
LG Smart TVs log USB filenames and viewing info to LG servers - Amadou
http://doctorbeet.blogspot.com/2013/11/lg-smart-tvs-logging-usb-filenames-and.html
======
jamesrom
Dear TV manufacturers,

No one wants your shitty software, it's not a competitive edge. No one has
ever been impressed by the software their TV comes with, and for every person
that found your software easy to use, there are a thousand who are still trying
to figure out what that one button does on their remote. You wanna know what
people care about? Picture quality. That's it. That's always been the key.
I don't know why you constantly fail to understand that.

Why can't you just make a dumb screen? You know desktop monitors? Like that.
No sound, minimal software, but if you really want to get fancy, maybe a nice
small remote to turn it on and off. Everything else, from sound to color
profiles can, and have already for years now, be handled by external devices
smarter than you.

If you make this, and you focus on picture quality instead of figuring out
ways to confuse and exploit the customer, I promise you, I absolutely promise
you, every AV nerd I know will buy one. And they will love it. And they will
recommend it, and share it, and buy them for their loved ones. And blog about
it. Tweet about it. Podcast, vlog and sing about it.

And you'll disrupt the old model. You will be the company that brings about
the next revolution in television. You've been looking to do that for so long
haven't you? And while you always secretly knew it wasn't IPTV or 3D that was
going to start the next revolution, what you didn't know is how easy it would
be to disrupt the current incumbents.

The customer is waiting, cash in hand.

~~~
Pxtl
One look at the average TV remote tells you enough about TV manufacturers and
their ability to do any kind of UI design.

Remotes like this:
[http://wardiesworld.files.wordpress.com/2012/11/raspi_samsun...](http://wardiesworld.files.wordpress.com/2012/11/raspi_samsung_remote_actual.jpg)

always remind me of this:
[http://www.codinghorror.com/blog/2006/11/this-is-what-happen...](http://www.codinghorror.com/blog/2006/11/this-is-what-happens-when-you-let-developers-create-ui.html)

~~~
mikeryan
Remotes are incredibly hard to design. My company builds Smart TV apps; we have
just about every remote imaginable, and that Samsung one you chose "just works".
It's like the Nokia 3310 of remotes. You can pick it up and use it without
thinking about it.

Show me a remote that works better than that one and I can probably tell you
why it sucks.

~~~
deletes
Apple remote comes to mind:
[http://support.apple.com/kb/ht3176](http://support.apple.com/kb/ht3176)

I would like to hear your opinion.

~~~
mikeryan
The Apple Remote is solid, similar to the Samsung but without all the keys.

Roku's first remote was very similar but had the same problem - no back
button. If you're going to do interactive apps on your TV you need a back
button and an exit or "home" button - they're two different things. The Apple
remote assumes very limited input almost zero text input so no numbers or
extraneous keys like the color keys.

My favorite remote close to the apple one was the Boxee 1 remote (it too needs
an explicit back button). But the slim, pared down front side design with the
full keyboard on the back was very slick and usable.

[http://old-blog.boxee.tv/wp-content/uploads/2010/01/Boxee-Bo...](http://old-blog.boxee.tv/wp-content/uploads/2010/01/Boxee-Box-remote-1024x662.jpg)

~~~
mjbraun
That's interesting: the remote was one of the two reasons I ditched my Boxee
(the second being that the UI was painful). Initially, the keyboard was a
major selling point for me over my AppleTV remote but grey text on black
rubber buttons? No backlight? Trying to use the keyboard functionality of the
remote in anything other than full lighting was an exercise in futility.

To be fair: UI (virtual and physical) is _hard_. Thus far, the AppleTV is my
favorite but it's a "lesser of two evils" scenario.

~~~
Pxtl
I like this one:

[http://shop.lenovo.com/SEUILibrary/controller/e/web/LenovoPo...](http://shop.lenovo.com/SEUILibrary/controller/e/web/LenovoPortal/en_US/catalog.workflow:item.detail?hide_menu_area=true&GroupID=460&Code=57Y6678)

It's purely meant as a mouse-and-keyboard thing, and in that vein it has some
failures (the mouse-buttons are face-buttons instead of console-style
triggers, and the keyboard lacks a way to use the F function keys)... but in
general? I used its predecessor (the N9501 instead of N9502) and found the
design _lovely_.

I could navigate my set-top PC easily with the trackball and mouse buttons,
and when I needed to do text-entry I could hold it like a thumb keyboard. I
even got pretty far in Cipher Prime's Auditorium with the trackball - it was
quite pleasant for low-stress mouse-only games (as long as they only need
click, not drag). The problem with my old version was that the trackball was
not user-serviceable (trackballs get dirty, fast) and it wasn't backlit.

The new one uses a touchpad and has backlighting.

~~~
mjbraun
I bought the predecessor as well and you're absolutely right: the design is
lovely. While I'd say it's more of a full-featured HID than a remote it's well
designed and comfortable to use. I didn't know about the new one and I'll keep
an eye out for it.

A problem I see is that the tasks of set-top-boxes and displays are relatively
constrained, so having a reduced input device seems like a good idea. But how
to support free-text searching without a full keyboard (on-screen menus are
painful) or having to deal with limited battery life due to a touchscreen?

------
r0h1n
If the data sending wasn't creepy enough, LG's response to the author's letter
takes the cake - they tell him to contact the retailer!

_"The advice we have been given is that unfortunately as you accepted the
Terms and Conditions on your TV, your concerns would be best directed to the
retailer. We understand you feel you should have been made aware of these T's
and C's at the point of sale, and for obvious reasons LG are unable to pass
comment on their actions."_

~~~
pfortuny
Next time I buy a loaf of bread I shall ask for the terms and conditions, just
to be sure...

~~~
amirmc
You joke but I can totally imagine a future where there are embedded sensors
_in the bread_ that transmit local conditions and (after ingestion)
health/medical data.

Such a loaf could be given away free if the data collected could be repackaged
and access to it sold to the highest bidder (I'm thinking pharma companies
might pay).

A (imho insidious) way to get this accepted by the public would be to target
humanitarian efforts first. Tracking health and disease in refugee populations
is a real problem, so this system could offer tangible benefits. The refugees
aren't really in a position to complain about privacy aspects and it'd be
unpalatable for anyone to try a cost/benefit analysis when considering
_immediate survival_ against future privacy concerns (esp when it's framed
from the point of view of saving a child -- as it usually is). Once this is
considered 'normal' in such situations, it could be a short hop (or slippery
slope?) to the supermarket.

If you think this is ridiculous, please remember that there was once a time
when having robots read our email was considered hugely invasive by much of
the public (Gmail launch).

~~~
gagege
I have an idea for a novel about this, I'm just not a good writer.

Basically, you ingest food and something in it collects data and can show you
advertisements (or whatever) based on your eating habits. You wouldn't even
have to know you've eaten the stuff (the nano-machines or whatever) but you'd
start seeing ads because the nano-machines have attached themselves to your
eyes and are creating images for you to see. How do you know what's real,
then?

We don't have that technology yet (AFAIK), but this is just one step beyond a
few current technologies (Google Glass + nano-machines?) and an extension of
the path of privacy invasion via technology we're currently on.

This might just sound like crazy science fiction paranoia but I'm pretty sure
we'll see something like this happen in the next 100 years.

------
eonil
Actually, there's a really good and simple method to determine whether
something is shit or not. If it has the word _SMART_ in its name, it's shit.
_SMART_ - it's a magic word to identify shit. Because I have never seen stupid
companies make great stuff with more computing power and accessibility. When
they have more freedom, they always make a bigger shit. And sometimes it
becomes deadly huge.

A really nice product doesn't advertise such smart shit, and only focuses on
the features you actually need and use. Even if such computing features made
you happy, they know that's not a feature to be advertised.

Just don't buy any SMART stuff. Whatever they ADVERTISE, what they're saying
in the advertisement is all bullshit.

------
aunty_helen
Just started looking at what my Samsung is dialing up.
[http://54.241.140.58/api/tvp/1.0](http://54.241.140.58/api/tvp/1.0) + huge
url param string is one thing that jumps out. Resolves to 'Samsung AdHub
Portal'

Only seems to be transmitting back when using the smart tv stuff though. The
request params and some of the stuff I can decipher. request? id=<some id>
s=220x124 dt=03 did=<device id> pt=04 pv=T-INFOLINK2012-1003 nt=10
coc=<country> lnc=<language> ts=1384856584858 <timestamp> tz=<time zone>
scr=1280x720 <screen size> dy=2012 md=12_X10PLUS mf=Samsung HTTP/1.1\r\n
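
The request described in the comment above, broken down field by field as an added example (not part of the original comment). Parameter names come from the comment and categories are limited to the commenter's own annotations; the path layout, the second request and every value standing in for a `<placeholder>` are constructed.

```python
"""Audit captured smart-TV request lines for identifying fields (added example)."""
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

# Categories limited to what the commenter annotated (<device id>, <country>, ...).
FIELD_CATEGORY = {
    "id": "identifier", "did": "identifier",
    "coc": "locale", "lnc": "locale", "tz": "locale",
    "ts": "timestamp", "scr": "display",
}

# Constructed samples: the path layout and all placeholder values are assumptions.
TEMPLATE = (
    "GET /api/tvp/1.0/request?id={rid}&s=220x124&dt=03"
    "&did=EXAMPLE-DEVICE-ID&pt=04&pv=T-INFOLINK2012-1003&nt=10"
    "&coc=GB&lnc=en&ts={ts}&tz=%2B0000&scr=1280x720"
    "&dy=2012&md=12_X10PLUS&mf=Samsung HTTP/1.1\r\n"
)
SAMPLE_REQUESTS = [
    TEMPLATE.format(rid="EXAMPLE-ID-1", ts="1384856584858"),
    TEMPLATE.format(rid="EXAMPLE-ID-2", ts="1384856644858"),
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' and return (method, path, params)."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % line)
    method, target, _version = parts
    url = urlsplit(target)
    # keep_blank_values so an empty identifier field is still reported
    return method, url.path, parse_qsl(url.query, keep_blank_values=True)


def audit(line):
    """Group one request's parameters by category; decode the ms timestamp."""
    method, path, params = parse_request_line(line)
    report = {"method": method, "path": path, "fields": {}, "sent_at": None}
    for name, value in params:
        category = FIELD_CATEGORY.get(name, "unlabelled")
        report["fields"].setdefault(category, []).append((name, value))
        if category == "timestamp" and value.isdigit():
            sent = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
            report["sent_at"] = sent.isoformat(timespec="seconds")
    return report


def persistent_identifiers(lines):
    """Identifier fields present in every request with one unchanging value.

    A value that never changes is what lets separate requests be linked
    to the same device, whether or not a name is attached to it.
    """
    values = {}
    for line in lines:
        for name, value in audit(line)["fields"].get("identifier", []):
            values.setdefault(name, []).append(value)
    return sorted(
        name for name, seen in values.items()
        if len(lines) > 1 and len(seen) == len(lines)
        and len(set(seen)) == 1 and seen[0]
    )


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        result = audit(request)
        print(result["method"], result["path"], "sent at", result["sent_at"])
        for category, pairs in sorted(result["fields"].items()):
            print("  %-11s %s" % (category, ", ".join("%s=%s" % p for p in pairs)))
    print("persistent identifiers:", persistent_identifiers(SAMPLE_REQUESTS))
```

Fields the commenter did not annotate (s, dt, pt, pv, nt, dy, md, mf) are reported as "unlabelled" rather than guessed at.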

~~~
goatforce5
I have a Samsung "Smart TV" and fortunately as their frontend is a piece of
shit I never use their "smart" features.

Unfortunately for me my cable and internet provider (Bell Canada) has decided
to start tracking usage habits to target ads:

[http://montreal.ctvnews.ca/bell-to-start-tracking-customers-...](http://montreal.ctvnews.ca/bell-to-start-tracking-customers-web-history-tv-viewing-unless-they-opt-out-1.1508083)

------
DanBC
A nice write up for the Information Commissioner would probably be a good
idea.

I'd suggest doing a short cover letter, a simple-English write-up, with a
detailed technical appendix.

I'd ask if LG are registered to collect data, and if their registration covers
this data. And if any of this information leaves the EU etc.

Thanks for the write up! It's interesting. I wonder if rooting the telly to
replace this functionality is legal? I never know what the laws are about
reverse engineering stuff now.

~~~
justincormack
I can't even find LG Electronics UK Ltd on the data protection register...

------
csmuk
Actually perhaps the most annoying thing I can see is that after paying a
fuck-load for the television, they dare to show me adverts on the guide!

LG is instantly on my shitlist for this and the channel and media data leaks.

~~~
chrislomax
Do you know what, this actually annoyed me about my Panasonic TV, it does
exactly the same.

When I go into the "Internet" function, it shows me ads at the bottom. Why am
I seeing these ads?

For example, in the UK we pay the TV license to BBC to NOT see ads. We are
paying for a TV so why am I still seeing ads?

If I was renting a TV at a reduced cost or some type of freemium model then I
would expect it, takes the biscuit a little I say.

~~~
csmuk
I'd have taken it back.

My Bravia EX has no adverts but I don't entirely trust it.

~~~
dlhavema
I have an NX Bravia and in the Channel Guide there are ads... what about yours?

~~~
csmuk
Not a thing. No ads at all anywhere. I'm in the UK though so it might be
different and this unit is 3 years old now.

------
ccozan
I worked for a system like this, but for Philips. Could be that the company
(cannot tell the name!) sold the solution to LG. Actually this was meant to
display channel suggestions, not ads. Seems like since last time they twisted
it. Quite a shame.

It was an opt out system, every TV got a unique ID, but it was anonymous -
Philips didn't know who you were. If someone watched something more than 15
mins, it was sent to the DB and was profiled. After a while, the system
learned your preferences - also depending on the watching hour - and started
to show, per request, recommendations what to watch - which channel was the
closest to your preferences. It worked like a charm.

But indeed, no personal data was collected so I don't really understand the
fuss. Same for this case, LG sends anonymous data, and returns best ads for
you. A little better than Google, I might say.

~~~
incongruity
I'm sorry, but _every_ detail of what I do or my family does within the
privacy of our own home is _personal_. I do not expect my TV to be spying on
me in any form.

~~~
draugadrotten
>I do not expect my TV to be spying on me in any form.

The spying is done by the people working at LG. The TV is only the technical
method used to spy on you and your family.

------
nodata
The first comment on that page is important: contact the ICO.

But it's interesting and worrying that this problem would not have been found
if LG was using SSL.

~~~
raverbashing
Well, I doubt they would be using certificate pinning.

So you could bypass it easily

~~~
nodata
How would I get a SSL certificate issued for an lg domain from an issuer that
the LG tv trusts?

~~~
raverbashing
Best case is, they left the "--no-check-certificate" option on for debugging
purposes.

Or maybe you can import a certificate somehow.

~~~
sk5t
No certificate checking is quite likely unless the TV also has a method to
update its CA trust list, and maybe even handle CRL/OCSP depending on the
client library.

------
nnnnni
So when this sniffs the viewing habits of someone who is under 13, does it run
afoul of CIPA or COPA or whatever it's called?

~~~
icebraining
I don't think so, because COPPA only applies if the service is directed at
children and/or asks (directly or indirectly) the user's age.

~~~
nnnnni
What about when it starts showing ads for things kiddie shows?

------
grecy
I wonder what would happen if I had a movie on my USB stick I wanted to watch,
and it happened to be in the same folder as a few documents that happened to
be named with my personal identifying data.

My name, address, tax number, driver's license number, passport number, etc,
etc.

Now they've slurped that off my drive without my permission, and transmitted
it in the clear. Can I sue them for "unauthorized access" or identity theft?

What if the file name was some industry secret under NDA or other protection?

(For example Apple_iPhone_7_2015_design_spec.pdf or
NSA_POTUS_PHONE_LOGS_2013_TOP_SECRET.csv )

~~~
russellsprouts
Trade secret information is not blanket protected. For example, the recipe for
Coke is a trade secret, but you can still try to reverse engineer it. You
cannot try to steal it, or pay someone to give it to you. It seems that the
user agreed that the TV would give that information, in some sort of license
agreement, and plugged that data into the TV also. I don't think it would
count as a fraudulent way of getting the data.

With regard to TOP SECRET info, I think that the person plugging the data in
is at fault, if they were under an obligation to keep it protected, and they
failed by letting it go to a private server.

Identity information could be a liability for them, I think. By instituting
this feature, they open a possibility of collecting private information, which
they should have a duty to protect.

------
orbitingpluto
Anyone have a link to LG's Terms and Conditions that reveal they will be
collecting data?

Furthermore, there's an issue of going further down the rabbit hole with smart
TVs. What about the terms and conditions of use of software that you may never
even use that is still collecting data?

I have a LG dumb TV with DLNA and wired connectivity only. LAN only setup does
not work. It has to have a full Internet connection.

------
rem1313
I'm currently in the market for a new TV 50-55", preferably the least smart,
the better.

Any suggestions? I can't seem to find any non-smart TVs that are reasonably
current with at least 3 HDMI ports.

~~~
nicolsc
Why non-smart especially? You're free not to connect it to the internet.
That's exactly what most customers do with their 'smart' TVs: not plugging
them or getting their hands dirty with the wifi settings.

~~~
Silhouette
_Why non-smart especially? You're free not to connect it to the internet._

Until they get "smart" enough to connect via someone else's WiFi hotspot
within range.

If you think this is a joke or some sort of silly conspiracy theory, please
consider the scheme BT already operate across the UK where you can piggy back
on other people's home broadband to get wireless Internet access. On my fairly
typical residential street, I already have several homes within range of this
computer that are part of that scheme, which any wireless device in my home
could be connecting to without my knowledge or consent, including those with
access to my home network or that include equipment like cameras and
microphones.

I expect BT could make a tidy profit from making deals with these kinds of
companies so they can phone home using their built-in wireless without
depending on the customer's own Internet provision, and given their track
record, I have no reason to believe they would object to their networks being
used for the purposes of intrusive surveillance. I am hoping that laws against
these in-home privacy intrusions will arrive before it becomes the norm for
consumer products to use the national wireless spynet for this kind of
purpose, but given the way the market is going, I am not happy about our
prospects on this one.

------
stedaniels
I've got one of these TVs and annoyingly I think it's great. I'm likely going
to have to set up some routing/dns/proxy rules to defeat this.

Might even have some fun with it by sending it _lots_ of channel changes, pen
drive details and the rest.

~~~
hellweaver666
Could you get a small USB device (Raspberry Pi?) and set it up to show as a USB
storage device and randomly generate file names while it's plugged in? That
would flood their servers with dummy data :)

~~~
hrrsn
It would be easier just to write a script that makes repeated requests and
run that, since it's just HTTP anyway.

~~~
pritambaral
Perhaps the upper post imagines reverse engineering the HTTP API is too
difficult. I'm sure his suggestion was the same in spirit/principle.

------
csmuk
That scares me. I'm going to fire up wireshark on my Sony Bravia tonight and
see what that sends off as well.

------
acqq
Now who can suggest the best software to install on the home router to block
the connections based on the URLs? Ideally it would be a transparent solution
-- the client computers shouldn't need any additional configuration. I have an
OpenWrt based router.

Another question is how to handle https requests?

~~~
draugadrotten
> software to install on the home router to block the connections based on the
> URLs?

tinyproxy does what you want.

[http://wiki.openwrt.org/doku.php?id=oldwiki:proxy.tinyproxy](http://wiki.openwrt.org/doku.php?id=oldwiki:proxy.tinyproxy)

~~~
acqq
Theoretically. But I've found out that it doesn't work on small Linuxes like
OpenWRT -- the guy who took over maintenance obviously only works with big
desktops and servers, he even removed the mechanisms for proper cross-
compiling, at least the last time I looked, a couple of years ago. It looks
like the people who use such distros aren't particularly interested in URL-
based blocking?

We are really making it easy for all the companies that do the same that LG
does.

~~~
draugadrotten
Ah, didn't realize it wasn't supported for openWRT anymore.

Perhaps you would be happier with a script like
[https://gist.github.com/aarmot/5730468](https://gist.github.com/aarmot/5730468)

There's also [http://block.si/](http://block.si/) cloud service but I haven't
tried that.

Pretty sure there's a small dns blocker app for openwrt/pineapple as well, but
don't remember the name of it right now.

------
hiby007
Someone should DDOS these servers. Or maybe pass wrong info. JK.

This is very bad for LG and Samsung. This wrongful data collection should
stop.

~~~
yashodhan
JK but not really

------
ChikkaChiChi
Auto manufacturers do the same thing. Stop giving me a button to talk to your
shitty computer and have it be a bluetooth command action for Siri or Google
Now.

My phone is smarter than you.

------
Spearchucker
How can't it be disabled? It needs a network connection to do that. I imagine
there is a use case compelling enough to encourage the user to hook it up
(YouTube?) but I doubt it has satcoms. Sooo... just don't configure the
network.

That notwithstanding, I see boxes like Apple TV and Xbox One becoming the way
that people interact with their TVs, making the whole problem somewhat moot
anyway.

~~~
primelens
Isn't network connectivity kind of the point of a smart tv?

~~~
pja
Yes, but reporting back every program you choose to watch to the TV
manufacturer certainly isn't.

Naturally they bury this little fact deep in the T&Cs where you won't even get
to read it until you get the TV home, and who reads T&Cs? Almost nobody, and
LG knows it.

How well do you think this TV would sell if they had to emblazon "This TV will
report what you watch to LG so that they can sell that information to anyone"
across the front in the store?

~~~
primelens
> Yes, but reporting back every program you choose to watch to the TV
> manufacturer certainly isn't

Of course, I agree. My point was that since the buyer wants a "smart" tv, they
probably mean to connect it to the network. So instead of not configuring the
network, blocking the "phone home" ips might be a more realistic (although
probably too technical for most) solution.

------
joering2
> I think it's important to point out that the URL that the data is being
> POSTed to doesn't in fact exist, you can see this from the HTTP 404 response

Is it possible that they do indeed collect it, but are faking 404?

Step one would be to implement the technology into the TVs. Check.

Step two would be to accept payload, however perhaps they are in a waiting
period to see if news like this one will come up, and then how much damage, if
any, it will create. If none, then Step two: check.

What's step 3? Agreement with RIAA or Hollywood to sell this data? It could
help in litigation by giving more ammunition to the plaintiff. What does LG's
TOS for the TV say? Does it mention anything about it?

Thank you for the post BTW. While there are tens of TV brands, it's good to know
which one to stay away from.

------
bobdvb
I've worked in the consumer electronics business for quite some time so let me
present some information for your consideration, I don't expect you to like it
but it will explain context:

1) Adverts: These are often used to subsidise features and capabilities.
Sometimes good EPG data needs to be paid for, sometimes you need to justify
the running of applications stores. This is a business choice that the
manufacturer has to make, be off-putting or lose money. Targeted advertising
does increase acceptance of advertising over non-targeted advertising, however
if you hate advertising you're just not going to get a subsidised product (if
it is economically feasible to make one).

2) Viewer tracking: This has many uses a) product improvement: by knowing how
users use products you can improve your designs. However this isn't usually
done in such a scatter gun approach. b) You can sell _anonymous_ information
to agencies who use it to understand viewing habits and increase the value of
traditional TV advertising.

3) Third party content tracking - This could be used a) to identify working
and non-working content formats, not all encoders are the same and it is a
nightmare debugging all the strange formats the people of the internet
generate. b) to deliver improved titling, indexing and other metadata.

Above all remember Hanlon's Razor: "Never attribute to malice that which is
adequately explained by stupidity.":

1) LG's response from their CS department was composed by a minimum wage agent
who got a response from their mid-level supervisor who enquired with someone
in product management who badly translated that from some Korean discussions.

2) Most Koreans don't care about content piracy, it is rife in Korea,
especially with their excellent bandwidth.

3) Most of these policies were probably written by someone more interested in
making the best product for the least money and probably not someone from the
west.

I would hope that LG might pick up on this and make a better statement, but it
won't change their attitude.

Finally, personally as someone who makes a lot of set-top boxes I would
happily see more dumb TVs, but the business of TVs is loss making. None of the
big brands has made money in the TV business in ages, most people do it either
for turn-over or brand recognition. Making basic large "monitors" is a
difficult business to make a profit in because you are selling something very
basic in a mature market.

~~~
kevinpet
"just not going to get a subsidised product"

What subsidized product? I just paid hundreds to thousands for something you
advertise as a smart tv.

~~~
Silhouette
And I would happily pay more for a top display and decent audio, if I could
have it without all the junk. I don't even need a tuner or channel selection.
Just let me point the TV at the input source I want and then do what that
input tells it, but do it well. My PVR/Blu-Ray/console/whatever can do the
rest.

~~~
bobdvb
I suspect many other people would as well, but I have never been able to
convince anyone else that there is a sufficiently large market to make it
viable.

Remove the tuner: $2-5
Remove the codecs: £15

You still need a graphics plane, image scaler and video switch. In the end it
is the panel that takes up most of the money. That and marketing, plastics,
PSU, etc.

------
priz3
Found this info on the company behind the LG data collection:

[http://www.theregister.co.uk/2013/09/02/cognitive_lands_lg_a...](http://www.theregister.co.uk/2013/09/02/cognitive_lands_lg_as_its_first_tv_oem/)

[http://vimeo.com/22276085](http://vimeo.com/22276085)

------
kidmenot
What's funny is that they think they can make their TVs phone home and get
away with it.

~~~
prof_hobart
Well they have mostly so far. What do you think is going to stop them getting
away with it?

~~~
alextingle
Erm, the law?

~~~
prof_hobart
Let me know how that works out for you...

------
mikro2nd
I wonder what the names/IP addresses of those servers are that this TV is
contacting? Has anyone sniffed the data and figured out a way to spam their
servers with bogus data? Feels to me like they're inviting something like
this.

------
lignuist
Why do these companies seem to always get away with violating their customers'
privacy? Why don't they have to pay huge fines for that, or even better, go to
jail (those who made such decisions)? Seriously, what they do is criminal.

------
hayksaakian
TVs need a tomato or ddwrt

Some alternative OS they can install that doesn't suck.

~~~
vdm
[http://openlgtv.org.ru/wiki/index.php/Wiki_index](http://openlgtv.org.ru/wiki/index.php/Wiki_index)

------
wnevets
Guess which TV brand I won't be buying this Black Friday?

------
pja
Time to put a packet sniffer on my home network & see whether our Panasonic
smart TV does the same!

~~~
Jayschwa
Let us know if you turn up anything interesting :-)

------
smegel
Why does he assume that 404 means there isn't something on the server slurping
the submissions...

~~~
himal
Absolutely, the server can do whatever it wants with the data and return a 404
header.

~~~
robmcm
Yup, this actually saved me in the past when a statistics logger was returning
an internal error (PHP) but Apache was logging the requests, so we could just
parse the logs to get the info needed :)
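
The situation described in the comments above, as an added example that is not part of the original thread: an Apache access log in the "combined" format keeps the query string of every request, whatever status the client was shown. The log lines, paths and parameter names are constructed and use documentation addresses.

```python
"""Recover submitted query parameters from access-log lines that show 4xx/5xx."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed log excerpt (hypothetical paths, clients and parameters).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2013:10:23:04 +0000] "GET /stats/log.php?event=channel&name=EXAMPLE-CHANNEL HTTP/1.1" 500 612 "-" "ExampleTV/1.0"
192.0.2.10 - - [19/Nov/2013:10:24:04 +0000] "GET /stats/missing?event=usb&file=EXAMPLE-FILE.avi HTTP/1.1" 404 209 "-" "ExampleTV/1.0"
192.0.2.11 - - [19/Nov/2013:10:25:00 +0000] "POST /stats/missing HTTP/1.1" 404 209 "-" "ExampleTV/1.0"
192.0.2.12 - - [19/Nov/2013:10:26:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "ExampleBrowser/1.0"
this line is truncated garbage
"""


def parse_access_log(log_text):
    """Return (records, skipped): parsed requests and count of unparseable lines."""
    records, skipped = [], 0
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw)
        if match is None:
            skipped += 1
            continue
        url = urlsplit(match["target"])
        records.append({
            "client": match["host"],
            "time": match["time"],
            "method": match["method"],
            "path": url.path,
            "status": int(match["status"]),
            "params": dict(parse_qsl(url.query, keep_blank_values=True)),
        })
    return records, skipped


def retained_despite_error(records):
    """Requests the client saw fail (4xx/5xx) whose parameters are still on disk.

    The default access-log formats do not record request bodies, so the POST
    line yields no parameters here; that says nothing about whether the
    application behind the URL stored the body before answering 404.
    """
    return [r for r in records if r["status"] >= 400 and r["params"]]


if __name__ == "__main__":
    parsed, bad = parse_access_log(SAMPLE_LOG)
    print("parsed %d lines, skipped %d" % (len(parsed), bad))
    for rec in retained_despite_error(parsed):
        print(rec["status"], rec["client"], rec["path"], rec["params"])
```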

~~~
ajtaylor
Been there, done that too! Less than 2 weeks ago at that.

------
jt884
Thanks for the heads up. That's the last time I buy from LG. Ever. Period.

