The law isn’t ready for the internet of sexual assault

What happens when our most intimate devices get hacked?

If the Mirai botnet taught us anything, it's that no device connected to the internet is safe from hacking.

In that incident, malware hijacked thousands of devices, including DVRs, modems and security cameras. But as the worlds of sex and technology begin to intersect, the threat of hacking will enter a new, potentially more dangerous realm. Already, one connected vibrator has had its security called into question, and it won't be the last. When the inevitable happens, is there a legal framework to deal with such a crime?

The following article contains a discussion of topics that some may find upsetting.

There is no universal definition of rape. In the US, the law varies from state to state, but the FBI and Title 10 of the United States Uniform Code of Military Justice both reflect a common standard. For rape to occur, there needs to be penetration of a person's anus or genitals (the FBI includes "mouth" in its definition). This penetration can either be with the attacker's body or with an object.

It's crucial to prove that the act took place without the consent of the victims. That can be because they did not consent, their consent was obtained under duress or they were incapable of giving consent. In addition, it's not legal to "trick" a person into consenting by withholding information or actively deceiving them.

We are slowly approaching a world in which people can be intimate without being physically close to one another. The internet allows us to have sex with people situated on the opposite side of the world. To bridge that distance, we use web-connected devices like masturbation sleeves and vibrators.

What would the legal implications be if, say, skilled and malicious hackers were able to hijack one of these devices? On one hand, they will have gained control of an object that is used to penetrate, and therefore are potentially responsible for it. On the other, the device's owner is likely to have overall control of the hardware and, we assume, consents to its use.

"That would, I suppose, be sexual assault," says robot ethicist Dr. Kate Devlin, a senior lecturer at Goldsmiths, University of London. Writer and broadcaster Girl on the Net agrees, saying that "controlling someone's sex toy without their consent is sexual assault." She adds that "you're doing something that someone has not fully consented to, at least by not knowing who you are."

But it may be the case that US law, as of right now, doesn't support these assertions about what constitutes online sexual assault. Much like the definition of rape, the country has a patchwork of laws that cover the crime, many of which require unwanted sexual touching. For instance, Title 18 of the US Code states that "sexual contact" must be made -- but where is it in our example?

Think about the hacking of a sex toy: The offense is electronic, but the harm it causes is human.

A functional criminal justice system creates a series of boxes into which you can categorize offenses and their punishments. We do this in order to avoid individuals being punished differently for committing a materially similar crime. But when these laws were written, there was no idea of what the future would hold. Think about the hacking of a sex toy: The offense is electronic, but the harm it causes is human. There are other crimes that, as of right now, are enabled and magnified by the internet yet aren't yet codified in statute.

Another example: In 2011, a Los Angeles court sentenced California resident Luis Mijangos to six years in federal prison. Mijangos was found to have hacked into dozens of computers, many of which were owned by underage girls. Mijangos appropriated nude images and recorded their keystrokes, webcam feeds and intimate voice conversations. He then threatened to publish those files to the girls' close friends and family unless they provided more images to him.

Those threats weren't idle. When one of his victims attempted to raise the alarm through a friend, Mijangos knew. In revenge, he posted nude images of her to her MySpace page for all to see. In court, District Judge George H. King said that Mijangos had engaged in "psychological warfare" and "cyberterrorism." His victims say they have been traumatized and terrorized, with many exhibiting signs of severe stress.

But the crime that Mijangos committed -- covered under the umbrella of "online sextortion" -- doesn't exist in either federal or state law. It's an issue that was highlighted by the think tank the Brookings Institution. It published a paper early last year explaining how digital sextortion was not anticipated by the law.

Like online sexual assault, digital sextortion is a sexual crime, and as such, getting accurate data on the issue is a problem. Brookings researchers admitted that they struggled to find cases for analysis, thanks to issues with underreporting. America's largest anti-sexual-violence organization, RAINN, believes that two out of every three instances of sexual violence are not reported.

"These cases ... produce wild, and in in our judgment indefensible, disparities in sentencing."

The Brookings Institution

It should be noted that in instances involving crimes against minors, stringent child-pornography laws are in place. But, as the Brookings paper outlines, adult sextortion crimes are prosecuted under a "hodgepodge of state and federal laws," a Wild West of lawmaking that results in "indefensible disparities in sentencing." Mijangos, for instance, was given a "dramatically lighter sentence" than he would have received for a physical attack on a "fraction of the people" he victimized. Another perpetrator, Joseph Simone, was sentenced to just three years in jail despite "victimizing up to 22 young boys."

The Brookings paper points out that predators can take advantage of this inconsistency to target their attacks. Because there is such a wide disparity in sentencing, it's possible to seek out victims who are based in states with weaker laws. A well-read criminal could direct attention toward victims in Rhode Island, where punishments are soft, and avoid Maryland, where penalties are far harsher.

