What Vizio was doing behind the TV screen (ftc.gov)
888 points by Deinos on Feb 6, 2017 | 333 comments

So I have a bit of intimate knowledge of this.

Not sure what I can answer but for years my company worked on an Automatic Content Recognition project using tools from a team called Cognitive Networks who were bought by Vizio and make up the tech that did this. If I understand correctly the founder of Vizio kept this tech for himself in the sale of Vizio.

When developing this we would work directly with Cognitive checking sync'd apps. We knew for a long time that they could see our content in their office while we tested.

Note LG got caught on this about 2-3 years ago and made ACR apps opt-in which pretty much killed it for LG.

AFAIK Samsung never did the exact same thing. A bunch of providers saw the writing on the wall and dumped this sort of technology a few years back. It had some really cool applications for interactive sync to broadcast apps but the privacy concerns killed it for a lot of manufacturers.

Thanks for posting this. When I saw the original FTC story I recalled reading about this once or twice in the past but couldn't think of any key phrases or sources.

In response to some of the other comments here, basically what they are guilty of isn't spying but failing to properly disclose and opt-in users. There is a particular major AV vendor who is selling raw clickstream data of millions of their users' internet usage directly to marketers and other parties right now. As far as I can tell, as long as it is buried somewhere in the terms and conditions no one cares.

Of course, other companies that are actually serving the content are doing far more than just passively monitoring your viewing habits.

From my best guess, Facebook is logging every signal it can from content/pictures/videos it displays to users. Even if you didn't click like, comment, or click through the link it knows the story captured your attention.

I had an interesting case with Instagram where after viewing enough pictures of women's butts it started also showing men's bare butts in my feed too.. at least until I never opened any of them, and they disappeared.

Users should consider that content providers are going to have extremely deep data sets of even the most minute dimensions of their political leanings, porn viewing habits, dating preferences, and gullibilities. All of this will make what TV shows you watched between Netflix and NBC beyond mundane.

With an open web, where we get content from the source, this shouldn't actually be possible. Thank the platform business model.

Is it possible to bring about a similar complaint against Facebook with the FTC? Or, if the FTC is the wrong agency, what would be the right one?

Of particular concern are "shadow profiles" - dossiers on people who have never even used or consented to using Facebook[1]. I'm no lawyer, but there could be precedent per this Vizio case.

In my opinion Facebook is hugely overstepping people's privacy bounds, even if they do bury what they do with some of the data in their terms of service. I never even knew about DeepFace, or mouse cursor movements, or any of the multitudes of violations of privacy outlined in the article below, and frankly it scares me and makes me angry.


By using FB, you consent to them using the information about you that others and you yourself provide. Don't like it? Don't use FB.

By that logic, we shouldn't buy or use Vizio TVs either. But the issue here with the FTC complaint is that there was not a prominent warning that the data was being collected or used in such a way.

I certainly never read or even saw any warning about facial matching in all my photos or my children's photos.

Besides all that, people with shadow profiles who never even used Facebook or agreed to their TOS are being tracked. This is not ok.

I feel like there is a double standard here: we are vilifying Vizio - a company that has multiple competitors - for much less wrongdoing than what Facebook is guilty of, even though FB has a de facto monopoly on social networking.

Edit: there is a link on the ftc.gov website where you can file a complaint against a company with concerns how it handles your privacy: https://www.ftccomplaintassistant.gov/Company#crnt

> By that logic, we shouldn't buy or use Vizio TVs either.

Burn it all. Facebook and Vizio.

And every other company. Go live in a cave because that's where all companies are going and no one is slowing the process down. This consumer choice gambit may very well be a false statement in the future.

> dossiers on people who have never even used or consented to using Facebook

I think you misread the comment. These are people that already don't use Facebook.

Except a lot of people are forced to use FB either for work or by friends/family. Without the right IRL social network these people are very disadvantaged given that practically everything social (as in, real life people hanging out, not "social" media) is on FB nowadays

don't like the single de facto platform for communication online? don't use it. i'm sure your friends will get ahold of you somehow. maybe whatsapp?

On the one hand, Facebook is ubiquitous enough that the government could probably step in and regulate them and it wouldn't be entirely unreasonable. On the other hand, I don't use Facebook and I'm getting along just fine. I have an account but log in about once a year. "Don't use it" is a legitimate option.

They still track you even if you don't have an account. Your friends give them more than enough info for them to create a detailed dossier.


> There is a particular major AV vendor who is selling raw clickstream data of millions of their users' internet usage directly to marketers and other parties right now. As far as I can tell, as long as it is buried somewhere in the terms and conditions no one cares.

ugh. Name them please! If it's in the ToS they shouldn't mind being called out.

Avast, source https://news.ycombinator.com/item?id=13079569 AJ007

Here are the terms, it's in section 8.Privacy, processing of personal information. https://www.avast.com/eula-avast-free-products

However "AVAST may publish or share such information with third parties that are not part of the AVAST Group but will only ever do so after removing personally identifiable information."

Also: https://www.pehub.com/2015/05/avast-leads-22-mln-round-for-j...

"Jumpshot also captures https clickstream data to reveal in-depth buying and social behavior above and beyond simple browsing."

Capturing https clickstream data is only possible when you MITM the user - see Avast.

They could make a deal with browser extension developers to bundle a surveillance module. That is why I never install any browser extensions.

They could for sure - others already did that and bought well running extensions.


At least, not all extension developers gave in to $$$.

> removing personally identifiable information

no such thing.

> I had an interesting case with Instagram where after viewing enough pictures of women's butts it started also showing men's bare butts in my feed too.. at least until I never opened any of them, and they disappeared.

This truly is technology run amok. "Welcome to buttstagram, for your butt viewing pleasure."

When I think about this situation it makes me want to stay entirely away from social media and off the internet. Yet its ubiquity in our lives makes it difficult to be integrated and participant in society without the technology. And a lot of the features really do disappear when you remain entirely anonymous (via tor, incognito, not having accounts etc).

I had a similar thing happen a year or two ago: At some point in the past I shut down my Facebook page, but a year later I created a new minimalistic one so I could stay in touch with my family. I posted a picture of a Vespa scooter I'd been restoring in the garage, and suddenly my suggested friends list started overflowing with guys in Indonesian scooter gangs and young Asian ladies in head scarfs. (I friended one guy and we exchange "likes" every once in a while but even google translate doesn't understand 3/4 of what he says.)

Wait, what's cloudstagram?

That's a very subtle joke :)

(Those in the dark search for cloud2butt browser plugin)

That is my favorite extension. It subtly brightens my day when I come across one of its gems.

> Yet its ubiquity in our lives makes it difficult to be integrated and participant in society without the technology.

Or: Yet the ubiquity in our lives of Stuff that was never built for us (pretty sure I never gave the billionaires at FB and Goog as much as a single dollar), but merely to lure us, makes it difficult to be integrated with and unwittingly enabling that Stuff without installing and using that Stuff.

Surveilling users without their knowledge and consent sure sounds like spying to me

What Facebook is doing is quite frankly scary. This Sunday over a birthday meeting with some friends, one of them was telling us about a restaurant called "Lucuma" (this is in Guadalajara, Mexico). My wife did nothing with her cell-phone, except having it with her during the conversation.

Later that day when we are back at home, she showed me an ad about that same restaurant. We never searched for something similar (this is a vegan restaurant), but only talked about it on our way home.

The restaurant most likely bought some ads that targeted your wife and your friends' demographic. It's far easier to do that than covertly access your phone's mic.

Your wife's friends probably searched it and facebook lumped you all together in their algorithm.

Still creepy.

It's also possible that the friends saw this ad first, thus planting the idea in the first place.

Here in NY recording people without their consent is definitely against the law and is likely to piss off important people. As fun as this CT is it seems extraordinarily unlikely that FB employees would risk going to jail for this feature.

This is why I torrent behind a VPN despite being subscribed to HBO now, Netflix, and Amazon Video. My guilt is ameliorated and at least a sliver of my privacy is maintained.

You misunderstand how it works. This worked by fingerprinting audio and video at the TV display level, it's not part of the networking layer. If your content was shown on the TV you could be tracked regardless of source.

Thanks and noted. If I ever end up getting a SmartTV (due to dumb TVs no longer being sold), it's never getting on my network and going to be banned at the MAC address level.

It needs to be physically disconnected or on a network without Internet connection. The MAC address is the easiest to spoof. If it has any kind of radio like WiFi you need to de-solder it, as the data could be collected by a car driving by, or via your neighbor's WiFi.

> as the data could be collected by a car driving by, or via your neighbor's WiFi.


How is it going to connect to your neighbour's wifi? How is someone driving past going to connect to your TV? Is the TV going to set itself up as an access point?

I'm completely behind not connecting random devices in my house to the internet but suggesting they are somehow trying to get data out by connecting to random networks or will just broadcast it for anyone to hear is a bit much.

Multiple compromised nodes working together to identify you.

We already see this with things like ultrasonic communication. A compromised (has sketchy app installed) phone could, for example, communicate with your television or computer speakers and mic via ultrasonic frequencies to determine what ads you have seen, or what digital streaming content you are consuming.

An app could take it even a step further and use a root exploit and secretly take a short recording every 10 minutes or so to relay to someone who wants to know what song or movie you were consuming.

This isn't just possible, things like this have already been found in the wild.

And you can bet your bottom dollar these snaky companies would keep their mouths shut under an NSL if it meant they could keep tracking you.


It doesn't even require anything that complex. If I remember correctly, even if your smartphone never connects to wifi APs, while the WiFi radio is on, it does periodically scan for APs in the area while either surrendering some identifiable information or establishing a pattern that can be used to identify you.

Frak it, TV is going in a Faraday cage

Get a projector and a dozen or two bulbs and prepare for the technological winter.

I think the parent is being purposefully hyperbolic ... however, a router manufacturer could have ghost APs that domestic goods could try to send via. It perhaps wouldn't be the weirdest invasion of consumer privacy story either.

In the UK nearly everywhere seems to have a BT WiFi signal as they give out routers with a commercial side-channel that anyone can pay to access. If your smart device had access to BT WiFi they'd get a signal out in many places regardless of whether the TV owner had WiFi.


The neighbours might have an access point without a password. But I think if the vendor is really interested in collecting personal data he could just install a GSM modem with a prepaid SIM card inside so that the device doesn't depend on Internet connection.

If they really wanted to collect the data, they could make the TV auto connect to certain SSIDs or any open WiFi.

Also look up smart water meters, that can be read by driving by.

I thought Netflix and related services work the same way Spotify does: they pay content providers a small fee based on actual content viewing. If you pay Netflix a monthly subscription but never view any content on your account, I would assume Netflix keeps all of the revenue and doesn't pay out anything to the actual content providers. Just a guess, but it's possible your plan is backfiring by paying the company you don't want to support (since Netflix is the one implementing the tracking) instead of the companies you do (that actually create the content you like).

> your plan is backfiring by paying the company you don't want to support (since Netflix is the one implementing the tracking) instead of the companies you do (that actually create the content you like).

TBH, that's far too deep for my moral calculus. The only things I view/pirate from Netflix are Netflix original series and PBS documentaries/educational programs. I'm paying the former directly and the latter isn't really out to maximize profit but to enlighten and educate and it's somewhat supported by my tax dollars.

No - as a general rule, Netflix pays a fixed royalty for the content that they license from third parties, regardless of how many people watch it. This is why the quality of their predictive models is so important; the better they can forecast, the better they can determine whether the price they would have to pay is worth it.

(Of course, the royalty is different for every piece of content, but the amount is negotiated ahead of time; it is not on a per-usage basis.)

This is different from iTunes movies, Amazon (non-Prime) Video, Vudu, Google Play, etc., which license on a revenue share basis.

Actually no, in contrast to Spotify, they generally secure licenses for content for a flat fee and a 1-3 year time frame. It doesn't matter how much content is actually viewed, other than Netflix deciding whether it's worth trying to renew or not.


Spotify, at least, pools all payments before paying royalties.

So his strategy does increase royalty payments, but doesn't "vote" for who should receive those royalties.

Netflix also makes a lot of their own content. If he is pirating that content, then it's fair.

I think Netflix greenlights 3rd party content creators' projects, I'm not sure they have much if any in-house production.

Those deals probably include some combination of up-front payment as well as per-view payment.

I'm amazed you can access Netflix behind a VPN.

Why not, when you are abroad it is kinda the only way you can watch much of the content that is not available in other countries. Even subtitles are not available in English in some countries like Sweden.

Because Netflix has been blocking VPNs for a few months. It's really hard to find a VPN that works with Netflix. Even setting up your own won't work, most IP ranges that are used by data centres are blocked by default.

He said he pays for Netflix, but torrents on a VPN.

That's a bingo!

Heck if you're using a tunnel broker for ipv6, it thinks you're using a vpn, sigh.

That sort of makes sense, given that is also punching through the geoblock.

I understand that, but I'm using an endpoint in the same physical area my actual internet connection is (NoVA).

I don't access Netflix, kind of the whole point :)

When I do use Netflix it's through my PS4.

Facebook categorises a video view as anything seen for more than three seconds, so draw your own conclusions from that.

Instagram was purely chronological until mid way through last year. And it only shows you content you've subscribed to. So it's possible an account you were following changed its posting habits.

I'm curious, did anyone on your team raise any ethical concerns in regards to the potential privacy violation? If not, how was the topic handled by employees/management?

Not really - we talked about it and expected more consumer concerns from other outlets. This work was not being done in secret, when ACR was the hot item it was well known in the industry how it worked. We figured the vendors would deal with the issues as they were raised - and they did. Despite some of the potential of the technology for some cool interactive apps, for the most part it died.

The difference between what we worked on and what Cognitive/Inscape eventually did and got dinged for was that we were using this technology to build sync to broadcast apps not for tracking viewing and usage habits. The work we did never got to large scale deployments and we honestly forgot a bit about it. I knew what Inscape was doing - nothing secret just kind of in the industry weeds - post Vizio sale but honestly didn't think that much about it until now.

If we expect employees speaking up to fix this, we are going to live in constant disappointment. The pro-privacy people live in a very small, but loud, echo chamber. We need to be proactive with developing pro-privacy technologies if we expect something to be done about this.

The majority of the population and the majority of developers seem to not care at all about intimately targeted ads.

It's not just apathy, it's also because there's often so much you can do without pissing off the management or generally looking like a "bad culture fit". And then they'll get someone else to do it anyway.

At my current job, I don't have any privacy-related issues, but I have to handle occasional clueless ideas from the customer. It usually goes like this:

  They: We want to have this security-related change X.
  Me:   Uh ok... but are you sure it's a good idea? What's your threat model?
  They: ???
  Me:   You see, this change will make it more difficult for user to do Y, with no real
        benefit to security, because A, B and C.
  They: Uh... yes, you're right; let's not do it then.

Fast-forward one or two other attempts at proposing the same change and half a year later, I find the change implemented in the codebase anyway. Turns out some other manager on customer's side asked someone else in my company to implement it.


I'd expect it wasn't handled. If it comes up, 'Let legal deal with it'.

Guess this is what spurred the investigation: https://www.propublica.org/article/own-a-vizio-smart-tv-its-...

Still, how did this article come about? What is a whistle blower?

A whistle blower is a term for an insider who leaks a company's criminal practices to the government. They can get a percentage of monies recovered through lawsuits

Sorry, I meant to ask "was it a whistleblower?". Just curious how exactly this whole gnarly situation was discovered.

going to be really curious how siri/alexa/google voice activated devices in home are going to be treated in the future. eventually even these will likely have video in ability

What proof do you have for what you're claiming, please? If you have intimate knowledge then you should know that many (me included) could accuse you of trying to push an agenda or divert the attention by posting what you did.

How do you really know LG stopped their data collection? Sure they might have made a checkbox be switched off by default, but what does that say about the underlying software? IMO, nothing. It might have been a PR damage control campaign without an actual change.

Nothing I've said is "secret"; anyone active in the Smart TV or Interactive TV space knew this was going on and how it worked. When I said intimate I didn't mean secret, I mean I actually used the technology being discussed, and at its very nascent stage.

There were multiple ACR Vendors doing the same thing (Gracenote, Samba TV are two at top of my head, there were many failed vendors in this space)

Google ACR on TVs and you'll find all the info you need https://en.wikipedia.org/wiki/Automatic_content_recognition


(BTW the app in that techcrunch article is the one we worked on)

What proof could they actually provide? Given the medium, anything they said is probably easily forgeable or illegal to share. That being the case, demanding proof is just a way for you to look "skeptical" without providing much of value to the conversation. I'm guessing you meant well, but apparently others thought differently.

We all know people lie on the internet sometimes. We can't explicitly bring up the possibility every time someone makes any statement, or half the internet would be "careful, this might not be true!".

Not to mention non-disclosure agreements and such.

What I want to know is, how did Vizio get caught? Was there a whistle blower? This article doesn't mention (unless I just missed it) how the FTC discovered this.

I don't disagree with anything you said. It's just that this is a high-profile case (IMO anyway). I guess I am expecting too much.

Quick tip: If you actually care about being downvoted, don't complain about being downvoted. Many people will do so just for mentioning it, it is against the rules, and it's whining about imaginary, non-transferrable internet points.

Personally I think it's fine to complain about being downvoted if no-one has responded constructively.

It might not help, of course.

Moreover, without vote visibility you can't tell if the reason given by one person is supported by others.

> Personally I think it's fine to complain about being downvoted if no-one has responded constructively.

I understand that oftentimes people will use downvotes as a substitute for disagreeing, despite that being explicitly against its true function. Ultimately, you're complaining about fictitious karma points.

If you are a regular contributor who follows the rules, over time your karma will accrue and this can be a fuzzy way to weigh your importance to the community. The danger of valuing karma too much will cause the system to be gamed by marketers and astroturfers (see Reddit for Example A)

>people will use downvotes as a substitute for disagreeing, despite that being explicitly against its true function. //

Early on with HN pg stated that downvoting for disagreement was proper behaviour on HN. My opinion is that's wrong but, in contrast to other fora, downvoting to disagree is thus explicitly a part of proper behaviour here.

That said, I don't care about the points, it's a matter of social value - if you don't know why people are disagreeing then you can't address that concern or reassess your own position, the downvote adds no value whilst a comment may.

Corrected. Foreign thinking to me -- but point is taken. Thank you.

As a former Cognitive and Inscape employee, @mikeryan is largely correct. Note that fingerprinting happens on the TV - no actual content was sent back to us. Still absolutely creepy.*

* Not the opinion of my (former) employer.

Once the data is sold, the cat is out of the bag. The service might not send sensitive info by itself but the DBs of the buyers might contain enough data for cross-referencing to personally identify you without a shadow of doubt.

As another poster here asked: were there any ethical discussions in the organization?

Individually yes, organizationally not that I know of.

It's not worth buying any of these 'Smart' TVs. I don't know whether it is a shoddy developer experience provided by the likes of Samsung / Vizio etc or if it's the developers themselves (Hulu I'm looking at you) who do not maintain their apps which are constantly bug filled.

I much prefer my old dumb TV that has a Roku plugged into it. Oh yeah, and I know it's not WATCHING ME.

If you want a high end tv you don't have much choice.

But also, why do you not expect your Roku / apple tv / etc to be watching you?

Well, if it turns out your <CommodityVideoStreamerA> is spying on you, you can throw it in the trash and get a <CommodityVideoStreamerB> instead. That gets a bit trickier when it's hardwired into your $1000+ display panel's control board.

You could buy a high end Digital Signage display. Usually these are "dumb" and also have no TV tuner or consumer type settings. But are high quality, designed to be powered on 24 hours a day and have great picture quality. Because of the lack of additional image processing, they often have some of the lowest input lag as well.


Prices are much higher though.

"Prices are much higher though."

Not that much higher ... maybe double ?

Remember, the digital signage displays are often used in arrays of 12 or 18 or 24 displays, so they have to be somewhat cost-competitive - otherwise an airport or hotel lobby or mall couldn't stitch 24 of them together.

I always chime in on these discussions to urge folks to buy a digital signage / commercial display (probably from NEC). Not only are they as dumb as dumb gets, but they are also very, very high performance displays.

WTF is wrong with that site. I enabled the scripts so that I could use the filters, waited while it refreshed several times, and it just covers the screen with a pop up that just re-opens when you close it. That was one of the worst I've visited.

It's probably because of the ad blockers but still a site should be a little functional without all the scripts and ads.

> If you want a high end tv you don't have much choice.

Don't connect it to the Internet? Barring the manufacturer sneaking a backup cellular modem in there, seems like it's an easy fix.

They can nag you about retrieving updates.

root it then! Any kid that knows how to point the libstagefright and DirtyCOW MetaSploit modules at the browser can root their "smart" TV...

Better option: Buy a different TV that requires less effort to make acceptable, unless there's a huge price incentive to buy the more troublesome TV and "fix" it.

But you are also supporting the invasive practices by giving the manufacturers your money.

You can still find OLED or 4K off-brand "dumb" TVs, like from Hisense and Seiki, but you run the risk of terrible support.

Don't those often use B-grade panels from other manufacturers? I know Hisense has the reputation for punching above its weight, but I wouldn't expect them to produce "high end" TVs.

Not for Hisense televisions, but I don't know for Seiki. The former is basically a high quality panel with crappy speakers.

Hisense is also now selling under the Sharp brand name.

PERSONAL OPINION: warranties are hard to enforce de facto.

Would you be so kind to provide links to these products? I am interested in a high-quality display without smart features.

Yeah, I tried to go down that route about 10 years ago when the Internet was younger and dumber and I wound up not being able to find anything. Here's a recent (UK) story about the idea that could provide some vectors, though:


Somebody other than LG sells an OLED TV? Where?

I have a "smart" LG TV - it's slow and a few years old. I manage to avoid LG's tracking of me by not having the Ethernet cable plugged in...

I suppose you could just buy a new smart TV and not inform it of its WiFi details.

From what I've read, some smart TVs actually require you to connect them to the internet for them to work at all.

That's funny in a really tragic way. So what happens if your internet goes down or if for instance you are just moving in and you don't have internet for a week or so?

Does like everything stop working without internet now? ...sigh

Honestly, I'm 100% more fine with Apple spying on me than pretty much anyone else. I'm less perturbed with the entire concept of spying than I am with who is doing it.

I don't agree with this. Why do you feel that way?

You do expect the box to keep track of what content it's showing you. You don't expect the tv to keep track of all content, regardless of where it's coming from.

Agreed. We have a dumb Sony 40" LCD that is over ten years old. It's not 4K but our eyes aren't good enough to see the difference, and over the years we've used a range of front ends - currently a Raspberry Pi running Kodi (with the HiFiberry sound card - awesome!).

This has been very economic, and environmentally friendly, and I can't see why we can't continue for several more years with the same screen.

If you were using the Exodus plugin for Kodi, you were a part of a botnet. Make sure you upgrade to 3.0.5. Who knows what the other apps are doing?

Don't run sketchy plugins then?

I like to frame it this way: The oldest TV in my house is a 10+ years old 46" 'dumb' TV. It used to have a SageTV box connected, then a Roku, and now currently has a Chromecast. I could plug the Chromecast into a brand new TV, and other than the case design, they'd be indistinguishable.

Know what was state-of-the-art in embedded CPUs 10 years ago? The original iPhone. It had a 400 MHz single-core processor with 128MB RAM. Do you think app developers that have quad- and octo-core CPUs and literally 8 or 16 times the memory are going to optimize for the old platform, or build and maintain several versions of their applications?

Personally I'd rather spend $35 ~ $200 every few years, instead of $800 ~ $2000, to have an up-to-date system.

Actually the TVs with Roku built into it are great. But again how do you know the Roku isn't watching you? I mean it even has a mic for voice search.

Well, at least if you ascertain that the Roku is watching you, you can throw it out and only be out $50 instead of $500+ for the TV.

> TVs with Roku built into it

I'm guessing that this doesn't just mean that it comes in the same box as the tv set.

I feel the same way about smart TVs, but I'm starting to have my doubts about the Roku. A few months ago I was trying out an open source DLNA media player. I tested it playing a single WAV file from my server using the Roku Media Player. A day or two later, we turned on the TV, switched to the Roku, and were greeted with an advertisement for a concert video by the exact band I had listened to. Now, I'm pretty sure the ad was not based on the past viewing habits of our household - my wife does 99.9% of the Roku streaming, and her music preferences are completely different than mine.

Now, I know this is just a single anecdote, and that it could very well have been a coincidence, and that in the grand scheme of things this is one of the more innocuous uses of tracking, but it was still a somewhat thought-provoking experience.

The Wirecutter's top TV pick is a non-smart one, ironically a Vizio.

"In a departure from the trend toward smarter and smarter sets, the Vizio P-Series lacks built-in smart-TV features. It’s basically a dumb TV, not just lacking apps but also dispensing with a tuner."


If it doesn't have a tuner, doesn't that just make it a monitor with speakers?

If you're using a STB, that hardly matters, but I'd think a cord-cutter would like the option to plug an antenna in the back and watch OTA stations without needing extra hardware.

I don't understand the consumer infatuation with "smart", Internet connected devices, especially smart homes. Yes auto lighting and hvac systems are cool, but it introduces so many security vulnerabilities that it's not worth it.

I don't ever see myself using autonomous, internet connected cars. I can't think of a bigger hacking target for terrorists and mischief makers alike.

Me neither, but it seems like we haven't even come close to the limit of what people will tolerate. For example, Johnson & Johnson has/had an insulin pump on the market that could easily be triggered remotely (i.e. be used to remotely murder you): http://www.theregister.co.uk/2016/10/05/animas_diabetes_pump...

And their response was basically "yeah, it's not that big of a deal, don't worry about it". Someone with really bad intentions could set up a few arduinos/rPIs in populated cities, set them to broadcast the 'inject insulin' command and then sit back and watch people drop dead if they wander within range.

Scary stuff.

It's the type of attack where you'd never even be able to track down the perpetrator. They should at least add a chime when it is activated so that the users can take note and chug some gatorade or something.

Someone would really, really have to have it out for diabetic geeks for this to be plausible.

The scary stuff I worry about is what an evil scientist, like the one from 12 monkeys, could do with a deadly virus. This type of evil gets far more "bang for the buck". I guess both are equally plausible. I might worry more about your scenario if I were diabetic!

> Someone would really, really have to have it out for diabetic geeks for this to be plausible.

I disagree. The remote and disconnected nature of this renders it less real than say killing a person with a knife. You don't have to witness first hand the yelling, screaming, pleading, suffering, etc. and finally the moment when a person sublimates from a living, breathing, unique being to a lifeless husk. It's like pushing a button to kill someone...it can be so far away that it's not quite real.

When I was younger, I spent time on 4chan's /b/ and could see some of the more deranged+immature members of the community doing things like this for the lulz or using some half-baked logic rooted in 20th century eugenics. Example A: Individuals like Dylan Roof who don't understand statistics and the context around it (I watched the entirety of his interrogation and he's borderline mentally challenged or autistic)

>Someone would really, really have to have it out for diabetic geeks for this to be plausible.

It only takes someone having it out for any specific individual who depends on the device. The OneTouch pump is a convenient murder weapon that could make the death look like an accident. (Or the possibility of many collateral casualties could be a plus to some.)

> "smart", Internet connected devices, especially smart homes.

I have a "smart" home (well, parts of it -- it's expensive to do everything!).

It turns on a few select lights when it gets dark out, unless there are already lights on (eg: we're home) in which case it doesn't change anything. It turns lights off late at night in case we forget. It turns the front lights on at 30% between dusk and midnight, and cranks to 100% anytime between dusk and dawn if there's motion or the garage door is open (then gradually puts them back to what they were). Most useful, there's buttons on the kitchen keypad labelled "Dim" "Bright" and "Off" that adjust the lights over the island, sink, table, and under-cabinet and range hood (all separate). Another useful one is the "all off" button by the front door -- there's no corresponding "all on" because (as mentioned above) that happens automatically, and we never walk into a dark house.

All of it can be controlled from any PC/tablet/phone, and of course all of it could be done over the internet -- except that I don't have any of the ports open, because I don't see the point. The ability of connected switches to be controlled by other switches/motion/time yet still allow manual operation is very nice, and it's significantly cheaper than a massive re-wiring project.

I hate that there's this huge craze that confuses "smart" with "on the internet". It's an entire industry that is a solution to a problem that doesn't exist.

I have a regular light switch for my Hue lights, but also have some timers set up from my phone that change their colors in the morning/evening.

If I'm gone or even if I lose the phone, I really wonder if anyone else will ever figure out how to shut that off. They'll probably just throw the bulbs out.

The "SmartTV" isn't really smart (nor is anything to be honest). The SmartTV is just a smartphone type hardware built into the TV so the kids can watch Netflix and you don't need a second box + remote to do it. I find that pretty compelling actually.

> The "SmartTV" isn't really smart (nor is anything to be honest). The SmartTV is just a smartphone type hardware built into the TV

By definition, this is what makes it smart. It's not the sophistication of the embedded hardware, it's the connectivity. The Echo Dot isn't anything special (and a bit overpriced IMHO). Wifi, Bluetooth Radio, 3.5mm audio out, decent mic, speakers about as good as free swag portable speakers, etc.

Don't blame the consumer.

It is the industry that tries to force that on us.

Roku is collecting and sharing information on what you're watching with Nielsen and other analytics providers. I believe they are requiring it of all their developers.


If the FTC had any sense - they should require disclosure at point of purchase.

The smart features mostly suck, but the idea of using two remotes (or a nonstandard programmable remote) is pretty unattractive. I jump through a lot of hoops to be able to plug my tv antenna cable into my tv rather than a set top box of some kind, so it would defeat the point to have a set top box for the smart features.

I suppose if the streaming services I use were all compatible with e.g. ChromeCast I could use that, but until they are I'm pretty happy with the ui of the SmartTV. Most importantly, the kids can use Netflix without having their own smartphones.

I'm going to check the settings really carefully on the TV to see if I can at least maximize privacy, but I wish there was something better such as a firewall setting I could use. Is there a guide for various manufacturers/models floating around somewhere?

Many TVs allow hdmi pass through of the TV remote to a device if it's supported. For example my Samsung remote can control my FireTV via HDMI.

In the past, Sony has picked confusing button mappings for the PS3 such that only Sony remotes worked well with it, but I haven't had a Sony device since then.

On the remote issue, HDMI CEC is fairly well supported these days.


Yes I wish I had known (well I sort of did) that a smart TV would be so bad just the laggy apps, opt-in after each firmware upgrade. And each upgrade seems to make the apps run slower and slower.

I got my dad a Roku but he didn't want it so I took it thinking I would return it but for Netflix and YouTube it's far faster than the same Samsung apps.

My plan to build a Pi 3 media box was set aside for now.

But yes wow such crap and mind games in these smart TVs when all I want is to see my video signal!

The difference between smart 1080p tv and dumb one is $15 LCD controller from ebay.

Couldn't you equivalently just not connect the smart tv to the internet?

I caught my TV doing this and went to war.

For the last two years I have had a service running that floods garbage data back to the collection point from several addresses throughout the Internet.

You're welcome.

I know we can't expect the "average" consumer to do this, but thanks for caring and running tcpdump on your network! It amazes me that with a lot of these stories there's no one popping up with a pcap showing exactly what's going on.

I'm hoping projects like Turris Omnia [1] will allow people to be more in control of what goes in and out of the LAN - my network, my rules.

1: https://omnia.turris.cz/en/

You don't really need an open source router. Just something that can be flashed with Openwrt or dd-wrt. The router you linked actually runs a fork of Openwrt.


Yeah, they're pretty rare in Australia due to our reliance on ADSL - unless you flash with DD-WRT. It's still not something everyone does. OpenWRT and DD-WRT's UIs are pretty rough (although, most commercial UIs are, too)

I'm running OpenWRT on a TP-Link TL-WR841N/ND v8 and the LuCI interface that comes out of box is vastly better (cleaner and more feature-full) than the majority of consumer router interfaces I've encountered. In particular, the realtime graph of current connections!

You can likely set your ADSL modem into "bridge mode" and put a user-flashable device between that and your network. Once you get NBN you just connect the WAN port to the NBN termination box and you'll be getting DHCP from your ISP.

I'm on the NBN now. Configuring OpenWRT had been a pretty steep learning curve but it's worth it in the end.

Is it an unsecured or secured connection? Can you make a connection?

You might want to check if they just blocked your IP addresses and your connections are being dropped. Although if you've been running it for 2 years(!), I think you have it covered.

Just a tip: It's very easy to clean up completely garbage data from a database. Any data scientist worth their salt would do that. Getting rid of your garbage data just needs a couple lines of code. What you need to do is, skew the data so that it isn't suspicious but eventually will mess up their inferences.

Care to elaborate on this? How you caught it, what and how are you sending back to them?

I'm curious too. Do you have a blog post detailing it?

Can't speak for OP, but my solution involved the words pfSense, tcpdump, bro, and squid.

It would be nice to rope in some chan-ners and a bot net or two. I think the data should say that the entire country watched a certain Rick Astley video on repeat for the next year.

Glad to know someone is giving them hell. I purchased a Vizio TV on black friday and suspected that all manufacturers would be doing something like this. For that reason I never configured it to access my wireless network. Scary to realize that it was actually happening and at this scale.

Well played. This is the kind of stuff botnets should be put to work doing. :)

And it will have taken them no effort to blacklist your IP for sending junk data.

I'd love more details on this. It would make a great supplement to something like Pi-hole.

Good luck defending those cyber hacking charges that are going to be brought against you.

The amount of money they made from that data is probably orders of magnitude more than the paltry $2.2 million penalty.

I hate to get all paranoid, but it seems like every day there's news of a company's data being hacked, and what information isn't being hacked is being actively sold.

What can an average citizen do (short of living Ron Swanson-style in a cabin in the woods) to protect their privacy?

On the individual level, probably not much. But I think you could help much more on a societal level. Help monitor what these devices are sending back when they contact their servers and report on it. Is there a database for that sort of thing?

But also, giving to litigation groups that fight this sort of thing. EFF comes to mind, but I'm sure there are others.

Giving to the EFF is a great idea, thanks.

Isn't there money to be made in simply selling honest software and hardware that doesn't spy? A profitable consumer electronics and software company could be established whose products didn't monitor, aggregate, or stalk its customers with ads.

I should think there's enough awareness of these kinds of antics in the market now that a successful company could be established soon that has the creation of honest, respectful tech as its M.O. A venture like that could be profitable AND disruptive.

I suppose to guarantee the privacy of its customers, such a company would necessarily have to have vast product offerings - or lots of like-minded partners - to compose a comprehensive landscape of services that could replace the privacy-violating services their consumers currently rely on. A sort of privacy walled-garden.

Build a blacklist of companies that adopt such policies and boycott the shit out of them.

The problem is virtually every company is on the list for one reason or another. Sony's rootkit for example.

As TheGRS notes, I'm worried that my individual contribution would be nothing. But I guess that's why we have organizations like the EFF.

The first company in the list should be Google.

So....stop buying everything?

I think you're definitely on to something.

"orders of magnitude more" ? As in, ~$200m? No chance.

With a little bit of industry knowledge, I would posit that they made roughly the same quantum as the fine.

So basically, it pays to engage in unethical behavior, because if you do get caught, the fine will usually not be more than the profit you made from said behavior.

Obviously. Whatsapp broke privacy law in Canada and across Europe to hack growth. Different industry, but Four Loko also was penalized for its risky (but great for some people) original formula.

> Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content.

That type of technology alone would cost you at least $2M to build.

So either your statement is incorrect or Vizio got a terrible ROI on this (sans fine).

I doubt it would cost nearly that much. I could build something similar in a couple of days, and I'm not even a developer by trade.

Just use something like pHash (e.g. https://github.com/JohannesBuchner/imagehash), screen cap the centre of the screen (say, a quarter of the screen in total) every minute, hash and then send the 8 byte hex string back to home base.

Ah, the "I'm no developer, but this is easy" person. Glad to have your valuable input here :)

"I could build a twitter clone over the weekend!"

The problem you are describing is one that many large companies spend huge resources on today, so I guarantee you that it is not something you do in a couple of days.

Even if you had the system up and running, you would still need to create a large database system managing 100 billion data points each day and integrate the stream of information with your customers' APIs.

$2m worth of developer time going into this project is very likely. Thinking you could do this in a couple of days is simply ignorant.

Ok. Now get the database of content to match it against and build a program that automatically determines what the user is engaged in.

Ok, I'll just go and buy a major media content publisher. Sony, perhaps...

Can you elaborate on your industry knowledge? I'm not in the industry so I'm curious. I would guess that Vizio would have been able to demand a premium for that data.

An order of magnitude would be ~$20m (actually ~$50m, together with the other fine). And I too believe that the fines were too small

Correct, and "orders" (plural) of magnitude would be ~$200m

No way. They absolutely made more than 2.2M. The content detection system, recv servers, writing the firmware, all cost more than 2.2M.

> What can an average citizen do (short of living Ron Swanson-style in a cabin in the woods) to protect their privacy?

Talk to your politicians. Tell them that data privacy is important. If you're in the USA lobby for something like the EU's Data Protection law (even at the constitutional level). If you're in EU, lobby for stronger data protection (no more sharing data with the USA)

When the penalty is less than the profit, it has a different name. Tax.

Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content.

I would like to know more about that process. I find it ethically abhorrent, but technically very interesting.

Like, is it grabbing, say, three pixels in constant locations across the screen and matching their color change over time? Is it examining a whole block? Is it averaging a block at some proportional location on the screen?

The terms of art are Automatic Content Recognition https://en.wikipedia.org/wiki/Automatic_content_recognition and Video Fingerprinting https://en.wikipedia.org/wiki/Digital_video_fingerprinting

You can dive in from there but it's basically either watermarking or fingerprinting of video and/or audio frames. Video was preferred because there were fewer false positives from music beds. In a nutshell it's video Shazam.

Perceptual hashing could have been the technique used. For example, see: https://github.com/JohannesBuchner/imagehash

I use this for deduplicating my, er, 'home movies' collection.

EDIT: Here's a good explanation of one specific technique that should give you the general idea: http://www.hackerfactor.com/blog/?/archives/432-Looks-Like-I...

I'm also curious if they'd be able to match different encodings of the same video or would only be able to match against specific encodings in their collection.

I would imagine it's simply a temporal comparison of pixel colors at predetermined locations, similar to how the Shazam algorithm[1] works? You'd just need to analyze enough pixels to reduce "collisions", coupled with the temporal aspect!

[1] https://www.ee.columbia.edu/~dpwe/papers/Wang03-shazam.pdf

It's not encoding based - it's frame based, basically bitmap data. It has to be to work across the whole video delivery pipeline so it's fairly fuzzy but also accurate.

They need a source to compare to so when we worked on it masters were being sent from the network to the sync technology group. So they had source data for comparison on the first broadcast of a show.

Outside of latency there's no reason they can't match against broadcast content off cable. For user tracking they can just log the fingerprint data and compare it later to source data for analytics so this works fine.
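An added illustration of the frame-based fingerprinting discussed in the comments above (not code from any commenter, and nothing on this page says which algorithm Vizio used): a pure-Python difference hash (dHash), a simpler relative of the pHash approach linked above, showing why a rescaled, brightened, noisy copy of a frame still lands on its reference. The frames are constructed test patterns and the 10-bit match threshold is an assumption.

```python
"""dHash fingerprints over raw grayscale frames, with a nearest-reference lookup.

Added illustration. All frames are constructed test patterns, not real content.
"""

HASH_W, HASH_H = 8, 8   # 8 x 8 comparisons -> 64-bit (8-byte) fingerprint
MAX_DISTANCE = 10       # assumed match threshold, in differing bits


def shrink(frame, out_w, out_h):
    """Box-average a frame (rows of 0-255 ints) down to out_w x out_h cells."""
    h, w = len(frame), len(frame[0])
    small = []
    for cy in range(out_h):
        y0, y1 = cy * h // out_h, (cy + 1) * h // out_h
        row = []
        for cx in range(out_w):
            x0, x1 = cx * w // out_w, (cx + 1) * w // out_w
            total = sum(sum(frame[y][x0:x1]) for y in range(y0, y1))
            row.append(total // ((y1 - y0) * (x1 - x0)))
        small.append(row)
    return small


def dhash(frame):
    """One bit per horizontally adjacent cell pair: 1 if the left cell is brighter.

    Only the sign of each brightness gradient is kept, so resolution, a global
    brightness shift and small per-pixel noise mostly cancel out.
    """
    bits = 0
    for row in shrink(frame, HASH_W + 1, HASH_H):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits


def hamming(a, b):
    """Number of bit positions in which two fingerprints differ."""
    return bin(a ^ b).count("1")


def best_match(fingerprint, references, max_distance=MAX_DISTANCE):
    """Return (title, distance) of the closest reference, or (None, distance)."""
    if not references:
        return None, None
    title, dist = min(
        ((t, hamming(fingerprint, h)) for t, h in references.items()),
        key=lambda pair: pair[1],
    )
    return (title, dist) if dist <= max_distance else (None, dist)


def make_scene(a, b, cell=8):
    """Constructed 72x64 test pattern: a 9x8 grid of flat cells, brightness 20..200."""
    return [
        [20 + 30 * ((a * (x // cell) + b * (y // cell)) % 7) for x in range(9 * cell)]
        for y in range(8 * cell)
    ]


def degrade(frame, scale=2, brightness=20, noise=6, seed=1):
    """Simulate a different delivery path: upscale, brighten, add bounded noise."""
    state = seed
    out = []
    for row in frame:
        for _ in range(scale):
            new_row = []
            for px in row:
                for _ in range(scale):
                    # Small LCG so the "noise" is repeatable without imports.
                    state = (state * 1103515245 + 12345) % 2**31
                    jitter = (state >> 16) % (2 * noise + 1) - noise
                    new_row.append(max(0, min(255, px + brightness + jitter)))
            out.append(new_row)
    return out


SCENE_A = make_scene(2, 2)                 # stands in for one reference frame
SCENE_B = make_scene(3, 1)                 # stands in for unrelated content
BLANK = [[128] * 72 for _ in range(64)]    # flat grey screen, no gradients
REFERENCES = {"scene_a": dhash(SCENE_A), "scene_b": dhash(SCENE_B)}

if __name__ == "__main__":
    captures = {
        "scene_a, degraded": degrade(SCENE_A),
        "scene_b, degraded": degrade(SCENE_B, seed=7),
        "blank screen": BLANK,
    }
    for label, frame in captures.items():
        fp = dhash(frame)
        print(f"{label:18s} {fp:016x} -> {best_match(fp, REFERENCES)}")
```

Because the lookup is a nearest-neighbour search over tiny fingerprints, it can run long after capture, which is the "log the fingerprint data and compare it later" point made above.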

If nobody's started one yet, I think there would be an audience for a blog/vlog/whatever that reviews non-smart TVs. And/or a place that evaluates which "smart" TVs function acceptably as "dumb" when they are not connected to a network.

Realistically, this would have to include evaluating things besides consumer TVs for use as living room devices, since "smart" features in consumer TVs are nearly unavoidable at this point.

Because I'm going to have to start looking into the world of commercial displays for my next TV, I guess. At least I think those don't have "smart" features. Yet?

Rather than avoiding such TVs, I think we're better off taking some good precautionary measures.

Why buy commercial displays which usually are pretty expensive, when you can buy consumer ones and be smart about how you use it? Of course, even if they start coming with in-built wifi, just don't let them connect to anything.

First off, taking control of your own home network is crucial. Get a good router, something you can install pfSense or linux on. You'll basically have to get an NUC and learn how to manage firewalls. I suggest pfSense or just plain jane ubuntu server if you aren't very good with these systems. Then, a wifi access point can be connected to it for your wireless devices.

Prevent external network access to all the devices, and then whitelisting them (probably only your computers) is the way to go. Unless you bother to teach every one who lives in your house about the terrible things that some companies do, just block everything.

I don't think we can prevent IoT just like we couldn't stop phones. Home automation can be the best thing since mobile phone. As nuts as it sounds, you might just realize the comfort factor of having a "smart home". Just have to be careful, just like you're careful with your phones, and what they do. Read up on basic security, common exploits targeting IoT devices, etc.

There's an absurd amount of technical knowledge that you are suggesting that every household in America should subscribe to.

Also, if you have a SmartTV, you probably need to allow it to contact the internet, otherwise playing internet TV (Netflix, iPlayer, Hulu, etc) is not going to work. If it can access Netflix, it can probably phone home with your data.

Don't connect your TV to the internet and use something like a Chromecast, Roku, Apple TV, instead.

Yeah, but those spy on you too, so I don't see how they're any better. The main advantage with things like those is that you can more easily upgrade them later as technology changes.

I agree with you on the amount of technical knowledge that's needed. I guess routers/home internet security might be ready for some shakeup if someone comes up with a layman-ready interface while being secure.

But, the point of having a firewall is that you can fine-tune the outgoing IP addresses. Sure, it'll take some time to initially allow all IP addresses for a specific device, but it shouldn't be undoable. There are lists out there which specify which service owns which IP.

The sole point of a good firewall _is_ that it can only access Netflix and not any unwanted servers.

There is a market opportunity for a router with some smarts that can do automatic VLANs and access control. e.g. lightbulbs can talk to *.lifx.com and local Android devices but nothing else, TV can talk to YouTube but not to the fridge, etc etc.

We need to configure our routers to allow access to netflix.com, but disallow access to viziospyservice.com.

Not much technical knowledge required. Basic parental control on my ASUS router denies access to the internet to Samsung TV and it can still play content from LAN via UPnP.
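An added sketch of the per-device allowlist idea in the comments above (lightbulbs limited to `*.lifx.com`, the TV allowed to reach Netflix but not a tracking endpoint), written as an offline audit of DNS queries; it is not code from any commenter or router vendor. The log format, IP addresses, device names and most query names are constructed, and `viziospyservice.com` is the placeholder name used in the comment above.

```python
"""Audit DNS queries against a per-device egress allowlist (constructed data)."""
from collections import Counter

# Assumed policy. Real services use more domains than the patterns shown here.
POLICY = {
    "tv": ["netflix.com", "*.netflix.com", "*.youtube.com"],
    "lightbulb": ["*.lifx.com"],
}

# Assumed mapping from LAN address to device role (e.g. from DHCP reservations).
DEVICES = {"192.168.1.40": "tv", "192.168.1.50": "lightbulb"}

# Constructed log, one query per line: timestamp, source IP, "query", type, name.
SAMPLE_LOG = """
2017-02-06T20:00:01 192.168.1.40 query A www.netflix.com
2017-02-06T20:00:02 192.168.1.40 query A viziospyservice.com
2017-02-06T20:01:02 192.168.1.40 query A viziospyservice.com.
2017-02-06T20:00:05 192.168.1.50 query A api.lifx.com
2017-02-06T20:00:06 192.168.1.50 query A API.LIFX.COM.
2017-02-06T20:00:07 192.168.1.50 query A lifx.com.tracker.example
2017-02-06T20:00:09 192.168.1.50 query A notlifx.com
2017-02-06T20:00:11 192.168.1.77 query A www.youtube.com
""".strip().splitlines()


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def matches(pattern, name):
    """Exact match, or '*.example.com' matching any name below example.com.

    Matching on the dotted suffix (".lifx.com") rather than a bare substring
    is what keeps "notlifx.com" and "lifx.com.tracker.example" from passing.
    """
    pattern, name = normalize(pattern), normalize(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".lifx.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def allowed(device, name):
    """Default deny: a device with no policy entry may resolve nothing."""
    return any(matches(p, name) for p in POLICY.get(device, []))


def audit(lines):
    """Return {device: Counter({denied_name: count})} for off-policy queries."""
    denied = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue                              # not in the constructed format
        _ts, src, _kw, _qtype, qname = parts
        device = DEVICES.get(src, "unknown:" + src)
        if not allowed(device, qname):
            denied.setdefault(device, Counter())[normalize(qname)] += 1
    return denied


if __name__ == "__main__":
    for device, names in sorted(audit(SAMPLE_LOG).items()):
        for name, count in names.most_common():
            print(f"DENY {device:22s} {name} x{count}")
```

A name-based policy only holds if the device is forced to use the resolver that enforces it and the firewall drops traffic to addresses that resolver never returned; a device that connects to a hard-coded IP bypasses it.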

In order to roughly scale how much technical knowledge this actually represents, remember that most humans, even most humans with home networks, do not know what routers and networks are.

For a much better sense of scale, it's important to remember that ~14% of adults in the US are illiterate[1].

This is why the medical community adopted the principle of requiring informed consent[2], a much higher standard than "it was in the ToS" or "our business model assumes you weren't lucky enough to have the education necessary to understand why it is important to opt-out". Similar requirements need to be applied to data; if you aren't proactively informing users about precisely what will happen with their data, and making sure they understand, the user isn't making a properly informed decision.

Pretending people will understand the consequences of data collection (with modern analysis methods) when there is a decent chance they can't even read the ToS/etc is what you tell yourself to alleviate cognitive dissonance.

[1] https://nces.ed.gov/naal/kf_demographics.asp#2

[2] https://en.wikipedia.org/wiki/Informed_consent

That's the equivalent of people having to manage blacklists for ad blocking - it doesn't work for most people because it's too much work or too difficult.

Just like uBlock solves it by making an accessible plugin and a managed blacklist, I hope someone will launch a simple appliance for home use that will manage this. The router/firewall UI would just need to provide simple switches for blocking various manufacturers' data collection.

Everything you say makes total sense.

I think you have a more optimistic view than I do, though, regarding one crucial aspect...

> Why buy commercial displays which usually are pretty expensive, when you can buy consumer ones and be smart about how you use it?

Right. But how long until consumer displays refuse to work (or, function in some diminished way) if there's no internet connection available?

When significant numbers of people start defeating those data collection efforts, TV manufacturers will start to take countermeasures.

These data collection activities aren't simply a thing that Vizio does to make a little extra cash on the side. Profit margins on mass-market consumer electronics like TVs are notoriously thin, and expected revenue from data collection is something that Vizio factors into their MSRPs.

> Prevent external network access to all the devices

You're assuming that is possible. Some system-on-a-chips have started including an integrated LTE modem.

(e.g. https://en.wikipedia.org/wiki/Exynos#List_of_ARMv8_Exynos_So... )

Who's paying for the data, though?

Same as everything else in a business: the company itself, out of the profit made when they sell the data. From the FTC's statement:

> Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others.

(or simply include the cost in the price of the TV)

Also, the data costs should be a lot lower if they negotiate for a very-low-priority, off-hour plan that batches the data, only uploading when it is cheapest.

There was a similar thread here on HN a month or two ago with a comment about swapping out the 'smart' logic board for a generic 'dumb' board.

Doesn't work for all boards but it makes sense that for some makes and models, the screen is relatively generic and can be driven by something you can buy off of ebay.

That or source an industrial display

Personally, I'd be pretty happy with very high quality monitor-only sets... I mostly run everything through my AVR anyways. Though some of the smart tv options are getting compelling, I tend to find the integrated devices are always a letdown after a couple years.

Yeah, same: I expect a TV to last a decade or more, but I expect a smart TV's features to become out of date about as quickly as most smartphones do. And I never expect drastic updates for those sorts of things; the TV company's revenue stream depends on you buying a new TV more frequently than I'd plan to.

I think a separate device like a ChromeCast or Apple TV is a much better choice.

I'd also like non-smart Blu-ray players. Well, speaking over HDMI is okay, but no internet crap.

Internet crap is a required part of the Blu-ray standard.

I think it's not just TVs. Any internet-connected home devices have to be viewed with suspicion until proven to be good household citizens.

"Vizio has agreed to stop unauthorized tracking".

As if there's any human-measurable way of confirming this. Yes they can be forced by a court. And no, the court can't know if they stopped all of the software copies on all TVs and no, the court can't know if they didn't re-activate them in the future back again.

What actual proof do we have that LG actually stopped? What actual proof can we have that Vizio will stop doing this?

Vizio is not an individual, it's a collection of employees and contractors, some loyal, and others who hate their corporate overlord and would love nothing better than to dob them in if they ever sneakily resumed the spying.

It's pretty sad that this is our only hope for an OEM that doesn't spy on its users, isn't it?

Where were these noble folks earlier?

This wasn't an issue earlier. It was a known public fact. I stumbled upon the marketing page for this feature about a year ago by accident without even attempting to find it.

What Vizio is doing has so little impact on privacy that it is embarrassing for our regulatory system that this is what they took action on.

Well, one could monitor all outgoing packets from your smart TV, but you would also need to know exactly how to decode what was contained in those packets... unless of course they conveniently set the evil bit for you. With the poor level of development associated with this type of work, it would probably be enough to identify a different set of servers for receiving the data.

With more sophisticated coding, you really do have to know what's in every outgoing packet. Perhaps it reduces down to problems similar to the discovery path of the VW Diesel emissions cheat - taking an interested hacker/researcher to examine the compliance.

I realize that a good router configuration (and a trusted router no less) might entirely eliminate the problem, but the thing is, there might be some other agreements between vendors we don't know about. For example, I have an ASUS router. I don't know if a Vizio TV can't send a packet to my router with which it gains unlimited and unfiltered net access. We simply don't know.

Anyway, probably my paranoia, but once you see things like the original post, you start to question a lot more. At least I do.

Replace your default router software with open source.

Easier - when I upgrade from my 6+ year old Sony, my TV will either be disconnected (ironically I trust the Xiaomi Mi Box more) or only allowed to access *.youtube.com. I realise this isn't tenable for most consumers.

This is probably gonna be the "temporary solution" which is gonna solidify as the permanent solution unless I really find some extra energy and motivation, yep.

A 2.2M settlement is absolute peanuts compared to the mountains of cash they likely made.

Yeah not much of a punishment to discourage further abuse. Should have fined them on a ratio of the number of data points they collected (100 billion). Even a 100:1 seems like a reasonable punishment for this scale of abuse ($1 billion)

The idea that the data that they collected was worth $1B is laughable.

Fine should be bigger than price of the data.

Expected return from 'illegal' activity E = R - p * F, where R is revenue, F is fine and p is probability of getting caught.

p < 1, so if F < R engaging in such activity is a rational, if immoral, choice.

There probably will be a class action lawsuit.

Which will be settled with a coupon for $12.00 off the purchase of your next Vizio Smart TV.

The reputational damage will in some ways be bigger than the fine itself.

Sad truth is most users don't care and won't ever even hear about this. There might be an impact but it won't really hurt Vizio.

...I hope this is just pessimism. Trust me, I do.

To me, this truth is why the market really isn't a good enough mechanism for protecting consumers - it is downright fatiguing trying to keep track of all of the bad actors/actions and there's no way to be specific in your feedback - market share and revenues are a really imprecise signal.

Just further confirms that "Smart" TVs are a ripoff at best and a scam at worst.

Never, ever, ever buy a television described as smart. For any reason at all. All of the solutions are miserably pathetic. All of the solutions are riddled with bugs, design omissions and potentially nasty security zero days. All implementations have little to no update support from major third parties.

And, in many cases from many companies, the units spy on you as aggressively as could be to sell data for marketing purposes.

"Smart" TVs are lose lose lose lose. You pay more, you get inferior software, inferior hardware and ultimately have your privacy abused.

EDIT: To be fair, I love my Vizio dumb TV I just got. 40" 1080p dumb TV for $167 inc. taxes this past black friday. Got a HDR/4K Roku for an additional $70 and this TV is beautiful and the Roku is so much impossibly better in both hardware, software and third party support than any "smart" solution ever could be, and costs far less than the "smart" upgrade!

I don't understand why someone just doesn't hook up their TV with their computer via HDMI or DP. Is switching sources too complicated for people?

Even the shittiest Dell boxes these days have 2 video outputs, I believe, so you can run 1 monitor + TV. Most laptops have an extra video out port too.

That way you can actually type on your keyboard when you search youtube, unlike typing with god forbid, a remote or an xbone controller (like a console peasant)

By using a $5 cable, pretty much anyone can make a TV 'Smart', and not just smart, but smarter than the ones that are marketed as such.

Because a full desktop UI is vastly inferior to a simple remote interface if you don't have a full mouse/kbb available, and having to have a mouse/kbb to, I don't know, pick a movie is very lame from a couch user perspective.

Because you can get 4K/HDR with regularly updated high quality third party apps like Netflix from Roku for $80 with hardware that can handle it.

But a Media PC running Windows would require you to spend several multiples of 80$ to achieve 4k/HDR with a good remote.

More work, more setup, more money, more configuration, and frankly the end result isn't better.

Easier to use your PC as a media server, then use Roku to read from the server using a remote on your couch.

Install Kodi, use the wireless gamepad as the remote control.

Problem solved, no money spent, best of both worlds.

>Problem solved, no money spent, best of both worlds.

Many new problems:

* Gamepad costs roughly 70% the cost of any entire 4k/HDR Roku setup. A first party game pad costs $50-65 dollars, while a HD Roku costs $80.

* A gamepad is VASTLY INFERIOR to a remote. This one is very easy. Gamepads are crappy, crappy remotes. The back triggers (L2 R2) are stupidly mapped to seeking causing endless fast-forward/rewind triggering by mistake. The buttons are unintelligible (what does a Square do to my movie? What does Y do to my TV show?) and are only usable by basically the 1 geek who set it up and is unusable by all other users who have to learn custom button mappings per application

* Kodi is vastly inferior to Roku for average use, like Netflix. Users must use unsupported, buggy third party non-Netflix based Netflix add-ons which are inferior in every way to an officially distributed Netflix app. At this point, the best solution is the PAID "PlayOn" subscription service, meaning the user must pay monthly just to access basic apps like Netflix which are free monthly on Roku (outside of the actual subscription, which both methods require)

I'm sorry but Kodi is pretty crap as a home media solution, have you ever relied on it for your full library and media consumption and watched it be used by the less tech-focused people in your home? Regular users, children, elderly people?

Roku is easy for my grandfather to use. Kodi + a Xbox1 controller? Not so much

Well, I already had all the hardware, and the hard disks already have most of the content.

I kind of disagree about gamepads being bad remotes. The default mappings are bad and I do agree about the triggers. We don't need more than half the control to do forward and rewind. I had remapped mine, particularly to add changing subtitles and audio streams.

But: the gamepad is the control I can use without having to look at it, because it is not a matrix of similar rectangular buttons, and after a while everything is just second nature. For me, nothing is faster or more intuitive now. And the buttons are REAL solid buttons, not crappy pieces of rubber. I get frustrated when I have to use a regular remote control now.

I don't use Netflix because I'm not in the USA and in South America it honestly sucks. And they hunt and shut down VPNs now.

However, nothing beats the price of your Roku for a new setup. That one I concede. Your setup is much cheaper. But you can't play Batman Arkham games on it :D

Cluttering up my living room by running a cable across it isn't very attractive, nor is the general experience of using a non-stationary laptop with a giant cable hanging out of it. I much prefer using a Chromecast, or using my Xbox with a wireless keyboard (which I have stashed under the coffee table, within reach whenever I need it).

It's going to get more and more difficult to find a "dumb" TV. Almost all medium and high quality TVs are "smart" TVs now. It costs TV manufacturers very little to add "smart" functionality and it brings in a lot of customers.

I think it's more pragmatic to look for a TV that suits your needs, including any tracking, advertising, etc. Some platforms let you turn it off and others don't -- e.g. Samsung's smart TVs show ads in the menus that you can't disable. I would never buy a TV like that. I just bought a Vizio recently, but I knew about their tracking software so I knew how to disable it during initial setup. Far from ideal, but I wanted a quality 4k display so I was pretty much stuck with "smart" TVs.

Also, for what it's worth, Vizio changed their "smart" platform to just be a built-in Chromecast which isn't as terrible as most smart TV platforms. I have an HTPC hooked up to my TV but 4k content is mostly limited to "approved platforms", meaning I have to use some kind of device to stream it.

Harder but certainly not impossible.

IMO you and others choosing to patronize overpriced and pointless smart systems is why it is becoming harder to find.

If even the people who care don't care, then sure, they'll surcharge $100+ on every model happily.

For what it's worth, my dumb Vizio was found in a stack of 20+ at a local Target during Black Friday. They were literally stacked at the entrance to the store. I couldn't miss it. It wasn't that hard to find.

That doesn't make much sense -- if I'm unable to find a product to meet my needs with a particular attribute, I'm going to buy one that meets my needs despite not having the attribute. In fact, the TV I got is the closest I could get to a dumb TV. It just has a Chromecast built into it.

Is your dumb Vizio a 4k TV? From my research, there was not a single 4k TV from a reputable brand that did not have some "smart" features.

"Smart" TVs are the worst TVs I've ever used, I really don't understand the appeal whatsoever.

They're almost universally clunky and slow with horrific UI / UX choices and painfully high latency on simple things like browsing a list of files or even just registering button presses, provide fuck all useful benefit over and above the regular TV experience, are usually running some long-deprecated version of Android which is riddled with security holes that will never get patched - why does anyone actually want this?

A Raspberry Pi running OSMC is everything you could ever want out of a home media setup, it'll work with good old regular "dumb" TVs that can't invade your privacy, with an interface so simple your grandparents can use it, and can be put together for well under $50.

And then there's Tizen which is even worse than Android Smart TVs. Dad bought a Samsung Smart TV with Tizen (even though I begged him to change his mind and buy a better solution for half the price) and expecting the worst I was _still_ surprised what an absolute piece of garbage that TV is.

This sounds like an excellent reason to simply never connect the TV to the Internet and to simply connect your own system to the TV whether it be a stick PC or something with a little more oompf.

Be glad that Ethernet over HDMI never took off.

That's what I plan to do but it still makes me nervous that the "smart" part of the TV might secretly contact my router and ask for network access.

I have zero proof but I became paranoid recently. :(

The reasonable tradeoff would be to buy a high-quality "dumb" TV with a very good screen. At least I hope so.

Last time I looked, dumb TVs were expensive and hard to find. I assumed that is because the manufacturer can make fat bank off Netflix, Amazon, et al. by including their apps. Not to mention the possible revenue made off this kind of secret monitoring. That probably makes a huge difference in a low margin business like TV manufacturing.

Disable UPnP, run a configuration where you can monitor all traffic in and out of your network.

> Ask for network access

Assuming you have a decent router that supports WPA2, I find it difficult to believe a TV would crack it.

Agreed, but. Most just bug you about 'updates' ad nauseam until you have a moment of weakness and punch it in. At least some will autoconnect to open wifi. Sure YOURS is locked down, but what about your neighbors? Just 'turning it "off"' is not enough for even casual security.

Exactly what you said. Even if I do my very best to secure my router and blacklist the TV's MAC address (and never give it the wifi password), how do I know that my neighbours won't mistakenly let their WiFi open for a day or two until they realize their mistake? Or if I tether my mobile data from my phone and turn into a router, that I might forget to secure it?

All it takes is one small slip.

I'd rather never take the risk. I'll just look for a dumb huge TV; I need 65+ inches, good luck to me, right?

You can usually unplug the Wifi module, if you don't mind opening it up (and checking beforehand if it is removable).

Good luck

All hardware is removable if you own a soldering iron ;)

This is promising and is a good start towards IOT precedent, and perhaps even operating systems of our devices (Windows 10).

- Explain your data collection practices up front.

- Get consumers’ consent before you collect and share highly specific information about their entertainment preferences.

- Make it easy for consumers to exercise options.

- Established consumer protection principles apply to new technology.

I wonder how many technical teams are scrambling to undo their spying now - though this is a fairly insubstantial fine. I could see the data being potentially worth more than $2.2m

To note, they were also forced to delete the collected data, though the insights they've already extracted / profits from data they've already sold may offset both the point and the $2.2 million fine.

You're right, good insight.

I was thinking purely about risk/reward for other players in the market. The fine is 0.4% of the Note 7 recall cost, not including brand damage.

A fine this nominal could easily be seen as the cost of doing business - if you get caught.

If they really have sold 10 million devices then the fine is 22 cents per device.

Vizio might be able to delete the data but there is not much of a chance that the data brokers they sold to can. Probably already baked into their models.

Plus how is this verifiable? The fine should be a lot higher to discourage this action.

> I wonder how many technical teams are scrambling to undo their spying now

I bet the ones that truly have to worry in terms of size calculated that the cost of undoing it will outweigh the cost of an eventual penalty, underscoring the word "eventual".

What I'm about to say may go against what many of the HN community believes. This isn't an attack on anyone's beliefs; I'm merely expressing my thoughts in an attempt to solicit constructive discourse.

I'mma be honest. I don't understand the repulsion at the possibility of corporation X knowing my personal info, (excluding the usual things like bank account info, SSNs, etc) like my location, search history, etc. To be clear, I'm 10000000% against warrantless (FISA court "warrants" excluded) government access to this information. Here's my reasoning:

* Governments

Have the power to arrest and detain on a whim. Not to mention, use drone strikes.

* Corporations

... Don't. These entities have self-interested incentives to provide tools which are economically productive for users. For example, a smarter smartphone, whatever that may be.

Regarding Vizio, my gripe is that Vizio's goal (for this product at least) is to make a profit producing TVs. So, after the TV is sold, the product is individually "finished" (not considering support stuff). So, then, what other product is the data collection for, and what does this product give me in return for my data? The answer to both is no, and not just for Vizio.

Maybe I'm naive.

One thing to consider is that regardless of original motivations, once data has been collected by any party, that data CAN come into another party’s possession. Maybe the company network is not secure and the data is just stolen. Maybe a disgruntled employee screws them over. Maybe the company is bought out by someone else with different goals.

The point is that you can never assume that something will only be available to certain people for certain purposes. Even if you know this at one point in time, things change.

Therefore, one must expect and demand the highest security throughout technology stacks, and implement laws to clean up whatever cannot be guaranteed by security technologies.

Let me shoot a few holes in your reasoning.

> Corporations ... Don't [Have the power to arrest and detain on a whim. Not to mention, use drone strikes.]

... yet. In western countries. It's not unheard of in history for corporations to have armies.

That said, the primary issue today is that once data is collected, a government entity can subpoena for it, essentially turning the thing into a user->corp->govt data pipeline. In cases where you'd be worried about serious government abuse of data, the corporate databanks are not safe from it either.

Secondly, some companies do have a way of ruining your life. Think banks and insurance companies, for example.

> [Corporations] have self-interested incentives to provide tools which are economically productive for users. For example, a smarter smartphone, whatever that may be.

No, they don't. That's the naive story you may hear about market economics in primary school. The truth is, these entities have self-interest incentives to make you pay them for shit. It doesn't matter if it's economically productive for you, or if it's economically destructive. Think cigarettes, addictive entertainment, crappy products that break quick, planned obsolescence, various marketing shenanigans they pull with telemarketers, etc. Companies make useful products only when, and only to the extent, that they sell better than useless products.

It's the lack of transparency that's the real problem. I like to know as much as I can when something I own is sharing personally identifiable data about me and my habits to companies (and governments). The fact that the whole effort on Vizio's part was under the radar means that consumers lacked important information about the functioning of their TV's. If they had known about the depth and breadth of the data collection, maybe some portion of purchasers would have made other decisions. Once that's on the table, then you're free to make the choice to let that data be shared if you're comfortable with it (as you indicate you'd be in your case).

Yes, yes, yes. For example I am perfectly okay with Google slurping up every bit of data they can about me, tracking my every move etc. because the benefit I receive (i.e. really spooky-accurate suggestions & info in Google Now) is worth the privacy tradeoff.

Also, based on their past actions and statements, my level of trust with them is very high that they will be transparent with their uses of that data and that they will diligently guard against that data being put to other uses that they or I didn't allow.

But what Vizio has done here makes it perfectly clear that providing any benefit to the end users was never their goal and that keeping the true nature of this program secret was an intentional act. That's enough to ensure I'll never buy a Vizio product in the future.

I think your idea of distinction between "governments" and "corporations" is naive

What do you think the corporation does with your personal info when the government asks for it?

The collected data about you will be used by marketers to sell you goods and services at a higher price and not to make a "smarter smartphone". For example if an online shop somehow knows that you live in your own house it can set higher price for you than for people who rent a cheap apartment in a city.
