allowed to store it at all.

So now, can I just ask someone who accesses my website “What’s your home address”? and store it, if they give it to me. I need to have a real reason to ask for this address. It can be my legitimate interest to ask it if, for example, I’m going to send you a free gift. I obviously can’t send you a gift without knowing your address.

As you can imagine, “legitimate interest” can be interpreted in many different ways. Is it legitimate interest to ask for an email address in order to send marketing emails? well, actually it might be. There’s no black and white answer here.

Putting it to the test

There are 3 tests for “legitimate interest”:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

Whilst Sonos tries very hard to meet those first two tests with their policies (but in my opinion, have a very weak position there), I think it clearly fails the balancing test. Sonos blatantly violates its customer privacy by excessively tracking, analysing and making use of very detailed information about them. They capture their listening preferences, their location, neighbouring Wifi access points and lots more. And worse of all, they do it without asking for explicit consent. It’s all hidden in the privacy policy, and set to expose all this data by default.

What’s the purpose of collecting all this data? Sonos claims that their purpose is “[To] help ensure Sonos Products are functioning properly, provide a personalised experience for our customers, determine what types of Product or feature improvements would please our customers most, and to help predict potential problems with Sonos Products”. This seems fairly clear as a purpose. Still rather widespread and invasive, but there’s a purpose.

But is collecting all this data necessary to meet this purpose? I don’t think so. I think they collect far too detailed information, and they could meet the same purpose with far less data, or by using non-private / anonymised data.

For example: how does the IP address of the customer help with any of those stated purposes? Or why do they need to map neighbouring Wifi access points? I guess Sonos would claim something along the lines of “if a customer has a problem, these details help us support this customer and troubleshoot the problem”. But then is it necessary to collect this data constantly, even when there are no problems?

To drive product decisions and understand usage trends, they can collect data that’s been anonymised and still be able to improve features. In my mind, most of this collection is unnecessary. Rather than collect all this data indiscriminately and bundle all those purposes together, each purpose and data collection should be examined individually. The necessity argument easily breaks if you look at individual purposes and the data being collected to fulfill the specific purpose. Do they need to collect all this personal data about me to determine what feature improvements would please their customers most? I don’t think so.

Here’s a quick data point to you, Sonos: I’m not pleased by your excessive data collection.

And finally, let’s look at whether this excessive collection overrides the individual’s interests, rights and freedoms. I think the answer is as clear as day. The Sonos speaker works totally fine, even without an Internet connection. It meets the criteria of most customers who buy a speaker: it plays music via Wifi. The data collection that Sonos does isn’t primarily to help their customers. It’s to help Sonos learn more about its customers, sell aggregate data, and advertise to its customers. I’m pretty sure that if you ask a Sonos customer whether they want a “personalized experience” from their Sonos speaker, they will look back at you with a confused look on their faces… It’s a speaker. It plays what I ask it to play… If I buy a speaker, do I want it to manipulate me with ads based on my listening preferences? No. Can a reasonable person even imagine that so much data about their usage is being collected, by default, when they buy a speaker? absolutely not. This is far from balanced. It weighs heavily in Sonos’ interests, and those do not align with the interests of its customers.

I therefore find it very hard to believe that Sonos can really meet the legitimate interest tests. They are clearly using “legitimate interests” in the privacy policy language to protect themselves against a potential GDPR claim. However, I think it’s a thin veil, and they clearly fail to balance the privacy needs of their customers.

What can you do about it?

There are a few things I think we should collectively do to stop this kind of practice.

On the practical/technical level: try to block Sonos from collecting data about you. This requires some technical knowledge unfortunately, so most people won’t be able to do much. But even if you’re not technical, you can still do a lot.

  • Opt-out of Additional data usage: this is a super-simple thing you can do inside your Sonos app to reduce the amount of data you share with Sonos.
  • Don’t connect your Sonos to 3rd party services: Sonos would encourage you to give it access to your Spotify account, Amazon, Apple or any other 3rd party music service. You don’t actually need it in most cases. You can use the music service directly, and just play it on your Sonos speaker as a destination (e.g. using Airplay).
  • Block Sonos from accessing the internet: many routers allow you to block individual IP or MAC addresses from accessing the internet. Beyond the initial setup, your Sonos speaker can work fine without an internet connection. If you can and know how to, block it.
  • Use a privacy-blocking DNS product or service: For example: Pi-hole, Nextdns, or Adguard home all offer options to block your Sonos (and many other privacy-invasive apps and services) from sending personal data, without affecting other functionality.
  • Complain to Sonos about it: let them know that you’re unhappy. If they truly look at ways of pleasing their customers, they should collect some data that this practice makes their customers unhappy.
  • File a GDPR complaint: if you are a EU citizen or live in Europe. You should be protected by the GDPR. The more complaints about Sonos, the higher the chances of the regulators taking action against Sonos and forcing them to stop those practices.
  • Become a member to support NYOB. This is a non-profit privacy-focused organization that helps fight against privacy violations. Disclaimer: I am a member, and I’m in discussion with one of their lawyers to promote some privacy initiatives. Other than promoting their cause, I have nothing to gain (financial or otherwise) from endorsing them.

LEAVE A REPLY

Please enter your comment!
Please enter your name here