Spying allegations - what is really collected

Animated Arbiter

I did some real-life testing to figure out if there is any truth in these Bose App spying allegations. Since I don't want to just be a source of more unsubstantiated rumours, here are the steps that anybody with an Android phone can perform to verify my findings:


1. Install mitmproxy from https://mitmproxy.org/ on your laptop and start it. The proxy dashboard will open in a browser

2. On the Android device, connect to wifi and in its settings set proxy to 'manual', IP to the address of your laptop and port to 8080

3. Open a browser and go to http://mitm.it. Select the Android certificate and install it

4. Open Bose App and connect to the headphones. Look for calls to https://api.segment.io/v1/import on the proxy dashboard

5. Play some music in Spotify, go back to the Bose App, skip to the next song, pause, play, etc.

6. Look for more calls to https://api.segment.io/v1/import and examine what data is being sent

7. After you finish playing, remember to remove the mitmproxy certificate from your phone!!!


Results:

Example of captured data for 'Play' event: https://pastebin.com/8ddriFA2


Data that is definitely being sent:

- Phone info - manufacturer, exact model, screen size, some kind of unique id

- System info - android version, locale, timezone

- Network info - operator name, type of network (wifi/cellular/bluetooth)

- Headphones info - serial number, firmware version, product id (in my case "0x400C", I suspect it means QC35) - for 'connect' events

- Song info - album title, track title, artist name - for 'play', etc. events

- Volume - on 'volume changed' event


Every event (like connected to headphones, play, pause, next track) is timestamped, so it also knows when and how long I listened to each song, if I skipped to the next, etc. If our data is indeed not being sold, what could be a possible reason to track our listening habits?

Everything is sent to https://segment.io - their motto is "Stream data to every marketing integration your team needs."


I hope this will help everybody to judge Jason's statement and their own trust in Bose for themselves.
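An added audit helper (not part of the original post) that automates the inspection in steps 4 and 6: it flags requests to api.segment.io and pulls the source app namespace, the timestamped events and the identifying fields out of a captured body. The sample payload is constructed to mimic the shape of a Segment batch request using field names quoted in this thread; the exact payload format, the non-quoted key names and the mitmproxy hook names are assumptions.

```python
import json
from urllib.parse import urlparse

ANALYTICS_HOSTS = {"api.segment.io"}  # endpoint host named in the thread
# Path suffixes carrying identifiers or listening habits; "anonymousId" and
# "device.id" are quoted in the thread, the remaining names are assumed.
SENSITIVE_KEYS = {"anonymousId", "device.id", "serialNumber", "productId",
                  "track", "album", "artist"}

def is_analytics_request(url):
    # Flag any request whose host is a known analytics endpoint.
    return urlparse(url).hostname in ANALYTICS_HOSTS

def walk(obj, path=""):
    # Yield (dotted_path, value) for every leaf of a nested JSON object.
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, obj

def summarize_batch(body):
    # Pull source app, timestamped events and sensitive leaves out of one body.
    # In a mitmproxy addon (hook names assumed) call it on flow.request.get_text().
    summary = {"source_app": None, "events": [], "sensitive": []}
    for msg in json.loads(body).get("batch", []):
        app = msg.get("context", {}).get("app", {})
        summary["source_app"] = app.get("namespace", summary["source_app"])
        summary["events"].append((msg.get("event"), msg.get("timestamp")))
        for path, value in walk(msg):
            if any(path == k or path.endswith("." + k) for k in SENSITIVE_KEYS):
                summary["sensitive"].append((path, value))
    return summary

# Constructed sample, not the pastebin capture: two messages in the shape of a
# Segment batch, with placeholder identifiers.
SAMPLE_URL = "https://api.segment.io/v1/import"
SAMPLE_BODY = json.dumps({"batch": [
    {"type": "track", "event": "Connect", "timestamp": "2017-04-20T10:00:00Z",
     "anonymousId": "anon-placeholder-1", "properties": {
         "serialNumber": "SERIAL-PLACEHOLDER", "productId": "0x400C"},
     "context": {"app": {"build": 27, "name": "Bose Connect",
                         "namespace": "com.bose.monet", "version": "4.0.0"},
                 "device": {"id": "device-placeholder-1"}}},
    {"type": "track", "event": "Play", "timestamp": "2017-04-20T10:01:30Z",
     "anonymousId": "anon-placeholder-1", "properties": {
         "track": "Sample Track", "album": "Sample Album", "artist": "Sample Artist"}},
]})
```

Running `summarize_batch(SAMPLE_BODY)` returns the namespace `com.bose.monet`, the `Connect` and `Play` events with their timestamps, and each sensitive path with its value, which is the evidence the thread asks readers to look for.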

14 REPLIES
Silent Starter

Re: Spying allegations - what is really collected

I demand a full refund, and removal of all of the data sent related to my headphones and usage. 

Noisy Narrator

Re: Spying allegations - what is really collected

@qbast interesting investigation. However, I have to ask: since you were proxying all traffic, are you 100% sure the source of these messages is from the Bose Connect app? You were streaming through Spotify - could it not be sending the analytics back? Are you a premium Spotify user or free? I could definitely see Spotify tracking these types of analytics, especially for free users but probably for premium as well. Did you try any other music/movie sources such as Google Music, Apple Music, YouTube, Netflix, or local MP3 files? If so, do you still see these similar messages? If they are changed significantly based on the source service, I would imagine it could be the service(s) doing the tracking.


I'm not saying you're wrong, just some follow-up questions to help verify the claims. Bose are publicly stating they are not doing this. So, can we examine the possibility it's not Bose Connect sourcing the messages?

*** Please Note: I do not work for Bose; please don't private message me your support questions!
Animated Arbiter

Re: Spying allegations - what is really collected

Yes, I am completely sure it is the Bose App sending the messages. Take a look at the example message I linked to (the pastebin link). The first part contains the following data: "app": {"build": 27, "name": "Bose Connect", "namespace": "com.bose.monet", "version": "4.0.0"}. So it clearly identifies the Bose App as the source. The other reason is that there were other messages (I have not pasted them in pastebin) with events like "Connect" and information about the serial number and product id of my headphones. I also saw messages generated by the Spotify app, but they were completely different.

And Bose is not stating they are not doing this. Read Jason's message carefully: they are saying they are not 'wiretapping communications' (which is true), they don't use anything to identify us 'by name' (also true, they use some unique id) and that they don't sell the information (impossible to verify). 

I also encourage everybody to not take my word and test for themselves - it takes 10 minutes to set it up.

Friendly Fanatic

Re: Spying allegations - what is really collected

@qbast thanks for this info!

BTW you're in Warsaw, PL? Same as me, maybe we could arrange headphones comparison?
Animated Arbiter

Re: Spying allegations - what is really collected

Unfortunately no, I live in Poznan.

Friendly Fanatic

Re: Spying allegations - what is really collected

My reading of Bose's statements is that they're collecting data in aggregate, but not using it to track individual users. So they might know that x percent of their customers run an iPhone 6S, or that y percent of the tracks people play are classical, or whatever. But they don't use it to say that I listened to David Bowie.


And that makes sense. It's important for them to know which phones people use with their products, just to make sure everything works the way it's supposed to, and maybe knowing something about what their customers listen to helps them tweak the sound profiles of their headphones. But really, I doubt that knowing that I as an individual listened to David Bowie would be very useful for them. Everyone's hopped up on the idea that you can find crazy correlations in things, but I'm not sure that it would pan out in this case.


I don't think Bose's statement is inconsistent with the technical data that's been posted in this thread.  The data is going out to their servers, but once it gets there it's not being used in a way that invades anyone's privacy.  I was concerned at first, but my inclination is to accept Bose's statement at face value until I have some reason not to.


It's possible I'm biased because I would be very unhappy if I had to give up my Bose products.  In any event, I uninstalled the app yesterday and reinstalled it today after reading what Bose had to say.

Audible Advocate

Re: Spying allegations - what is really collected

Thanks for the information so far. I did the same with iOS, and confirm that the track info and further information is sent to:


https://api.segment.io/v1/batch


I pasted a snippet here: https://pastebin.com/FmjugWR0


"In the Bose Connect App, we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name."


"by name" - I guess that would provide more anonymity to most users than identification via "anonymousId" and "device.id". Imho that's a contradiction. Anonymous - Identification.


@bose:

- For what purpose do you need to collect "Track Info Change", "Now Playing", "Volume Change", ... events globally?

- How can you make sure you delete my data? (I can provide my anonymousId for this.)


Also, I want my money back.

Animated Arbiter

Re: Spying allegations - what is really collected

Actually, if you registered your headphones, they do have enough information to link your listening habits to your name: registration provides them with your name and device serial number, the app reports the device serial number and 'unique id' when it connects to the headphones, and then 'play' events provide song information and the unique id. So there is a direct link from your name, through serial number and unique id, to song information.

Jason assures us that "we don’t use anything we collect to identify you – or anyone else – by name." But the collected data does not vanish, so it does not mean they can't identify people - simply that they don't do it now.

Friendly Fanatic

Re: Spying allegations - what is really collected

"Jason assures us that "we don’t use anything we collect to identify you – or anyone else – by name." But the collected data does not vanish, so it does not mean they can't identify people - simply that they don't do it now."


I know I'm in the minority here. Maybe I'm wrong. But I believe them. The aggregate data would be useful to them, drilling down to individuals much less so. Bose's explanation passes the "smell test" for me.


Another thing which no one is talking about is that everything we do online is being collected and monitored. People have posted JSON that gets transmitted when you use Spotify with Bose headphones. Why is Spotify OK and Bose nefarious? Why would someone be OK with using Spotify, but outraged about Bose?


https://betanews.com/2016/07/22/spotify-sells-user-data-to-advertisers/


The idea that Bose is doing something unusual or malevolent in some way seems really wrong to me. This is not to say that they're not making mistakes. The fact that this is erupting and making customers upset is proof of that.


I'd like to see Bose do a better job with transparency, of telling us exactly what's going on, and creating a terms of service that binds them to follow the rules about personal data that they tell us they're following. And I'd like to see them offer an opt out in the app. If they offer the opt out, this all goes away. And in the real world, the overwhelming majority of people won't care and won't use it, so Bose will still get its data, and people who care can keep their data private.