Not sure what I can answer but for years my company worked on an Automatic Content Recognition project using tools from a team called Cognitive Networks who were bought by Vizio and makes up the tech that did this. If I understand correctly the founder of Vizio kept this tech for himself in the sale of Vizio.
When developing this we would work directly with Cognitive checking sync'd apps. We knew for a long time that they could see our content in their office while we tested.
Note LG got caught on this about 2-3 years ago and made ACR apps opt-in which pretty much killed it for LG.
AFAIK Samsung never did the exact same thing a bunch of providers saw the writing on the wall and dumped this sort of technology a few years back. It had some really cool applications for interactive sync to broadcast apps but the privacy concerns killed it for a lot for a lot of manufacturers.
Thanks for posting this. When I saw the original FTC story I recalled reading about this once or twice in the past but couldn't think of any key phrases or sources.
In response to some of the other comments here, basically what they are guilty of isn't spying but failing to properly disclose and opt-in users. There is a particular major AV vendor who is selling raw clickstream data of millions of their user's internet usage directly to marketers and other parties right now. As far as I can tell, as long as it is buried somewhere in the terms and conditions no one cares.
Of course, other companies that are actually serving the content are doing far more than just passively monitoring your viewing habits.
From my best guess, Facebook is logging every signal it can from content/pictures/videos it displays to users. Even if you didn't click like, comment, or click through the link it knows the story captured your attention.
I had an interesting case with Instagram where after viewing enough pictures of women's butts it started also showing men's bare butts in my feed too.. at least until I never opened any of them, and they disappeared.
Users should consider that content providers are going to have extremely deep data sets of even the most minute dimensions of their political leanings, porn viewing habits, dating preferences, and gullibilities. All of this will make what TV shows you watched between Netflix and NBC beyond mundane.
With an open web, where we get content from the source, this shouldn't actually be possible. Thank the platform business model.
Is it possible to bring about a similar complaint against Facebook with the FTC? Or, if the FTC is the wrong agency, what would be the right one?
Of particular concern are "shadow profiles" - dossiers on people who have never even used or consented to using Facebook[1]. I'm no lawyer, but there could be precedent per this Vizio case.
In my opinion Facebook is hugely overstepping people's privacy bounds, even if they do bury what they do with some of the data in their terms of service. I never even knew about DeepFace, or mouse cursor movements, or any of the multitudes of violations of privacy outlined in the article below, and frankly it scares me and makes me angry.
By that logic, we shouldn't buy or use Vizio TVs either. But the issue here with the FTC complaint is that there was not a prominent warning that the data was being collected or used in such a way.
I certainly never read or even saw any warning about facial matching in all my photos or my children's photos.
Besides all that, people with shadow profiles who never even used Facebook or agreed to their TOS are being tracked. This is not ok.
I feel like there is a double standard here: we are vilifying Vizio - a company that has mutliple competitors - for much less wrongdoing than what Facebook is guilty of, even though FB has a de facto monopoly on social networking.
And every other company. Go live in a cave because thats where all companies are going and no one is slowing the process down. This consumer choice gambit very well be a false statement in the future.
Except a lot of people are forced to use FB either for work or by friends/family. Without the right IRL social network these people are very disadvantaged given that practically everything social (as in, real life people hanging out, not "social" media) is on FB nowadays
On the one hand, Facebook is ubiquitous enough that the government could probably step in and regulate them and it wouldn't be entirely unreasonable. On the other hand, I don't use Facebook and I'm getting along just fine. I have an account but log in about once a year. "Don't use it" is a legitimate option.
>here is a particular major AV vendor who is selling raw clickstream data of millions of their user's internet usage directly to marketers and other parties right now. As far as I can tell, as long as it is buried somewhere in the terms and conditions no one cares.
ugh. Name them please! If it's in the ToS they shouldn't mind being called out.
However "AVAST may publish or share such information with third parties that are not part of the AVAST Group but will only ever do so after removing personally identifiable information."
> I had an interesting case with Instagram where after viewing enough pictures of women's butts it started also showing men's bare butts in my feed too.. at least until I never opened any of them, and they disappeared.
This truly is technology run amok. "Welcome to buttstagram, for your butt viewing pleasure."
When I think about this situation it makes me want to stay entirely away from social media and off the internet. Yet it's ubiquity in our lives makes it difficult to be integrated and participant in society without the technology. And a lot of the features really do disappear when you remain entirely anonymous (via tor, incognito, not having accounts etc).
I had a similar thing happen a year or two ago: At some point in the past I shut down my Facebook page, but a year later I created a new minimalistic one so I could stay in touch with my family. I posted a picture of a Vespa scooter I'd been restoring in the garage, and suddenly my suggested friends list started overflowing with guys in Indonesian scooter gangs and young asian ladies in head scarfs. (I friended one guy and we exchange "likes" every once in a while but even google translate doesn't understand 3/4 of what he says.)
> Yet it's ubiquity in our lives makes it difficult to be integrated and participant in society without the technology.
Or: Yet the ubiquity in our lives of Stuff that was never built for us (pretty sure I never gave the billionaires at FB and Goog as much as a single dollar), but merely to lure us, makes it difficult to be integrated with and unwittingly enabling that Stuff without installing and using that Stuff.
What Facebook is doing is quite frankly scary. This Sunday over a birthday meeting with some friends, one of them was telling us about a restaurant called "Lucuma" (this is in Guadalajara, Mexico). My wife did nothing with her cell-phone, except having it with her during the conversation.
Later that day when we are back at home, she showed me an ad about that same restaurant. We never searched for something similar (this is a vegan restaurant), but only talked about it on our way home.
The restaurant most likely bought some ads that targeted your wife and your friends' demographic. It's far easier to do that than covertly access your phone's mic.
Here in NY recording people without their consent is definitely against the law and is likely to piss off important people. As fun as this CT is it seems extraordinarily unlikely that FB employees would risk going to jail for this feature.
This is why i torrent behind a VPN despite being subscribed to HBO now, Netflix, and Amazon Video. My guilt is ameliorated and at least a sliver of ny privacy is maintained.
You misunderstand how it works. This worked by fingerprinting audio and video at the TV display level, it's not part of the networking layer. If your content was shown on the TV you could be tracked regardless of source.
Thanks and noted. If I ever end up getting a SmartTV (due to dumb TV's no longer being sold), it's never getting on my network and going to be banned at the mac address level.
It needs to be physically disconnected or on a network without Internet connection. The Mac address is the easiest to spoof. If it has any kind of radio like WiFi you need to de-solder it, as the data could be collected by a car driving by, or via your neighborers Wifi.
> as the data could be collected by a car driving by, or via your neighborers Wifi.
What?
How is it going to connect to your neighbours wifi? How is someone driving past going to connect to your TV? Is the TV going to set itself up as an access point?
I'm completely behind not connecting random devices in my house to the internet but suggesting they are somehow trying to get data out by connecting to random networks or will just broadcast it for anyone to hear is a bit much.
Multiple compromised nodes working together to identify you.
We already see this with things like ultrasonic communication. A compromised (has sketchy app installed) phone could, for example, communicate with your television or computer speakers and mic via ultrasonic frequencies to determine what ads you have seen, or what digital streaming content you are consuming.
An app could take it even a step further and use a root exploit and secretly take a short recording every 10 minutes or so to relay to someone who wants to know what song or movie you were consuming.
This isn't just possible, things like this have already been found in the wild.
And you can bet your bottom dollar these snaky companies would keep their mouths shut under a NSL if it meant they could keep tracking you.
It doesn't even require anything that complex. If I remember correctly, even if your smartphone never connects to wifi AP's, while thhe WiFi radio is on, it does periodically scan for AP's in the area while either surrendering some identifiable information or establishing a pattern that can be used to identify you.
