
Samsung Global Privacy Policy - SmartTV Supplement - tscherno
https://www.samsung.com/uk/info/privacy-SmartTV.html
======
patcheudor
I recently collected a bug bounty from Samsung on a crypto implementation flaw
I found in some of their software. The fix is still being rolled out and given
the impact I'm not going to disclose right now, rather I'll let Samsung handle
that when the time is right. Anyway, the team at Samsung was responsive and
they seemed like they genuinely cared about security. However, based on what
I've seen in their products and those from their competitors the first thing I
would do is pen-test the voice recognition feature, then turn it off no matter
the outcome. The fact is, if it must communicate with a back-end server to
work, then it becomes incredibly hard to lock the solution down. Even if the
TV is properly validating the public cert of the server when doing the TLS
handshake, there's got to be a mechanism on the TV for updating the trusted
root store because at the end of the day, certs need to expire and thus must
be updated. On a few non-Samsung smart TVs I've looked at over the years,
updating the trusted root store on the TV is as "easy" as man in the middling
(MitM) the network the TV is on so that web traffic goes to a site I own which
has a link to the my.cer root CA that I generated and am using in my TLS MitM
solution. From there I just bring up the web browser on the TV, click on the
my.cer link and go through the prompts to install the root CA. After that
point all traffic from the TV can be decrypted on the wire.

Now it is fair to say that the attack I just described requires the ability to
MitM the network and have physical access to the device, however, remember
that these TVs use an IR remote & all an attacker needs is visual access to
the TV. If it can be seen through a window it can be controlled through a
window and these things typically don't require a password to modify the WiFi
settings. Some smart TVs also have proxy settings which again, typically don't
require a password to modify.

Given what I just covered, think hotel. From a risk perspective that's what
I'd be most worried about. I wonder how many are installing smart TVs with
voice recognition? For all other scenarios basically the situation in many
cases on the ground is that you are secure because no one is targeting you. In
the case of a hotel, someone could be targeting everyone. Such an attack could
prove valuable, especially if done in executive suites near financial centers.

~~~
themodelplumber
Wow. This combined with the fact that economic espionage has been receiving
state sponsorship for a long time now is kind of unsettling. Cell phones are
bad enough, but TVs...and really anything else that can use voice control
(alarm clocks are my personal favorite) could be huge for spies.

~~~
patcheudor
Also imagine how many companies are going to eventually purchase these for
their conference rooms. I imagine some already have. In pen tests my team
always considers how to hide bugs, mostly wireless keyboard sniffers & network
taps these days. These TVs offer the ability to hide in plain sight and with
no out of pocket expense beyond paying Amazon for a cloud service to run a
proxy.

~~~
skybrian
Would a bug be more practical? Then they don't have to worry about which brand
of TV it is.

~~~
patcheudor
It depends. If the target is a high security facility that happens to have
periodic bug & unauthorized WiFi sweeps this could be a great side-channel
vector which could go unnoticed. Of course I'd hope the management of such a
facility would know better than to put a smart TV in a conference room, let
alone hook it up to the network but honestly nothing surprises me anymore.
I've seen older smart TVs in secure areas not connected to the network, but
within a hand's reach of a network port.

~~~
skybrian
That seems like a rather specialized worry since your average hotel isn't
going to do any of this? It seems like you might as well go for a walk in a
park to have any real conversation.

------
amluto
It seems to me that, if you have one of these, you live in a two-party consent
state (e.g. California), and you invite a guest who hasn't clicked the EULA
over, then someone is committing felony wiretapping.

I would love to see a TV vendor prosecuted for this.

~~~
amelius
So how about if somebody in California replies to an e-mail which was sent
from gmail.com?

~~~
jneal
IMO there is no expectation of privacy with email. Maybe only false
expectation. If you go into someone's home and take part in private
discussions, you probably don't anticipate being recorded in any manner.

~~~
threatofrain
I actually think there is a reasonable expectation to privacy, and that most
people, from senators to elementary school teachers, believe that email is
technically secure, meaning that "normal people" could not read their email
even if they wanted to, at least not without resorting to "hacking" or
"spying".

In fact, one might say that email is more secure than normal mail, because
normal mail doesn't have a password and is default delivered to a publicly
accessible mailbox. If a neighbor wishes to invade your privacy via your
email, how do they do so? Probably by entering your password somehow. If that
person wants to steal your physical mail, how do they do so? By walking up to
your mailbox when nobody is looking.

Also, email at least has a very plausible chance of being encrypted; even if
you don't know what that means, your workplace may be doing it for you. But
companies, including financial or accountancy firms, don't encrypt physical
email to their customers.

I think most reasonable people have the belief that email is safer than mail,
and in 2015 I think they might be right.

~~~
Spooky23
Many people believe that the world is flat. Doesn't mean that it is.

There has never, ever been any expectation set that internet email is private.
There have been many examples in the broader media that show how one might
compromise email. Also, you have no way to assess the quality of the email
service provider, network provider, or client environment.

Postal mail is more secure for 99% of the public for several reasons,
including:

- A paper envelope is tamper-evident. My dad used to correspond with radio
operators in the Warsaw Pact... envelope tampering was trivial for me to
detect as a 5-year old.

- Stolen mail is stolen. You don't get the message. Detecting a pattern of
missing mail is pretty easy.

- If you're not a police organization, tracking postal mail metadata is
risky. Bystanders will notice somebody rifling through a mailbox every day.
There really isn't a way to surveil outbound letters.

- It's a serious felony to tamper with mail. Linking physical mail theft to a
perpetrator is pretty straightforward. Also, Postal Inspectors take mail
integrity very seriously, sometimes too seriously. With electronic crimes, you
probably have a 1/100 chance of finding a cop who understands your complaint
AND has the means to do anything about it.

- It's much easier to implement physical security practices/procedures that
keep secrets transmitted by mail secret than via digital means.

~~~
vertex-four
> There has never, ever been any expectation set that internet email is
> private.

When I send an email to somebody, I _do_ expect that no human other than the
recipient will read it, and that automated processes do not attempt to divulge
meaning from its contents past that required for advertising (and that data is
used for no reason other than advertising).

I expect that it _might_ be read by the police with a warrant, as with
anything else. I also expect that any post I send might be read by the police
with a warrant - resealing an envelope is actually easy, and worst case
scenario, they could simply use another envelope and copy the addresses and
stamps, and I'd be none the wiser.

The technical ability to read my email has little/nothing to do with my
expectation of privacy. Technically, someone could read all my mail with ease
(it gets delivered to my apartment's hallway where anybody could pick it up),
but I still expect that people will not do that. They could also read RF
emissions from my apartment to figure out what I'm typing just now, and IIRC
that's a violation of privacy.

~~~
Spooky23
I get it, it's 2015 and paper mail feels old hat. So waving away and
dismissing concerns about the vulnerability of email feels like the right
thing.

Do you affirmatively know that every email that you've ever sent isn't an
account managed by a third party (like an employer) whom the recipient has
ceded (or shares) control of their mailbox to?

Any employer can trivially read email, and many do so routinely. Most people
allow for the sharing of devices in the household... So the spouse and kids
can probably access the computer pretty trivially. That's two trivial examples
that don't involve spy stuff or conspiracy theory.

You cannot access postal mail without a warrant or physically stealing the
mail. Once received, you can physically destroy or secure it.

~~~
vertex-four
> Do you affirmatively know that every email that you've ever sent isn't an
> account managed by a third party (like an employer) whom the recipient has
> ceded (or shares) control of their mailbox to?

They could also send my post to them off to a processor for whatever reason.
When I give my personal details to my ISP, they could sell them to
advertisers. I expect that they will not, and feel violated when they do.

> Any employer can trivially read email, and many do so routinely.

If I'm sending an email to a UK employee, they in fact cannot legally do so in
the general case - doubly so if it's a personal email.

> So waving away and dismissing concerns about the vulnerability of email
> feels like the right thing.

No, but there's a point to be made that just because something is _possible_
and _easy_ does not mean it should be _legal_ or even _right_, nor that
people should expect it to happen. If it were something I really wanted kept
secret, I'd encrypt it - but most things I email are, while not things I would
necessarily want public, not life-destroyingly secret either.

I don't expect or want to be tracked everywhere I go in public either, but I
don't wear a mask to ensure I can't be. On the other hand, perhaps I might
want to do so in some circumstances because the stakes are higher.

------
imgabe
> You may disable Voice Recognition data collection at any time by visiting
> the “settings” menu. However, this may prevent you from using all of the
> Voice Recognition features.

from here: [https://www.samsung.com/uk/info/privacy-SmartTV.html](https://www.samsung.com/uk/info/privacy-SmartTV.html)

So, disable it. I don't understand everybody's fascination with voice
recognition. I don't find it more convenient at all. I'd much rather just push
a button. It's really not that complicated.

~~~
wodenokoto
Right now it isn't so useful, but once stuff like "put on that Wes Anderson
movie where they ride on a train all the time" becomes useful, I see why voice
might be preferred over a button, especially in China, where voice search
already has a big share of all search.

But I agree. I'd much rather have a dumb tv and upgrade my attached boxes.

~~~
maccard
> But I agree. I'd much rather have a dumb tv and upgrade my attached boxes.

So you trust the manufacturer/software provider of your attached box more than
that of the TV?

~~~
wodenokoto
I get to choose box separate from screen. Means I can get a box with
microphone if I trust the company, or one without if I don't.

What I don't like is paying for smart tv features that don't work or don't
trust just to get a screen. Maybe the company that makes great screens makes
untrustable smart tv features, and maybe the open source smart tv of the
future sits in a crappy screen.

More probably the smart tv features get outdated before the screen.

------
yaddayadda
English translation:
[https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fnetzpolitik.org%2F2015%2Fsamsung-warnt-bitte-achten-sie-darauf-nichts-privates-vor-unseren-smarttvs-zu-erzaehlen%2F&edit-text=&act=url)

~~~
stuaxo
[https://www.samsung.com/uk/info/privacy-SmartTV.html](https://www.samsung.com/uk/info/privacy-SmartTV.html)

Here is the relevant part: "Please be aware that if your spoken words include
personal or other sensitive information, that information will be among the
data captured and transmitted to a third party through your use of Voice
Recognition."

This must be a data protection violation?

------
hughlomas
I think Amazon's Echo device is doing this the proper way, which "uses on-
device keyword spotting to detect the wake word. When Echo detects the wake
word, it lights up and streams audio to the cloud". It seems like a technical
or design failure on Samsung's part to not feature similar functionality.

~~~
azernik
Also Google Now (for devices that are always listening for the "trigger
word"), where your phone will make a very distinctive noise and pop up a
screen to indicate that it's listening.

------
Animats
_"Please be aware that if your spoken words include personal or other
sensitive information, that information will be among the data captured and
transmitted to a third party through your use of Voice Recognition."_

_"Your SmartTV is equipped with a camera that enables certain advanced
features, including the ability to control and interact with your TV with
gestures and to use facial recognition technology to authenticate your Samsung
Account on your TV."_

We've come so far since Orwell's "telescreen" in "1984".

_"Big Brother is watching YOU."_

~~~
huxley
The telescreens in 1984 were two-way, it was mentioned in the scene with the
exercise instructor:

"‘Smith!’ screamed the shrewish voice from the telescreen. ‘6079 Smith W.!
Yes, YOU! Bend lower, please! You can do better than that. You’re not trying.
Lower, please! THAT’S better, comrade. Now stand at ease, the whole squad, and
watch me.’

A sudden hot sweat had broken out all over Winston’s body. His face remained
completely inscrutable. Never show dismay! Never show resentment!"

------
brianpetro_
This immediately brought to mind Orwell's telescreens.

[http://en.wikipedia.org/wiki/Telescreen](http://en.wikipedia.org/wiki/Telescreen)

~~~
0942v8653
Here's an article actually comparing the two:
[http://www.brennancenter.org/analysis/im-terrified-my-new-tv...](http://www.brennancenter.org/analysis/im-terrified-my-new-tv-why-im-scared-turn-thing)

------
jsilence
Given that voice recognition is possible offline on a RaspberryPi Version 1
[1] I'm wondering why they have to send the recorded audio to the cloud in the
first place.

[1] [https://jasperproject.github.io/](https://jasperproject.github.io/)

~~~
lotu
Cloud based versions work significantly better. They are able to put perhaps
10,000 times* more processing power into recognizing what you said. They are
better able to deal with different people, background noise, and thick accents.
When you are making a consumer device this is critical.

*I pulled this number out of the air

~~~
nl
Android voice recognition can now be used offline[1]. You download the trained
recognition model (which took much, much more than 10,000 times more
processing power to train), and then it works without a network connection.

[1] [http://androidwidgetcenter.com/android-tips/how-to-use-offli...](http://androidwidgetcenter.com/android-tips/how-to-use-offline-speech-recognition-in-jelly-bean/)

------
_asummers
As far as networking is concerned, what should I google for separating a
device like this onto its own internal private network? I have devices that I
want to whitelist traffic for while not affecting other devices in my home.

~~~
jsjohnst
I'm not sure how technical you are (this isn't a simple subject to implement),
but I'd look into "managed switches" (to enable classifying traffic from
specific ports, aka one the TV is plugged into), "VLANs" (what the switch uses
to "segregate" traffic), "policy based firewall" (allow you to be explicit in
what traffic is allowed or not, two examples you might look into being pfsense
and mikrotik).
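
An added example (not part of the comment above, and not jsjohnst's own configuration) of the VLAN plus policy-firewall setup it describes, written as an nftables ruleset for a Linux router rather than pfSense or MikroTik. The interface names, VLAN IDs and the allowlisted address range are hypothetical placeholders; the managed switch is assumed to tag the TV's port into VLAN 30.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny policy for a TV on its own VLAN.
# All names and addresses below are assumptions, not values from the thread.

define TV_IF  = "lan0.30"   # VLAN 30 sub-interface (switch port the TV is on)
define LAN_IF = "lan0.10"   # VLAN 10: the trusted home network
define WAN_IF = "wan0"      # uplink to the ISP

table inet tv_isolation {
    # Destinations the TV may reach. 203.0.113.0/24 is a documentation
    # range used as a placeholder; replace it with the endpoints you
    # decide to permit for your device.
    set tv_allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN is unaffected: it may reach the internet and
        # may open connections to the TV (e.g. for casting).
        iifname $LAN_IF accept

        # The TV may only open HTTPS connections to allowlisted hosts.
        iifname $TV_IF oifname $WAN_IF ip daddr @tv_allowed_v4 tcp dport 443 accept

        # Everything else from the TV VLAN, including any attempt to
        # reach the trusted LAN and all IPv6, is logged and dropped.
        iifname $TV_IF log prefix "tv-vlan-drop " counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # The TV needs DHCP and DNS from the router itself, nothing else
        # (no access to the router's admin interface).
        iifname $TV_IF udp dport { 53, 67 } accept
        iifname $TV_IF tcp dport 53 accept
        iifname $TV_IF counter drop
    }
}
```

The "tv-vlan-drop" log lines show which destinations the device tries to reach, which is the input you need when deciding what to add to the allowlist.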

~~~
_asummers
Thank you!

------
ChuckMcM
Interesting, there is the vocal recognition thing but the camera equipped to
do facial recognition is much more worrisome. Check into a hotel room wearing
a ski mask, sneak up to the TV and put tape over the camera if you can find
it.

Nothing like downloading the facial recognition features of Carmen San Diego
into all the hotel TVs in a country to see where she is staying.

License plate readers don't hold a candle to this. Now to check to see if
every Samsung TV coming into the US has to go through 'special customs
checking' ...

------
frik
It's not only Samsung Smart-TV but all cloud-based speech recognition
products, right?

(Nuance/Apple Siri, Microsoft Cortana, Google Now, IBM Watson Speech, Amazon
Echo, LG-Smart TV, etc.)

From a consumer perspective you want an offline speech product like Nuance
Dragon NaturallySpeaking:
[http://en.wikipedia.org/wiki/Dragon_NaturallySpeaking](http://en.wikipedia.org/wiki/Dragon_NaturallySpeaking)
(it's the same technology that powers Nuance cloud based products like Apple
Siri, IBM Watson, etc.)

~~~
cbr
Most of those products locally recognize an activation command: "hey siri",
"ok google", "alexa", ... and then send the next phase to the cloud for
interpretation. With Samsung's Smart-TV, however, it sounds like everything
you say is uploaded so that they can recognize "Channel Up", "Smart Hub" etc.

~~~
stevep98
Yeh, you'd think that based on all the comments you read here.

But, if anyone commenting had actually used one of the new Samsung smart TVs
with this feature, you'd see that this is being blown out of proportion.

The TV isn't even listening for a keyword. It's waiting for you to press a
button on the remote. The microphone for voice control is actually in the
remote itself.

Samsung Smart TV remote with Voice button:
[http://goo.gl/DkgWPb](http://goo.gl/DkgWPb)

I would caveat the above by saying that the TV may also have a microphone in
it, because I have noticed that when you use the built-in skype app, the
camera does a cool digital/zoom to highlight whoever is speaking, which it
probably does either with a microphone array, or moving-lips detection in the
camera. The camera, by the way, can be physically disabled when not in use, by
pushing it into the TV.

~~~
bgruber
The Samsung TVs do perform voice recognition through the mic on the TV as well
as on the remote (well, at least mine, which is a couple years old, does).
Even if you have the voice recognition setting turned off, the one on the
remote still works by pressing the button.

The non-remote one does use a trigger word ("hi tv" by default) and it
definitely does that processing locally (I know because I disconnected my TV
from the internet and tried it). Basic commands ("channel up" etc) also
worked. I don't know what else to try to figure out when it goes out to the
internet. I'd also add that the camera/microphone have a very visible hardware
off (which I keep off, because life is too much like 1984 already).

Again, this is a 2013 model.

------
api
Why is the cloud required for speech to text when a four core ARM SOC is under
15 dollars? My Commodore 64 had good text to speech, and Dragon was doing
speech to text on 90s PCs. I don't get the technical rationale.

~~~
DanBC
You needed to train Dragon and you needed to calibrate the microphone.

People talking to control their TVs want to be able to just talk. Thus,
instead of training the software you offload that training to the cloud and
massive computing to do it.

I agree that the tv setup could include a bit of voice recognition training.
But then the TV only changes channels if Ann asks it to. Bob's out of luck, he
has to use the remote.

~~~
api
Ahh... that explains it a little more... though I don't see why you couldn't
just share model data via the cloud instead of actually sending _audio from a
microphone_ directly out to a remote endpoint.

But then again anything with an Internet connection and a mic (laptop, cell
phone, etc.) is a potential spy device with the right malware installed.

------
aw3c2
If you submit things from aggregators, please try to find the actual source
and submit that instead.

Submitted: [https://netzpolitik.org/2015/samsung-warnt-bitte-achten-sie-...](https://netzpolitik.org/2015/samsung-warnt-bitte-achten-sie-darauf-nichts-privates-vor-unseren-smarttvs-zu-erzaehlen/) which links to
[http://martingiesler.tumblr.com/post/110325577280/samsung-wa...](http://martingiesler.tumblr.com/post/110325577280/samsung-watch-what-you-say-in-front-of-our-tvs) which links to
[http://mostlysignssomeportents.tumblr.com/post/110300533107/...](http://mostlysignssomeportents.tumblr.com/post/110300533107/samsung-watch-what-you-say-in-front-of-our-tvs) which links to
[http://boingboing.net/2015/02/06/samsung-watch-what-you-say-...](http://boingboing.net/2015/02/06/samsung-watch-what-you-say-in.html)
which links to
[http://www.reddit.com/r/technology/comments/2uuvdz/samsung_s...](http://www.reddit.com/r/technology/comments/2uuvdz/samsung_smarttv_privacy_policy_please_be_aware/)
which references [https://www.samsung.com/uk/info/privacy-SmartTV.html](https://www.samsung.com/uk/info/privacy-SmartTV.html)

On the other hand, the HN rules suggest doing things like this if you want to
cherry pick a certain aspect of a page...

~~~
sctb
Thank you, we updated the URL of the submission to the original source.

------
Havoc
Has been in the news before. Voice recognition is done on a server farm
meaning it needs to get sent there & possibly get intercepted.

Not ideal but doesn't strike me as a big risk

------
teapowered
It's about targeted advertising - arguing with your spouse? Next ad break we
show you adverts for lawyers.

~~~
lotu
I don't think anyone actually wants to do that. I work in advertising with
video and the people I've talked to don't appear to think this is a good idea.

------
shmerl
A good lesson why one shouldn't use any systems with DRM. People are so upset
about mass surveillance by the government, yet they readily subject themselves
to mass surveillance of DRM systems. Where is logic?

