
Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices [pdf] - pwg
https://tv-watches-you.princeton.edu/tv-tracking-acm-ccs19.pdf
======
randomwalker
Coauthor here. As it turns out, this is one of three papers released
near-simultaneously that uncover the extent of tracking on TVs or IoT devices more
generally. I've written up a survey of the three papers and what I thought
were especially interesting findings, along with some thoughts on why targeted
advertising as a business model for TV platforms is harmful to users:
[https://twitter.com/random_walker/status/1177570679232876544](https://twitter.com/random_walker/status/1177570679232876544)

Direct links to the other two papers:

[https://moniotrlab.ccis.neu.edu/wp-content/uploads/2019/09/r...](https://moniotrlab.ccis.neu.edu/wp-content/uploads/2019/09/ren-imc19.pdf)

[https://arxiv.org/pdf/1909.09848.pdf](https://arxiv.org/pdf/1909.09848.pdf)

~~~
blub
Thanks for your work.

I noticed you include gstatic.com and a subdomain of cloudfront.com in the
tracker domains list. Are these really known to be used for tracking or are
they included because they're controlled by Google & Amazon?

~~~
dictum
I saved the paper for reading later, so this may be already discussed in it,
but enough information leaks through the _Referer_ HTTP header when browsing
the web in a traditional browser.

I've never inspected Recaptcha (on gstatic.com), but it does some degree of
tracking, ostensibly to detect unusual usage patterns and pick who gets to
help train Google's ML models with distorted street objects, and who's never
shown the captcha window.

------
mindslight
In a way, the world of _1984_ was _too humanistic_ - imagining a telescreen
having a camera pointed back at the human viewer, ambiguously judged by
another human viewer. In the current panopticon being built out, surveilling
humans for their poorly-specified human behavior is actually not important.
Rather it's only worth surveilling each human's effects in the technological
realm. The system doesn't particularly care how you lash out, just about which
ways you conform.

~~~
grawprog
Our current world reminds me a lot more of Fahrenheit 451 than 1984. I always
felt it was more insidious. It was a self-induced, self-policing (apart from
the firemen) ignorance, fueled by drugs and technology that kept people
stupid, entertained and complacent. Plus, every time I see someone with a pair
of AirPods I can't help but think of those earbud things they wear while
staring at the giant screens.

------
bravoetch
Installed pi-hole recently and wasn't surprised to see all my devices making
requests to check in constantly.

~~~
RyanShook
Considering setting up pi-hole. Do you think it’s pretty effective against
this kind of tracking or would I just be wasting time?

~~~
grawlinson
It’s effective for _known_ domains; active analysis of your IoT device would
eventually show all communications made.

I find it easier to just put the device in its own VLAN with zero internet
access. Like the author has said, there’s no clear-cut solution.

------
thakoppno
What are your thoughts about server-side ad insertion?

One of your captured URLs in the paper looks like it might be part of a VAST
request, which could lead to SSAI.