I think the parent is being purposefully hyperbolic ... however, a router manufacturer could have a ghost APs that domestic goods could try to send via. It perhaps wouldn't be the weirdest invasion of consumer privacy story either.
In the UK nearly everywhere send to have a BT WiFi signal as they give out routers with a commercial side-channel that anyone can pay to access. If your smart device had access to BT WiFi they'd get a signal out in many places regardless of whether the TV owner had WiFi.
The neighbours might have an access point without a password. But I think if the vendor is really interested in collecting personal data he could just install a GSM modem with a prepaid SIM card inside so that the device doesn't depend on Internet connection.
I thought Netflix and related services work the same way Spotify does: they pay content providers a small fee based on actual content viewing. If you pay Netflix a monthly subscription but never view any content on your account, I would assume Netflix keeps all of the revenue and doesn't pay out anything to the actual content providers. Just a guess, but it's possible your plan is backfiring by paying the company you don't want to support (since Netflix is the one implementing the tracking) instead of the companies you do (that actually create the content you like).
> your plan is backfiring by paying the company you don't want to support (since Netflix is the one implementing the tracking) instead of the companies you do (that actually create the content you like).
TBH, that's for too deep for my moral calculus. The only things I view/pirate from Netflix are Netflix original series and PBS documentaries/educational programs. I'm paying the former directly and the latter isn't really out to maximize profit but to enlighten and educate and it's somewhat supported by my tax dollars.
No - as a general rule, Netflix pays a fixed royalty for the content that they license from third parties, regardless of how many people watch it. This is why the quality of their predictive models is so important; the better they can forecast, the better they can determine whether the price they would have to pay is worth it.
(Of course, the royalty is different for every piece of content, but the amount is negotiated ahead of time; it is not on a per-usage basis.)
This is different from iTunes movies, Amazon (non-Prime) Video, Vudu, Google Play, etc., which license on a revenue share basis.
Actually no, in contrast to Spotify, they generally secure licenses for content for a flat fee and a 1-3 year time frame. It doesn't matter how much content is actually viewed, other than Netflix deciding whether it's worth trying to renew or not.
Why not, when you are abroad it is kinda the only way you can watch many of the content that is not available in other countries. Even subtitles are not available in English in some countries like Sweden.
Because Netflix blocks VPNs since a few months. It's really hard to find a vpn that works with netflix. Even setting up your own won't work, most ip ranges that are used by data centres are blocked by default.
Facebook categorises a video view as anything seen for more than three seconds, so draw your own conclusions from that.
Instagram was purely chronological until mid way through last year. And it only shows you content you've subscribed to. So it's possible an account you were following changed its posting habits.
I'm curious, did anyone on your team raise any ethical concerns in regards to the potential privacy violation? If not, how was the topic handled by employees/management?
Not really - we talked about it and expected more consumer concerns from other outlets. This work was not being done in secret, when ACR was the hot item it was well known in the industry how it worked. We figured the the vendors would deal with the issues as they were raised - and they did despite some of the potential of the technology for some cool interactive apps the most part it died.
The difference between what we worked on and what Cognitive/Inscape eventually did and got dinged for was that we were using this technology to build sync to broadcast apps not for tracking viewing and usage habits. The work we did never got to large scale deployments and we honestly forgot a bit about it. I knew what Inscape was doing - nothing secret just kind of in the industry weeds - post Vizio sale but honestly didn't think that much about it until now.
If we expect employees speaking up to fix this, we are going to live in constant disappointment. The pro-privacy people live in a very small, but loud, echo chamber. We need to be proactive with developing pro-privacy technologies if we expect something to be done about this.
The majority of the population and the majority of developers seem to not care at all about intimately targeted ads.
It's not just apathy, it's also because there's often so much you can do without pissing off the management or generally looking like a "bad culture fit". And then they'll get someone else to do it anyway.
At my current job, I don't have any privacy-related issues, but I have to handle occasional clueless ideas from the customer. It usually goes like this:
They: We want to have this security-related change X.
Me: Uh ok... but are you sure it's a good idea? What's your threat model?
They: ???
Me: You see, this change will make it more difficult for user to do Y, with no real
benefit to security, because A, B and C.
They: Uh... yes, you're right; let's not do it then.
Fast-forward one or two other attempts at proposing the same change and half a year later, I find the change implemented in the codebase anyway. Turns out some other manager on customer's side asked someone else in my company to implement it.
A whistle blower is a term for an insider who leaks a company's criminal practices to the government. They can get a percentage of monies recovered through lawsuits
going to be really curious how siri/alexa/google voice activated devices in home are going to be treated in the future. eventually even these will likely have video in ability
What proof do you have for what you're claiming, please? If you have intimate knowledge then you should know that many (me included) could accuse you of trying to push an agenda or divert the attention by posting what you did.
How do you really know LG stopped their data collection? Sure they might have made a checkbox be switched off by default, but what does that say about the underlying software? IMO, nothing. It might have been a PR damage control campaign without an actual change.
Nothing I've said is "secret" anyone active in the Smart TV or Interactive TV space knew this was going on and how it worked. When I said intimate I didn't mean secret, I mean I actually used the technology being discussed, and at its very nascent stage.
There were multiple ACR Vendors doing the same thing (Gracenote, Samba TV are two at top of my head, there were many failed vendors in this space)
What proof could they actually provide? Given the medium, anything they said is probably easily forgeable or illegal to share. That being the case, demanding proof is just a way for you to look "skeptical" without providing much of value to the conversation. I'm guessing you meant well, but apparently others thought differently.
We all know people lie on the internet sometimes. We can't explicitly bring up the possibility everytime someone makes any statement, or half the internet would be "careful, this might not be true!".
Not to mention non-disclosure agreements and such.
What I want to know is, how did Vizio get caught? Was there a whistle blower. This article doesn't mention (unless I just missed it) how the FTC discovered this.
Quick tip: If you actually care about being downvoted, dont complain about being downvoted. Many people will do so just for mentioning it, it is against the rules, and it's whining about imaginary, non-transferrable internet points
> Personally I think it's fine to complain about being downvoted if no-one has responded constructively.
I understand that often often times people will use downvotes as a substitute for disagreeing, despite that being explicitly against its true function. Ultimately, you're complaining about fictitious karma points.
If you are a regular contributor who follows the rules, over time your karma will accrue and this can be a fuzzy way to weigh your importance to the community. The danger of valuing karma too much will cause the system to be gamed by marketers and astroturfers (see Reddit for Example A)
>people will use downvotes as a substitute for disagreeing, despite that being explicitly against its true function. //
Early on with HN pg stated that downvoting for disagreement was proper behaviour on HN. My opinion is that's wrong but, in contrast to other fora, downvoting to disagree is thus explicitly a part of proper behaviour here.
That said, I don't care about the points, it's a matter of social value - if you don't know why people are disagreeing then you can't address that concern or reassess your own position, the downvoted adds no value whilst a comment may.
As a former Cognitive and Inscape employee, @mikeryan is largely correct. Note that fingerprinting happens on the TV - no actual content was sent back to us. Still absolutely creepy.*
Once the data is sold, the cat is out of the bag. The service might not send sensitive info by itself but the DBs of the buyers might contain enough data for cross-referencing to personally identify you without a shadow of doubt.
As another poster here asked: were there any ethical discussions in the organization?
It's not worth buying any of these 'Smart' TVs. I don't know whether it is a shoddy developer experience provided by the likes of Samsung / Vizeo etc or if it's the developers themselves (Hulu I'm looking at you) who do not maintain their apps which are constantly bug filled.
I much prefer my old dumb TV that has a Roku plugged into it. Oh yeah, and I know it's not WATCHING ME.
