
Three recent papers uncover the extent of tracking on TVs - randomwalker
https://twitter.com/random_walker/status/1177570679232876544
======
michannne
I try to think long and hard before I buy any hardware which has an obvious
tracking use case, other than a router and a smartphone, but so many friends
and relatives try to one-up each other by filling their homes with Alexas and
Ring doorbells, and all sorts of tracking technology.

I'm not saying I'm perfect, like I said I have a phone and a router, and I
understand at a point I can't hide certain things, i.e. my ISP can see what
I'm pulling on the net and I find it's not worth the hit to convenience to try
to scrub or obfuscate that info, but man, one guy I know has an Alexa in every
room in his house! Another has IoT'd his place upside down with various
Chinese equipment that is collecting who-knows-what data and sending it who-
knows-where, and it's not that I have a problem with it, but they don't even
think of the privacy implications when they buy these things.

I try to live my life as if I'd become president one day and the CIA/FBI/NSA
would use everything in their power to find something heinous they could use
to destroy my life, and also so that I don't have to worry about my future
children having their entire life uploaded from birth to death because of
mistakes I made in the technology I buy. It keeps me humble and skeptical of
new hardware and I truly measure the impact it has on the privacy of myself
and those around me, but I wonder sometimes if it has no effect because they
could always build a profile based on how I've interacted around others'
technology.

~~~
scarejunba
I've got one of these smart devices in every room of my house. Love it.
Fantastic experience. Maybe some day I'll pay for this. My take: I won't. I'm
going to be fine. And I have no anxiety about this.

~~~
eeZah7Ux
Corporate surveillance "pollutes" democracy like a car pollutes the air we
breathe.

You'll get away with using an internal combustion engine. You'll be fine.

But you are harming me and everybody else.

~~~
scarejunba
I don't think you've demonstrated the externality. You don't have to come to
my house. Chances are I probably won't invite you.

~~~
eeZah7Ux
> I don't think you've demonstrated the externality.

Forbo's answer points it out.

> Chances are I probably won't invite you.

Can't you come up with a better argument?

------
greggman2
Isn't there some way these TVs are violating the Video Privacy Protection Act?

[https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act](https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act)

Even the amendment in 2012 seems to make it legal only to add a "share"
function for a user to post what they watched on a service. It does not seem
to make it possible to just share all viewing info. It also does _not_ make it
possible to just add it to an EULA or TOS.

~~~
buckminster
> In 2015, a federal appeals court in Atlanta found that those protections do
> not reach the users of a free Android app, even when the app assigns each
> user a unique identification number and shares user behavior with a third-
> party data analytics company.

So the TV company would probably argue that it's not a violation if they don't
know your real identity. Even though they share the data with an analytics
company that does.

But the only way to really answer the question is to litigate.

~~~
Mathnerd314
The main issue in the 2015 case was that the app was free and therefore the
users weren't "subscribers" by the court's narrow interpretation. See the
discussion near 103:
[https://harvardlawreview.org/2018/04/the-video-privacy-protection-act-as-a-model-intellectual-privacy-statute/](https://harvardlawreview.org/2018/04/the-video-privacy-protection-act-as-a-model-intellectual-privacy-statute/)
They mention a later 2016 decision where free mobile app users _were_
considered subscribers.

Typically circuit splits end up in the Supreme Court sooner or later. So if it
does come up it'll be some pretty expensive litigation.

------
jka
Having thought about it a bit recently, smart-TV advertising and tracking
seems like it may become _more_ invasive in some ways than smartphone-based
tracking. Smartphone ads at least give the perception of being personal.

Watching TV is a social activity - gathering at a friend's place to watch a
new episode, or relaxing with family.

The future implied by these developments is that TV-based tracking will take
the home audience into account, and the screen becomes -- in some sense at
least -- a camera as well as a display.

Instead of being shown subtly inadequacy-leveraging ads on your own device,
now they're going to be interwoven into you and your family's home in such a
way as to influence thoughts and opinions.

Gradually adtech will - as it has already - erode the ability to have
peaceful, genuine social human interaction while enjoying an artist's intended
work uninterrupted.

I'd like to think that alternatives to advertising finance are on the horizon,
because the ad business seems to further income inequality. Adtech employees
deny and avoid their guilt by enjoying the profits they make, while their
audience (who are increasingly also their acquaintances, as peer-based
referrals and influence marketing heat up) are pressed to spend and consume,
often unnecessarily.

I'd wager the trend towards ads and quantified influence is going to continue
until it necessitates radical change.

NB: In reality the capability likely already exists to target ads based on who
you're currently with, so this is really just an opportunity for the
advertising industry to socialize and normalize these practices.

~~~
hakfoo
I honestly expect adtech to bust at some point.

At the end of the day, there are a lot of limits on how successful any ad
campaign can be. How much budget your target has, how elastic it is, how much
demand is inherent to the product type.

Even with perfect 24/7 targeted advertising, Toyota's maximum possible upside
is selling me one Camry every two years. Once they reach that point, any
further marketing spend is wasted.

There's also the problem of advertising being imperfect. We'll always have
faulty data, and importantly a trustless adversarial relationship with the
consumer, which will limit the ability to improve ad effectiveness. (Imagine
the opportunity to say in one central place "I have bought a widget, everyone
I researched with can discontinue the widget post-visit campaign as there's no
further chance of victory" -- advertisers wouldn't go for it and consumers
wouldn't believe it). I also suspect tighter and tighter targeting increases
the risk of catastrophic ad failure-- where it undermines the brand's
reputation or creates public backlash. The Uncanny Valley can be one hostile
place for brands.

Do expensive, high-tech ads outperform cheap spray-and-pray techniques like TV
spots and dumb banners? Probably. But I suspect the price-performance curve is
approaching an asymptote pretty quickly. Billions are spent to chase
increasingly small gains in actual sales over older, less creepy techniques.
Someone's going to do the numbers and start asking questions.

~~~
ThrustVectoring
The real advantage of "smart" advertising isn't in better business
performance, but of better legibility of the advertisement's performance. The
cheap spray-and-pray techniques might work, but you don't know how well they
work, so you make a guess and bid on it based off the low end of the range.

With perfect information about how well an advertising campaign works, you can
convince the rest of the org to spend up to 100% of the profit margin of a
sale on enough marginal advertising to drive one additional sale.

In other words, the end state is measuring ad performance well enough that
spending on ad buys wind up cannibalizing all the corporate surplus generated
from them.

------
neilv
From trying to reduce hostile snooping/malware "TV" behavior for the last few
years (as an on-principle techie exercise)...

My current practical requirements: Lately, I mostly watch movies and series
from borrowed Blu-ray and DVD discs (which turned out to be a better catalog,
IMHO, than Netflix's streaming catalog at the time I switched). I also want to
occasionally play PS4 online multiplayer games on the same display.

I didn't want the PS4 to be phoning home when I played the discs, so I found a
model of Blu-ray player that does DVD 1080p upscaling, but which still doesn't
have WiFi. I did a final firmware update of the (EOL'd) Blu-ray player over
the Internet, and then have a policy that the player will never be plugged
into the Internet again. (Again, this is mostly an on-principle exercise, and,
so far, it's proven practical for me. I've encountered only one Blu-ray
implementation bug, which is known lockups of a very small number of titles in
24p mode of some players, and which never got a firmware update anyway.)

(Before the Blu-ray player appliance, I tried using Kodi for playing DVDs,
first with a laptop, and then a RasPi 3 setup, but that worked poorly.)

I paired the airgapped Blu-ray player with a nice older Sony 1080p TV with
decent integrated speakers, and which had no WiFi, and was not new enough to
be fully "smart TV" obnoxious. It has a nice picture, and works well with the
Blu-ray player's remote over HDMI. To get this one, I had to do some research,
and then do daily searches on CraigsList for a while.

The two main drawbacks to the older, less-smart TV are that it's not 4K, and
that it's power-hungry. (20W off, 90W to display no-signal screen, peaks to
140W+ even in a dim room.) For saving the 20W when off, I'll probably move the
TV to a secondary position on a smart power switch, but I've hesitated,
because I don't know whether the TV was designed for frequent abrupt power
cuts, and, if I wear it out prematurely, finding a similar replacement model
on the used market looks increasingly difficult.

When I eventually upgrade to 4K or whatever is next, I suspect I'll probably
end up getting a non-TV commercial display without Internet, and a separate
audio amp and speakers.

Maybe I'll also be forced to give up on borrowed discs, and switch more to
streaming, which I suspect will be locked-down with anti-user hardware and
software, and (unless regulation really steps up) fraught with excessive
corporate surveillance and other misbehavior (and possible attendant
vulnerabilities, due to the complexity and methods).

There are some open source media player things I'd like to build, if I can
ever spare the time again, but those might be precluded by the available
(legal) consumer-hostile media methods at the time.

~~~
zxexz
I bought a modern 4K “tv” [0] (actually a monitor) recently without any sort
of “smart tv” features. There are a few options out there in the high end
monitors or, even cheaper, the “Corporate display panel” genre. I was appalled
at how hard it was to get a display that wasn’t able to phone home, though!

[0] [https://www.lg.com/us/monitors/lg-43UD79-B-4k-uhd-led-monitor](https://www.lg.com/us/monitors/lg-43UD79-B-4k-uhd-led-monitor)

~~~
lostlogin
How do you do sound? That’s the bit I’ve been stumbling over. Having a
separate receiver and therefore another remote is not something I’m keen on.

~~~
toast0
Integrated speakers in TVs have never been good, but as TVs get thinner, the
speakers get worse.

In theory, HDMI-CEC might make it possible to control everything with any
device's remote. My TVs are too old for that to work properly though. The
receiver should come with a universal remote, which may work for you. I'm
happier with the Logitech Harmony non-touchscreen remotes; model 665 has a
nice shape, and the screen is useful for picking activities and using
functions that are hard to map. The configuration software is torturous,
however. If you're using an IR remote like the Harmony 665, you'll want to
group components for easier aiming.

------
deogeo
All legal because you clicked 'agree' on a mountain of legalese. It's past
time voters and consumers engage in some serious collective bargaining as to
what manufacturers are allowed to put in those agreements, and what the
products are allowed to do. We've been 'voting with our wallets', isolated and
individually, for decades, and things have only been getting worse.

~~~
doctorpangloss
Is there a better alternative than discursive agreements with a single yes/no
at the end?

People have been litigating this for a while, and the best Google and Apple
have come up with is prompting you for permission to access your camera.

That was a form of collective bargaining, and that was the result, I just
don't necessarily believe that a congressperson's staff is going to do a
better job than the monopolist platform holder.

~~~
caconym_
> Is there a better alternative than discursive agreements with a single
> yes/no at the end?

T&Cs really just seem like a way to ensure that the company can get away with
every abuse of the consumer that's arguably legal. In some cases, e.g. credit
bureaus, there isn't really a way to opt out of signing their T&Cs without
also opting out of modern society.

Without a government that's actually interested in protecting consumers, it's
a moot point.

~~~
troydavis
> credit bureaus, there isn't really a way to opt out of signing their T&Cs
> without also opting out of modern society.

If anyone's curious, here's more detail.

Opting out of credit bureaus is actually not possible. One can opt out of pre-
screened offers of credit
([https://optoutprescreen.com/](https://optoutprescreen.com/),
[https://simpleoptout.com/#lexis-nexis](https://simpleoptout.com/#lexis-nexis)),
can lock your credit to prevent credit checks, and can opt out of some data
sharing, but financial institutions have safe harbor to release information to
credit reporting agencies under the Fair Credit Reporting Act
([https://www.law.cornell.edu/uscode/text/15/1681](https://www.law.cornell.edu/uscode/text/15/1681)).

The Gramm-Leach-Bliley Act requires financial institutions to let customers
opt out of disclosing "nonpublic personal information to a nonaffiliated third
party"
([https://www.law.cornell.edu/cfr/text/16/313.7](https://www.law.cornell.edu/cfr/text/16/313.7)).
That constraint would be fairly reasonable, except that there are giant
additional carve-outs
([https://www.law.cornell.edu/cfr/text/16/313.14](https://www.law.cornell.edu/cfr/text/16/313.14),
[https://www.law.cornell.edu/cfr/text/16/313.15](https://www.law.cornell.edu/cfr/text/16/313.15)).
The biggest things that no one can opt out of are "(3) To provide information
to insurance rate advisory organizations, guaranty funds or agencies, agencies
that are rating you, persons that are assessing your compliance with industry
standards, and your attorneys, accountants, and auditors;" and "(i) To a
consumer reporting agency in accordance with the Fair Credit Reporting Act (15
U.S.C. 1681 et seq.)."

This is true even if one has never requested, been extended, or will ever
request credit. As you noted, the only way to "opt out" would be to only
receive or pay cash for everything and forgo modern society.

The root cause is FCRA's overly broad scope. Instead of allowing credit
applicants/recipients and credit providers to establish an equilibrium that
works for both parties ("Want credit? Okay, opt in to credit reporting from
your other vendors and then we'll review your application"), FCRA forcibly
opts everyone in.

You've probably seen this form before:
[https://www.ftc.gov/system/files/documents/rules/privacy-consumer-financial-information-financial-privacy-rule/privacymodelform_optout.pdf](https://www.ftc.gov/system/files/documents/rules/privacy-consumer-financial-information-financial-privacy-rule/privacymodelform_optout.pdf).
Those FCRA carve-outs are why "Can you limit this sharing?" always says "No"
for the top few rows.

------
doctor_eval
I never plug TVs into the internet and generally don’t connect any device
unless it has a clear need to connect.

In the office I’ve taken to calling connected TVs a security concern, but I
didn’t realise how right I was. The conference room TVs there are currently
connected (before my time) but I’ll be disconnecting them next week.

~~~
jjoonathan
My TCL TV power-cycles endlessly unless it has an internet connection. This
behavior didn't start until a year after I purchased it.

I can't help but wonder if it's intentional. It did get me to connect the damn
thing, despite my severe misgivings.

~~~
api
So the tactic worked.

------
ajflores1604
They haven't exactly been secretive about it; here is the Vizio CTO giving an
interview at CES this year on the topic:

[https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019](https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019)

Meat of it starts @15:58.

------
emptybits
I'm in the market for a new TV. I'm impressed by display technology advances,
but everything else about TV manufacturers is unimpressive. i.e. all the
"smart" software, the OS, menus, apps, apps, and more apps. And surveillance.
No thanks. Please give me compliant HDMI, USB, and other connections and let
me feed sources of my choosing to your display controller.

My intention is to keep my TV offline right from the start, but maybe I'm
screwing myself out of useful (display) firmware updates?

~~~
clircle
That's basically what I do. I don't let my TV connect to the net. But
according to this twitter thread, that doesn't matter much, as my Roku is
regurgitating my data all over the place anyway...

~~~
kevin_thibedeau
Roku has a setting to disable tracking data.

~~~
kalleboo
From the link:

> _Here’s a doozy: Roku has a “Limit Ad Tracking” option. Turning it on
> increased the number of tracking servers contacted. It did prevent Roku’s AD
> ID from being leaked, but a whole bunch of other unique IDs are available.
> Even Pi-hole wasn’t that effective at limiting tracking._

------
wil421
They found the Ring doorbell records video when someone moves in front of it?
Isn’t that what is made for? I’m opposed to subscription cameras and avoid
Ring but everyone I know who has one bought it because it records when someone
walks in front of it.

~~~
TheSpiceIsLife
And locks those recordings away on Amazon’s servers, by default.

~~~
lostlogin
That is in no way reassuring. Edit: Most likely you intended the comment that
way.

------
mirimir
I don't have a TV. I'm not into sports, and there's not much else that I care
enough about. What I have is a huge display, attached to a Linux NAS/server
with a decent graphics card. With a couple TB of video, from various sources.
And even it is offline, except when I need to update stuff.

~~~
gabriel897
Care to share what display you have? I'm in the market for a TV but this
interests me more.

~~~
mirimir
LG 27UD58-B

At some point, I'll probably get a larger one.

And for sound, a 100W per channel amp driving a pair of ancient JBL L96s.

------
Waterluvian
I would settle for some laws to protect against adding tracking and ads later.
Something as simple as, "if a device is sold without tracking or ads, they
shall never be added through software updates or other means" and "if device
has tracking or ads, it must display this fact on the box/other conspicuous
places."

Drives me insane buying a device and for it to get slathered with ads six
months later.

------
greenyoda
Discussion of one of the papers mentioned here:
[https://news.ycombinator.com/item?id=21100404](https://news.ycombinator.com/item?id=21100404)

------
PeterStuer
Our 25yo analog Sony CRT television just gave up the ghost. I looked online
for a new television, but all of them come with 'voice control' and other
'smart' features. Do I really want to engage in yet another infosec fight
trying to keep what should be a simple dumb appliance from reporting on what I
do in my own home?

~~~
skunkworker
Simple. Just don’t connect your TV to the web. I do this and have a separate
Apple TV that I use, because the TV apps quickly become obsolete.

~~~
leeoniya
yep, same. got a good quality Sony Bravia 4K that stays offline except
occasionally for firmware updates and on an isolated vlan.

built an HTPC that's connected via HDMI that i can use for youtube, netflix,
plex/kodi, NAS, etc.

basically a dumb display.

~~~
ttty
Maybe it stores all your data on disk. When you update the firmware, it will
send all the data saved before.

~~~
leeoniya
it's possible, sure. most of the tracking features on smart tvs relate to the
use of smart features/apps. the parts that do screen fingerprinting do it in
real-time, so hopefully it does not store many months of 1-sec intervals of
fingerprints.

i should actually intercept the traffic to double check.

------
GoToRO
Samsung smart TV. We had to use it with an external receiver so we set the TV
on video input. It works. We turn off the TV, turn it on again, it shows the
video input for a brief moment and then hides it with a message that there is
no signal and please choose your signal input. No matter what we did, it didn't
want to just work.

The solution? Connect the TV to internet (in a rural area), wait overnight so
it can download the Terms and Conditions without any indication that this is
what it is trying to do, sign the T&C and then it works...

------
brachi
I have an old Thinkpad T420 with a non-working display that I attached to my
(non smart) tv. I'm very satisfied with Kodi and browsing with Firefox in
Linux. Next step would be some voice and gesture recognition (open kinect
maybe?)

------
cwkoss
Has anyone tried implementing DOS attacks on ad providers with the intention
of making them block all traffic from your IP? Are these requests signed?

~~~
cwkoss
Bonus fun, count all of your requests by campaign, then contact advertisers to
let them know how many fake requests they were charged for.

------
userbinator
"TV watches you" was discovered at least 6 years ago, here are some discussions
from that time:

[https://news.ycombinator.com/item?id=6759426](https://news.ycombinator.com/item?id=6759426)

[https://news.ycombinator.com/item?id=6778397](https://news.ycombinator.com/item?id=6778397)

------
Diesel555
Can anyone explain this to me? My Roku TV knows what I'm watching even if it's
just a .avi file. I'm watching a movie on my Raspberry Pi with Kodi via HDMI.
About 30 seconds into the movie it says "You can watch this movie on ...
channel."

How does it know what I'm watching? Is it analyzing the feed like Shazam to
music?

~~~
unwiredben
[https://support.roku.com/article/115005739288-how-do-i-use-more-ways-to-watch-on-my-roku-tv-](https://support.roku.com/article/115005739288-how-do-i-use-more-ways-to-watch-on-my-roku-tv-)

------
mark_l_watson
My wife and I watch a lot of entertainment on our iPad Pros, only using our TV
when we want to watch the same Netflix, HBO, or Prime content together. We are
using a Firestick our kids gave us. I am thinking that an Apple TV would be a
bit better privacy wise. In any case, I am going to remove my WiFi password
from my Samsung TV’s setup config and see if it works without an online
connection.

------
lostmsu
That's why I use ad-block hosts file on the router.

~~~
LeoPanthera
This is specifically mentioned in the linked article as being at best only
partially effective.

------
dehrmann
With how complex these systems are, I wonder when companies will start open
sourcing and using reproducible builds to show there's nothing up their
sleeves. For Microsoft, it clearly gives away too much, but for a company like
Huawei facing bans over security, it gets closer to showing there's no
government backdoor...unless it's in the hardware.

------
cwyers
I read one of the papers, and the channels listed with trackers were largely
"long tail" garbage channels that 99.9% of Roku users wouldn't touch. Now, it
only lists the ten worst channels, but that makes it hard to figure out whether
or not the use of trackers is prevalent on popular channels like Hulu, Netflix
and such.

------
buro9
The Pi-Hole lists to contribute to and subscribe to:
[https://github.com/Perflyst/PiHoleBlocklist](https://github.com/Perflyst/PiHoleBlocklist)
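
A way to check for yourself how much of a TV's DNS chatter a hosts-format list like the ones above actually covers, tying back to lostmsu's router hosts file and the "only partially effective" point from the article. This is an added example, not code from the thread, from Pi-hole, or from the linked repo: it parses a hosts-format blocklist and a dnsmasq-style query log (both constructed here, with hypothetical `.test` domain names and a made-up TV address 192.168.1.50), then reports which queries an exact-hostname match sinkholes, which would only be caught by a suffix/wildcard rule, and which nothing on the list covers at all.

```python
"""Audit a smart TV's DNS queries against a hosts-format blocklist.

Added illustration, not code from the HN thread, Pi-hole, or the linked
blocklist repo. The blocklist entries and log lines below are constructed
for the example; the domain names and the TV's IP are hypothetical.
"""
import ipaddress
import re
from collections import Counter

# Constructed hosts-format blocklist (same shape as a Pi-hole list).
BLOCKLIST_HOSTS = """
# tracker domains (constructed example)
0.0.0.0 telemetry.example-tv.test
0.0.0.0 ads.example-tv.test
0.0.0.0 metrics.tracker.test
"""

# Constructed dnsmasq-style query log. 192.168.1.50 plays the TV.
QUERY_LOG = """
Sep 27 20:01:02 dnsmasq[1234]: query[A] telemetry.example-tv.test from 192.168.1.50
Sep 27 20:01:02 dnsmasq[1234]: query[A] ads.example-tv.test from 192.168.1.50
Sep 27 20:01:03 dnsmasq[1234]: query[A] a8f3.metrics.tracker.test from 192.168.1.50
Sep 27 20:01:03 dnsmasq[1234]: query[A] b91c.metrics.tracker.test from 192.168.1.50
Sep 27 20:01:04 dnsmasq[1234]: query[A] cdn.example-streaming.test from 192.168.1.50
Sep 27 20:01:05 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def parse_hosts_blocklist(text):
    """Return the set of hostnames a hosts-format list sinkholes.

    Each line is '<ip> <name> [<name> ...]'; comments and blanks are skipped,
    as is any line whose first field is not an IP address.
    """
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            names.add(name.lower().rstrip("."))
    return names


def parse_queries(log_text, source_ip):
    """Yield the names queried by one client (the TV), normalised."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("src") == source_ip:
            yield m.group("name").lower().rstrip(".")


def exact_blocked(name, blocklist):
    """How a hosts file (or dnsmasq addn-hosts) matches: the whole name only."""
    return name in blocklist


def suffix_blocked(name, blocklist):
    """Match the name or any parent domain, as a wildcard/regex rule would.

    Used here only to show what exact matching misses, e.g. a tracker that
    hangs a random label in front of a listed domain.
    """
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def audit(log_text, blocklist_text, source_ip):
    """Bucket each of the TV's queries: blocked by exact match, caught only
    by a suffix rule, or not covered by the list at all."""
    blocklist = parse_hosts_blocklist(blocklist_text)
    result = {"exact": Counter(), "suffix_only": Counter(), "uncovered": Counter()}
    for name in parse_queries(log_text, source_ip):
        if exact_blocked(name, blocklist):
            result["exact"][name] += 1
        elif suffix_blocked(name, blocklist):
            result["suffix_only"][name] += 1
        else:
            result["uncovered"][name] += 1
    return result


if __name__ == "__main__":
    report = audit(QUERY_LOG, BLOCKLIST_HOSTS, "192.168.1.50")
    for bucket, counts in report.items():
        print(bucket, dict(counts))
```

On the constructed log the two `metrics.tracker.test` subdomains land in `suffix_only`: the list names the parent domain, but an exact-match hosts file on the router never sees a hit, which is one reason a hosts-file block can look complete and still leak. Two things this audit cannot tell you: traffic to hard-coded IP addresses never produces a DNS query in the first place, and a device that resolves names through its own DNS-over-HTTPS client bypasses the router's resolver entirely. For those you have to look at the flows themselves, as leeoniya suggests.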

~~~
iforgotpassword
Oh, good story here. There's an e-reader called Tolino which is somewhat
popular here in Germany. You can use it to subscribe to your local library for
a monthly fee and rent books.

Recently an old friend crashed on my couch for a week, bringing such a device.
He couldn't download any new books from the library while staying. On the last
day of his stay we didn't have anything better to do so we researched that
problem. After some googling we actually found a long thread in some forum
where people had all kinds of problems with a recent firmware update which
didn't actually seem to be the problem here, but then there was some guy in
this thread casually mentioning that he solved it by disabling his pi-hole.
And yes, indeed, that immediately fixed the problem in our case too.

Let that sink in: You pay for your e-reader. You pay a monthly subscription.
And then they dare to require you to send your data to googleanalytics.com, a
foreign company, and don't even show a meaningful error message if that
doesn't work (too embarrassed?)

------
andy_ppp
I’m thinking about buying a screen that has no TV with a basic amazon fire
stick (no microphone) for precisely this reason.

Does anyone have any recommendations?

------
duxup
Long ago I was dissatisfied with the smart TVs sluggish smart features so I
just gave up and never connect them to internet.

Seems like a good policy now.

------
scarejunba
Well, you need consent with CCPA. This is going to be fine.

~~~
Iolaum
As long as the dilemma to the user is presented as no privacy and get the job
done vs privacy but don't get the job done, consent will be given.

~~~
vageli
> As long as the dilemma to the user is presented as no privacy and get the
> job done vs privacy but don't get the job done, consent will be given.

You also get to demand access to your data and can instruct them to delete it
(and they must or run afoul of the law).

------
panpanna
Do any of those studies look at Chromecast?

