Sonos is spying on me… (and you)

Functional Data:

This data is absolutely necessary for your Sonos Product or Service, including Sonos Radio, to perform its basic functions in a secure way and you will not be able to opt out from this data collection, sharing, and/or processing if you want to continue to use your Sonos Products.

We collect:

Registration data. This data includes your email address, location, language preference, Product serial number, IP address, and Sonos account login information (as described above).
System data. This data includes things like Product type, controller device type, controller operating system, software version, content source (audio line in), signal input (e.g. whether your TV outputs a specific audio signal such as Dolby to your Sonos system), information about WiFi antennas, system settings (such as equalisation or stereo pair), Product orientation, names of the music service(s) you added/enabled on your Sonos product, the names you have given your Sonos Product in different rooms, whether your Product has been tuned using Sonos Trueplay technology, system performance metrics (e.g. the temperature of your Product or WiFi signal strength) and error information.

Why we collect Functional Data: We collect this information to help ensure that your Products are working properly, to provide you with customer support, to honour your audio preferences, and to guide product improvement and customer support decisions. We also collect this information to guide product improvement and customer support decisions which is our legitimate interest.

Whilst Sonos tries very hard to meet those first two tests with their policies (but in my opinion, have a very weak position there), I think it clearly fails the balancing test. Sonos blatantly violates its customer privacy by excessively tracking, analysing and making use of very detailed information about them. They capture their listening preferences, their location, neighbouring Wifi access points and lots more. And worse of all, they do it without asking for explicit consent. It’s all hidden in the privacy policy, and set to expose all this data by default.

What’s the purpose of collecting all this data? Sonos claims that their purpose is “[To] help ensure Sonos Products are functioning properly, provide a personalised experience for our customers, determine what types of Product or feature improvements would please our customers most, and to help predict potential problems with Sonos Products”. This seems fairly clear as a purpose. Still rather widespread and invasive, but there’s a purpose.

But is collecting all this data necessary to meet this purpose? I don’t think so. I think they collect far too detailed information, and they could meet the same purpose with far less data, or by using non-private / anonymised data.

For example: how does the IP address of the customer help with any of those stated purposes? Or why do they need to map neighbouring Wifi access points? I guess Sonos would claim something along the lines of “if a customer has a problem, these details help us support this customer and troubleshoot the problem”. But then is it necessary to collect this data constantly, even when there are no problems?

To drive product decisions and understand usage trends, they can collect data that’s been anonymised and still be able to improve features. In my mind, most of this collection is unnecessary. Rather than collect all this data indiscriminately and bundle all those purposes together, each purpose and data collection should be examined individually. The necessity argument easily breaks if you look at individual purposes and the data being collected to fulfill the specific purpose. Do they need to collect all this personal data about me to determine what feature improvements would please their customers most? I don’t think so.

Here’s a quick data point to you, Sonos: I’m not pleased by your excessive data collection.

And finally, let’s look at whether this excessive collection overrides the individual’s interests, rights and freedoms. I think the answer is as clear as day. The Sonos speaker works totally fine, even without an Internet connection. It meets the criteria of most customers who buy a speaker: it plays music via Wifi. The data collection that Sonos does isn’t primarily to help their customers. It’s to help Sonos learn more about its customers, sell aggregate data, and advertise to its customers. I’m pretty sure that if you ask a Sonos customer whether they want a “personalized experience” from their Sonos speaker, they will look back at you with a confused look on their faces… It’s a speaker. It plays what I ask it to play… If I buy a speaker, do I want it to manipulate me with ads based on my listening preferences? No. Can a reasonable person even imagine that so much data about their usage is being collected, by default, when they buy a speaker? absolutely not. This is far from balanced. It weighs heavily in Sonos’ interests, and those do not align with the interests of its customers.

I therefore find it very hard to believe that Sonos can really meet the legitimate interest tests. They are clearly using “legitimate interests” in the privacy policy language to protect themselves against a potential GDPR claim. However, I think it’s a thin veil, and they clearly fail to balance the privacy needs of their customers.

What can you do about it?

There are a few things I think we should collectively do to stop this kind of practice.

On the practical/technical level: try to block Sonos from collecting data about you. This requires some technical knowledge unfortunately, so most people won’t be able to do much. But even if you’re not technical, you can still do a lot.

• Opt-out of Additional data usage: this is a super-simple thing you can do inside your Sonos app to reduce the amount of data you share with Sonos.
• Don’t connect your Sonos to 3rd party services: Sonos would encourage you to give it access to your Spotify account, Amazon, Apple or any other 3rd party music service. You don’t actually need it in most cases. You can use the music service directly, and just play it on your Sonos speaker as a destination (e.g. using Airplay).
• Block Sonos from accessing the internet: many routers allow you to block individual IP or MAC addresses from accessing the internet. Beyond the initial setup, your Sonos speaker can work fine without an internet connection. If you can and know how to, block it.
• Use a privacy-blocking DNS product or service: For example: Pi-hole, Nextdns, or Adguard home all offer options to block your Sonos (and many other privacy-invasive apps and services) from sending personal data, without affecting other functionality.
• Complain to Sonos about it: let them know that you’re unhappy. If they truly look at ways of pleasing their customers, they should collect some data that this practice makes their customers unhappy.
• File a GDPR complaint: if you are a EU citizen or live in Europe. You should be protected by the GDPR. The more complaints about Sonos, the higher the chances of the regulators taking action against Sonos and forcing them to stop those practices.
• Become a member to support NOYB. This is a non-profit privacy-focused organization that helps fight against privacy violations. Disclaimer: I am a member, and I’m in discussion with one of their lawyers to promote some privacy initiatives. Other than promoting their cause, I have nothing to gain (financial or otherwise) from endorsing them.

UPDATE: thanks to Guillaume Besson who posted a link to his open-source (and privacy-respecting) Soundsync. That’s another option for the more tech-savvy crowd.