Well, if it turns out your <CommodityVideoStreamerA> is spying on you, you can throw it in the trash and get a <CommodityVideoStreamerB> instead. That gets a bit trickier when it's hardwired into your $1000+ display panel's control board.
You could buy a high end Digital Signage display. Usually these are "dumb" and also have no TV tuner or consumer type settings. But are high quality, designed to be powered on 24 hours a day and have great picture quality. Because of the lack of additional image processing, they often have some of the lowest input lag as well.
Remember, the digital signage displays are often used in arrays of 12 or 18 or 24 displays, so they have to be somewhat cost-competitive - otherwise an airport or hotel lobby or mall couldn't stitch 24 of them together.
I always chime in on these discussions to urge folks to buy a digital signage / commercial display (probably from NEC). Not only are they as dumb as dumb gets, but they are also very, very high performance displays.
WTF is wrong with that site. I enabled the scripts so that I could use the filters, waited while it refreshed several times, and it just covers the screen with a pop up that just re-opens when you close it. That was one of the worst I've visited.
It's probably because of the ad blockers but still a site should be a little functional without all the scripts and ads.
Better option: Buy a different TV that requires less effort to make acceptable, unless there's a huge price incentive to buy the more troublesome TV and "fix" it.
Don't those often use B-grade panels from other manufacturers? I know Hisense has the reputation for punching above its weight, but I wouldn't expect them to produce "high end" TVs.
Yeah, I tried to go down that route about 10 years ago when the Internet was younger and dumber and I wound up not being able to find anything. Here's a recent (UK) story about the idea that could provide some vectors, though:
That's funny in really tragic way. So what happens if your internet goes down or if for instance you are just moving in and you don't have internet for a week or so?
Does like everything stop working without internet now? ...sigh
Honestly, I'm 100% more fine with Apple spying on me than pretty much anyone else. I'm less perturbed with the entire concept of spying than I am with who is doing it.
You do expect the box to keep track of what content it's showing you. You don't expect the tv to keep track of all content, regardless of where it's coming from.
Agreed. We have a dumb Sony 40" LCD that is over ten years old. It's not 4K but our eyes aren't good enough to see the difference, and over the years we've used a range of front ends - currently a Raspberry Pi running Kodi (with the HiFiberry sound card - awesome!).
This has been very economic, and environmentally friendly, and I can't see why we can't continue for several more years with the same screen.
I like to frame it this way: The oldest TV in my house is a 10+ years old 46" 'dumb' TV. It used to have a SageTV box connected, then a Roku, and now currently has a Chromecast. I could plug the Chromecast into a brand new TV, and other than the case design, they'd be indistinguishable.
Know what was state-of-the-art in embedded CPUs 10 years ago? The original iPhone. It had a 400 MHz single-core processor with 128MB RAM. Do you think app developers that have quad- and octo-core CPUs and literally 8 or 16 times the memory are going to optimize for the old platform, or build and maintain several versions of their applications?
Personally I'd rather spend of $35 ~ $200 every few years, instead of $800 ~ $2000, to have an up-to-date system.
I feel the same way about smart TVs, but I'm starting to have my doubts about the Roku. A few months ago I was trying out an open source DLNA media player. I tested it playing a single WAV file from my server using the Roku Media Player. A day or two later, we turned on the TV, switched to the Roku, and were greeted with an advertisement for a concert video by the exact band I had listened to. Now, I'm pretty sure the ad was not based on our the past viewing habits of our household - my wife does 99.9% of the Roku streaming, and her music preferences are completely different than mine.
Now, I know this is just a single anecdote, and that it could very well have been a coincidence, and that in the grand scheme of thing this is one of the more innocuous uses of tracking, but it was still a somewhat though-provoking experience.
The Wirecutter's top TV pick is a non-smart one, ironically a Vizio.
"In a departure from the trend toward smarter and smarter sets, the Vizio P-Series lacks built-in smart-TV features. It’s basically a dumb TV, not just lacking apps but also dispensing with a tuner."
If it doesn't have a tuner, doesn't that just make it a monitor with speakers?
If you're using a STB, that hardly matters, but I'd think a cord-cutter would like the option to plug an antenna in the back and watch OTA stations without needing extra hardware.
I don't understand the consumer infatuation with "smart", Internet connected devices, especially smart homes. Yes auto lighting and hvac systems are cool, but it introduces so many security vulnerabities that it's not worth it.
I dont ever see myself using autonomous, internet connected cars. I cant think of a bigger hacking target for terrorists and mischief makers alike.
Me neither, but it seems like we haven't even come close to the limit of what people will tolerate. For example, Johnson & Johnson has/had an insulin pump on the market that could easily be triggered remotely (i.e. be used to remotely murder you): http://www.theregister.co.uk/2016/10/05/animas_diabetes_pump...
And their response was basically "yeah, it's not that big of a deal, don't worry about it". Someone with really bad intentions could set up a few arduinos/rPIs in populated cities, set them to broadcast the 'inject insulin' command and then sit back and watch people drop dead if they wander within range.
It's the type of attack where you'd never even be able to track down the perpetrator. They should at least add a chime when it is activated so that the users can take note and chug some gatorade or something.
Someone would really, really have to have it out for diabetic geeks for this to be plausible.
The scary stuff I worry about is what an evil scientist, like the one from 12 monkeys, could do with a deadly virus. This type of evil gets more far more "bang for the buck". I guess both are equally plausible. I might worry more about your scenario if I were diabetic!
> Someone would really, really have to have it out for diabetic geeks for this to be plausible.
I disagree. The remote and disconnected nature of this renders it less real than say killing a person with a knife. You don't have to witness first hand the yelling, screaming, pleading, suffering, etc. and finally the moment when a person sublimates from a living, breathing, unique being to a lifeless husk. It's like pushing a button to kill someone...it can be so far away that it's not quite real.
When I was younger, I spent time on 4chan's /b/ and could see some of the more deranged+immature members of the community doing things like this for the lulz or using some half-baked logic rooted in 20th century eugenics. Example A: Individuals like Dylan Roof who don't understand statistics and the context around it (I watched the entirety of his interrogation and he's borderline mentally challenged or autistic)
>Someone would really, really have to have it out for diabetic geeks for this to be plausible.
It only takes someone having it out for any specific individual who depends on the device. The OneTouch pump is a convenient murder weapon that could make the death look like an accident. (Or the possibility of many collateral casualties could be a plus to some.)
> "smart", Internet connected devices, especially smart homes.
I have a "smart" home (well, parts of it -- it's expensive to do everything!).
It turns on a few select lights when it gets dark out, unless there are already lights on (eg: we're home) in which case it doesn't change anything. It turns lights off late at night in case we forget. It turns the front lights on at 30% between dusk and midnight, and cranks to 100% anytime between dusk and dawn if there's motion or the garage door is open (then gradually puts them back to what they were). Most useful, there's buttons on the kitchen keypad labelled "Dim" "Bright" and "Off" that adjust the lights over the island, sink, table, and under-cabinet and range hood (all separate). Another useful one is the "all off" button by the front door -- there's no corresponding "all on" because (as mentioned above) that happens automatically, and we never walk into a dark house.
All of it can be controlled from any PC/tablet/phone, and of course all of it could be done over the internet -- except that I don't have any of the ports open, because I don't see the point. The ability of connected switches to be controlled by other switches/motion/time yet still allow manual operation is very nice, and it's significantly cheaper than a massive re-wiring project.
I hate that there's this huge craze that confuses "smart" with "on the internet". It's an entire industry that is a solution to a problem that doesn't exist.
I have a regular light switch for my Hue lights, but also have some timers set up from my phone that change their colors in the morning/evening.
