The third video in the VIRT-EU Ethical Unboxing Series is about the smart technologies we bring into our bedrooms and our beds. We decided to focus on two devices from the same company – Beurer – and were surprised to find that the data was managed differently in each device. How is the consumer supposed to know this?
“What we see here, is a little bit of a disconnect – the company, clearly, is trying to be very open about what they’re doing with the data, but the don’t quite go the extra mile. What they don’t do is they don’t tell us: Do they get the data? And if they do, what do they do with it? And if they don’t, what I would like to see is a statement that they actually don’t. It doesn’t mean you shouldn’t use these devices, but you should know what you’re getting into.”
– Irina Shklovski
We looked at the Beurer SE80 Sleep Sensor and the Beurer SL70 Snore Stopper – two devices that are available in stores in Copenhagen, Denmark. Although many of us buy our devices online, we often have to look for information ourselves. We expected the shop attendants would help us find out about these devices, but got little information. Since these devices collect data while we are in bed, we were interested in finding out what data is being stored. Who gets to access this data? Can the company use these data and how? What happens to these data after we stop using the device?
Since sleep tracking devices depend on collecting data to fulfil their purpose, they are often connected to smartphone apps to help users adjust settings and keep track of their data. Although these devices are from the same company, they connect to different apps that can be found on Google Play. The sleep sensor connects to the SleepExpert app, and the snore stopper can be connected to the SleepQuiet app. So we did research online, read those privacy policies and terms of service, and unboxed products, to find out what happens to the data these sleeping devices collect. It turned out that the SleepQuiet app is developed and run by a different company from outside the EU. Does that mean that our data is being accessed by that company? Their terms of service state that it is the users’ sole responsibility to protect themselves – what could this mean?