Given smart TV privacy risks, you might be better off with a ‘dumb’ TV

Posted on January 13th, 2020 by in Privacy deep dives.

Illustration of smart tv monitoring its users' data.

 

Smart TVs are essentially televisions that can watch you. Their surge in popularity, along with smart speakers, means corporations (and anyone that can hack these devices) have another window through which they can view your private activity. The data collection that typifies the Internet is spilling over into your offline life — and invading your home.

This expansion of corporate surveillance to encompass your TV viewing undermines the effort to create a more private Internet. Your privacy is only as strong as your weakest link, which means your efforts to keep your browsing data private could be undone if corporations can accumulate similar data by monitoring your TV viewing habits.

We’ve prepared this article to help you understand how smart TVs spy on you and what steps you can take to stay private. 

What is a smart TV?

Smart TVs are Internet-connected television sets that support a range of apps, from Amazon Prime Video to YouTube. Many smart TVs have also incorporated voice recognition and video cameras so that you can give vocal commands to your television or use it for video chatting.

Smart TVs monitor what you watch, similar to streaming services like Hulu, Netflix, and YouTube, but they take it a step further. They typically use a system called automatic content recognition (ACR), which captures a section of pixels on your screen every few seconds. It then sends these pixel “fingerprints” to a third party that acts somewhat like a Shazam for video. It can quickly identify whatever program you’re watching, whether it’s a personal DVD, live television show, or a YouTube video. In addition to this information, smart TVs add the date and time you watched this program, the channel the show was on, and whether you recorded it. This information is then used, just like your online history, to inform advertisers which ads would be most effective to target you with.

Privacy concerns

Your television viewing habits can reveal almost as much about you as your Internet browsing history. Advertisers can determine your political preferences, wealth, and location from this type of data. The FTC considers your TV viewing history sensitive data that requires your express consent before it can be collected, putting it in a protected category in the US, alongside personal health and financial data.

Another privacy issue arises with how smart TVs share this data. When they sell your TV viewing history to advertisers and third parties, they link it to your WiFi network’s IP address. With this information, advertisers can link your TV viewing history and your browsing history, meaning they have eyes on you throughout the majority of your leisure time. This also means they can follow you from device to device, ensuring you see the same ads over and over.

The business plan of smart TVs represents a dramatic expansion of corporate surveillance, which is why many smart TV providers have, time and again, tried to cut corners and obfuscate their data collection.

When corporations abuse smart TV data

Here are just a few of the privacy scandals involving smart TVs.

Hidden data collection

Vizio is one such company that never informed its users about data collection, and as a result, never gave them a choice. Between 2014 and 2017, it sold smart TVs (and updated older smart TV models) that automatically used ACR to monitor what its users were watching without their knowledge. In 2017, there were upwards of 11 million Vizio smart TVs tracking all their customers’ viewing histories.

Vizio was caught in 2017 when the Attorney General of New Jersey filed a complaint with the FTC, alleging that Vizio hid the details of its data collection from its users. There was no mention of data collection in its privacy policy. The only place where Vizio mentioned that any data would be collected was in a supplement that explained its “Smart Interactivity” feature. Even here, the language was vague, stating the feature “enables program offers and suggestions.” Vizio eventually settled out of court and had to pay a $2.2 million fine

A microphone is always listening

Samsung built microphones into certain smart TV models to allow users to change the channel or turn the TV set on with vocal commands. But these microphones never turned themselves off. In fact, in 2015, The Daily Beast discovered that deep in the Samsung privacy policy was the phrase “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” So basically, anything you said within the range of a Samsung smart TV was collected and transmitted to a third party.

Samsung later issued a clarification, stating most of the TVs require users to activate the microphone with the remote control. Concerned users that have a Samsung smart TV with a built-in microphone can deactivate their TV’s voice recognition system (Hi TV).    

Poor technical privacy protections

In 2013, Jason Huntley, an IT consultant, made several shocking discoveries about LG smart TVs and how they were collecting and transmitting their users’ viewing data. First of all, the smart TVs would transmit data on its users even if the user opted out of data collection by turning the feature off. Second, the smart TV would scan any USB drive that was inserted into the TV and record all the file names it found. Third, the smart TV did not encrypt the data it transmitted. Sending data in plaintext means anyone between the smart TV set and LG’s servers could have easily accessed and read the data.