If I'm gone or even if I lose the phone, I really wonder if anyone else will ever figure out how to shut that off. They'll probably just throw the bulbs out.
The "SmartTV" isn't really smart (nor is anything to be honest). The SmartTV is just a smartphone type hardware built into the TV so the kids can Watch netflix and you don't need a second box + remote to do it. I find that pretty compelling actually.
> The "SmartTV" isn't really smart (nor is anything to be honest). The SmartTV is just a smartphone type hardware built into the TV
By definition, this is what makes it smart. It's not the sophistication of the embedded hardware, it's the connectivity. The Echo Dot isn't anything special (and a bit overpriced IMHO). Wifi, Bluetooth Radio, 3.5mm audio out, decent mic, speakers about as good as free swag portable speakers, etc.
Roku is collecting and sharing information on what you're watching with Nielsen and other analytics providers. I believe they are requiring it of all their developers.
The smart features mostly suck, but the idea of using two remotes (or a nonstandard programmable remote) is pretty unattractive. I jump through a lot of hoops to be able to plug my tv antenna cable into my tv rather than a set top box of some kind, so it would defeat the point to have a set top box for the smart features.
I suppose if the streaming services I use were all compatible with e.g. ChromeCast I could use that, but until they are I'm pretty happy with the ui of the SmartTV. Most importantly, the kids can use Netflix without having their own smartphones.
I'm going to check the settings really carefully on the TV to see if I can at least maximize privzcy, but I wish there was something better such as a firewall setting I could use. Is there a guide for various manufacturers/models floating around somewhere?
Many TVs allow hdmi pass through of the TV remote to a device if it's supported. For example my Samsung remote can control my FireTV via HDMI.
In the past, Sony has picked confusing button mappings for the PS3 such that only Sony remotes worked well with it, but I haven't had a Sony device since then.
Yes I wish I had known (well I sort of did) that a smart TV would be so bad just the laggy apps, opt-in after each firmware upgrade. And each upgrade seems to make the apps run slower and slower.
I got my dad a Roku but he didn't want it so I took it thinking I would return it but for Netflix and YouTube it's far faster than the same Samsung apps.
My plan to build a Pi 3 media box was set aside for now.
But yes wow such crap and mind games in these smart TVs when all I want is to see my video signal!
For the last two years I have had a service running that floods garbage data back to the collection point from several addresses throughout the Internet.
I know we can't expect the "average" consumer to do this, but thanks for caring and running tcpdump on your network! It amazes me that with a lot of these stories there's no one popping up with a pcap showing exactly what's going on.
I'm hoping projects like Turris Omnia [1] will allow people to be more in control of what goes in and out of the LAN - my network, my rules.
You don't really need a open source router. Just something that can be flashed with Openwrt or dd-wrt. The router you linked actually runs a fork of Openwrt.
Yeah, they're pretty rare in Australia due to our reliance on ADSL - unless you flash with DD-WRT. It's still not something everyone does. OpenWRT and DD-WRT's UIs are pretty rough (although, most commercial UIs are, too)
I'm running OpenWRT on a TP-Link TL-WR841N/ND v8 and the LuCI interface that comes out of box is vastly better (cleaner and more feature-full) than the majority of consumer router interfaces I've encountered. In particular, the realtime graph of current connections!
You can likely set your ADSL modem into "bridge mode" and put a user-flashable device between that and your network. Once you get NBN you just connect the WAN port to the NBN termination box and you'll be getting DHCP from your ISP.
Is it an unsecured or secured connection? Can you make a connection?
You might want to check if they just blocked your IP addresses and your connections are being dropped. Although if you're been running it for 2 years(!), I think you have it covered.
Just a tip: It's very easy to clean up completely garbage data from a database. Any data scientist worth their salt would do that. Getting rid of your garbage data just needs a couple lines of code. What you need to do is, skew the data so that it isn't suspicious but eventually will mess up their inferences.
It would be nice to rope in some chan-ners and a bot net or two. I think the data should say that the entire country watched a certain Rick Astley video on repeat for the next year.
Glad to know someone is giving them hell. I purchased a Vizio TV on black friday and suspected that all manufacturers would be doing something like this. For that reason I never configured it to access my wireless network. Scary to realize that it was actually happening and at this scale.
The amount of money they made from that data is probably orders of magnitude more than the paltry $2.2 million penalty.
I hate to get all paranoid, but it seems like every day there's news of a company's data being hacked, and what information isn't being hacked is being actively sold.
What can an average citizen do (short of living Ron Swanson-style in a cabin in the woods) to protect their privacy?
On the individual level, probably not much. But I think you could help much more on a societal level. Help monitor what these devices are sending back when they contact their servers and report on it. Is there a database for that sort of thing?
But also, giving to litigation groups that fight this sort of thing. EFF comes to mind, but I'm sure there are others.
Isn't there money to be made in simply selling honest software and hardware that doesn't spy? A profitable consumer electronics and software company could be established whose products didn't monitor, aggregate, or stalk its customers with ads.
I should think there's enough awareness of these kinds of antics in the market now that a successful company could be established soon that has the creation of honest, respectful tech as its M.O. A venture like that could be profitable AND disruptive.
I suppose to guarantee the privacy of its customers, such a company would necessarily have to have vast product offerings - or lots of like-minded partners - to compose a comprehensive landscape of services that could replace the privacy-violating services their consumers currently rely on. A sort of privacy walled-garden.
So basically, it pays to engage in unethical behavior, because if you do get caught, the fine will usually not be more than the profit you made from said behavior.
Obviously. Whatsapp broke privacy law in Canada and across Europe to hack growth. Different industry, but Four Loko also was penalized for its risky (but great for some people) original formula.
I doubt it would cost nearly that much. I could build something similar in a couple of days, and I'm not even a developer by trade.
Just use something like pHash (e.g. https://github.com/JohannesBuchner/imagehash), screen cap the centre of the screen (say, a quarter of the screen in total) every minute, hash and then send the 8 byte hex string back to home base.
The problem you are describing is one that many large companies spend huge resources on today, so guarantee you that it is not something you do in a couple of days.
Even if you had the system up and running, you would still need to create a large database system managing 100 billion data points each day and integrate the stream of information with your customers APIs.
$2m worth of developer time going into this project is very likely. Thinking you could do this in a couple of days is simply ignorant.
Can you elaborate on your industry knowledge? I'm not in the industry so I'm curious. I would guess that Vizio would have been able to demand a premium for that data.
> What can an average citizen do (short of living Ron Swanson-style in a cabin in the woods) to protect their privacy?
Talk to your politicians. Tell them that data privacy is important. If you're in the USA lobby for something like the EU's Data Protection law (even at the constitutional level). If you're in EU, lobby for stronger data protection (no more sharing data with the USA)
Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content.
I would like to know more about that process. I find it ethically abhorrent, but technically very interesting.
Like, is it grabbing, say, three pixels in constant locations across the screen and matching their color change over time? Is it examining a whole block? Is it averaging a block at some proportional location on the screen?
You can dive in from there but it's basically either watermarking or fingerprinting of video and or audio frames. Video was preferred because there were fewer false positives from music beds. In a nutshell its video Shazam
I'm also curious if they'd be able to match different encodings of the same video or would only be able to match against specific encodings in their collection.
I would imagine it's simply a temporal comparison of pixel colors at predetermined locations, similar to how the Shazam algorithm[1] works? You'd just need to analyze enough pixels to reduce "collisions", coupled with the temporal aspect!
It's not encoding based - its frame based, basically bitmap data. It has to be to work across the whole video delivery pipeline so it's fairly fuzzy but also accurate.
They need a source to compare too so when we worked on it masters were being sent from the network to the sync technology group. So they had source data for comparison on the first broadcast of a show.
