Are Your Sex Toys Putting Your Privacy At Risk?

Photographed by Karen Sofia Colon.
There’s an especially juicy episode of Sex and the City in which Charlotte gets really into her rabbit vibrator — so much so that she starts ditching plans with her friends to stay home with it. Eventually, Carrie and Miranda feel compelled to step in and conduct what they call a “rabbit intervention.” And now, much like the iconic besties, Mozilla is here to give us our own sex toy intervention. This one, though, is all about privacy. 
This week, the nonprofit behind the Firefox browser has released the Valentine’s Day edition of its *Privacy Not Included guide, in which they reviewed the privacy policies of 26 sex toys and 24 dating apps using their own criteria. The findings: Half of the sex toys and 87% of the dating apps they reviewed had policies that left user information vulnerable to privacy or security breaches, the guide claims.
The risks involved with using less-than-secure sex toys or dating apps are wide-ranging. The companies themselves may share your data with marketing companies, which will then send you targeted ads, says Jen Caltrider, the lead and researcher on the project. Other lapses in their security and privacy systems can have more sinister results. Hackers could access your personal information to steal your identity, or even find your location and potentially harm you. They could also gain control of certain sex toys from a distance, which is a form of sexual assault.
For instance, the guide calls out the Qiui Cellmate, a “connected” chastity cage intended to be locked around one’s penis. The Qiui device lets one user operate its lock from anywhere in the world using a digital key. But internet security researchers found multiple vulnerabilities that makes the device easy to hack. A random person with enough tech know-how could lock a user into the cage, preventing the owners from unlocking it. In fact, this has happened at least once before. “Having a vulnerability in your vibrator is worrying but having a vulnerability in a chastity cage is dangerous,” Caltrider says.  
Qiui didn’t respond to Refinery29’s request for comment, but in a BBC story about the Cellmate’s hackability last year, the company noted that, if digitally locked by a hacker, the product could still be cracked open manually with a screwdriver (though it doesn’t sound like much fun, considering the precarious position of the device). Affected customers could also call a hotline to be released.
The risk to users doesn’t end there. “Although a lot of the headlines around the Qiui Cellmate focused, perhaps understandably, around the involuntary locked-in aspect, our concern was more the ability to access people's private messages, photos, phone numbers, passwords, and exact location,” notes Alex Lomas, a security researcher at Pen Test Partners, a security firm that initially exposed the vulnerabilities of the Cellmate in a YouTube Video
This sort of breach was also a concern with the dating apps Mozilla reviewed. The apps collect so much sensitive personal information, from your political party, to drug use, to your HIV status, Caltrider says. If this information isn’t protected, it can be catastrophic. The Ashley Madison hack, for instance, ruined lives. “If you’re gay, lesbian, or transgender, depending on where you live, it can be very dangerous to have your information put out into the world,” Caltrider adds. 
Many of the larger sex toy companies — OhMiBod, Lovense — are doing a fair job of protecting your privacy, Mozilla’s guide shows. If they do have a privacy issue, they usually work to fix it once it’s brought to their attention, Caltrider says. 
Mozilla credited WeVibe, for instance, for cleaning up its privacy policy in 2016 after a class action lawsuit called them out for collecting user data without consent. In a statement to Refinery29, WeVibe stated: “While it is true that we settled a U.S. class action suit in 2016, we want to emphasize that no customer data has been hacked or compromised, and no one's individual app use was monitored.” They note their data is protected by encryption, and that they never “sought to track people's sex lives.”
Brad Haines, the creator of the sex toy security and advocacy platform Internet of Dongs, who goes by RenderMan, has been critical of Mozilla’s *Privacy Not Included guide, especially about the fact that they reach their conclusions by examining the companies’ privacy policies, not by purchasing and using the toys and apps themselves. He also believes that some of the information in this guide might seem scarier than it actually is, and that Mozilla should provide more context around issues like location sharing. The nonprofit reports that all the sex toys they reviewed track users’ locations. Seems shady? In many phones, location permission is necessary to connect to Bluetooth, RenderMan says. “Very few apps I've run across ever actually query the user location, and those that do, are pretty obvious about it,” he notes. 
Despite his criticisms, RenderMan says it’s nice to see organizations generally highlight privacy and security. In addition to taking a critical look at the privacy policies of the apps and connected devices we use, Caltrider and other experts say anyone who decides to use a connected device or an app (because you can always opt out entirely) should also follow a few strategies to keep their data as safe as possible. 

Rename Bluetooth devices 

Say you have a vibrator that’s controlled by an app via Bluetooth. Name it something innocuous, such as “toothbrush,” rather than “vibrator” or the toy’s actual name (“MysteryVibe Crescendo”), Caltrider suggests. Sex-related devices could be easy targets for any neighborhood hackers, who might spot the name and decide to try to connect to and control your toy. 

Use a fake email address

When connecting to a vibrator that has an app, use an alternate email that doesn’t include your full name, Lomas advises. If the company has a data breach, this may help conceal your identity. Hopefully it goes without saying, but definitely don’t use a company email address. “Back when Ashley Madison was breached, many U.S. government and military email addresses were disclosed,” Lomas says. 

Don’t give away your exact location 

iPhone iOS 14 allows users to activate a ‘approximate location’ feature, to keep your home or work address more secure, Lomas says. To adjust this by app on your iPhone, go to Settings -> Privacy -> Location Services, then tap on specific  apps; you’ll be able to  toggle a button for “precise location” off. For Androids, you can choose to share your location with an app all the time, never, or only when using it — but there doesn’t seem to be a way to choose between “precise” and “approximate” location sharing. 

Avoid linking apps to Facebook 

Don’t link your Facebook page and your dating app; use a phone number instead. “This is my number one recommendation,” says Caltrider. “Dating apps and Facebook have the worst track records with protecting user’s data…. Almost every dating app in our guide has had some major data breach in the past 10 years that’s given up millions of people’s information. Facebook has done the same.” When you link the two, there’s a possibility that the dating app is pulling information from Facebook and vice versa. 

Be selective about the information you give away

Caltrider doesn’t recommend disclosing drug use or other illegal activities to apps, even if they ask (which some dating apps do). You can always bring up that sort of info in person, once you’ve made a match.

Look for a privacy policy 

You don’t have to do as much research as Mozilla did, but if you’re thinking of buying a sex toy or joining a new app, at least make sure that they have a privacy policy. Not every company does, Caltrider says, adding,  “And if it’s really hard to find the privacy policy, that’s a red flag too.” 

Get back the data you can 

You can contact companies — including Facebook — to ask them to “return” your data, or delete it from their sites. (Caltrider says many companies and Facebook especially may not delete all of it, but some is better than nothing.) The Washington Post has a great guide on invoking your right to ask some large companies such as DoorDash, Facebook, and Uber to delete your data. 

More from Wellness

R29 Original Series