
LG says it will push out firmware update for spy TVs, but no apologies - sdoering
http://grahamcluley.com/2013/11/lg-firmware-update-spy-tv/
======
smtddr
Before this update hits, please y'all techies out there - log as much network
traffic as you can. Then update, then compare if you see SSL traffic that
wasn't there before the update. Also compare the DNS requests before & after
update. Oh, and UDP packets too. Basically, just record days' worth of traffic,
before and after, and upload it so people (like me?) with free time can search
for anything suspicious.

EDIT: Okay, for Danieru's & verandaguy's replies to my comment[1], be sure to
set in your wireshark filter "ip.addr == [IP of TV]" so we don't see anything
random internet-folk are not supposed to see. That filter is traffic that is
only coming from or going to the TV. Also Danieru, if your CC is flying around
unencrypted in network traffic... something and/or someone has made a mistake
elsewhere.

EDIT2: I'll also take this time to promote
[http://cloudshark.org/](http://cloudshark.org/) , not because I have anything
to do with the website. I just think it's super cool. You can upload a pcap
file and it'll give you a unique url you can share with others.

EDIT3: It'd be cooler still if you could actually capture the firmware binary
being downloaded to the TV!

1\. [http://i.imgur.com/OHJAPGH.png](http://i.imgur.com/OHJAPGH.png)
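
The before/after comparison suggested in the comment above, as an added example that is not part of the original thread. It assumes each capture was exported to tab-separated text with tshark (command in the first comment lines), uses the placeholder TV address 192.0.2.50, and runs on constructed sample rows.

```python
# Added example (not from the thread). Input: tab-separated rows exported with
#   tshark -r capture.pcap -Y "ip.addr == 192.0.2.50" -T fields \
#     -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport -e dns.qry.name
TV_IP = "192.0.2.50"  # assumption: placeholder address for the TV

def summarize(tsv, tv_ip=TV_IP):
    """Collect DNS names and TCP/UDP endpoints contacted by the TV."""
    seen = {"dns": set(), "tcp": set(), "udp": set()}
    for line in tsv.split("\n"):
        cols = line.split("\t")
        if len(cols) != 5 or cols[0] != tv_ip:
            continue  # malformed row, or traffic not sent by the TV
        _, dst, tcp_port, udp_port, qname = cols
        if qname:  # DNS query: record the name, not the resolver
            seen["dns"].add(qname.lower().rstrip("."))
        elif tcp_port.isdigit():
            seen["tcp"].add((dst, int(tcp_port)))
        elif udp_port.isdigit():
            seen["udp"].add((dst, int(udp_port)))
    return seen

def diff_captures(before_tsv, after_tsv, tv_ip=TV_IP):
    """Return what appeared and what disappeared after the update."""
    b, a = summarize(before_tsv, tv_ip), summarize(after_tsv, tv_ip)
    return {
        "new": {k: sorted(a[k] - b[k]) for k in a},
        "gone": {k: sorted(b[k] - a[k]) for k in a},
    }

def rows(*records):
    return "\n".join("\t".join(r) for r in records)

# Constructed sample rows (documentation addresses and example domains).
BEFORE = rows(
    (TV_IP, "192.0.2.1", "", "53", "time.example.net"),
    (TV_IP, "198.51.100.10", "80", "", ""),
    (TV_IP, "203.0.113.7", "", "123", ""),
)
AFTER = rows(
    (TV_IP, "192.0.2.1", "", "53", "time.example.net"),
    (TV_IP, "192.0.2.1", "", "53", "stats.example.org"),
    (TV_IP, "198.51.100.20", "443", "", ""),
    ("198.51.100.20", TV_IP, "50000", "", ""),  # reply to the TV: ignored
    (TV_IP, "203.0.113.7", "", "123", ""),
    (TV_IP, "203.0.113.9", "", "5000", ""),
)

if __name__ == "__main__":
    for kind, items in diff_captures(BEFORE, AFTER).items():
        print(kind, items)
```

New entries under `tcp` with port 443 are the "SSL traffic that wasn't there before" case; entries under `gone` show endpoints the TV stopped contacting.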

~~~
voltagex_
Is it assumed the update will be OTA? For Sony TVs it can be put on a USB
stick - which means there's a binary to reverse.

------
codeulike
"I think my TV is spying on me."

90's: "You should talk to a psychiatrist."

2013: "You should talk to my cousin Ernie, he's an IT whiz."

via
[https://twitter.com/kennwhite/status/403584069923270656](https://twitter.com/kennwhite/status/403584069923270656)

Says something about what's happened in technology and privacy over the last
few decades.

------
jrockway
_Information such as channel, TV platform, broadcast source, etc. that is
collected by certain LG Smart TVs is not personal but viewing information._

Wrong. If you would otherwise have to be in my house to know something, what
you have is personal information.

~~~
mikeryan
(please note I'm not excusing LG just trying to parse the double speak)

So in FCC land cable operators know what you watch, their box is tuning to it
and they're able to log this information for diagnostic purposes. They're also
allowed to share some of this information as long as it's not personally
identifiable information. IE "2000 people viewed CSI NY" not "J. Rockway from
123 Main St. viewed CSI NY".

They're trying to make the distinction here (though doing it poorly) likely to
save themselves some privacy complaints later.

~~~
ams6110
I have to admit being a little surprised about the uproar over the LG
situation when I assumed it was common knowledge that cable/satellite
boxes/DVRs are sending your viewing data back to the operating company.

~~~
Nick_C
> DVR

Which DVRs? Mine had better not be doing that.

------
pbhjpbhj
" >> although the data is not retained by the server.

>Well, that’s something I suppose. Although presumably it is retained for
_some_ period of time, otherwise how would the adverts and recommendations be
possible? " //

So, basically they flat-out lied about the data retention.

If the UK Information Commission doesn't apply the largest fine ever recorded
it will show they're entirely toothless.

When will government stop protecting the financial interests of mega-corps and
start doing something to favour the _demos_?

~~~
nl
_> Well, that’s something I suppose. Although presumably it is retained for
some period of time, otherwise how would the adverts and recommendations be
possible? " // So, basically they flat-out lied about the data retention._

That isn't the case. The system could build a representation of the viewer's
preferences when the data is received, then discard the data. That means the
data isn't retained (for any normal definition of "retained").

~~~
pbhjpbhj
It does hinge on the definition of retention - but the definition here is to
contrast not being retained at all. So even retaining it long enough to digest
it (which IMO is still data retention) is to be considered retention because
the claim is that there is actually no retention at all.

~"Data is not retained" here should mean something like the port that data is
being sent on is closed, or the packets input on that port are dropped by a
firewall.

Minimal retention is still "retention".

~~~
nl
Your terminology may make sense to you, but it isn't commonly used or
understood that way.

The more common term for what you describe is "processed".

Additionally, there are legal issues around that definition. For example,
redefining "retention" to really mean "processed" means that things like
proxies may suddenly become liable for things like copyright violation.

~~~
pbhjpbhj
A proxy or cache doesn't substantively process the data. Here they are
processing it if they are constructing anonymised models from it as you
suggest may be the case. If they're processing it then they need to retain it
long enough to perform those operations.

In the case at hand if they're processing it then they've "retained" it long
enough to do that which is contrary to the spirit of the statement that it was
'fine that data was being sent to them as they weren't using it'. They used
different words but this is the point of contention.

Either they discarded the data without further processing, amalgamation,
statistical analysis, model construction, archiving or anything else or they
used the data.

If they used the data in any way then it's a constructive lie even if there is
some weaselling way in which their statement can be construed to be true.

------
joering2
I don't know about others, but I don't need a stinking apology. I need to stay
away from LG as a company per se, and it's great timing because this
Thanksgiving I'm getting an 80" TV, and trust me, it WILL NOT be from LG.

Hope LG made up the $ difference by selling customers' info, or whatever else
they do/did/continue doing with this data.

~~~
ams6110
Apologies after getting caught are never genuine anyway, I don't know why it's
gotten so trendy to call for people to "apologize" all the time, how about
holding them accountable for the bad thing they actually did?

------
katowulf
Le sigh. "Regrets concerns the reports may have caused" but yanno, not the
oops, privacy didn't matter to us. LG: The place where customers are still
numbers and lawyers get to write the press releases?

~~~
patrickholness
What the hell does 'le sigh' mean?

~~~
freehunter
It's a reddit rage comic thing.

~~~
kibibu
No, it's a Pepé Le Pew thing

------
magic_haze
I think I should set up wireshark on my network asap. I never used my TV's
"smart" features, and the only reason I even have it connected to the network
is for its youtube app (because building a youtube app for roku apparently
takes longer than building a rocket that can land itself...)

Also, I'm fairly sure my roku is sniffing my netflix usage as well: I recently
started seeing ads on the roku start page for TV shows and movies that I'd
just watched on netflix: has anyone else seen this behavior?

~~~
ams6110
If advertising is involved, it almost certainly is sniffing everything it can.

------
CWuestefeld
_even when this function is turned off by the viewers, it continues to
transmit viewing information although the data is not retained by the server._

Does anyone buy the claim that their servers weren't retaining the data?

For this to be true, the TV would need to transmit to the server a
notification that data should no longer be stored. While it's possible, I find
it implausible that they would go to the trouble to do all of that, rather
than just make it a simple client-side switch that just stops transmitting the
snooped data.

~~~
sesqu
They mean they haven't put the data received so far into long-term storage,
because the feature wasn't considered to be in production. This is consistent
with the initial report.

So to make this true, they just need to wipe their logs and not set up the
database until the firmware has been pushed out.

I do wonder if erasing those logs would violate the data retention directive,
though.

------
chrsstrm
Notice how it doesn't explicitly say that it's an OTA update to cover TVs
currently in use. It also doesn't say if it will happen automatically in the
background or if the user will be prompted to update (or not). Given how close
it is to Black Friday, what are the odds that the update doesn't roll out
until well after Christmas, when all those new TVs are plugged in?

------
chadwickthebold
Love the (metadata) buzzword thrown in. This is complete crap.

~~~
cjfont
Yes, it seems that is the new word companies and governments are now using to
describe data that isn't quite as sensitive as other data and thereby OK to
collect.

------
roberthahn
Serious question to those of you with networked TVs: why is your TV even on
the network in the first place?

~~~
stonemetal
Netflix without a device like a roku attached.

~~~
roberthahn
Thanks. I have an Apple TV; I hadn't even considered the possibility for the
TV itself to support services like Netflix.

------
wirrbel
Are there any reports on other LG devices such as bluray players?

------
talles
lol @ the example they used: "Midget_porn_2013.avi".

------
mariuolo
Then they can keep their TVs as well.

Shameless.

------
shooper
I guess this is why class actions are sometimes good. Even though the lawyers
are the ones that enrich themselves, at least the company suffers the monetary
cost so that it will think twice before repeating such shenanigans.

