April 24, 2014

Your TV is spying on you, and what you can do about it

A UK observer with a packet sniffer recently noticed that his LG “smart” TV was sending all his viewing habits back to an LG server. This included filenames from an external USB disk. This comes on top of observations that Samsung’s 2012-era “smart” TVs were riddled with security holes. (No word yet on the 2013 edition.)

What’s going on here? Mostly it’s just incompetence. Somebody thought it was a good idea to build these TVs with all these features and nobody ever said “maybe we need some security people on the design team to make sure we don’t have a problem”, much less “maybe all this data flowing from the TV to us constitutes a massive violation of our customers’ privacy that will land us in legal hot water.” The deep issue here is that it’s relatively easy to build something that works, but it’s significantly harder to build something that’s secure and respects privacy.

What should you do about it? Decide which device or devices you intend to trust. Those get plugged into your network. The others don’t. For me, that means I trust a Google TV box and a TiVo box. My flat panel TV is too old to have an Ethernet jack, but if it did, it wouldn’t be plugged in. Yes, of course, the TiVo and Google TV boxes are also potentially leaking private data, but it’s at least under my control. TiVo provides an opt-out that, so far as anybody has noticed, seems to work. Likewise, Google TV allows third party apps to play things you download from the Internet. (I use the open-source ViMu.)

Also, ask yourself what you get in return for giving up your privacy. Maybe that’s customized recommendations (useful) versus targeted advertisements (creepy). Maybe you get to influence the popularity of your shows, in an aggregate, non-personally-identifying sort of way, and help keep them on the air (fantastic!), or maybe your personal information is used to profile you, in particular, and you get targeted postal advertisements (creepy). You’d think that vendors would avoid the creepy and focus on the useful, but that isn’t a given.

Of course, it would be awfully nice if regulators could catch up with this and start enforcing better behavior on these vendors. There’s no intrinsic reason that vendors can’t avoid the creepy things yet still make money (e.g., getting a referral fee when directing you to a movie that you can buy from an online streaming service), which is something that should help smooth the path to a happy medium for everybody. Meanwhile, there’s no rule that says your “smart” TV needs to be connected to anything more than an HDMI input from something else.

Comments

  1. Jarrod says:

    “For me, that means I trust a Google TV box” okay buddy

    • Johnny says:

      Agree, the author is naive.

      I don’t want to give my info to LG but will gladly give it to Google bc they are “open”?

      LG has to compete with the richer Samsung in many cutthroat profitless markets.

      Android is open so competition is tough and all competitors need to find after sales revenue. Just like Google….

  2. Jason says:

    “For me, that means I trust a Google TV box”.

    Hilarious.

  3. Lewis Baumstark says:

    “My flat panel TV is too old to have an Ethernet jack”

    An ethernet jack isn’t required; HDMI 1.4 and up has an ethernet channel.

  4. Steve says:

    I should point out that not all people find targeted advertising (electronic or postal) “creepy.” There are certainly consumers out there that believe it’s a good thing. And not good in the sense of “oh it’s just the price I pay for free services” kind of good but good in the sense of “this is great because it shows me things that I’m actually interested in.”

    It’s also completely baffling to me (and apparently others based on the comments) why you find Google any more trustworthy than LG. Is it just because they are more up-front about invading your privacy?

    • Dan Wallach says:

      I’m surprised there’s so much anti-Google vitriol here, when I’m telling you that I’m deliberately disclosing all my viewing habits to TiVo. The GoogleTV box doesn’t see what I’m watching. Yes, it does have HDMI pass-through, but I’m reasonably confident that they’re not trying to parse the video and leak that information out. What I used GoogleTV for is that it’s really just an Android platform that supports third-party apps, like the ViMu video player that I use. Again, Google learns nothing about what I watch with ViMu. It’s open source. If I wanted, I could compile it myself and install the APK by hand.

  5. axel arnbak says:

    The Dutch data protection authority, the FTC equivalent when it comes to privacy enforcement, issued a blistering report on smart TVs in August 2013. It found TV Vision, that sells its technology to a.o. Philips which has a huge share of the smart TV market in The Netherlands, was in breach of more or less all the essential data protection regulations. If TV Vision won’t comply in the future, it will be subject to fines and more importantly, more public outcry. It was quite a huge story in Europe. Here’s the report by the DPA, Google Translate will go a long way: http://www.cbpweb.nl/pages/pb_20130822-persoonsgegevens-smart-tv.aspx

  6. BBald says:

    Mr. Wallach,

    I don’t have a flat panel TV that can or is hooked to the internet and have wondered whether the TV companies were tracking users and whether they were thinking about keeping that information secure. To find out that they aren’t doesn’t surprise me knowing that practically every other computerized device tracks information about its use or whereabouts.

    I enjoyed reading your thoughts on the subject using the utilitarianism framework of Cost vs. Benefit but I wonder if it is even ethical for the companies to track the information in the first place. Thinking about the Deontology framework, is it possible that companies have a “duty” to the users to keep users’ data secure and untracked? For example the other day I was standing behind someone who had their iPad turned on in front of me and was browsing the internet. If I wanted to I could have seen everything he/she was doing. However that would have been considered rude and unethical by many (including me). So I in effect had the “duty” to not look and ignore what I could see if I wanted to as the person wasn’t purposely placing the iPad where I was supposed to and could see it. So again I wonder do companies have a “duty” to not “look” over our shoulders and track everything we do or see?

    Perhaps I’m wrong but I think that they do in a small but perhaps important way. I feel that when companies track your habits without first asking you if it’s alright for them to do so would be like me, in the above example, looking over that person’s shoulder at what they were doing on their iPad. However, if the software perhaps provided a way of asking the user “hey can we track you?” then it goes over much better as it is viewed in a much better light.

    What are your thoughts?

    Thanks.

  7. phils says:

    Now that we know the address that this is being sent to, time for a DoS attack

  8. Derrick says:

    People have divided opinion when it comes to targeted advertisement. But no one would like it when his/her TV too is used as a means of collecting information. I think most security agencies will welcome this idea as it’ll be an easier way of monitoring people. But the question that arises anytime people complain about their privacy is why should people worry if they know you are not doing anything contrary to laid-down laws. I think we all have a shared responsibility of ensuring the safety of the nation. Insofar as the TV collects information just for advertisers to use to reach a targeted group of people, it is recommendable because it builds businesses. I’m not saying people should seek their interest at the expense of others. But once no illegality is concerned, I see nothing wrong with that.