If Your Vibrator Is Hacked, Is It a Sex Crime?

On a recent trip to Berlin, Alex Lomas’ acquaintance posed him
a challenge: Can you find a Bluetooth-enabled butt plug in the
wild, and can you turn it on without its owner’s help? Lomas, a
penetration tester with the British cybersecurity firm Pen Test Partners, pulled
out his phone, consulted the detection app LightBlue, and
quickly identified a Lovense Hush, purportedly “the most
powerful vibrating buttplug on the market,” that Lomas says was
nestled in the rear end of a stranger. What’s more, that Hush
was vulnerable, open to hacking by anyone who knew how.

As the world hurtles toward total app-connectivity, the gap
between what our devices could do and what the law can address
widens, particularly with teledildonics—or, sex tech that you
can control remotely, over the internet. A sex toy hacking
situation like the one Lomas identified isn’t likely to occur
outside a lab, but linking a vibrator to the internet opens up
the possibility that it might, and we should be ready to
discuss it.

Lomas published the results of his experiment on the Pen Test Partners blog, and
coined the term “screwdriving,” a sexualized play on wardriving
(or the drive-by stealing of other people’s Wi-Fi). In a Skype
interview with Gizmodo, he summarized the procedure in layman’s
terms: Hush uses Bluetooth Low Energy, basically the more
modern version of Bluetooth, to connect with smart devices. If
you are wearing the butt plug out in public, and a designated
partner is standing within about 30 feet of your tuchus, then
that partner can control its vibration speed and pattern
discreetly from their phone. Which is all well and good, Lomas
said, unless that person wanders out of (admittedly limited)
connectivity range. In that case, Hush “will sort of fail open
into a discovery mode, ready for other people to discover and
then take control,” to pair with the plug—there’s no password
protection, or the PIN is an easily guessed 0000 or 1234—and
pilot your anal experience, uninvited. (In an email, a Lovense
rep explained that this is indeed the case, although the toy
does have a function that automatically turns it off if the
connected device falls out of range. Lomas pointed out that the
customer would have to know that any of this is even possible,
which many won’t.)

Lomas did not sync with the Hush and dial up the vibration, but
he could have, and therein lies the problem. A consumer could
venture out into the world, intending to have a secret erotic
experience with one person, but end up having telesex with
someone else entirely. But what kind of crime even is
that—cyber, sex, or some kind of newfangled hybrid? And is
anyone out there equipped to handle it?

The answer seems to lie somewhere in the neighborhood of “not
really,” which is slightly surprising as news of sex toy vulnerability
becomes more and more frequent. White hat hackers have already
exposed a number of adult companies—Lovense, WeVibe—as unstable repositories for the
surprisingly detailed stores of intimate user data they’ve been
collecting, mostly unbeknownst to their customers. WeVibe’s
data insecurity led to invasion of privacy lawsuits
and modest settlements, yet the possibility that random third
parties could insert themselves into a mutual masturbation
session on Skype or a camming platform like Chaturbate has been
less widely discussed. Hush isn’t the only assailable toy:
Pretty much any BLE-enabled toy (or indeed device, whether
that’s a hearing aid or a smoke detector) could be opened to
outside probing. Products connected to apps like Body Chat seem
pretty open to outside intervention, while the camera-equipped
Siime Eye vibrator is easily hijacked by anyone
with the know-how, potentially affording strangers vividly
detailed views of your genitalia. That victim would certainly
be able to claim invasion of privacy, but a
breach of that scale seems more significant.

To be fair, the possibility that an unwanted third party could
hack a sex toy is sliver-slim: As Lovense explained in its
response to Lomas’
experiment and in an email exchange with Gizmodo (of the
Internet of Things sex toy makers contacted, Lovense was the
only one to respond), Hush can only connect to one device at a
time, and screwdriving would require sophisticated knowledge of
BLE and “Lovense protocol,” along with “BLE sniffing hardware”
most people don’t have. Even if someone did manage to pounce on
your butt plug’s lapsed BLE connection, they’d need to be
extremely close: within 30 feet and “a clear line of sight,”
so, probably following you around. But it’s possible to buy
long-range Bluetooth transmitters and receivers, and Lomas
reported that a number of readers tweeted at him
post-publication to say they’d successfully located their
neighbors’ toys through a shared wall.

Lomas acknowledged that some Hush buyers may be into a
stranger’s surreptitious involvement, and that’s perfectly
fine; the problem, as he sees it, is that the average consumer
probably won’t realize they’ve consented to a semi-private
experience—that they are, “essentially, walking around with a
giant butt plug transmitter” broadcasting out their anuses, or
inadvertently offering a telescopic tour inside their vaginas.

