If it all sounds a little obvious, that’s on purpose. “The bigger, more known brands, they kind of stick to high quality and tried their best, but it was really standards you created for yourself,” Rief says. “But there are a lot of cheap products produced in China because nobody’s stopping you.” The ISO standards won’t stop subpar sex toys from rolling off the assembly line, but they give high-end sex toy makers a way to distinguish their wares from the junk. A vast proportion of the growing market is sourced to cheap “white-label” manufacturers who build quick-and-dirty gear for multiple retailers or contract to build toys for small companies.
“White-label manufacturers, there are no standards there, and you see that with sex toys, too,” says Jen Caltrider, lead for the Mozilla Foundation’s cybersecurity reviews program Privacy Not Included. ISO and other standards-setting organizations don’t have the force of law or government regulation behind them, though sometimes testing companies will provide certifications. They do make it easier for manufacturers to agree on levels of quality and safety—and to performatively tell everyone in their marketing that they’re following the standards.
That emphasis on fit and finish meant cybersecurity got left out of the process. “They discussed it, but it was not included specifically because it’s complicated and generally covered by local regulations,” Rief says. Something like Europe’s General Data Protection Regulation might address privacy concerns, for example. That’s a little ironic, because in 2017 WOW Tech subsidiary We-Vibe agreed to a $3.75 million settlement in a class action lawsuit alleging that its vibrator-connected app collected and maintained user data without consent. Mozilla’s Caltrider says We-Vibe has tightened things up since then. “We had this lawsuit and tried to learn from that,” Rief says. “We have nowadays our own in-house app team and agencies that try to hack the app.”
It’s certainly possible that security and privacy aren’t even a priority for most sex toy buyers. “I don’t know for sure that all companies that make or distribute toys are going to take this seriously, but I think they will generally take it more seriously than some customers will,” says Carol Queen, staff sexologist at Good Vibrations, a longtime purveyor of same. For whatever emphasis those stores might put on material safety, let’s say, their customers often prioritize price and design. “The folks who don’t care probably will continue to not care,” Queen says. To be sure, sex toys are outright illegal in some countries, and some places criminalize forms of sexual behavior that devices might track. But many people already accept that their phones and smart speakers collect personal data; sex toys might be no different.
On the other hand, people probably should care more. Major companies in the business, like We-Vibe or Lovense, already follow norms like using encryption and requiring strong passwords. Minor companies sometimes don’t. And for the privacy-conscious, it’s a hot-button category. Caltrider says Mozilla’s privacy project, which audits hundreds of different products, gets more traffic to its sex toy write-ups than those on any other type of device.
Privacy’s also far from the only concern. Take the new standards’ oblique reference to vibration. “I can see a situation where a manufacturer specs out the motor they need to get a low-frequency vibration going that’s capable of a much higher-duty cycle and speed, so they put a software limit that the app would only ever tell it to go to 50 percent,” Haines says. “That doesn’t mean the chipset couldn’t take a command that would take it to 100 percent.” That’d put a user on very shaky ground. Or, Haines continues, “when they’re designing the device, they’re accounting for a certain amount of draw from the battery under normal usage. For lithium ion batteries, if you put excessive draw on them, they react very badly.” By which he means they catch fire. And no one wants someone taking control of their sex toy who isn’t permissioned—a violation, at a minimum, and potentially an assault. So security provisions have to account for all different kinds of consent.
These risks aren’t just hypothetical. In late 2020, a British cybersecurity company found that the Cellmate Chastity Cage—an app-controlled metal enclosure that locks around a person’s penis—used Bluetooth to do the actual locking and unlocking but stored data like location and a unique device identifier on servers owned by the company, Guangdong-based Qiui. The security researchers warned that a hacker could spoof the control and prevent the device from unlocking, at which point the only way to get it off would involve bolt cutters or an angle grinder. The company updated its app but apparently left an old version of the API online, because a hacker reportedly tried the exploit, demanding that chastity cage customers pay up before they could achieve release. (It’s not clear whether anyone was actually wearing their Cellmate when the lockdown hit, and to be fair, the new ISO standards do say that locking devices should also have a built-in way to unlock them manually.)
Engineers who rely on standards like the ones ISO puts out might also see good reason to keep those kinds of problems separate from the ones specific to sex toy hardware. Maybe battery standards should apply to any connected, rechargeable device. Broader internet of things regulations could deal with cybersecurity. But it’s clear that the functions of sex toys are changing; people are creative that way. The rules will have to keep up.
More Great WIRED Stories
