Bose Speaker performing a lot call backs to events.api.bosecm.com

[Geraner]

I'm using a Bose Wireless speaker which is reporting a lot of events back to: events.api.bosecm.com I blocked it since a couple of month in my PiHole blacklist. Events are been sent on each song change while streaming on Spotify, and periodically while steaming other content. For more information, see Bose's own policy: https://www.bose.com/en_us/legal/privacy_policy.html Especially point: "2. Information We Collect Through Automated Means -> Connected Bose Products.". The user has no possibility to block this other than blocking the domain written above. I also can confirm that software update of the product and all used steaming services are still working without any issues, after blocking the adress above.

[spirillen]

Thx for sharing this found, I'll copy this info to my own block-list :)

[anudeepND]

Thanks for reporting! Here is the snippet from their privacy policy:

"We automatically collect....

Usage information, including:

• Content stored on the SoundTouch system presets.
• SoundTouch system listening history and content data, including recently played stations, playlists, artists, albums, songs, or podcasts.
• SoundTouch system and software use and content patterns (including the duration and timing of system use and content streaming, button presses, etc.).

"Bose may receive additional information about you, such as demographic information or purchase history, from affiliates under common ownership and control, and from third parties, such as business partners, marketers, researchers, and analysts that we may use to supplement the information that we collect directly from you."

"We will retain your information for the period necessary to fulfill the purposes outlined in this Policy unless a longer retention period is required or permitted by law."

"Bose also may subcontract the processing of your data to, or otherwise share your data with, affiliates or third parties in the United States or countries other than your country of residence. The data protection laws in these countries may be different from, and less stringent than, those in your country of residence."

"However, no security program is foolproof, and thus we cannot guarantee the absolute security of your information."

[dnmTX]

@Geraner can you block on your side events-aws-useast.api.bosecm.com also and test it and if there are no issues and everything is working report back so @anudeepND can add it in the lists here. Thank you 👍

[Geraner]

@dnmTX This is not necessary. I have seen this adress as well in my DNS logs, before I started blocking events.api.bosecm.com . @anudeepND For me it looks like the events.api.bosecm.com is the first initial DNS lookup. Based on the location of the user, the following DNS requests will include events-aws.usest / uswest etc.. So just blocking events.api.bosecm.com is enough, because my Bose speaker can't reach it, it will then not try to reach any location based Bose AWS server. I initially had also the "east/west" address included in my PiHole blocklist, but never saw it blocking anything later on, because blocking "events.api...." was enough. :-)

[anudeepND]

@Geraner If you see it in your logs in the future please report it :)

[spirillen]

Nice information sharing :sweden: @Geraner and nice to see you have been working on the issue before posting :+1:

[Geraner]

Thanks for your comments @spirillen and I’m impressed that @anudeepND added the domain so fast to the list! 👍 I will for sure come back and report again if applicable domains are been found. 🤘