Outside of latency there's no reason they can't match against broadcast content off cable. For user tracking they can just log the fingerprint data and compare it later to source data for analytics so this works fine.
If nobody's started one yet, I think there would be an audience for a blog/vlog/whatever that reviews non-smart TVs. And/or a place that evaluates which "smart" TVs function acceptably as "dumb" when they are not connected to a network.
Realistically, this would have to include evaluating things beside consumer TVs for use as living room devices, since "smart" features in consumer TVs are nearly unavoidable at this point.
Because I'm going to have to start looking into the world of commercial displays for my next TV, I guess. At least I think those don't have "smart" features. Yet?
Rather than avoiding such TVs, I think we're better off taking some good precautionary measures.
Why buy commercial displays which usually are pretty expensive, when you can buy consumer ones and be smart about how you use it? Of course, even if they start coming with in-built wifi, just don't let them connect to anything.
First, off taking control of your own home network is crucial. Get a good router, something you can install pfSense or linux on. You'll basically have to get an NUC and learn how to manage firewalls. I suggest pfSense or just plain jane ubuntu server if you aren't very good with these systems. Then, a wifi access point can be connected to it for your wireless devices.
Prevent external network access to all the devices, and then whitelisting them (probably only your computers) is the way to go. Unless you bother to teach every one who lives in your house about the terrible things that some companies do, just block everything.
I don't think we can prevent IoT just like we couldn't stop phones. Home automation can be the best thing since mobile phone. As nuts as it sounds, you might just realize the comfort factor of having a "smart home". Just have to be careful, just like you're careful with your phones, and what they do. Read up on basic security, common exploits targeting IoT devices, etc.
There's an absurd amount of technical knowledge that you are suggesting that every household in America should subscriber to.
Also, if you have a SmartTV, you probably need to allow it contact the internet, otherwise playing internet TV (Netflix, iPlayer, Hulu, etc) is not going to work. If it can access Netflix, it can probably phone home with your data.
Yeah, but those spy on you too, so I don't see how they're any better. The main advantage with things like those is that you can more easily upgrade them later as technology changes.
I agree with you on the amount of technical knowledge that's needed. I guess routers/home internet security might be ready for some shakeup if someone comes up with a layman-ready interface while being secure.
But, the point of having a firewall is that you can find tune the outgoing IP addresses. Sure, it'll take some time to initially allow all IP addresses for a specific devices, but it shouldn't be undoable. There are lists out there which specify which service owns which IP.
The sole point of a good firewall _is_ that it can only access Netflix and not any unwanted servers.
There is a market opportunity for a router with some smarts that can do automatic VLANs and access control. e.g. lightbulbs can talk to *.lifx.com and local Android devices but nothing else, TV can talk to YouTube but not to the fridge, etc etc.
Not much technical knowledge required. Basic parental control on my ASUS router denies access to the internet to Samsung TV and it can still play content from LAN via UPnP.
In order to roughly scale how much technical knowledge this actually represents, remember that most humans, even most humans with home networks, do not know what routers and networks are.
For a much better sense of scale, it's important to remember that ~14% of adults in the US are illiterate[1].
This is why the medical community adopted the principle of requiring informed consent[2]. a much higher standard than "it was in the ToS" or "our business model assumes you weren't lucky enough to have the education necessary to understand why it is important to opt-out". Similar requirements need to be applied to data; if you aren't proactively informing users about precisely what will happen with their data, and making sure they understand, the user isn't making a properly informed decision.
Pretending people will understand the consequences of data collection (with modern analysis methods) when there is a decent chance they can't even read the ToS/etc is what you tell yourself to alleviate conative dissonance.
That's the equivalent of people having to manage blacklists for ad blocking - it doesn't work for most people because it's too much work or too difficult.
Just like uBlock solves it by making an accessible plugin and a manages blacklist, I hope someone will launch a simple appliance for home use that will manage this. The router/firewall UI would just need to provide simple switches for blocking various manufacturers' data collection.
I think you have a more optimistic view than I do, though, regarding one crucial aspect...
Why buy commercial displays which usually are
pretty expensive, when you can buy consumer ones
and be smart about how you use it?
Right. But how long until consumer displays refuse to work (or, function in some diminished way) if there's no internet connection available?
When significant numbers of people start defeating those data collection efforts, TV manufacturers will start to take countermeasures.
These data collection activities aren't simply a thing that Vizio does to make a little extra cash on the side. Profit margins on mass-market consumer electronics like TVs are notoriously thin, and expected revenue from data collection is something that Vizio factors into their MSRPs.
Same as everything else in a business: the company itself out of the profit made profit made when they sell the data. out of the profit. From the FTC's statement:
> Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others.
(or simply include the cost in the price of the TV)
Also, the data costs should be a lot lower if they negotiate for a very-lows-priority, off-hour plan that batches the data, only uploading when it is cheapest.
There was a similar thread here on HN a month or two ago with a comment about swapping out the 'smart' logic board for a generic 'dumb' board.
Doesn't work for all boards but it makes sense that for some makes and models, the screen is relatively generic and can be driven by something you can buy off of ebay.
Personally, I'd be pretty happy with very high quality monitor-only sets... I mostly run everything through my AVR anyways. Though some of the smart tv options are getting compelling, I tend to find the integrated devices are always a letdown after a couple years.
Yeah, same: I expect a TV to last a decade or more, but I expect a smart TV features to become out of date about as quickly as most smartphones do. And I never expect drastic updates for those sorts of things; the TV company's revenue stream depends on you buying a new TV more frequently than I'd plan to.
I think a separate device like a ChromeCast or Apple TV is a much better choice.
As if there's any human-measurable way of confirming this. Yes they can be forced by a court. And no, the court can't know if they stopped all of the software copies on all TVs and no, the court can't know if they didn't re-activate them in the future back again.
What actual proof do we have that LG actually stopped? What actual proof can we have that Vizio will stop doing this?
Vizio is not an individual, it's a collection of employees and contractors, some loyal, and others who hate their corporate overlord and would love nothing better that to dob them in if they ever sneakily resumed the spying.
This wasn't an issue earlier. It was a known public fact. I stumbled upon the marketing page for this feature about a year ago by accident without even attempting to find it.
What Visio is doing has so little impact on privacy that it is embarrassing for our regulatory system that this is what they took action on.
Well, one could monitor all outgoing packets from your smart TV, but you would also need to know exactly how to decode what was contained those packets... unless of course they conveniently set the evil bit for you. With the poor level of development associated with this type of work, it would probably be enough to identify a different set servers for receiving the data.
With more sophisticated coding, you really do have to know what's in every outgoing packet. Perhaps it reduces down to problems similar to the discovery path of the VW Diesel emissions cheat - taking an interested hacker/researcher to examine the compliance.
I realize that a good router configuration (and a trusted router no less) might entirely eliminate the problem, but the thing is, there might be some other agreements between vendors we don't know about. For example, I have an ASUS router. I don't know if a Vizio TV can't send a packet to my router with which it gains unlimited and unfiltered net access. We simply don't know.
Anyway, probably my paranoia, but once you see things like the original post, you start to question a lot more. At least I do.
Easier - when I upgrade from my 6+ year old Sony, my TV will either be disconnected (ironically I trust the Xiaomi Mi Box more) or only allowed to access *.youtube.com. I realise this isn't tenable for most consumers.
This is probably gonna be the "temporary solution" which is gonna solidify as the permanent solution unless I really find some extra energy and motivation, yep.
Yeah not much of a punishment to discourage further abuse. Should have fined them on a ratio of the number of data points they collected (100 billion). Even a 100:1 seems like a reasonable punishment for this scale of abuse ($1 billion)
To me, this truth is why the market really isn't a good enough mechanism for protecting consumers - it is downright fatiguing trying to keep track of all of the bad actors/actions and there's no way to be specific in your feedback - market share and revenues are a really imprecise signal.
