
Sex Toys

As we previously saw with video game consoles, it is possible for a device to combine the worst tracking features of two other types of devices. In this lesson, we’re going to look at Internet-connected sex toys, which combine the problems of mobile phone apps with the concerns raised by fitness trackers.

Speaking of Fitness Trackers

An ordinary fitness tracker can track and report sexual activity if a person is wearing it at the time. Several individuals (some of them journalists) have volunteered to wear fitness trackers during various types of activity and report the results. A female journalist for Bustle wore a Fitbit through several activities, including watching TV and dancing (as controls), solo activity both with and without a vibrator, and several different positions with a male partner, arriving at the conclusion that doggy style burns the most calories.1 Another female volunteer used a Fitbit to measure heart rate over about 9 minutes, showing a peak at the point of climax.2 Data recorded by a male journalist wearing a Motiv ring indicated a low heart rate while performing cunnilingus, increasing to “maxed out” effort during intercourse.3

These data points were reported voluntarily by people using ordinary fitness trackers. However, companies have created special-purpose “fitness” trackers specifically for measuring sexual activity. For example, a device called Lovely attaches around the male organ and records speed, thrusting, and other types of body movements. This device is, of course, paired with a smartphone app for data collection. It is perhaps fitting that the byline of an article describing this device is: “Are you ready to let a little data into your love life?”.4

Beyond Fitness Trackers

At least someone who uses a fitness tracker and voluntarily shares their data with the world has given informed consent to do so. Another class of Internet-connected devices might not give users this opportunity. Companies have responded to the perceived needs of customers in long-distance relationships by creating Internet-connected sex toys that interface with smartphone apps in order to provide remote capabilities. For example, Lovense creates both a vibrator and male masturbator that are designed to pair with each other over a remote connection, allowing the vibrator to respond to thrusts from the other device.5 According to the Lovense Privacy Policy, the company may collect “[a]udio, electronic, visual, thermal, olfactory, or similar information,” may share these data with other companies, and may retain the data “for the period necessary to fulfill the purposes outlined” in the policy (in other words, indefinitely).6 The Lovense End User License Agreement disclaims liability, requires parties to arbitrate any disputes in Hong Kong, and is governed by the “Hong Kong Special Administrative Region of the People’s Republic of China.”7

Moving to the second company on Good Housekeeping’s list of long-distance sex toys (yes, that Good Housekeeping), the We-Vibe company produces a vibrator that can be remotely controlled from an app that allows the selection of “eight different rhythms and speeds.”5 Unfortunately, We-Vibe already has a less-than-stellar track record, as it was forced to settle a $3.75 million lawsuit for collecting data without customer consent and linking these data to the user’s email address – actions to which it claimed the user had consented via its privacy policy.8 This data collection was discovered after the We-Vibe device was hacked at a security conference, and the collected information included the temperature of the device, intensity setting, and frequency of use.9 As part of the settlement, the company stopped collecting email addresses and updated its privacy policy.8

To be fair, at least Lovense and We-Vibe have privacy policies. Further down the Good Housekeeping list are companies with names that can only be found in the Amazon Marketplace, like the somewhat humorous MOOLIGIRL (in all caps, no less) Rose Toy, which “has a vibrating dildo at one end and a rose at the other that simulates tongue-licking.”5 This device apparently has an associated phone app for remote control purposes. I’ll admit that I didn’t perform exhaustive research, but the website I found for this product (which curiously lacks the MOOLIGIRL brand name) does not have an obvious privacy policy.10 There is no telling what kind of data this device (or its phone app) might be collecting.

Not every Internet-connected sex toy out there made Good Housekeeping’s list. A company called Svakom developed a Web-connected vibrator called the Siime Eye, which has a flashlight and camera embedded in the end of the device (apparently, the end opposite from the handle, either for dual use as a medical device or for people who are just into that sort of thing). Security researchers in the United Kingdom “penetration tested” (in the security sense) the device and its app and found laughably bad security. The app used hardcoded login credentials and communicated with the vibrator via WiFi instead of Bluetooth. An immediate privacy issue resulted from the fact that the WiFi used a fixed name, which would show up on the scans of any nearby phone or laptop. Further testing demonstrated that the video feed could be hijacked, and that a Telnet server could be started on the vibrator device itself.11 (For those unfamiliar with Telnet, it is an ancient, unencrypted communications protocol that is universally regarded as insecure today.)

Some “smart” sex toys attempt to minimize privacy issues by using communications means that seem anonymous on the surface. For example, companies can provide one-time codes to use with their devices instead of requiring users to create accounts. While this approach might give the user a feeling of anonymity, we already know from previous lessons that the connection has to go through an Internet Service Provider that can associate the device with the person using it. Furthermore, security on devices that utilize this approach is not always that great. For example, Vibratissimo Panty Buster was a device that was designed to be worn inside underwear, allowing a partner to remotely control its vibrations. Unfortunately, the technique used to create its one-time access code just incremented a global counter, making it easy for any random hacker to guess the unique ID and start controlling the appliance. The Bluetooth connection between the device and its owner’s phone was also insecure, allowing any nearby attacker both to detect the device and to hijack it directly.12
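
The counter-based access code described above, set beside a hardened alternative, as an added example (not code from this lesson's sources or from any vendor). The class names, function names, starting value, and five-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import itertools
import secrets
import time


class CounterCodeIssuer:
    """Weak pattern: every code is simply the previous code plus one."""

    def __init__(self, start=100000):  # constructed starting value
        self._counter = itertools.count(start)

    def issue(self):
        return str(next(self._counter))


class RandomCodeIssuer:
    """Hardened form: unguessable, single-use, short-lived codes."""

    def __init__(self, ttl_seconds=300):  # assumed five-minute lifetime
        self._ttl = ttl_seconds
        self._pending = {}  # SHA-256 of code -> expiry time

    @staticmethod
    def _digest(code):
        # Store and look up only a hash, so the server never keeps raw codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._pending[self._digest(code)] = now + self._ttl
        return code

    def redeem(self, presented, now=None):
        now = time.time() if now is None else now
        # pop() makes the code single-use even when it has already expired.
        expiry = self._pending.pop(self._digest(presented), None)
        return expiry is not None and now <= expiry


def looks_sequential(codes):
    """Review check: True if each code is the previous one plus one."""
    try:
        values = [int(c) for c in codes]
    except ValueError:
        return False
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))
```

Running `looks_sequential` over a handful of codes collected from a device's pairing flow is a quick acceptance test before trusting a "one-time code" feature.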

Mitigation

In a 2019 Wired piece, Emily Dreyfuss said it all with the headline: “Don’t Get Your Valentine an Internet-Connected Sex Toy.”13 Sex toys are a great example of a category of products that are mostly harmless by themselves but quickly turn into a privacy nightmare when they gain so-called “smart” features. If you’re in the market for a vibrator or other sex toy, stick to the “dumb” models that are controlled only by a switch on the device and use disposable batteries. A rechargeable model is somewhat likely to use a USB charging port, opening up the potential that data could also be sent over the USB connection. Stop using and destroy any existing “smart” versions you might have acquired (or have been given) in the past. If a partner tries to give you such a device, send them a link to this page, and politely refuse it. There is simply no way around it: “smart” sex toys represent a significant privacy risk for dubious benefits.

Some folks may take issue with the forcefulness of the advice in the previous paragraph, especially the types of people who are willing to write news stories about how many calories they’re burning in various positions (such as the first few sources in this lesson). It’s possible that a person is so comfortable with their own sexuality that they aren’t concerned about privacy, and there isn’t anything wrong with that sentiment. However, even if a connected sex toy doesn’t represent an immediate cybersecurity threat (which is far from a guarantee), the data it collects are still making money for the company the person already paid when they purchased the device. Someone who is open to the degree of being fine with public dissemination of intimate information would be better served to monetize that data themselves and collect the profits (e.g. OnlyFans), instead of letting some company do it covertly.

Notes and References


  1. Gabrielle Moss. “How Many Calories Sex Burns According to My FitBit.” Bustle. August 15, 2014. 

  2. Lizzie Dearden. “Woman has sex wearing Fitbit - here is what happened.” The Independent. August 13, 2015. 

  3. Jeremy Glass. “I Used a Fitness Tracker to Track My Activity Level During Sex.” Men’s Health. April 18, 2018. 

  4. Cassie Murdoch. “Meet Lovely, the sex toy that’s like a FitBit for your dick.” Mashable. January 30, 2017. 

  5. Zee Krstic. “16 Best Long-Distance Sex Toys Ever, According to Real Couples.” Good Housekeeping. November 4, 2024. 

  6. Lovense Privacy Policy. October 10, 2024. 

  7. Lovense End User License Agreement. October 10, 2024. 

  8. Camila Domonoske. “Vibrator Maker To Pay Millions Over Claims It Secretly Tracked Use.” NPR. March 14, 2017. 

  9. Arthur Rizer and Amie Stepanovich. “The Next Security Risk May Be Your Vibrator.” Wired. June 8, 2017. 

  10. The Rose Toy

  11. Sebastian Anthony. “Internet-connected vibrator with built-in webcam fails penetration testing.” Ars Technica. April 6, 2017. 

  12. Zack Whittaker. “This smart vibrator can be ‘easily’ hacked and remotely controlled by anyone.” ZDNET. February 1, 2018. 

  13. Emily Dreyfuss. “Don’t Get Your Valentine an Internet-Connected Sex Toy.” Wired. February 14, 2019. 

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.