The publicity from Huntley’s post led LG to update its software so that users could opt out of this data collection, something that should have already been an option. 

Secretly share data with Facebook, Google, and Netflix

A September 2019 report from Northeastern University and Imperial College London found that nearly all major smart TV providers and many streaming services, including Amazon’s FireTV and Roku, are sending private personal information to Netflix without informing users. According to the report, almost all the smart TVs they tested sent data to Netflix, “even though we never configured any TV with a Netflix account. This, at the very least, exposes information to Netflix about the model of [the] TV at a given location.” The researchers did not offer a hypothesis for why data is sent to Netflix.

A similar report from Princeton found that 89 percent of Amazon Fire TV channels and 69 percent of Roku channels contained trackers from Facebook and Google that collect information about users’ viewing history and preferences. The data shared also includes information that can uniquely identify and locate specific devices (like your advertiser ID, your WiFi network, and your device serial number). This information was also sometimes transmitted in plaintext (unencrypted).

Smart TVs and security

Transmitting sensitive data in plaintext is just one security vulnerability of many that hackers can exploit in smart TVs. In 2017, a Wikileak document dump exposed the “Weeping Angel” program, in which the CIA and MI5 hacked into Samsung smart TVs and used their built-in microphones to spy on people. While this is the most dramatic example of hackers accessing smart TVs, it is far from the only one.

Also in 2017, security consultants found over 40 zero-day (previously unknown) vulnerabilities in Samsung’s smart TV open source operating system, Tizen. Samsung also sent out (and then deleted) a tweet earlier this year that its smart TV users should run antivirus scans every few weeks.

While security has improved somewhat since South Korean IT security consultant security Seung-Jin Lee showed the many, many ways he could take over a smart TV, there is still a long way to go. The situation is so dire that the FBI sent out a warning on the week of Black Friday, informing customers that smart TVs are not secure. 

What you can do to protect your privacy

US lawmakers are pushing for the FTC to further investigate smart TV manufacturers for violating their users’ privacy, but so far, little action has been taken. The GDPR also protects the data of smart TV users, but they have yet to levy and fines against a smart TV producer. For now, the best way to protect your data is to take matters into your own hands. If you have a smart TV or are considering buying one, here are some steps you can take to maintain your privacy and cybersecurity.

  • Adjust privacy settings: The FTC requires smart TV makers to give you the option to turn this feature off. This can usually be done by navigating deep into your smart TV’s settings. CNET has a guide that covers how to do this for most smart TVs.
  • Do not connect your smart TV to the Internet: Even if you activate the privacy settings on your smart TV, it will inevitably share some data. It will also still be an enticing target for hackers. By disconnecting your TV from the Internet, you effectively are turning it back into a “dumb” TV. If your TV does not give you the option to disconnect from your WiFi network, reset it to its factory default settings. Then, during the setup process, do not enter your WiFi password. 
  • Buy a “dumb” TV: While this is the most straightforward solution, it is becoming more difficult, as smart TVs made up 70 percent of television sales in 2018. To buy a TV that does not have any of the data collection tools a smart TV uses means you will have to buy an older model TV (most likely pre-2017).

Smart TVs may make it easier for you to watch Netflix on a big screen TV, but they represent another brick in the surveillance capitalism edifice. It should concern everyone that Amazon, Facebook, and Google’s insatiable hunger for your data is spreading to other companies. Samsung is also currently moving ahead with plans to use your TV viewing data to feed you targeted ads themselves, in an effort to become the Google of television. Soon, all corporations will be scrambling to secure as much of your data as possible.

This is the world that Proton Mail and Proton VPN are trying to prevent. We work on a subscription business model so that our interests align with our users. Our users trust us because we protect their privacy. If you would prefer to work with a company that gives you control over your data rather than collecting it, sign up for Proton VPN and Proton Mail today.

Best Regards,
The Proton VPN Team

Follow us on social media to stay up to date on the latest Proton VPN news:

Twitter | Facebook | Reddit | Instagram

To get a free Proton Mail encrypted email account, visit: proton.me/mail

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Secure
your internet

Get Proton VPN
Get Proton VPN