Just further confirms that "Smart" TV's are a ripoff at best and a scam at worst.
Never, ever, ever buy a television described as smart. For any reason at all. All of the solutions are miserably pathetic. All of the solutions are riddled with bugs, design omissions and potentially nasty security zero days. All implementations have little to no update support from major third parties.
And, in many cases from many companies, the units spy on you as aggressively as could be to sell data for marketing purposes.
"Smart" tv's are lose lose lose lose. You pay more, you get inferior software, inferior hardware and ultimately have your privacy abused.
EDIT: To be fair, I love my Vizio dumb TV I just got. 40" 1080p dumb TV for $167 inc. taxes this past black friday. Got a HDR/4K Roku for an additional $70 and this TV is beautiful and the Roku is so much impossibly better in both hardware, software and third party support than any "smart" solution ever could be, and costs far less than the "smart" upgrade!
I don't understand why someone just doesn't hook up their TV with their computer via HDMI or DP. Is switching sources too complicated for people?
Even the shittiest Dell boxes these days have 2 video outputs, I believe, so you can run 1 monitor + TV. Most laptops have an extra video out port too.
That way you can actually type on your keyboard when you search youtube, unlike typing with god forbid, a remote or an xbone controller (like a console peasant)
By using a $5 cable, pretty much anyone can make a TV 'Smart', and not just smart, but smarter than the ones that are marketed as such.
Because a full desktop UI is vastly inferior to a simple remote interface if you don't have a full mouse/kbb available, and having to have a mouse/kbb to, I don't know, pick a movie is very lame from a couch user perspective.
Because you can get 4K/HDR with regularly updated high quality third party apps like Netflix from Roku for $80 with hardware that can handle it/
But a Media PC running Windows would require you to spend several multiples of 80$ to achieve 4k/HDR with a good remote.
More work, more setup, more money, more configuration, and frankly the end result isn't better.
Easier to use your PC as a media server, then use Roku to read from the server using a remote on your couch.
>Problem solved, no money spent, best of both worlds.
Many new problems:
* Gamepad costs roughly 70% the cost of any entire 4k/HDR Roku setup. A first party game pad costs $50-65 dollars, while a HD Roku costs $80.
* A gamepad is VASTLY INFERIOR to a remote. This one is very easy. Gamepads are crappy, crappy remotes. The back triggers (L2 R2) are stupidly mapped to seeking causing endless fastfoward/rewind triggering by mistake. The buttons are unintelligble (what does a Square do to my movie? What does Y do to my TV show?) and are only usable by basically the 1 geek who set it up and is unusable by all other users who have to learn custom button mappings per application
* Kodi is vastly inferior to Roku for average use, like Netflix. Users must use unsupported, buggy third party non-Netflix based Netflix add-ons which are inferior in every way to an officially distributed Netflix app. At this point, the best solution is the PAID "PlayOn" subscription service, meaning the user must pay monthly just to access basic apps like Netflix which are free monthly on Roku (outside of the actual subscription, which both methods require)
I'm sorry but Kodi is pretty crap as a home media solution, have you ever relied on it for your full library and media consumption and watched it be used by the less tech-focused people in your home? Regular users, children, elderly people?
Roku is easy for my grandfather to use. Kodi + a Xbox1 controller? Not so much
Well, I already had all the hardware, and the hard disks already have most of the content.
I kind of disagree about gamepads being bad remotes. The default mappings are bad and I do agree about the triggers. We don't need more than half the control to do forward and rewind. I had remapped mine, particularly to add changing subtitles and audio streams.
But: the gamepad is the control I can use without having to look at it, because it is not a matrix of similar rectangular buttons, and after a while everything is just second nature. For me, nothing is faster or more intuitive now. And the buttons are REAL solid buttons, not crappy pieces of rubber. I get frustrated when I have to use a regular remote control now.
I don't use Netflix because I'm not in the USA and in South America it honestly sucks. And they hunt and shutdown VPNs now.
However, nothing beats the price of your Roku for a new setup. That one I concede. Your setup is much cheaper. But you can't play Batman Arkham games on it :D
Cluttering up my living room by running a cable across it isn't very attractive, nor is the general experience of using a non-stationary laptop with a giant cable hanging out of it. I much prefer using a Chromecast, or using my Xbox with a wireless keyboard (which I have stashed under the coffee table, within reach whenever I need it).
It's going to get more and more difficult to find a "dumb" TV. Almost all medium and high quality TVs are "smart" TVs now. It costs TV manufacturers very little to add "smart" functionality and it brings in a lot of customers.
I think it's more pragmatic to look for a TV that suits your needs, including any tracking, advertising, etc. Some platforms let you turn it off and others don't -- e.g. Samsung's smart TVs show ads in the menus that you can't disable. I would never buy a TV like that. I just bought a Vizio recently, but I knew about their tracking software so I knew how to disable it during initial setup. Far from ideal, but I wanted a quality 4k display so I was pretty much stuck with "smart" TVs.
Also, for what it's worth, Vizio changed their "smart" platform to just be a built-in Chromecast which isn't as terrible as most smart TV platforms. I have an HTPC hooked up to my TV but 4k content is mostly limited to "approved platforms", meaning I have to use some kind of device to stream it.
IMO you and others choosing to patronize overpriced and pointless smart systems is why it is becoming harder to find.
If even the people who care don't care, then sure, they'll surcharge $100+ on every model happily.
For what it's worth, my dumb Vizio was found in a stack of 20+ at a local Target during Black Friday. They were literally stacked at the entrance to the store. I couldn't miss it. It wasn't that hard to find.
That doesn't make much sense -- if I'm unable to find a product to meet my needs with a particular attribute, I'm going to buy one that meets my needs despite not having the attribute. In fact, the TV I got is the closest I could get to a dumb TV. It just has a Chromecast built into it.
Is your dumb Vizio a 4k TV? From my research, there was not a single 4k TV from a reputable brand that did not have some "smart" features.
"Smart" TVs are the worst TVs I've ever used, I really don't understand the appeal whatsoever.
They're almost universally clunky and slow with horrific UI / UX choices and painfully high latency on simple things like browsing a list of files or even just registering button presses, provide fuck all useful benefit over and above the regular TV experience, are usually running some long-deprecated version of Android which is riddled with security holes that will never get patched - why does anyone actually want this?
A Raspberry Pi running OSMC is everything you could ever want out of a home media setup, it'll work with good old regular "dumb" TVs that can't invade your privacy, with an interface so simple your grandparents can use it, and can be put together for well under $50.
And then there's Tizen which is even worse than Android Smart TVs. Dad bought a Samsung Smart TV with Tizen (even though I begged him to change his mind and buy a better solution for half the price) and expecting the worst I was _still_ suprised what an absolute piece of garbage that TV is.
This sounds like an excellent reason to simply never connect the TV to the Internet and to simply connect your own system to the TV whether it be a stick PC or something with a little more oompf.
Last time I looked, dumb TVs were expensive and hard to find. I assumed that is because the manufacturer can make fat bank off Netflix, Amazon, et al. by including their apps. Not to mention the possible revenue made off this kind of secret monitoring. That probably makes a huge difference in a low margin business like TV manufacturing.
Agreed, but. Most just bug you about 'updates' ad nausem until you have a moment of weakness and punch it in. At least some will autoconnect to open wifi. Sure YOURS is locked down, but what about your neighbors? Just 'turning it "off"' is not enough for even casual security.
Exactly what you said. Even if I do my very best to secure my router and blacklist the TV's Mac address (and never give it the wifi password), how do I know that my neighbours won't mistakenly let their WiFi open for a day or two until they realize their mistake? Or if I tether my mobile data from my phone and turn into a router, that I might forget to secure it?
