The internet came by storm. Yes, for years it wasn’t accessible to the major populace, but over time it found its way into the office, school, home, and now more specifically into the living room. With the evolution of the internet came few rules. In came the market makers who began to define basic expectations of online privacy, which were next to nothing. Google and Facebook use data collection and user analytics to drive their company profits. It isn’t only the major software, but also phone carriers and internet providers who are the conduit for data access. They use their limited competition to set the boundaries on what user data to collect. Currently, the European Union is the most notable in consumer privacy endeavors.
Smart TVs have been around for a while, but the market for post-purchase monetization has revved up in the past several years. The increasingly affordable TV sticker prices aren’t solely due to cheaper materials, but from a market change by selling devices at a lower price with the expectation of making up for the tight profit margins with post-purchase data collection. This perverse business model is now the default, as finding a ‘dumb’ TV without any internet capability is next to impossible.
My smart TV from 2011 uses an Android OS, and updates for the device were discontinued years ago. While I could continue to use some clunky functioning streaming apps on the TV, I instead chose to disable internet connectivity and plug a streaming device into the TV. This solution works for any smart TV today. Obviously, you are trading one data gathering device for another. The difference is that TV operating systems have been able to easily slide under consumers’ radars while bigger streaming device companies such as Amazon, Google, Roku, or Apple at least tend to get some scrutiny than say the operating system on a Samsung, TCL, Sony, or any other internet-connected TV.
Data Collection through Automatic Content Recognition
Data collection from smart TV’s is done through Automatic Content Recognition (ACR). The technology can track what is playing on the screen based on fingerprinting and watermarking techniques. Fingerprints we know are unique to an individual, and similarly audio content can be identified by distinct patterns already known and stored in a database. This allows for audio content recognition even if played on different mediums or acquired from separate sources, such as watching on a streaming service or from cable. Digital watermarking instead uses tags in the video content that are invisible to the user but can be detected by an ACR system. If you are streaming Netflix, watching a sports game via cable, or playing a movie, then an ACR system can pick that up.
Consumer Reports
As Consumer Reports points out, consumers who choose to decline at TV’s privacy policy will often have the internet functionality disabled and therefore can’t use any of their smart TV features. So, either you give the TV access to your viewing content through ACR detection, or you don’t get to access the full benefit of your smart TV purchase. Consumer Reports has another great article documenting how to turn on privacy controls for different TV brands. In addition, Mozilla has several reviews on streaming devices that you may find helpful.
With all this of this brought to your attention, would you decide to disable your smart TV features? Likely not, considering you purchased the TV in part because of those features. You shouldn’t be put in this ‘either or’ situation, but with weak consumer privacy protection worldwide (barring GDPR members to some extent) being dismal, that is the state we are in.
Microphones and Cameras
A more nefarious element of smart TV’s is the integration of microphones and cameras. Not only have you opened up a window to TV manufacturers of what you watch and listen, but you are now inviting them into your home life as they can potentially listen to or watch you. Even worse, attackers who hack into your TV could gain this access. The Malicious Life podcast covers this extensively. A big takeaway is that that Internet of Things (IoT) devices are becoming more prevalent, and unfortunately with how personal computers were in the early day, security has been an afterthought. Smart TVs are computers, but they have had less scrutiny than they deserve. While our phones have cameras and microphones, they are at least continually updated, tested for bugs, and used by billions of users with basic expectations of security features. Government security agencies and private firms focused on finding exploits may discover vulnerabilities, but that will always be inevitable. What differentiates smart TVs from a smartphone or PC is oversight. There simply aren’t enough eyes on these TV operating systems.
History of Smart TV Incidents Thanks to the Malicious Life Podcast
- 2014 – Wikileaks released papers on the CIA and M15 jointly developing malware code-named “Weeping Angel” to exploit vulnerabilities for Samsung smart TV’s F-Series models. By plugging in a USB into the TV they could record audio from the microphone in the remote.
- 2016 -FLocker Ransomware initially targeted mobile devices but later began to target smart TVs
- 2017 – Vizio was fined by the Federal Trade Commission for tracking TV owners viewings and selling the ACR acquired data to advertisers
- 2018 – ADB.Miner, a cryptominer, discovered to use Android devices including TVs to mine Monero
- 2020 – Researchers discovered several vulnerabilities on TCL TVs. One that allowed an attacker read/write privileges on the TVs file system by accessing the device through an open port. It was even possible to access the TVs remotely outside a local network.
This blog post drills down to two main issues: privacy and security. We can’t expect privacy improvements until the TV manufacturers feel pressured enough to do this. As voting with your wallet is near impossible when the standard is to use ACR technology for post-purchase monetization, the actual change will likely arrive from government legislation. The EU with their GDPR regulation has led the way, and the California Consumer Privacy Act (CCPA) is a good framework to mirror onto the rest of the US, but regulation will likely need to push further if consumers are to expect a modicum of privacy from their smart TV purchase. In addition, smart TVs like other IoT devices are in their infancy when it comes to security. Hopefully, in the future, we will see proper investment for security in TV operating system designs and hold companies responsible for poor security practices.
What Should I Do If I Own a Smart TV?
You have two choices when it comes to privacy.
- Use the smart TV features and accept the privacy incursion.
- Disable the internet on the TV and connect a streaming device.
Now, selecting option 2 doesn’t resolve all your privacy issues, it just shifts it to another device. Ultimately, you need to pick your poison and go with it. The Firefox ‘privacy not included’ website has reviews on streaming devices and gives Apple TV and Google Chromecast better marks over Roku and Amazon Fire TV.
If you go with option 1 you can at least take a few steps to enhance your privacy and security. If possible, see if you can opt out of data gathering. There might be some options even if you are still required to have ACR active. In addition, check if there are any software updates, as those may be addressing newly discovered security vulnerabilities.
A third option not mentioned is for those a bit more tech-savvy. With enough networking knowledge, you may consider putting your TV on a separate subnet so that it cannot communicate with other devices in your home network, as that will at least add a small additional security gap-stop. Privacy-wise, you can try to pin down how the TV is exporting its ACR data and see if it is done on a separate port than other services used on the TV. That port can then be blocked without the TV losing its smart TV capabilities. That though could be time intensive, may not work, and ultimately is a fix for something that should not be a problem to begin with.