Indeed, in considering teledildonic hacks
from a legal perspective, consent should be a big part of the
equation: instinctually, a stranger surprising you with genital
vibrations reads as a violation. Legally, sexual assault doesn’t
require penetration, merely “sexual contact or behavior that
occurs without the explicit consent of the recipient.”
According to Shanlon Wu, a defense lawyer
in Washington D.C. and a former federal sex crimes prosecutor,
the absence of consent, like what would result from a remotely
controlled, hacked sex toy, signals sex assault.

“The typical definition of a felony-type sexual abuse is an
unconsented-to penetration,” whether it’s with a body part or
an object, Wu said. As regards the latter, he doesn’t see the
legal equation changing if it’s a hand or a device controlling
the object’s movement. Wu acknowledged that some lawyers might
get bogged down in the virtual aspect of the offense, and view
wearing a teledildonic device as blanket consent to its use.
But consent is not transferrable, he said.

Wu offered an analogy: “If I’m entering a boxing match … I’m
consenting, obviously, to the contest with my opponent. If he
hits me, I can’t be yelling, ‘Oh, he assaulted me, he punched
me!’ because we’re consenting to punching each other. But if
his corner man, his manager, comes out and clocks me in the
head during the match, they can’t argue, ‘You consented to a
boxing match, so anybody gets to beat up on you.’” Similarly,
if you consent to someone using a sex toy on you, that’s not an
invitation for any passerby to join in.

“Consent is consent whether it’s in person or whether it’s
remote, and I think that’s the thing to focus on,” Wu said. He
sees this form of cyberstealthing as a straightforward sexual
assault prosecution, but Stewart Baker—a partner at the law
firm Steptoe & Johnson where his practice covers cyberlaw
and technology-related issues—disagreed.

“I’m having trouble fitting this neatly into a sex crime
framework,” Baker told Gizmodo. “If somebody breaks
into your dildo, they’re criminally responsible,” he said, but
the question is how.

While Baker agreed that vibrator hijacking skewed the concept
of consent, he also speculated that trying it as a sex crime
could raise complicating questions about agreed-upon partner
participation. If the sex toy in question comes with a built-in
camera, that could implicate its owner in ways that won’t sit
well with many people: Baker noted that consensual sexting
between teens has already translated to several child pornography
prosecutions, and if two minors are using a camera-equipped
vibrator with one another on Skype or any other
internet-connected video platform, they could inadvertently
land themselves in a similar world of legal hurt. The clearest
path forward Baker sees is prosecuting screwdriving as a cyber
crime, under the 1986 Computer Fraud and Abuse Act, which
encompasses all wittingly unauthorized access of a computer as
well as the filching of its contents. While it does not
specifically address teledildonics, the CFAA arguably offers a
means of placing consent in a cyber context.

“The difference between being authorized and having consent is
vanishingly small,” Baker said, “and so if you don’t have
authority to do something with somebody else’s dildo, then if
you’re doing it remotely over the internet, you’ve committed a
crime that could turn out to be a felony [under the CFAA].”

Who’s likely not liable, though? The manufacturers, unless
they’ve somehow misrepresented the product, Baker said. (The
Lovense rep with whom Gizmodo spoke said they would broach the
idea of adding a clarifying label to product packaging with the
CEO.) While civil suits have resulted from toymakers’ insecure
data collection methods, when it comes to a telesex hack, the
only person responsible is the hacker. Which means it’s
reasonable to request that both the manufacturers and the law
figure out how to address sex toy vulnerabilities.

For both Wu and Baker, screwdriving cases remain relegated to
the realm of the hypothetical, and some disagreement on
prosecuting such a crime likely stems from a lack of precedent.
A CFAA violation and a sexual assault are both
felony crimes, though, and their possible sentences vary
widely. Arguably more important are the implications of
treating a sex toy hijacking as a computer-related crime,
rather than a crime against a person. Doing so risks minimizing
an offense that ultimately hinges on unasked-for intimate
contact, and a lawyer who argues that wearing a device like
Hush in public is opening themselves to its unauthorized use is
victim blaming.

The legal approach to screwdriving, though, would likely depend
on whatever real life victims materialize, and as sex tech
veers increasingly toward IoT connectivity—syncing with an app,
virtual reality masturbation sessions, setting off a
cross-country partner’s vibrator—without manufacturers pausing
to patch security holes, it seems reasonable to expect they
will. And while it’s probably not time to agonize over whether
or not a hacker is waiting in the wings of your Skype sex
session, ready to hijack your vibrator at any moment, it might
be time to start thinking about what the future of sex crimes
looks like. Better now than after we’ve arrived.