All it takes is one small slip.
I'd rather never take the risk. I'll just look for a dumb huge TV; I need 65+ inches, good luck to me, right?
This is promising and is a good start towards IOT precedent, and perhaps even operating systems of our devices (Windows 10).
- Explain your data collection practices up front.
- Get consumers’ consent before you collect and share highly
specific information about their entertainment preferences.
- Make it easy for consumers to exercise options.
- Established consumer protection principles apply to new technology.
I wonder how many technical teams are scrambling to undo their spying now - though this is a fairly insubstantial fine. I could see the data being potentially worth more than $2.2m
To note, they were also forced to delete the collected data, though the insights they've already extracted / profits from data they've already sold may offset both the point and the $2.2 million fine.
Vizio might be able to delete the data but there is not much of a chance that the data brokers they sold to can. Probably already baked into their models.
Plus how is this verifiable? The fine should be a lot higher to discourage this action.
> I wonder how many technical teams are scrambling to undo their spying now
I bet the one that truly have to worry in terms of size calculated that the cost of undoing it will overweight the cost of eventual penalty, underscoring word "eventual".
What I'm about to say may go against what many of the HN community believes. This isn't an attack on anyone's beliefs; I'm merely expressing my thoughts in an attempt to solicit constructive discourse.
I'mma be honest. I don't understand the repulsion at the possibility of corporation X knowing my personal info, (excluding the usual things like bank account info, SSNs, etc) like my location, search history, etc. To be clear, I'm 10000000% against warrantless (FISA court "warrants" excluded) government access to this information. Here's my reasoning:
* Governments
Have the power to arrest and detain on a whim. Not to mention, use drone strikes.
* Corporations
... Don't. These entities have self-interested incentives to provide tools which are economically productive for users. For example, a smarter smartphone, whatever that may be.
Regarding Vizio, my grip is that Vizio's goal (for this product at least) is to make a profit producing TVs. So, after the TV is sold, the product is individually "finished" (not considering support stuff). So, then, what other product is the data collection for, and what does this product give me in return for my data? The answer to both is no, and not just for Vizio.
One thing to consider is that regardless of original motivations, once data has been collected by any party, that data CAN come into another party’s possession. Maybe the company network is not secure and the data is just stolen. Maybe a disgruntled employee screws them over. Maybe the company is bought out by someone else with different goals.
The point is that you can never assume that something will only be available to certain people for certain purposes. Even if you know this at one point in time, things change.
Therefore, one must expect and demand the highest security throughout technology stacks, and implement laws to clean up whatever cannot be guaranteed by security technologies.
> Corporations ... Don't [Have the power to arrest and detain on a whim. Not to mention, use drone strikes.]
... yet. In western countries. It's not unheard of in history for corporations to have armies.
That said, the primary issue today is that once data is collected, a government entity can subpoena for it, essentially turning the thing into a user->corp->govt data pipeline. In cases where you'd be worried about serious government abuse of data, the corporate databanks are not safe from it either.
Secondly, some companies do have a way of ruining your life. Think banks and insurance companies, for example.
> [Corporations] have self-interested incentives to provide tools which are economically productive for users. For example, a smarter smartphone, whatever that may be.
No, they don't. That's the naive story you may hear about market economics in primary school. The truth is, these entities have self-interest incentives to make you pay them for shit. It doesn't matter if it's economically productive for you, or if it's economically destructive. Think cigarettes, addictive entertainment, crappy products that break quick, planned obsolescence, various marketing shenanigans they pull with telemarketers, etc. Companies make useful products only when, and only to the extent, that they sell better than useless products.
It's the lack of transparency that's the real problem. I like to know as much as I can when something I own is sharing personally identifiable data about me and my habits to companies (and governments). The fact that the whole effort on Vizio's part was under the radar means that consumers lacked important information about the functioning of their TV's. If they had known about the depth and breadth of the data collection, maybe some portion of purchasers would have made other decisions. Once that's on the table, then you're free to make the choice to let that data be shared if you're comfortable with it (as you indicate you'd be in your case).
Yes, yes, yes. For example I am perfectly okay with Google slurping up every bit of data they can about me, tracking my every move etc. because the benefit I receive (i.e. really spooky-accurate suggestions & info in Google Now) is worth the privacy tradeoff.
Also, based on their past actions and statements, my level of trust with them is very high that they will be transparent with their uses of that data and that they will diligently guard against that data being put to other uses that they or I didn't allow.
But what Vizio has done here makes it perfectly clear that providing any benefit to the end users was never their goal and that keeping the true nature of this program secret was an intentional act. That's enough to ensure I'll never buy a Vizio product in the future.
The collected data about you will be used by marketers to sell you goods and services at a higher price and not to make a "smarter smartphone". For example if an online shop somehow knows that you live in your own house it can set higher price for you than for people who rent a cheap apartment in a city.
Pretty sure that Samsung does very similar things. I've been interested in actually capturing outgoing pcap data for this purpose. Looks like I have a new project to add the pile.
One thing that I'd treat as a "tell" for how invasive Samsung's tracking is: how hard is it to disable the Smart TV functionality?
For example, can you disable the wireless interface, or will it keep asking you to connect it to the internet? Does the TV itself ask you to agree to a EULA?
I've been interested in the Samsung hardware, but only as a Dumb TV. This kind of data collection is not what I'd want.
Why wouldn't that data be encrypted? All you would see is packets going to specific IP addresses. No way to analyze the contents.
Of course, the data might not be encrypted. Why go thru the effort? Because of the large quantity of data being passed back and forth by almost all Internet connected devices, it's tedious to interpret what's happening even if the flows are completely open.
> The data might not be encrypted. Why go thru the effort?
It's true that a lot of IoT devices communications are not encrypted.
But what concerns me is that they'll start encrypting everything so that we can't analyze what's being transmitted. Not for our privacy but to prevent us from knowing what they're doing.
I see DNS issues with SmartHub, etc.. but I don't see anyone suggesting that Samsung is capturing image data and sending it back? Not saying they aren't, but as an owner of two Samsung TVs, I'd be interested in any real evidence of them doing this type of thing..
However, as far as anyone has shown, that audio data is only when the user uses the voice functionality on the TV. They just were bad about encryption, but to use voice search, it made sense that they were sent data. That is remarkably different than recording image data every second from every television and sending that back.
Not saying it's the same, just saying it's a potentially questionable (re privacy) thing Samsung has already been caught doing.
Not sure if they were selling any of those data, anonymized or not, either.
edit: It's also worth pointing out that while technical people (e.g. us) may see voice recognition tech and immediately suspect that it involves phoning home, most people probably have no idea that anything of what they say is leaving their living room.
It's in the privacy/TOS section on the Samsung TV I bought from Costco 3 months ago.
"Interest Based Advertisement. Samsung provides the ability to obtain and view interactive and interest based advertising on your Smart TV. Interest based advertisements will rely on your TV viewing history and Smart TV usage information. Your viewing history includes information about the networks, channels, and programs viewed on your Smart TV and the amount of time spent viewing them. We may use automatic content recognition (ACR) and other technologies to capture this information."
It is opt-out, and it's buried a couple levels deep in the menus.
To be picky, the thingy was introduced "only" in 2014, so maybe "only" 4.5 million tv affected, that would raise the cost for the company to a whopping $0.50/each, more than double what you calculated but still peanuts ...
Last time around, I elected to buy a smaller "dumb" TV, and just sit closer to it. I learned my lesson very early, with LG as my teacher.
