
This is exactly why I refuse to use an app for setting up hardware. Bose pushes really hard to get you to use an app for something that really doesn't require an app.


I switched from a Bose QC35 to a Sony WH-1000XM3 about half a year ago, and the Sony app on iOS was egregiously requesting permission for location access, even while the app is in background. The cited reason for location access sounded rather flimsy and suspicious. Luckily, everything that can be done with the app can also be done with the physical buttons on the headphones. I guess their design philosophy is that if you want the convenience of using an app with the product that you’ve already paid a lot of money for, you’ll need to pay for it with your location info.


I own the WH-1000XM2 (same app for both models) and the reason the app requests location is for a singular feature called 'Adaptive Sound Control'. This feature lets the app change sound profiles based on where you are, so yes - location access is required.

Stating that this is "their design philosophy" is a stretch here. I realize Sony doesn't have a stellar track record but in their defense if you don't use 'Adaptive Sound Control' the app does not and will not try to enable Location access unless you turn said feature on and the app doesn't already have access.

So, no - you don't need to pay for the convenience of Sony's app by allowing Location access as it's not required but for a singular feature that is fundamentally based around setting profiles based on your location.


> So, no - you don't need to pay for the convenience of Sony's app by allowing Location access as it's not required but for a singular feature that is fundamentally based around setting profiles based on your location.

I reinstalled the app to see if I was misremembering it. The app requests always-on location information upon installation and pairing with the headphones. The garden path in the UX of the app is to allow location access. If the user chooses to not allow location access by tapping the tiny "Later" button, the main screen prominently features a Switch control (which is off) for Adaptive Sound Control, tempting the user to toggle it on, which requests always-on location access. Given all of this, it's very difficult to interpret this "feature" in a favorable light.

Fortunately, the app's privacy policy[1] does not seem to mention anything about them collecting location information (but they do claim to collect "country or region"). On the other hand, the manual for the app[2] also has no mention of it requesting always on location access either, which doesn't inspire much confidence. Not to mention the 27 month data retention policy and the policy of sharing with their "affiliates".

After having read the privacy policy, I'm glad I chose not to use the app and will continue to do so.

[1]: https://musiccenter-cdn.meta.ndmdhs.com/headphones/pp/201903...

[2]: https://helpguide.sony.net/mdr/hpc/v1/en/index.html


> Given all of this, it's very difficult to interpret this "feature" in a favorable light.

What would you rather they do? They ask for permission for a specific feature and when denied, the feature is turned off. When you try to turn on the feature, it requests access for that feature. It sounds like it works exactly as it should.


> What would you rather they do?

I would rather that they document why they need background location access and not try to hoodwink their users into granting them carte blanche access to the users' location data. There's a fairly established pattern in mobile apps where they show a screen informing the user of the reasons why an app needs location access before requesting it from the OS. And that isn't the case with the app in question. Nowhere in their product documentation (for both the app and the headphones) do they mention that their product needs background location access.

Also, let's not forget the context of the post here. The Bose Connect app (at least on iOS) does not demand access to the user's location. They got sued for lesser privacy violation (in my subjective opinion) and rightly so. Any app demanding background location access, especially an app for a pair of headphones is a serious concern, IMO.

The other commenter in this thread seems to be insinuating that I have a bias against Sony. But that's certainly not the case. I've spent a lot of money on Sony's mirrorless cameras and lenses and continue to do so. Sony undoubtedly makes great hardware, but on the other hand, privacy is also very important to many of us. One could argue that privacy is far more important than the fancy hardware.

Finally, coming back to the "feature" in question, "Adaptive Sound Control". The feature seems to be built around classifying whether the wearer of the headphones is standing still, or walking or running or using a mode of transport and applying the user selected profile based on the activity. Couldn't this be implemented in a much more efficient manner in hardware with an accelerometer in the headphones? I understand that this would mean a slightly reduced battery life on the headphones for people using the feature, but would be a better trade off, IMO. And yes, decisions like this are a product of a company's design philosophy.


> Also, let's not forget the context of the post here. The Bose Connect app (at least on iOS) does not demand access to the user's location. They got sued for lesser privacy violation (in my subjective opinion) and rightly so. Any app demanding background location access, especially an app for a pair of headphones is a serious concern, IMO.

I'm not sure you are understanding the feature. It allows you to set profiles for your location automatically. Like if you're at home maybe you care more about ambient noise while cancelling is enabled. Maybe while you're at work you want to dial it down. Yes, you can switch between profiles in other ways but this allows your phone to do it automatically for you. The app does not "demand" access, I wish you'd stop saying this because it is not true. Again, if you do not use the feature, it literally will never ask you for location permissions until you try to turn the feature that requires it on.

> Finally, coming back to the "feature" in question, "Adaptive Sound Control". The feature seems to be built around classifying whether the wearer of the headphones is standing still, or walking or running or using a mode of transport and applying the user selected profile based on the activity. Couldn't this be implemented in a much more efficient manner in hardware with an accelerometer in the headphones? I understand that this would mean a slightly reduced battery life on the headphones for people using the feature, but would be a better trade off, IMO. And yes, decisions like this are a product of a company's design philosophy.

You're wrong here. Maybe try to understand the feature before making a bunch of incorrect assumptions. You think an accelerometer is going to be able to differentiate your work and home location? No. It's a pair of headphones and a feature that has been blown way out of proportion with your strawman. Finally, a feature does not a company's design philosophy make as, again, you assume here with absolutely zero basis to back up your argument. Not only have you failed to show how this feature is ill used by Sony you've also failed to comprehend what it actually is or how it's used.


> You're wrong here. Maybe try to understand the feature before making a bunch of incorrect assumptions. You think an accelerometer is going to be able to differentiate your work and home location? No. It's a pair of headphones and a feature that has been blown way out of proportion with your strawman. Finally, a feature does not a company's design philosophy make as, again, you assume here with absolutely zero basis to back up your argument. Not only have you failed to show how this feature is ill used by Sony you've also failed to comprehend what it actually is or how it's used.

Perhaps I am. This seems like the right occasion to pull out my trusty old iPhone 6S Plus from my drawer that I keep around for testing dodgy apps.

I installed the latest version of the "Sony | Headphones Connect" from the iOS App Store on the aforementioned phone with a throwaway app store account. Also, I allowed it the full location access that it had been asking for, to enable the "feature". I took screenshots of every screen along the way. I've uploaded them here[1]. You'll only need to see the first 4 screenshots there to see what I'm talking about. The screenshots are in reverse chronological order and have been cropped to remove the iOS status bar.

As evidenced by the screenshots, the only modes the "Ambient Sound Control" "feature" is able to differentiate between are "Transport", "Running", "Walking", and "Staying". Now, it's amply evident that you're either lying or using some special version of the app that isn't publicly available and allows your pair of headphones to distinguish between when you're using them at home and when you're using them at work.

Also, to cite from another contradictory comment[2] of yours on this thread:

> I've never allowed any permissions for this app and have yet to have any functionality diminished.

If you've never allowed permissions for this app, then how did you jump to the false conclusion about the app being able to differentiate your work and home location? It looks like the only way to ascertain that would be to allow location access to the app.

The certitude with which you state your opinions on this thread and the extent to which you're willing to ignore the facts, makes me suspicious of your motives here.

[1]: https://imgur.com/a/dtUTYZU

[2]: https://news.ycombinator.com/item?id=20016409


Agreed. I feel like the argument against in this thread is a poor strawman. I've never allowed any permissions for this app and have yet to have any functionality diminished. The app doesn't require any registration (which is not oft the case these days) and as others have pointed out most all functionality can be had via direct controls on the headphones. You can get away with not using this app for most everything except firmware updates and location specific features.


A company should exist that simply takes wonderful products, removes the offending bits, and resells them, perhaps at a premium. Both headphones are really good, and I certainly would pay a $100 premium if the maker was "one of the good ones" and provided, e.g., an optional, open-source app with minimal permissions.


I'm 100% right there with you. But the inner pessimist in me isn't holding my breath. Said new company would perhaps start with an excellent and wholesome mission statement, make some great products and then take on funding, need to experience exponential growth, maybe have an IPO, and eventually betray its users in the quest for "maximizing shareholder value" and providing a "better user experience". If it can happen to Google it can happen to anyone...

Also, can I even buy a sound bar for my TV that doesn't listen to me and need an internet connection these days... It's unreal the unneeded complexity and bullshit they put in some electronics.

The real heroes the world needs are just independent founders that use slow growth over several generations and never sell the business, thus minimizing incentives other than having a lifestyle business and making great stuff. But the money is just too tempting eventually, or the business just isn't feasible at that scale.


Google was never “wholesome”. Their business model from day one was to collect user information and sell ads.


For the first few years of its life, Google (nee BackRub) was a business-model-less company that just ran a search indexer. They looked like they were heading toward the Inktomi model of selling their compiled search-index (or access to their index data warehouse) to companies to use. Google Ads came later, and was honestly quite a shock to everyone who was telling their friends that Google is an unalloyed good as the new AltaVista.


Google was incorporated in September 1998. AdWords was introduced in October 2000. They were an ad company from almost day one as a business.


Sure, but Google was a search engine since 1996. They only incorporated once they figured out a potential business model. Until then they were “a company” in the sense of being founders working together on an idea with the goal of monetizing it; but, since they had nothing to sell yet, no brand, and no salaries to pay, they didn’t bother to wrap a legal company around the “company in their hearts.”


But there's still a difference I think.

IIRC, and I'm quite confident about this particular one, ads used to be served based on the site you were visiting or the search you had typed.

Some people hate all ads.

For me I felt old google ads were OK.

Some people will say this isn't a good enough business model and to that I'll point out that google was widely profitable back then as well, again IIRC.


Google ads on desktops on Google’s site aren’t that bad. But, because of limited real estate, almost all ads on mobile devices are bad. Web page ads on other sites have gotten so annoying that the web is horrible without an ad blocker.

Strangely enough, ads in feeds like Facebook, LinkedIn, or Twitter don’t annoy me as much.

I also think the ads in the iOS App Store are horrible.


2 years is Day 1? AdWords itself didn't even collect user data.


If they introduced ads 2 years after their incorporation, how long were they working on it?


You are describing the Rick and Morty episode with the Devil to a t. “Let’s just pay at this store, you don’t pay with money *evil laugh*.” “You pay with curses right?... I’ll just get them removed at Curse Purge Plus!”


We need that for user-hostile businesses, except run by someone who won't abandon it when it gets boring.

The main obstacle will be the convoluted IP mess user-hostile companies create, through laws preventing you from reversing and replacing the firmware, and through tying the hardware to an Internet service.


You would. But most people wouldn't.

People have done studies on how much people will pay for minimally permissioned apps. It's basically nothing.


On iOS location access is a workaround for being able to kinda stay awake in the background. Some photo sync apps do that so they can (near) constantly sync your photos.

On that subject, I really wish Apple would allow me to use photos app to sync with a network share.



From the link:

Note: Autotransfer on iOS is "location based transfer" only.

I won’t use it because of that. But thanks.


I only saw one instance of the word “location” on the entire page.

Transfers original files and preserves EXIF metadata including location data in all directions.

What is “location based transfer”?


In the autotransfer section. Click learn more.


Ok. What’s wrong with that? Wouldn’t you want a file transfer to your own server happen when you are at home?

If you are worried about the privacy implications: when an app tells iOS that it wants to be notified when it is in a certain location, it doesn’t get your location until you are there. It doesn’t have the ability to continuously track you.


Same, WH-900N. I just used the app to flash updated firmware on the headphones (!) and then deleted the app. It has zero value.


Pre-GDPR Sony’s terms claimed a very wide scope of data collection (“content” of the device the headphones were connected to) without opt-out UI. It appears that the terms have been narrowed now to cover only the technical attributes of content, such as codec. Is there now a way to opt out of data collection?


> I switched from a Bose QC35 to a Sony WH-1000XM3 about half a year ago, and the Sony app on iOS was egregiously requesting permission for location access

I did too, and I stopped using them largely because of the amount of information the app collects. If this lawsuit gets a class certified, an analog for Sony might be something I look into.


What was the "cited reason"?


It uses your movement and location to determine what noise-cancelling mode to put the headphones in. It is awful at picking though, not worth the privacy implications or battery life drain.


It's more likely just that BLE access in Android requires location permissions.

https://stackoverflow.com/questions/33045581/location-needs-...


Which, IIRC, is because having BLE access equates to having location permissions, in the sense that you can reconstruct someone’s location from the BLE tags (Bluetooth MAC addresses) you sense, using location correlates of those tags in a separate database you’ve purchased. (This is equivalent to how phones reconstruct their location—in absence of GPS signal—using a wi-fi SSID triangulation database.)

Due to the bad layering of the BLE model it’s next to impossible to actually hide from the app the data of what peers are around the device, while still allowing the app to communicate over BLE. This isn’t true of regular Bluetooth, but BLE is solving a harder problem, sort of like how WebRTC is solving a harder problem than HTTP.

Still, you’d hope they’d come up with some way to obscure the peer BT MAC addresses or something. Maybe an approach like Apple used with device IDs, where each app sees the device ID hashed with a per-app salt—each app would see a separate list of virtual BT MACs that, when it sent messages to, the OS would translate back to the real MACs. Like BT “file handles”, almost.
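
The per-app virtual address idea from the comment above, sketched as an added example (not part of the original thread, and not how Android or iOS actually behave): a hypothetical OS-side `BleAddressBroker` hands each app HMAC-derived pseudonyms for peer addresses and translates them back when the app sends. All app IDs, addresses and names here are constructed.

```python
import hashlib
import hmac
import secrets


def _parse_mac(mac):
    """Turn 'AA:BB:CC:DD:EE:FF' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit address: {mac!r}")
    return raw


def _format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


class BleAddressBroker:
    """Hypothetical OS component sitting between apps and the BLE radio."""

    def __init__(self, device_secret=None):
        # Per-device secret: pseudonyms from two phones cannot be joined,
        # so a purchased MAC-to-location database is useless to the app.
        self._secret = device_secret or secrets.token_bytes(32)
        self._reverse = {}  # app_id -> {virtual MAC -> real MAC bytes}

    def _app_key(self, app_id):
        # The "per-app salt": a key derived from the device secret and app ID.
        return hmac.new(self._secret, b"ble-virt-mac|" + app_id.encode(),
                        hashlib.sha256).digest()

    def virtual_mac(self, app_id, real_mac):
        """Stable pseudonym for real_mac, valid only for this app."""
        real = _parse_mac(real_mac)
        tag = bytearray(hmac.new(self._app_key(app_id), real,
                                 hashlib.sha256).digest()[:6])
        # Mark as locally administered unicast so it can never be mistaken
        # for a vendor-assigned address.
        tag[0] = (tag[0] | 0x02) & 0xFE
        virt = _format_mac(bytes(tag))
        table = self._reverse.setdefault(app_id, {})
        if table.get(virt, real) != real:
            raise RuntimeError("virtual address collision; rotate app key")
        table[virt] = real
        return virt

    def scan_for(self, app_id, seen_real_macs):
        """What the app receives from a scan: pseudonyms only."""
        return [self.virtual_mac(app_id, m) for m in seen_real_macs]

    def resolve(self, app_id, virt_mac):
        """OS-internal: map an app's 'file handle' back to the real peer."""
        try:
            return _format_mac(self._reverse[app_id][virt_mac.upper()])
        except KeyError:
            raise PermissionError(
                f"{virt_mac} was never issued to {app_id}") from None


# Constructed sample data: a headset and a shop beacon near the phone.
NEARBY = ["AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"]

if __name__ == "__main__":
    broker = BleAddressBroker()
    for app in ("com.example.headphones", "com.example.adsdk"):
        print(app, broker.scan_for(app, NEARBY))
```

Each app can still connect to the peers it discovered through `resolve`, but two apps (or the same app on two phones) see unrelated addresses for the same physical device.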


My info was from the iOS version of the app which does not need Location Services for BLE.


How do the two compare, which do you like better?


This itself should be a red flag. If they heavily push something for a task that clearly has no reason to require that something then it’s probably fishy.

Same scenario about PayPal offering that I receive receipts in Messenger or Deliveroo offering WhatsApp notifications.


Instagram does this in several ways. You can't post 'stories' unless you give camera and microphone permission - even for existing videos and photos, when you have no desire to use their app to record. At first you could, now it's more restrictive.

Same for adding location to photos. On iOS you can deny the permission and still enter location manually. On Android, you can't enter a location manually unless you give the app location permission. Totally not useful, either - location info is already embedded in the photo and I really don't need the help of GPS to determine my current location.


Instagram is owned by Facebook and is thus cancer so not surprising. It’s like installing malware and then being surprised it’s doing something malicious.

On a similar note though, I just tried sending a tracking link for my Uber trip to my friend, and it tried to get contacts access permission (which I obviously denied) before giving me the link. I guess it preys on the fact that most people wouldn’t risk denying it thinking it won’t allow them to use the feature otherwise. Uber doesn’t seem to have anything to do with ads/stalking but it seems like nothing is safe in this day and age.


On iOS, it is purposefully a separate permission to allow photo access and to allow the app to access the location metadata of the photo. There have been too many incidents of accidental location leakage.


> If they heavily push something for a task that clearly has no reason to require that something then it's probably fishy.

See also ninety-plus percent of existing javascript, and literally the entire existence of intel management engine.


If you want to use the Alexa/Google button on the QC 35 II, you’d need the app. Also to configure Bluetooth settings and update the headphones’ firmware. I use it daily to connect or disconnect named devices from the headphones to either improve connectivity (fewer devices connected, better bandwidth) or save battery (fewer devices connected, battery lasts a bit longer).

I’m happy to report there’s a toggle in the app’s settings and that it now clearly indicates it sends the song data for diagnostic purposes if checked. (And yes, I disabled it.)


I assume that is checked by default, so the instant you installed everything they can swoop up from any and all caches is transmitted. Then any random update they can forget to preserve that setting and redo it. It breaks my heart that it isn't even hyperbole.

The future sucks.

It seems the goal of most companies is to create a seemingly legitimate need for apps/permissions, no matter how convoluted, just so they can get access to data.


If you're not averse to downloading and running their update application on OS X or Windows instead - you can update your headphone's firmware much more quickly from their website, through that application (http://btu.bose.com/ )


Yeah, but if you download the app again today you will see a new prompt that forces you to agree to waive your right to class action and agree to arbitration over privacy policy violations. No option to cancel or opt out of course. Nice timing Bose.


I bought the QC35 just before the new edition came out. I never downloaded the app because "yeah fuck that..." and all I wanted was some noise-cancelling headphones. I'm still very much on the fence about voice recognition.


The only reason I use the app is also the most useful: switching between paired devices. I have them paired to 4 different products (laptop, phone, tablet, and tv) so switching the active ones is much easier with a visual menu.


I just use the switch on the side to change devices. It reads out the name of each device as you switch so it’s still clear what you’re changing to.

I never installed the app purely because I’ve never had a reason. Then the spying stuff just reinforced my hatred of every single device these days needing one. I now specifically look for hardware devices that don’t need an app or cloud service account.


Unfortunately the switch only allows you to connect to one device at a time - if you want to use the dual source feature (which is a huge bonus for me when I’m at my desk) you gotta use the app to manage it.


You mean audio from two sources at once? I didn't realize that was a feature. That's wild but I'm not going to install and use an app for just that feature.

My headphones will sometimes automatically switch between sources when it recognizes I'm using another device. Like when I'm listening to music on my PC, if I start browsing my phone I'll start hearing audio from it instead.


That’s odd because I swear mine does. I don’t use that feature but I’ve definitely had it connect to multiple at once as I rotate through then I change again to get the single device I want.


I'm not so sure. Mine will automatically connect to both my MacBook (even when closed) and phone, usually selecting as primary the one I didn't care for (the second source has a perceptible delay) making me cycle over all the combinations. I've never installed the app nor changed any configuration.


It is made worse by the fact that Bluetooth Low energy requires location access on Android.


Not only that, on 9.0 it demands you enable GPS and waits for GPS lock before pairing.

Google now has the data and technology to spy on everyone using their wearables. Including people who never owned or used a Google product.


I noticed this a while ago. I can't see any reason besides Google finding a nice submarine for getting everybody to leave location services enabled constantly. As Bluetooth slowly becomes ubiquitous, eventually everyone will need location turned on 24/7.

Google clearly wants this, but can't do anything overt about it without attracting bad press. So they attached location permissions to a new technology they know everybody will use eventually.


This is a guess: if an app can do a Bluetooth scan it can then look up the device IDs online and figure out where you are. So it needs location permission. Perhaps Android should give apps anonymized Bluetooth IDs.


That is a really silly excuse.

Basically what they say is that this information can theoretically be calculated so we demand you just give it (and some more) to us.


I mean, it's not just a theory -- Tile uses BLE to track devices around a city:

https://en.wikipedia.org/wiki/Tile_(company)

> The application can locate Tiles beyond the 100-foot Bluetooth range, using "crowd GPS": if an item with an attached Tile device is reported lost and comes within range of another user's Tile application, the nearby user's application will send the item's owner an anonymous update of that item's location.


It's reasonable if you look at it from user's point of view: this application can calculate your location through BLE[0], giving BLE access is essentially giving coarse location access, so we should let the user know.

Permissions ideally shouldn't overlap, but in this case, they somewhat do.

--

[0] - and given the disastrous lack of ethics in the tech sector, it's very likely it will do that, or one of 30 adtech libraries it includes will.


This is not an "informational" use of a permission, Google has actually started to record your location.

See my other comments.


Bluetooth can also be used to track location with those beacon things shops use. I believe this is the reason they changed it (Bluetooth didn't used to need Location perm).


I build software systems which integrate a software front-end app with hardware, and I don't think I agree with the supposition that using an app to set up hardware is a negative.

It's just that I think that an app/hardware integration ethic definitely has a place in the world. For example, hardware which works with Apple, without allowing third-party (not even Apple) involvement, is a battle being fought.

Hardware vendors should be encouraged to ensure their hardware remains useful for generations, in my opinion. Apps always go stale while the hardware remains operational.

Of course: none of this forgives the vendors using it to spy on its customers.

Hardware like this, anyway imho at this market, is a platform battleground. In all honesty, we have more computer vendors battling it out now, than ever before.

More than likely, putting "compatible with iOS" on the box of an expensive speaker means more shelf-shopping customers. Alas, Bose and Apple probably have, at least, MFI-level involvement...


How do you feel about a 30 page TOS and privacy policy being necessary to use said app? Something of that length tells me that the company likely wants to get a lot of data from me. Reading it is hardly necessary with the way these are typically written to be as friendly to whatever the company wants to do as possible.

This is why I have never used the Bluetooth features on my QC35s. They're mostly dumb headphones to me since I won't accept their user agreement. This seems counterproductive for the company, unless they simply don't care about user privacy and expect users to roll over.


This is why I never work in a technical capacity where I am being 'managed' by lawyers and other non-technically competent means of business org.

I truly do believe, as do you, that the TOS and Warranty world is another desperate subject from where the execs/lawyers/owners of the company desire to eke every penny.

There are many other realms where the TOS is simply: use the thing, have fun with it, if you want to tell us about yourself, press this button/fill in this card. For sure, consumers 'never read the TOS', because - hopefully - the device is now set up, everything works, it is time to rock ..

For sure, tech can be used against the user. But it can also work for the user, too.


I think the shame of it is that 95% of most TOS's are as you said, essentially harmless or nearly harmless boilerplate. My concern is more about privacy policies which could in many cases be very short if user privacy is being respected.

In either case, if I'm presented with pages upon pages of small font #888888 text, I defensively assume there is something nefarious hidden there (e.g. "we don't share any of your data with anyone except our 3rd party affiliates, marketing partners, your nosy relatives, people who claim to be law enforcement, anyone who wants to connect to our open s3 buckets, etc.")

I would hope there could at least be standardized agreements developed so that I could decide which I'm okay with or not and have enough companies using them to make it worth the effort to read once. I'm thinking of various flavors of FOSS or CC licenses as an idea template.


This is why I firewall my phone, so when Bose (that e.g. has the app to fine tune the frequencies etc) is installed, I immediately "block all" on mobile data and Wifi, so even if the app does want to 'speak' to someone, ET won't phone-home.

On Android devices one (at least on my Huawei)(to the degree that I trust the Settings) can regulate whether an app has connectivity. I block 90% of my apps completely (e.g. workout apps, or an offline Chess app)


> This is why I firewall my phone

> my Huawei

Hmmm.


The joke is the app does nothing, other than upgrade the firmware of the headphones. No settings to change or alter the behavior of buttons, initial volume, etc. Nada. Nothing.


Er. The app allows you to adjust the "aggressiveness" of the noise cancellation or turn it off completely.


It enables a second, lower level, noise cancellation mode, that works well in windy environments.