More generally, states don't seem to be able to join up their thinking on how to sentence connected crimes -- yet. In New York state, for instance, hacking someone else's computer is a Class E nonviolent felony that carries a sentence between 16 months and four years on probation. Sexual assault, meanwhile, is a Class B violent felony that carries a custodial sentence of anything up to 25 years.

If we are to avoid similar controversies in the future, it is likely that we will need to create a law that covers this type of crime. The Brookings paper asserts that there needs to be a federal sextortion law that will cover threats of online sexual exploitation. Similarly, it seems clear that we need legislation that will cover instances of online sexual assault. Thankfully, we may be able to draw inspiration from a good example on the opposite side of the pond.

Neil Brown is an English lawyer and co-founder of decoded:Legal, a law firm with a specific interest in technology law. He says a clause in the Sexual Offenses Act 2003 could be the magic bullet. "When you look at the act," he says, "you've got this quite interesting provision at Section 62." In it, people are guilty of a sexual offense if they commit any offense with the intent to commit a sexual offense.

"There is a lack of current legislation to deal with online sexual issues."

"Let's say that it was an internet-connected vibrator," says Brown, and someone hacked the device "with the intent of committing either sexual assault or assault by penetration." The crime is likely to fall "both under the computer-misuse framework and the provisions of Section 62." This hybrid offense would also aid sentencing; Brown says that a computer-misuse crime has a maximum "of up to two years in prison. "But," Brown adds, "if you commit a computer-misuse offense with an intent to commit a sexual offense, then that can go up to 10 years."

California attorney Michael Fattorosi, who has expertise in adult law, agrees about the need for new laws to cover such a crime. "There is a lack of current legislation to deal with online sexual issues," he said, "whether it be rape, revenge porn or sexual assault." The issue will continue to exist "until more legislators around the US wake up and understand current technology," he said.

Anatomy of a sex-toy scare

If we're going to begin creating legislation based on the potential harms of digital sex crimes, it's worth analyzing if those dangers are real.

Svakom is a sex-toy manufacturer based in the US and China that produces the Siime and Siime Eye lines of connected vibrators. These devices are famous, or infamous, for having a small camera embedded in the tip. Such technology caters to those with a penchant for footage taken from a more anatomical angle than is usual in traditional pornography. It is also sufficiently attention-grabbing to have received special attention from security researchers.

Earlier this year, British security firm Pen Test Partners purchased a Siime Eye to examine the security of its camera feed. Pen Test claimed it was possible to gain access to the device remotely over the internet. As well as the risk of having the device controlled by a third party, users are also at risk of having strangers see images of their genitals. In addition, because the device offers itself up as a WiFi hotspot, broadcasting its SSID, it risks outing its owner.

Of course, Siime Eye is such a niche device that reporting on the story provided an easy win for journalists. Some tabloids called it a "spybrator," while others said that the hardware could be hijacked remotely over the internet to let hackers "livestream the inside of your vagina." Other stories latched onto a throwaway comment in the report suggesting that there was potential for the Siime Eye to connect to a Skype account. The controversy prompted US privacy organization Access Now to demand that the FTC ban the device from sale.

RenderMan is the pseudonym of a Canadian security researcher who runs the Internet of Dongs project, an initiative to educate sex-toy manufacturers on the risks that connected devices face. He posted a rebuttal to the Pen Test report, saying that its findings were both "sensationalist" and "designed to make a splash in the press."

In an interview with Engadget, RenderMan explained that the Siime Eye's key WiFi vulnerability does not enable remote attacks. Only users within the device's 30-meter broadcast range would be able to attempt to gain access to it. And on that point, RenderMan quipped that "if you're that close that you're connecting to it and issuing commands directly, I mean, stick a camera in the window." He added that an issue like this is not likely to affect general internet users or "every single [Svakom] customer" but is likely to be isolated "to that one person with a stalker."

"Wardriving" is the practice of touring a location like a city and cataloging the SSIDs of local WiFi networks. Wardrivers upload their findings to an open database, like, that allows other users to search the information. But RenderMan believes the risk of being outed by the device's SSID in this way has been overstated. He said that in the two years since the device has been on sale, only two have ever been found in this way, and both were demo units in a Tokyo sex shop.

Anuj Saroch is the digital marketing manager for Svakom, makers of the Siime Eye, who disputed some of Pen Test's claims. For instance, he says that the "WiFi features of Siime Eye do not support networking" and that the device "cannot connect to Skype" at all. Pen Test "did so much research to hack this device," Saroch adds, but "we don't agree that they really hacked the device."

Saroch believes that "currently, the device is still secure" and that his company has "answered each and every question" asked of it. Despite this, Svakom is working on an update to the product that he says will arrive within two months. The fix will ensure that the Siime Eye will connect only to smartphones, and the app will remind users to update their passwords.