If I really had to get a large display, I'd just make it a big computer monitor and add a separate sound setup, or I'd spend the gratuitous extra markup on a commercial "digital signage" display. Either way, I'd probably have to route all TV-related functions through a set-top box with HDMI output, like a DVR, cable/satellite box, or HTPC.
It's amazing this was settled for a few million dollars. It's easy to imagine an alternative press release where the settlement was 10x or even 100x larger.
Call (not email, not Twitter) your Congressional representatives and remind them. Agencies act within laws which make certain things easier or harder and they're probably going to settle if the alternative is a lot more work.
but then Vizio wouldn't make a profit. The FTC has to make sure these companies continue to be profitable while itself appears to be semi-competent. Similarly, Verizons supercookie "crackdown" was laughable. FTC stands for Fuck the Consumer because that is their primary objective.
edit: I phrased the above incorrectly. I meant to imply that the FTC is beholden to these companies and largely does their bidding. Except in narrow circumstances, the FTC really is a tool of the major corporations it is supposed to regulate.
>On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.
> The order also includes a $1.5 million payment to the FTC and an additional civil penalty to New Jersey for a total of $2.2 million.
So I actually worked at cognitive networks up until the end of 2014. I've read this thread and thought I would address some things here that didn't seem to get fully concrete answers (in no particular order).
The ACR technology that cognitive used was/is in vizio and LG tvs. during the time I worked there we only had a deal to use it actively on vizio tvs. I guess lg was just testing the waters to see how it'd work. The ACR technology that CG used is based on RGB values from sampled patches on regions of the image. There was no audio finger printing used. There were a number of items that would mess up the "recognition". Some of those included aspect ratio of content, watermarks from different providers, overlays and basically anything that modified either the size of the original image or obstructed it. For the server infrastructure, what we did was we ingested live feeds from the major network providers, these feeds had to be ahead of what tvs were watching by at least 5-10 seconds so we actually had the fingerprint data in our database to be recognized. we would pair the ingested fingerprints to TV scheduling data and voila, we "knew" what you were watching. Now clearly if we didn't have the content in our database we had no idea what was being shown on your screen.
What did we use the ACR data for. Well there were 2 "deals" going on while I was there. One was ratings, something to compete with the likes of neilsons. Different content providers, distributors, marketing agencies, etc. would want ratings info. Additional there were other "data mining" companies that build profiles based off public IP addresses that would want to use our data to enhance and augment their data. The other application that was the one that everybody was after want "interactive advertising". This would allow us to pop up an HTML5 app/page based on the ACR. So for example your selling a car, your ad comes up, you pop up your app and allow the user to schedule a test drive or look at the car in more detail. The use cases were endless though.
The ACR technology ONLY worked on content that was viewed from the HDMI ports. Any built in apps like netflix or hulu that were run, ACR was force disabled. One thing I remember about that was that netflix is huge about NOBODY getting viewing data/ratings information about netflix and it's users. Only netflix has that data apparently. One somewhat reassuring thing about disabling the technology is at one point vizio did notice a bug on one of its TVs where ACR was not being disabled when the user opted out of "interactivity". This was a big deal and we were required to solve it ASAP.
This is ridiculous, I wish someone with money would create an absolute shitstorm by buying this kind of data, buying data from Facebook, google, twitter, internet cable companies, state departments, combining them, deanonymizing millions of users and dumping them. Until something crazy like this happens nothing will happen, it needs to be brought to the light. Until then, no regulation will ever happen on data collection on users and we will all be sheep and the product. Crazy thing, it won't cost that much money. Folks need to wake up and be scared shit less. Everything spies on you, your pace maker, your fitbit, your car, your TV, your fridge, watch. 1984 ain't got shit on this! :-(
I wonder how many of these Vizio TVs are in government offices, recording and selling their IPs, pixels, preferences and schedules.
Remember, it's not just broadcast, it's also from DVD players. Anything displayed.
And I wonder who's buying, and then correlating IPs and devices, besides the obvious advertisers. The potential for espionage and extortion is interesting.
"That's an interesting fetish you got there, Mr third or fourth down on the org chart who does the actual day to day running of the agency. It'd be a shame if it was to be ... exposed."
I got a supposedly "smart" TV at a ludicrous price the other day, maybe because there are already surplus units that nobody wants? It's a Roku/Sharp combo thing so there are no numbers on the remote either, but the UI is actually pretty darn good.
And no, I would never connect my cheapo TV to the Internet. Come on.
There is a comment on this article basically saying, "I bought a Vizio TV, later my email, bank account, and facebook got hacked, and now I know why." Shows roughly the understanding of these issues for some people.
Wow, those punishments are pathetic for sampling private movies you watched (e.g. porn) on your TV and funneling that information off with IP address to advertisers.
Consumers want the best service at the cheapest price. Producers want to maximize the profit on products and services. Advertisers want the best return on investment for their ad dollars so they also maximise profit.
This are fundamental thruths of the market. It's why Google and Facebook are behemoths.
The only way to win the game is precision tracking, addictive services and building good models of customer behavior for advertising.
On a similar note, can anyone here speak to the hidden audio signal that is broadcast over the air with things like sporting events?
I noticed it once when Google Now knew instantaneously that I was watching a specific NFL football game and began displaying the score. It felt magical but after a little research there are hidden frequencies that reveal this information.
How are fines that are as little as this supposed to deter future companies from sketchy collection practices? One can only assume they made more than $3.7M selling illegally collected data.
There's no incentive for companies to do better and not be shady. It pays to roll the dice and see if you get caught. If you do just say sorry and pay a small fine.
If they were aggregating and selling this information to television networks, as a better way of measuring how many viewers a show had, I would be okay with that. It may help keep some of my favorite shows on air. But to sell my individual viewing habits with my IP address? Not okay.
With Vizio and other Dolby HDR compatible TVs you'll have to keep it connected if they intend to get firmware updates. I wonder which TV will be ideal for purchase, now that Samsung and Vizio have been caught hoodwinking their customers.
only reason, with Vizio, is if you buy a 4k HDR TV thats Dolby HDR compatible and a year or two later HDR 10 becomes the standard and Dolby HDR dies, then Vizio 'can' update the TV to be compatible with HDR 10.
Otherwise, its safe I guess to keep it disconnected.
I'm conflicted about updates. On the one hand, people screaming "but security!!111~1" have some pretty good points - especially when talking about internet-connected devices. On the other hand, shit used to work out of the box in the past, and most updates that are not security patches seem to only introduce useless crap and bloat software more.
I wonder how many meetings were called at other manufacturers when this went public, both to check on what they themselves were doing, and to make plans to stop doing it where relevant.
It's called Smart Interactivity and it's so far tucked away it's blatantly obvious they intended to hide it. As I recall it was in the 'System Reset' menu for some inexplicable reason.
Yah but Trump's going to get rid of the FTC and regulations that get in the way of business, such as spying on you and selling your watching habits and personal info to a bunch of other companies.
Now that we know what they did the class action lawsuits should follow. If your concerned about privacy don't connect your TV to the Internet. Treat it like the dumb screen it's supposed to be and just cast or route content to it.
Not sure what I can answer but for years my company worked on an Automatic Content Recognition project using tools from a team called Cognitive Networks who were bought by Vizio and makes up the tech that did this. If I understand correctly the founder of Vizio kept this tech for himself in the sale of Vizio.
When developing this we would work directly with Cognitive checking sync'd apps. We knew for a long time that they could see our content in their office while we tested.
Note LG got caught on this about 2-3 years ago and made ACR apps opt-in which pretty much killed it for LG.
AFAIK Samsung never did the exact same thing a bunch of providers saw the writing on the wall and dumped this sort of technology a few years back. It had some really cool applications for interactive sync to broadcast apps but the privacy concerns killed it for a lot for a lot of manufacturers.