New Sex Toy Standards Let Some Sensitive Details Slide

New Sex Toy Standards Let Some Sensitive Details Slide 1
The industry now has official guidance on design, materials, and more, but not security and privacy best practices. 

Last week the International Organization for Standardization—which goes by its European initialism ISO—released its first-ever set of guidelines for the construction of dildos, vibrators, butt plugs, and the rest of the variegated world of human orgasmogenic creativity. ISO 3533, “Sex toys: Design and Safety Requirements for Products in Direct Contact with Genitalia, the Anus, or Both,” lays out specs for sex, from the types of materials safe for contact with mucosal membranes to the tolerable range of vibratory frequency to the need for flanges or wide bases on objects designed to be inserted into one’s tuchus. As in all things, form should follow function, especially when that function is funcking.

Still, the new standards might not go deep enough. They’re aimed at drawing a line between nominally higher-quality manufacturers who already abide by similar rules and smaller, cheaper companies that don’t as they all jostle for a piece of the growing $30 billion global market. But the guidelines largely fail to address connected devices, a dominant sex toy subcategory. Security researchers who specialize in sex toys have been pointing out the potential risks of “teledildonics” for years. To them, the new ISO standards—which don’t address privacy and barely touch on security—are something of a missed opportunity.

“A purely electromechanical device—a battery, an on-off switch, and a motor—it’s basically a glorified pager,” says Brad Haines, who uses the handle RenderMan and runs the sex device security site Internet of Dongs. “When you’ve got digital control with external communication, it’s a whole new ball game.”

The emphasis on hardware in the ISO standards makes sense, given their origin. Four years ago, a Swedish physician named Martin Dahlberg decided he’d spent enough time putting a forceps up people’s rectums (or worse, cutting people’s guts open) to retrieve objects inserted into the anus for sexual purposes. Dahlberg went to the Swedish Institute for Standards, an engineering and manufacturing rules-setting organization, with some ideas for how to talk about sex toys. That got bumped up to an ISO committee, which is when 75 more experts—engineers, retail folks, and designers—got involved. “The original start was the shape of sex toys and how to use them,” says Johanna Rief, global PR director and head of sexual empowerment at the sex device maker WOW Tech, which participated in the rule-making effort. “While they were working on it, it was extended to materials, which is super important for us.”

The new standards warn manufacturers away from materials like bisphenol-A and pigments called azo dyes, or phthalates, “plasticizers” that make rubber and silicone more flexible but also have shown harmful reproductive effects in some animals. And they remind makers to check out other ISO standards covering potential bodily harm, like the one specifying how hot something can get before it’ll burn a person (auto-shutoff at 118 degrees) or how hard and how long it can vibrate before it’ll hurt. (Tricky, because some people are looking for some hurt from their sex toys, but the ISO standards recommend that devices delivering electric shocks, for example, be evaluated by qualified experts for overall safety.)

If it all sounds a little obvious, that’s on purpose. “The bigger, more known brands, they kind of stick to high quality and tried their best, but it was really standards you created for yourself,” Rief says. “But there are a lot of cheap products produced in China because nobody’s stopping you.” The ISO standards won’t stop subpar sex toys from rolling off the assembly line, but they give high-end sex toy makers a way to distinguish their wares from the junk. A vast proportion of the growing market is sourced to cheap “white-label” manufacturers who build quick-and-dirty gear for multiple retailers or contract to build toys for small companies.

“White-label manufacturers, there are no standards there, and you see that with sex toys, too,” says Jen Caltrider, lead for the Mozilla Foundation’s cybersecurity reviews program Privacy Not Included. ISO and other standards-setting organizations don’t have the force of law or government regulation behind them, though sometimes testing companies will provide certifications. They do make it easier for manufacturers to agree on levels of quality and safety—and to performatively tell everyone in their marketing that they’re following the standards.

That emphasis on fit and finish meant cybersecurity got left out of the process. “They discussed it, but it was not included specifically because it’s complicated and generally covered by local regulations,” Rief says. Something like Europe’s General Data Protection Regulation might address privacy concerns, for example. That’s a little ironic, because in 2017 WOW Tech subsidiary We-Vibe agreed to a $3.75 million settlement in a class action lawsuit alleging that its vibrator-connected app collected and maintained user data without consent. Mozilla’s Caltrider says We-Vibe has tightened things up since then. “We had this lawsuit and tried to learn from that,” Rief says. “We have nowadays our own in-house app team and agencies that try to hack the app.”

It’s certainly possible that security and privacy aren’t even a priority for most sex toy buyers. “I don’t know for sure that all companies that make or distribute toys are going to take this seriously, but I think they will generally take it more seriously than some customers will,” says Carol Queen, staff sexologist at Good Vibrations, a longtime purveyor of same. For whatever emphasis those stores might put on material safety, let’s say, their customers often prioritize price and design. “The folks who don’t care probably will continue to not care,” Queen says. To be sure, sex toys are outright illegal in some countries, and some places criminalize forms of sexual behavior that devices might track. But many people already accept that their phones and smart speakers collect personal data; sex toys might be no different.

On the other hand, people probably should care more. Major companies in the business, like We-Vibe or Lovense, already follow norms like using encryption and requiring strong passwords. Minor companies sometimes don’t. And for the privacy-conscious, it’s a hot-button category. Caltrider says Mozilla’s privacy project, which audits hundreds of different products, gets more traffic to its sex toy write-ups than those on any other type of device.

Privacy’s also far from the only concern. Take the new standards’ oblique reference to vibration. “I can see a situation where a manufacturer specs out the motor they need to get a low-frequency vibration going that’s capable of a much higher-duty cycle and speed, so they put a software limit that the app would only ever tell it to go to 50 percent,” Haines says. “That doesn’t mean the chipset couldn’t take a command that would take it to 100 percent.” That’d put a user on very shaky ground. Or, Haines continues, “when they’re designing the device, they’re accounting for a certain amount of draw from the battery under normal usage. For lithium ion batteries, if you put excessive draw on them, they react very badly.” By which he means they catch fire. And no one wants someone taking control of their sex toy who isn’t permissioned—a violation, at a minimum, and potentially an assault. So security provisions have to account for all different kinds of consent.

These risks aren’t just hypothetical. In late 2020, a British cybersecurity company found that the Cellmate Chastity Cage—an app-controlled metal enclosure that locks around a person’s penis—used Bluetooth to do the actual locking and unlocking but stored data like location and a unique device identifier on servers owned by the company, Guangdong-based Qiui. The security researchers warned that a hacker could spoof the control and prevent the device from unlocking, at which point the only way to get it off would involve bolt cutters or an angle grinder. The company updated its app but apparently left an old version of the API online, because a hacker reportedly tried the exploit, demanding that chastity cage customers pay up before they could achieve release. (It’s not clear whether anyone was actually wearing their Cellmate when the lockdown hit, and to be fair, the new ISO standards do say that locking devices should also have a built-in way to unlock them manually.)

Engineers who rely on standards like the ones ISO puts out might also see good reason to keep those kinds of problems separate from the ones specific to sex toy hardware. Maybe battery standards should apply to any connected, rechargeable device. Broader internet of things regulations could deal with cybersecurity. But it’s clear that the functions of sex toys are changing; people are creative that way. The rules will have to keep up.


More Great WIRED Stories