Have the risks of having your connected sex toy taken over by a malicious third party been overstated and sensationalized? RenderMan doesn't believe so; he says he has found "many instances of account takeover vulnerabilities" in his research. "It's a very real threat, but one that, so far, has remained thankfully theoretical," he added.

Svakom is not the only company that has come under public pressure for its attitude toward privacy.

In 2016, Standard Innovation was the subject of a class-action lawsuit stemming from its data-collection policies. The company, which produces the We-Vibe range of connected vibrators, tracked the temperature of each hardware unit and the vibration patterns used.

Standard Innovation later explained that the data collection was for hardware diagnosis and that it needed to be more explicit about its policy. It had to pay around $3.75 million in settlement fees to customers whose information had been stored without their consent. Standard Innovation's motivation may have been innocent -- as far as it claims -- but the idea of collecting data in this way troubles many.

Devlin, the University of London robot ethicist, believes that such data collection creates two distinct risks for users. In the short term, the information could be compromised, "like the Ashley Madison breach." From there, it's a short step to hacking, blackmail and, according to some reports, even suicide.

In the longer term, however, users who buy devices from companies that harvest all of their relevant data could be at even greater risk. "You're signing the terms and conditions now," she said, "but what is going to change further down the line? ... There are people who say, 'If you've got nothing to hide, you've got nothing to fear,' but I don't think that's true at all."

You could travel to another country where your private life could land you in trouble. "You say, 'Why would they care about my sex tech records?'" Devlin says. But imagine if during a trip to, for example, Chechnya, and people learn you are gay. Given that gays and lesbians are currently being murdered in that region, this type of data collection is a potential threat to people's lives.

This sort of oppression also takes place in the United States, and Devlin is reminded of Alabama's Anti-Obscenity Enforcement Act. The law prohibits the sale of sex toys in the state, and those in violation face up to 10 years in jail. It's not that far from where we are at the moment, now that surveillance agencies can learn "something about your sexual behavior that could be used to discriminate against you."

Privacy researcher Sarah Jamie Lewis believes that the ability to collect and track data is even more pernicious. She said data stored by quantified sex devices -- such as the quantified cock ring Lovely -- could be enough to identify individuals. "If you do a blowjob in such a way that it has very unique characteristics when you observe the data," she said, "then you could identify that pattern in the data and track back." At this point, it's all "very theoretical and messy," but there is a potential that anonymous tracking data could be used to "fingerprint" people.

Brown agrees, saying that manufacturers need to "think long and hard" about whether their devices need to be connected. His concern is that, much like in the Ashley Madison breach, these companies' central repositories make a good target for hackers. He added that it's virtually impossible to anonymize the data "so that it doesn't identify an individual, or [is] stored in such a way that it simply cannot be compromised." And, much like Devlin, Brown feels that the risks to reputation, well-being and life cannot be overstated.

We know that there is a hole in the current law, and we know that there is a risk -- however small -- that this may take place.

Users should be educated about those dangers; as Girl on the Net says, "All sexy situations involve some level of risk." But, she adds, those who are dipping a toe into the world of teledildonics "are unprepared for what can happen." Potential attackers too should be reminded about the real harm their actions could cause.

RenderMan believes there is a huge moral imperative for manufacturers to do everything they can to ensure the security of their devices. He says that "the emotional trauma from a remote assault may be on par with a physical assault." Prevention, therefore, is better than cure. "The possibility of remote hacking should be front of mind," says Girl on the Net.

Those inside the industry agree, with Svakom's Anuj Saroch says manufacturers will "have to take care of these things." Stephanie Alys, co-founder of MysteryVibe, a British sex-toy manufacturer, says that "like any other industry, [sex toy] companies have a responsibility to protect their customer data."

Alys also believes that to avoid another We-Vibe-esque situation, businesses need to be up front about data collection. "We are talking about sex, so people should be able to give informed consent," she added.

Lewis thinks that manufacturers are already missing out on easy methods of improving their security. "Communication between sex devices should be like a Signal or WhatsApp message — end-to-end encrypted." In addition, there should be "no way for a company to be able to extract that data out of the device." The alternative is "a very weird and complex issue around what happens when this data is stolen, interfered with or swapped," she says.

Lewis says users should closely scrutinize the data-collection practices of the companies they buy toys from, ensure their devices are encrypted, and take care not to leave any piece of gear with someone they do not trust. Alys, meanwhile, suggests that users create separate online identities to connect to their sextech to help avoid detection.

We cannot, and should not, blindly trust manufacturers to be eternally vigilant about threats against us. We must be thoughtful and careful about how we use our connected sex toys. We must also accept that, inevitably, this theoretical issue will become a practical one. As a consequence, we should urge our lawmakers to develop a proper federal framework to ensure that those who commit crimes are punished for it, and as few people suffer as possible.