Three recent papers uncover the extent of tracking on TVs (twitter.com/random_walker)
411 points by randomwalker on Sept 28, 2019 | 155 comments

I try to think long and hard before I buy any hardware which has an obvious tracking use case, other than a router and a smartphone, but so many friends and relatives try to one-up each other by filling their homes with Alexas and Ring doorbells, and all sorts of tracking technology.

I'm not saying I'm perfect, like I said I have a phone and a router, and I understand at a point I can't hide certain things, i.e. my ISP can see what I'm pulling on the net and I find it's not worth the hit to convenience to try to scrub or obfuscate that info, but man, one guy I know has an Alexa in every room in his house! Another has IoT'd his place upside down with various Chinese equipment that is collecting who-knows-what data and sending it who-knows-where, and it's not that I have a problem with it, but they don't even think of the privacy implications when they buy these things.

I try to live my life as if I'd become president one day and the CIA/FBI/NSA would use everything in their power to find something heinous they could use to destroy my life, and also so that I don't have to worry about my future children having their entire life uploaded from birth to death because of mistakes I made in the technology I buy. It keeps me humble and skeptical of new hardware and I truly measure the impact it has on the privacy of myself and those around me, but I wonder sometimes if it has no effect because they could always build a profile based on how I've interacted around others' technology.

I used to be the same way but then I became victim to a very sophisticated and coordinated cyberattack. It all started when one of my financial accounts was compromised. I was able to get that mess cleaned up and I beefed up my security everywhere, but then I started to get very strange things happening. I would get phishing e-mails that were very well crafted, so much so that they were able to get past Gmail's filters. I would get e-mails from "lost friends" trying to get in contact with me. They knew my name, my address, my phone numbers, where I worked, and even places I had visited on my days off. I would get calls where the person would sound normal. They knew my name and all pertinent details. They would try to get me to small talk with them before asking out of the blue questions like what type of car my first car was. I am somewhat paranoid so I do not disclose any of this information willingly.

It was very very freaky to say the least. I've beefed up all my security credentials and deleted a lot of my social media accounts as well. Most of what I do online now is pseudonymous.

Lots of people say stuff like "I have nothing to hide" but trust me, you definitely do. You don't want people to know your first and last name, your address, where you work, your phone number. There are criminals out there that will try to rip you off any second they get and try to pull all sorts of tricks to get access to your money. The level of effort I saw in these attempts was significant and I could see how lots of people could get tricked by it. I would say that all of the attempts from the calls to the e-mails were custom written specifically based on the information they knew about me.

In hindsight, this is all my fault. I was too trusting of big tech companies putting my information out there for all to see and now I am paying the price for it.

The other major problem is how public information can so often be used to authenticate as you. Someone asked Amazon customer support for the last address I had something shipped to after supplying them with my name and an address I used to live at.

No amount of security best practices on your part can save you from these sorts of attacks.

Methinks scammers are just getting better at phishing and extortion.

Eg, scammers are now scraping haveibeenpwned.com, then matching it with all the other publicly available information. I imagine non-geeks easily believing the extortion emails I now routinely receive.

It's a form of the tragedy of the commons. Any given individual generally has little to actually lose by allowing themselves to be surveilled by corporations. In aggregate, however, that increasing surveillance has a deleterious effect on society.

They aren't aware of it though.

I guarantee you that if brand X would have explicitly stated what they were doing the outcry would have ended it all rather quickly.

They have nothing to fear or lose. So that one guy gets his promotion while everyone's privacy is sold for pennies.

Facebook popularity (among others) challenges your guarantee :)

I recently lost a domestic argument over Google Home Minis in my kids' rooms... we just sound like conspiracy theorists, even in this post-Snowden era. The response is a shrug of the shoulders more often than not. Honestly it's just going to be played out. The masses will need to get screwed badly before we collectively wake up.

I'm opting to simply prepare myself for the fallout, like rampant identity theft, loss of privacy, lack of objective / critical news coverage, etc. As an example, the SaaS service I built and run does absolutely zero user tracking / analytics, anticipating that some day this will be appreciated.

You make a good point, but I think individuals underestimate what they have to lose. We all have something to hide (in many cases including intimacy, trade secrets, client confidentiality and our plans for negotiations/auctions/etc). To submit to blanket corporate surveillance is to risk that data leaking to criminals or being taken by governments.

> my ISP can see what I'm pulling on the net

You could use a VPN if you wish to avoid that.

Generally, I agree with you and wrote about my thoughts:


My concern is really that we won't have any kind of freedom in the years to come. There's pretty much nothing you can do. Only thing we can kind of do is provide some privacy, sometimes...

Then the VPN company knows what you are pulling on the net...

Some VPNs conduct third-party audits to be able to say that they don't persist info about your traffic. That's usually more than what an ISP is willing/able to say.

I worked for quite a lot of companies that had a few planned and random audits by third parties, including government. We did things one way when they were there. We did it totally differently when they weren't. Made me doubt the value of anything other than live surveillance of the company or network, remote and with a well-paid person stationed there.

Agree, a simple VPN is not enough. You need to know how to use the more advanced security tools like using Bitmessage for e-mail/messaging, Signal with end-to-end encryption, Tor, etc. Everything needs to be encrypted directly on your computer before it is sent, and using super strong passwords on everything. All big companies and tech companies provide zero protection for their customers. It is your duty to do it if you want true security/privacy.

All of which is never going to happen for all but the most knowledgeable and dedicated. What is one blank spot on a map but an invitation for the cartographer to devote more resources toward discovery. If this matters to us, we need a more universal solution.

I had been wondering about that. Are there any mechanisms in say, Nord VPN, that stop them from tracking you or is it just shifting your trust from the ISP to a VPN provider?

There's a few mechanisms but they're essentially all market/regulatory forces which might not be adequate enough for some. At the end of the day you're still just shifting your traffic from the ISP to the VPN provider and you still need to trust your VPN company like you would (or wouldn't) your ISP.

As far as the forces go, the first and biggest force should probably be the legal one, companies generally can't lie or mislead while advertising or entering contracts. If a VPN company advertises that they don't keep logs and it's discovered that they keep logs it's a pretty good case for a claim against the company to get out of the contract at the very least. This all depends on specific countries, VPN companies involved, what claims those companies are making, etc. It should be noted that an employee doesn't need to leak anything for this to be the case, if the VPN company is involved in a public court case then it can be inferred whether they actually keep logs, this has been the case with at least one company.

The second force tends to work in favour of the VPN company and is the market forces involved, generally you might only have a handful of ISPs to choose from if you even have a choice as you could be stuck with a single cable company for instance. This isn't the case for VPN companies as you have literally thousands to choose from and they can be located anywhere in the world, and while this might not be a big deal if you're from a first world country with good network infrastructure and regulatory environment already it'll be a bigger deal for people living outside of these countries.

The third is somewhat related to the second, there's obviously a use case for privacy focused VPN companies whose value added product is simply to provide a good service and there's more than enough people that will want to make a business out of it. This is obviously the case for ISPs too where their value added product may be technically competent staff and ensuring that they'll uphold your privacy and won't engage in censorship, etc, but again access to these ISPs may be limited.

The other really good point I read about a while back is one of jurisdiction. Your ISP is essentially guaranteed to be and operate in your country, giving your government jurisdiction over your ISP's information on you. A VPN may be in a different country, making things a hell of a lot more difficult for your government.

And still the ISP to some extent. Content fingerprinting just from the packet sizes / timing is unreasonably effective. It doesn't matter that the packets are encrypted.

I admittedly don't know enough about VPNs. But could I just SSH tunnel to an EC2 instance and browse the web with a SOCKS proxy?

You'd still be leaking through DNS (and basically all non-HTTP communication) and applications which don't adhere to proxy settings, which are a lot. WebRTC doesn't go through the proxy either, IIRC.
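
The DNS leak through a SOCKS proxy comes down to whether the application hands the proxy a hostname or resolves the name itself first and only passes an IP. As an added example (not posted by any commenter in this thread), the Python below models the SOCKS5 CONNECT request a browser sends to an `ssh -D` listener in both forms and flags the leaking one. The `FAKE_RESOLVED` table is a constructed stand-in for the local getaddrinfo() call and uses a documentation address; nothing here touches the network.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed stand-in for the local resolver: a real client would call
# socket.getaddrinfo() here, and that query is what the ISP sees in the clear.
FAKE_RESOLVED = {"example.com": "203.0.113.7"}


def connect_request(host: str, port: int, remote_dns: bool) -> bytes:
    """Build the SOCKS5 CONNECT request an application sends to an `ssh -D` listener.

    remote_dns=True  -> send the hostname (ATYP 0x03); the SSH server resolves it.
    remote_dns=False -> resolve locally and send the IPv4 address (ATYP 0x01)."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(FAKE_RESOLVED[host])
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_request(req: bytes) -> dict:
    """Decode a SOCKS5 request (RFC 1928 section 4) into its fields."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        dest, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dest, end = req[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        dest, end = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(req) != end + 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"cmd": cmd, "atyp": atyp, "dest": dest, "port": port}


def dns_leaks(req: bytes) -> bool:
    """True when the client resolved the name itself, i.e. a DNS query left the host unproxied."""
    return parse_request(req)["atyp"] != ATYP_DOMAIN


if __name__ == "__main__":
    for remote in (True, False):
        r = connect_request("example.com", 443, remote_dns=remote)
        print(r.hex(), parse_request(r), "leaks DNS" if dns_leaks(r) else "no DNS leak")
```

In curl the two behaviours are `--socks5` (resolve locally, leaks) versus `--socks5-hostname`; in Firefox the switch is `network.proxy.socks_remote_dns`. Neither setting does anything for applications that ignore proxy settings altogether, which is the other leak the comment above points at.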

Also, you're still trusting Amazon to play by the rules, which is unlikely if state actors are involved as the comment (which spawned this discussion) insinuated

It's educational to try.

I had to tunnel DNS through OpenVPN to make DNSSEC reliable.

On a wifi router, there's loads of leakage; mDNS, NTP, things devices do to check for captive portal, weather apps, etc etc.

You can MITM HTTPS, but it breaks HSTS sites, unless you hack your browser.

Good write up!

Although I pay for ProtonMail, this year I started using gmail again for almost everything - I found email search and automatic calendar integration compelling, especially for travel arrangements and keeping organized while traveling.

I am starting to regret the switch back to gmail because I am slipping on privacy for the sake of convenience.

EDIT: as a self-labeled liberal, I find Kevin Williams' very conservative politics somewhat disagreeable, but I still find his new book “The Smallest Minority: Independent Thinking in the Age of Mob Politics” well worth reading; it has slightly changed my viewpoint on the importance of personal liberty.

I recently set up a home security system for a renovation project, so we wanted something that could send us notifications. There was exactly one system that works by SMS only, and I like the simplicity: no ads, no phoning home to some server, etc. I check the bill on the SIM card to confirm that the only activity is texting with my phone.

In the larger context it's easy to forget that good compromises are available, it doesn't have to be all surveillance or nothing at all.

Do you mind sharing more with me about your setup? I've been researching options, including DIY, but don't want/need all the bells and whistles espoused by the "easy" corporations.

It's a system made by Smanos, not DIY, and has a central unit with battery backup, RFID tags and remote control. There are a bunch of sensors, standard stuff. The part that attracted me was the simplicity of using only text messages to control it and receive notifications.

"I try to live my life as if I'd become president one day and the CIA/FBI/NSA would use everything in their power to find something heinous they could use to destroy my life"

It's a smart move. It's more likely to happen during a regime change, shift in popular opinion, etc where a group is labelled unpopular, not to be tolerated, and/or dangerous. That has happened many times in my life. Then, the Patriot Act passed letting them black-bag people for torture flights or hold them indefinitely due to what they claim to find via secret surveillance whose methods aren't peer reviewable ("classified").

Part of the complaint about surveillance is the chilling effect it has of "someone is always watching over your shoulder", and the self-censoring which ensues; if you're going to "live as if I'd become president one day", the surveillance culture is having that chilling effect on you already even though you try to opt-out.

(And you're not getting any of the benefits those technologies could have; worst of both worlds).

I've got one of these smart devices in every room of my house. Love it. Fantastic experience. Maybe some day I'll pay for this. My take: I won't. I'm going to be fine. And I have no anxiety about this.

Corporate surveillance "pollutes" democracy like a car pollutes the air we breathe.

You'll get away with using an internal combustion engine. You'll be fine.

But you are harming me and everybody else.

I don't think you've demonstrated the externality. You don't have to come to my house. Chances are I probably won't invite you.

> I don't think you've demonstrated the externality.

Forbo's answer points it out.

> Chances are I probably won't invite you.

Can't you come up with a better argument?

While one of your devices collected a conversation about wine and sells it to my insurance company years later. Tata nerd!

The externality is that it fosters an environment in which surveillance capitalism is able to thrive. It's not limited to just your home.

You're right. Most people "get away" with all this crap.

My take on this is that I can't miss what I never had. Knowing myself, once I get used to some convenient tech it's hard to go back. I got my first smartphone only two years ago and even then consciously restricted my usage by basically just using it like my old phone plus email and a browser. No WhatsApp, no cloud services, no voice assistant.

And every now and then when visiting a friend or colleague I'm amazed to see what's actually possible with modern tech if you fully embrace it. So I just fiddle around a bit out of curiosity and that's it.

I respect that. Personal discipline. I think you can make your life better with these things, but if you've tried them and determined they're not for you, then not having them seems sensible.

You spoke against the hive mind on this forum and are getting downvoted. The agenda some people push on this forum is a bit asinine. Everyone is spying on me and intentionally out to get me. Corporation X, Y, Z are “evil”, etc. I wonder sometimes if this forum is turning into Reddit.

You can smoke and get away with it.

It's stupid anyway.

Nah, you can't. There is a continuous deleterious effect on your health, not just the increased risk of lung cancer. I used to smoke. The difference is huge when you don't. I've lived without the devices when I've been elsewhere for a while and I don't feel better in any way.

> my ISP can see what I'm pulling on the net

Will DNS over HTTPS help mitigate this?

They still see traffic to an IP, and the hostnames in the certs. Also the request/response lengths can reveal what was fetched
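
The "hostnames" the ISP still sees after switching to DoH are the TLS Server Name Indication: the lookup itself is now hidden, but the first packet of the TLS connection carries the name in cleartext, and a passive tap on the ISP's side reads it without breaking any encryption. As an added example (not posted by any commenter), this Python builds a minimal TLS ClientHello with an SNI extension and then parses the name back out the way a passive observer would. The three cipher suites and the single extension are simplifications of what a real browser sends; the SNI layout is the real one.

```python
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00


def build_client_hello(sni: str, cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.

    Simplified for the example: one extension, three cipher suites, empty session ID.
    A browser's hello is much longer but encodes the server_name extension identically."""
    name = sni.encode("ascii")
    entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry            # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                            # client_version (TLS 1.2 wire value)
        + os.urandom(32)                                       # random
        + b"\x00"                                              # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                          # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the SNI hostname out of a TLS ClientHello record, or return None.

    Handles a single complete record only; a hello split across records or TCP
    segments needs reassembly first. Malformed input yields None, not an exception."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                 # skip client_version and random
        i += 1 + hello[i]                          # session_id
        (cs_len,) = struct.unpack("!H", hello[i:i + 2])
        i += 2 + cs_len                            # cipher_suites
        i += 1 + hello[i]                          # compression_methods
        if i + 2 > len(hello):
            return None                            # hello without an extensions block
        (ext_len,) = struct.unpack("!H", hello[i:i + 2])
        i += 2
        end = i + ext_len
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[i:i + 4])
            i += 4
            data = hello[i:i + elen]
            i += elen
            if etype != EXT_SERVER_NAME:
                continue
            j = 2                                  # skip ServerNameList length
            while j + 3 <= len(data):
                ntype = data[j]
                (nlen,) = struct.unpack("!H", data[j + 1:j + 3])
                j += 3
                if ntype == NAME_TYPE_HOST:
                    return data[j:j + nlen].decode("ascii", "replace")
                j += nlen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    rec = build_client_hello("example.com")
    print(rec.hex())
    print("observer sees:", extract_sni(rec))
```

One caveat on the "hostnames in the certs" part: TLS 1.3 encrypts the server's certificate, so that applies to TLS 1.2 connections. The SNI stays in the clear in both versions unless Encrypted ClientHello is in use on both ends, and the destination IP and record lengths mentioned above are visible regardless.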

ISPs will quickly move from domain-name tracking to IP tracking. How many times has pornhub changed their IP? Never?

Not if the DoH is performed by Cloudflare. We need decentralised DNS over HTTPS services to guarantee anonymity. Obviously, no service should log users' activity either.

Your ISP won't see your DNS requests if you use DoH from Cloudflare. Cloudflare will, but so would whoever else you resolve queries with if it wasn't Cloudflare.

Never trust a tech company to give you privacy. Big mistake.

It's also a good idea (and costs nothing, not even time) to always put in different garbage information whenever you have to enter a name, DOB, or whatever, anywhere. Even before widespread computer use, I think it made sense to always spell your name in a different way on every form. Slow the bastards down at least!

This is a good idea

I feel uneasy visiting friends with Alexa and all that.

Shouldn't be any more than friends who just have a smart phone.

I used to joke about being uncomfortable with people visiting my apartment carrying smartphones, now I'm actually becoming uncomfortable with people visiting my apartment carrying smartphones. All of my technology is dumb as shit/rooted. I've physically taken the webcam out of my new laptops for years before the first power up, which is with a Debian DVD.

And I honestly think that I'm taking the lazy approach because I'm not overly concerned about being targeted, just caught in dragnets. Anybody practiced and willing to put in a few hours of work could own me. I could own me, so I know it's true. People who aren't technical with software, hardware, and web architecture just have no chance.

Not at all. Alexa is known for uploading plenty of audio recordings. If phones were doing the same on a large scale people would notice the network traffic!

How do you inspect the cellular network traffic?

Various cheap devices catch plenty of interference from a phone in transmission. You don't have to analyze traffic to realize that phones are transmitting all the time without a good reason.

Also, you can easily intercept traffic over wifi. You can even do that while switching off GSM.

> how do you inspect the cellular network traffic?

You can investigate cell traffic with an SDR.

I am not doing it.

If you carry a phone, all the rest is just gravy. There's an old saying, "if you are going to get screwed anyway, you may as well try to enjoy it".

Isn't there some way these TVs are violating the Video Privacy Protection Act?


Even the amendment in 2012 seems to make it legal only to add a "share" function for a user to post what they watched on a service. It does not seem to make it possible to just share all viewing info. It also does not make it possible to just add it to a EULA or TOS.

> In 2015, a federal appeals court in Atlanta found that those protections do not reach the users of a free Android app, even when the app assigns each user a unique identification number and shares user behavior with a third-party data analytics company.

So the TV company would probably argue that it's not a violation if they don't know your real identity. Even though they share the data with an analytics company that does.

But the only way to really answer the question is to litigate.

The main issue in the 2015 case was that the app was free and therefore the users weren't "subscribers" by the court's narrow interpretation. See the discussion near 103: https://harvardlawreview.org/2018/04/the-video-privacy-prote... They mention a later 2016 decision where free mobile app users were considered subscribers.

Typically circuit splits end up in the Supreme Court sooner or later. So if it does come up it'll be some pretty expensive litigation.

Having thought about it a bit recently, smart-TV advertising and tracking seems like it may become more invasive in some ways than smartphone-based tracking. Smartphone ads at least give the perception of being personal.

Watching TV is a social activity - gathering at a friend's place to watch a new episode, or relaxing with family.

The future implied by these developments is that TV-based tracking will take the home audience into account, and the screen becomes -- in some sense at least -- a camera as well as a display.

Instead of being shown subtly inadequacy-leveraging ads on your own device, now they're going to be interwoven into your family's home in such a way as to influence thoughts and opinions.

Gradually adtech will - as it has already - erode the ability to have peaceful, genuine social human interaction while enjoying an artist's intended work uninterrupted.

I'd like to think that alternatives to advertising finance are on the horizon, because the ad business seems to further income inequality. Adtech employees deny and avoid their guilt by enjoying the profits they make, while their audience (who are increasingly also their acquaintances, as peer-based referrals and influence marketing heat up) are pressed to spend and consume, often unnecessarily.

I'd wager the trend towards ads and quantified influence is going to continue until it necessitates radical change.

NB: In reality the capability likely already exists to target ads based on who you're currently with, so this is really just an opportunity for the advertising industry to socialize and normalize these practices.

I honestly expect adtech to bust at some point.

At the end of the day, there are a lot of limits on how successful any ad campaign can be. How much budget your target has, how elastic it is, how much demand is inherent to the product type.

Even with perfect 24/7 targeted advertising, Toyota's maximum possible upside is selling me one Camry every two years. Once they reach that point, any further marketing spend is wasted.

There's also the problem of advertising being imperfect. We'll always have faulty data, and importantly a trustless adversarial relationship with the consumer, which will limit the ability to improve ad effectiveness. (Imagine the opportunity to say in one central place "I have bought a widget, everyone I researched with can discontinue the widget post-visit campaign as there's no further chance of victory"-- advertisers wouldn't go for it and consumers wouldn't believe it). I also suspect tighter and tighter targeting increases the risk of catastrophic ad failure-- where it undermines the brand's reputation or creates public backlash. The Uncanny Valley can be one hostile place for brands.

Do expensive, high-tech ads outperform cheap spray-and-pray techniques like TV spots and dumb banners? Probably. But I suspect the price-performance curve is approaching an asymptote pretty quickly. Billions are spent to chase increasingly small gains in actual sales over older, less creepy techniques. Someone's going to do the numbers and start asking questions.

The real advantage of "smart" advertising isn't in better business performance, but of better legibility of the advertisement's performance. The cheap spray-and-pray techniques might work, but you don't know how well they work, so you make a guess and bid on it based off the low end of the range.

With perfect information about how well an advertising campaign works, you can convince the rest of the org to spend up to 100% of the profit margin of a sale on enough marginal advertising to drive one additional sale.

In other words, the end state is measuring ad performance well enough that spending on ad buys wind up cannibalizing all the corporate surplus generated from them.

> Even with perfect 24/7 targeted advertising, Toyota's maximum possible upside is selling me one Camry every two years. Once they reach that point, any further marketing spend is wasted.

Not necessarily. Growing their brand and making it more trustworthy has intangible benefits, but they do exist. The idea is to make you feel better about their company.

Orwell's telescreen has been here for years but has a different, more pleasant packaging and features, because the world we're living in takes the best from both "1984" and Huxley's "Brave New World" and mixes it together.

> Smartphone ads at least give the perception of being personal.

Ads maybe but phones are personal as much as your contacts list and metadata leaks.

> I'd like to think that alternatives to advertising finance are on the horizon,

It will never happen because alternatives won't scale.

Didn't Facebook just unveil their TV offering, complete with a camera "for video chat"?

You know that TV has always included ads, right? And the purpose of an ad is to influence thought and opinions?

From trying to reduce hostile snooping/malware "TV" behavior for the last few years (as an on-principle techie exercise)...

My current practical requirements: Lately, I mostly watch movies and series from borrowed Blu-ray and DVD discs (which turned out to be a better catalog, IMHO, than Netflix's streaming catalog at the time I switched). I also want to occasionally play PS4 online multiplayer games on the same display.

I didn't want the PS4 to be phoning home when I played the discs, so I found a model of Blu-ray player that does DVD 1080p upscaling, but which still doesn't have WiFi. I did a final firmware update of the (EOL'd) Blu-ray player over the Internet, and then have a policy that the player will never be plugged into the Internet again. (Again, this is mostly an on-principle exercise, and, so far, it's proven practical for me. I've encountered only one Blu-ray implementation bug, which is known lockups of a very small number of titles in 24p mode of some players, and which never got a firmware update anyway.)

(Before the Blu-ray player appliance, I tried using Kodi for playing DVDs, first with a laptop, and then a RasPi 3 setup, but that worked poorly.)

I paired the airgapped Blu-ray player with a nice older Sony 1080p TV with decent integrated speakers, and which had no WiFi, and was not new enough to be fully "smart TV" obnoxious. It has a nice picture, and works well with the Blu-ray player's remote over HDMI. To get this one, I had to do some research, and then do daily searches on CraigsList for a while.

The two main drawbacks to the older, less-smart TV are that it's not 4K, and that it's power-hungry. (20W off, 90W to display no-signal screen, peaks to 140W+ even in a dim room.) For saving the 20W when off, I'll probably move the TV to a secondary position on a smart power switch, but I've hesitated, because I don't know whether the TV was designed for frequent abrupt power cuts, and, if I wear it out prematurely, finding a similar replacement model on the used market looks increasingly difficult.

When I eventually upgrade to 4K or whatever is next, I suspect I'll probably end up getting a non-TV commercial display without Internet, and a separate audio amp and speakers.

Maybe I'll also be forced to give up on borrowed discs, and switch more to streaming, which I suspect will be locked-down with anti-user hardware and software, and (unless regulation really steps up) fraught with excessive corporate surveillance and other misbehavior (and possible attendant vulnerabilities, due to the complexity and methods).

There are some open source media player things I'd like to build, if I can ever spare the time again, but those might be precluded by the available (legal) consumer-hostile media methods at the time.

I bought a modern 4K “tv” [0] (actually a monitor) recently without any sort of “smart tv” features. There are a few options out there in the high end monitors or, even cheaper, the “Corporate display panel” genre. I was appalled at how hard it was to get a display that wasn’t able to phone home, though!

[0] https://www.lg.com/us/monitors/lg-43UD79-B-4k-uhd-led-monito...

How do you do sound? That’s the bit I’ve been stumbling over. Having a separate receiver and therefore another remote is not something I’m keen on.

Integrated speakers in TVs have never been good, but as TVs get thinner, the speakers get worse.

In theory, HDMI-CEC might make it possible to control everything with any device's remote. My TVs are too old for that to work properly though. The receiver should come with a universal remote, which may work for you. I'm happier with the Logitech Harmony non-touchscreen remotes; model 665 has a nice shape, and the screen is useful for picking activities and using functions that are hard to map. The configuration software is torturous, however. If you're using an IR remote like the Harmony 665, you'll want to group components for easier aiming.

My way requires a separate receiver but at least not a separate remote... TV speakers just weren't enough for me.

I have a 6+ year old dumb panel that has S/PDIF and RCA "audio out" connectors.

I run HDMI from a Pi to my TV, then S/PDIF to a receiver for full surround sound. Volume control is either done through the TV remote or Kodi, the receiver stays on 24/7. With CEC, the TV remote can also control Kodi.

Personally, I'm fine having several remotes, but I realize that most people would prefer not to.

My setup is a stereo receiver plugged into the display's stereo out. A Linux desktop, RPI4 (for Kodi), and a PS2 (via a component->HDMI converter) all plug into the display, so all audio is device->display-> receiver, except for the PS2 which is optical S/PDIF. All HDMI devices end up on the same channel on the receiver.

I keep the volume on the receiver at a pretty neutral level, so I don't often use the receiver remote, instead using volume control on the display remote. Of course, when I want to play CDs/cassettes/records I can't use the display remote...

If anybody has any recommendations for a good universal remote, I'd love to hear them! Nothing I've found works well with my receiver (HK 3490). Of course, I also don't want the remote to have WiFi or Bluetooth.

My setup is to use optical out from my HDMI splitter to a Sonos sound bar. The sound bar can remap its volume up/down to respond to arbitrary remote input, so I use a couple otherwise unused buttons on my $20 remote from Best Buy.

If you can find one that supports ARC you can control your receiver and TV with a single remote.

Next time around I'm planning on going the monitor/commercial display route too.

Not sure if it meets your use case but Optoma makes 4k projectors, and other HN members have reported buying 4k true monitors with no smart guts. There's even a commercial TVs and Displays section on Amazon. It's a mix of dumb displays and smart signs which seem to be much more limited in functionality than consumer products.

All legal because you clicked 'agree' on a mountain of legalese. It's past time voters and consumers engage in some serious collective bargaining as to what manufacturers are allowed to put in those agreements, and what the products are allowed to do. We've been 'voting with our wallets', isolated and individually, for decades, and things have only been getting worse.

The problem is that we* voted with our wallets for "neat features" like watching YouTube without attaching to a computer, voice control, and lower prices. Very few actually did and do care about privacy and security implications.

It's like buying chips and candy, few care about "nutritional value", and most care about a twist of taste.

* "We" figuratively; I haven't had a TV for the last 20 years, and likely neither have a number of readers. Not a large enough number of consumers, though.

If you haven’t had a TV in 20 years, TV manufacturers care even less what you think about this tracking. You aren’t going to buy a smart TV, but you weren’t going to buy a dumb one either so they’ve lost no revenue.

For now the TV owners (if you can even call it ownership) can work around by not connecting them to the internet (and using an Apple TV or some open source system for streaming), but individual streaming providers on that will still track you, so it’s a small win. And if enough people did that, manufacturers would just stick a cellular modem in to bypass the WiFi network.

I don’t see a solution to this short of comprehensive privacy legislation.

You would probably get quite far just abolishing patents and copyright. Seems to me a lot of the stranglehold on the market to get away with all this relies on exclusive control of the tech and the content. With this out of the way I’m pretty sure civil society would come up with acceptable infrastructure pretty quickly.

Eh, sorry, when you clicked "agree" you agreed to give up your right to collective action in favor of confidential arbitration that is _totally_ more fair than those nasty old courts.

Is there a better alternative than discursive agreements with a single yes/no at the end?

People have been litigating this for a while, and the best Google and Apple have come up with is prompting you for permission to access your camera.

That was a form of collective bargaining, and that was the result, I just don't necessarily believe that a congressperson's staff is going to do a better job than the monopolist platform holder.

> Is there a better alternative than discursive agreements with a single yes/no at the end?

T&Cs really just seem like a way to ensure that the company can get away with every abuse of the consumer that's arguably legal. In some cases, e.g. credit bureaus, there isn't really a way to opt out of signing their T&Cs without also opting out of modern society.

Without a government that's actually interested in protecting consumers, it's a moot point.

> credit bureaus, there isn't really a way to opt out of signing their T&Cs without also opting out of modern society.

If anyone's curious, here's more detail.

Opting out of credit bureaus is actually not possible. One can opt out of pre-screened offers of credit (https://optoutprescreen.com/, https://simpleoptout.com/#lexis-nexis), can lock your credit to prevent credit checks, and can opt out of some of data sharing, but financial institutions have safe harbor to release information to credit reporting agencies under the Fair Credit Reporting Act (https://www.law.cornell.edu/uscode/text/15/1681).

The Gramm-Leach-Bliley Act requires financial institutions to let customers opt out of disclosing "nonpublic personal information to a nonaffiliated third party" (https://www.law.cornell.edu/cfr/text/16/313.7). That constraint would be fairly reasonable, except that there are giant additional carve-outs (https://www.law.cornell.edu/cfr/text/16/313.14, https://www.law.cornell.edu/cfr/text/16/313.15). The biggest things that no one can opt out of are "(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors;" and "(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.)."

This is true even if one has never requested, been extended, or will ever request credit. As you noted, the only way to "opt out" would be to only receive or pay cash for everything and forgo modern society.

The root cause is FCRA's overly broad scope. Instead of allowing credit applicants/recipients and credit providers to establish an equilibrium that works for both parties ("Want credit? Okay, opt in to credit reporting from your other vendors and then we'll review your application"), FCRA forcibly opts everyone in.

You've probably seen this form before: https://www.ftc.gov/system/files/documents/rules/privacy-con.... Those FCRA carve-outs are why "Can you limit this sharing?" always says "No" for the top few rows.

> That was a form of collective bargaining

How so? AFAIK Apple and Google did not negotiate those solutions with organisations that represent users (such as industry ombudsmen, consumer rights orgs etc). That scenario would qualify as collective bargaining IMO.

> Is there a better alternative than discursive agreements with a single yes/no at the end?

Yes, that's what GDPR is all about: you need informed consent (not just yes/no) and also the collection of data needs to be related to what you are trying to achieve (that's almost never the case with tracking).

GDPR would likely disagree about a mountain of legalese making it legal.

I never plug TVs into the internet and generally don’t connect any device unless it has a clear need to connect.

In the office I’ve taken to calling connected TVs a security concern, but I didn’t realise how right I was. The conference room TVs there are currently connected (before my time) but I’ll be disconnecting them next week.

My TCL TV power-cycles endlessly unless it has an internet connection. This behavior didn't start until a year after I purchased it.

I can't help but wonder if it's intentional. It did get me to connect the damn thing, despite my severe misgivings.

So the tactic worked.

I locked down my Alexa, and noticed it takes 2-3 “Alexa”s to get it to start listening. I know not having the “learn your voice” thing off lowers accuracy, but it seems really odd it doesn’t wake up instantly. I would assume that is what they train the ML stuff most for.

Has anyone else noticed the same thing?

If you run pihole and have a good router, doing an “if port 53 and not from PiHole, block” fixes a lot of these dirty devices.

Some vendors' (Samsung) 'smart' TVs will attempt to utilize nearby open wifi networks [1]

Would not be surprising to see Comcast/TW/Charter/$ISP strike a deal with TV vendors to provide a wifi network on the ISP-provided routers just for the TVs or other 'smart' devices [2]

Start watching out for cellular connectivity in TVs as yet-another-phone-home-vector too [3]

[1] https://www.reddit.com/r/security/comments/bpjky4/worried_ab...

[2] https://www.xfinity.com/support/articles/about-xfinity-wifi-...

[3] https://venturebeat.com/2019/05/01/huawei-reportedly-plans-f...

Wait till they all start DoH-ing..
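The "block port 53 unless it comes from the Pi-hole" router rule above, and the DoH/DoT follow-up, as an added example that is not part of the thread: a small audit that runs over constructed firewall connection records and flags devices that talk DNS to anything but the resolver, use DNS-over-TLS (853), or hit a public resolver on 443 (probable DoH). The Pi-hole address, the log format and the resolver watch-list are assumptions for the example; the rule text it emits assumes nftables syntax.

```python
"""Audit connection logs for devices bypassing the local Pi-hole resolver."""
from collections import defaultdict
import ipaddress

PIHOLE = "192.168.1.2"  # assumed Pi-hole address for this example
# Public resolvers that also offer DoH/DoT; watch-list constructed for the example.
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Constructed sample records: one flow per line, key=value fields after a timestamp.
SAMPLE_LOG = """\
2019-09-28T20:01:02 proto=udp src=192.168.1.20 dst=192.168.1.2 dport=53
2019-09-28T20:01:03 proto=udp src=192.168.1.31 dst=8.8.8.8 dport=53
2019-09-28T20:01:05 proto=tcp src=192.168.1.31 dst=1.1.1.1 dport=853
2019-09-28T20:01:07 proto=tcp src=192.168.1.44 dst=1.1.1.1 dport=443
2019-09-28T20:01:09 proto=tcp src=192.168.1.20 dst=203.0.113.10 dport=443
"""


def parse_line(line):
    """Return (src, dst, proto, dport) from one record; validates the addresses."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    src = str(ipaddress.ip_address(fields["src"]))
    dst = str(ipaddress.ip_address(fields["dst"]))
    return src, dst, fields["proto"], int(fields["dport"])


def classify(src, dst, proto, dport):
    """Label a flow that sidesteps the Pi-hole, or return None if it is fine."""
    if dport == 53 and dst != PIHOLE:
        return "plain-dns-bypass"      # the rule from the comment above catches this
    if dport == 853:
        return "dns-over-tls"          # DoT: encrypted, but still a fixed port
    if dport == 443 and dst in PUBLIC_RESOLVERS:
        return "probable-doh"          # DoH hides in HTTPS; only the peer gives it away
    return None


def audit(log_text):
    """Map each offending client address to the sorted list of labels seen."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse_line(line)
        label = classify(src, dst, proto, dport)
        if label:
            findings[src].add(label)
    return {src: sorted(labels) for src, labels in findings.items()}


def nft_rules(pihole=PIHOLE):
    """Router-side rules (assumed nftables syntax) matching the comment's policy."""
    return [
        f"nft add rule inet filter forward ip saddr != {pihole} udp dport 53 counter drop",
        f"nft add rule inet filter forward ip saddr != {pihole} tcp dport {{ 53, 853 }} counter drop",
    ]


if __name__ == "__main__":
    for client, labels in audit(SAMPLE_LOG).items():
        print(client, ", ".join(labels))
```

Port 443 to a general host cannot be told apart from DoH by port alone, which is why the audit only flags known resolver addresses there.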

Ditto. Have a couple Roku TVs that have never been and will never be connected to the network or internet.

I didn't buy them for that functionality, but was hoping that someone would figure out how to root them - AFAIK though that still hasn't happened.

I don't connect our TV to the internet for this reason, but I'm wondering if the PS4 I watch everything on does this. I hadn't heard it called out, but I wouldn't be surprised if tracking shows up at some point.

Sony definitely phones home to send digital fingerprints of media you stream from local servers. I was streaming a movie on my PS3 from a local file server and about 5-15 minutes into the movie the audio cut out and a banner popped up about not having a proper license for the media.

Was the movie you streamed Cinavia [1] copy-protected?

[1] https://en.wikipedia.org/wiki/Cinavia

My Apple TV sometimes doesn't negotiate hdmi correctly and ends up without hdcp enabled, and it whines similarly to what you describe. If I switch inputs on the receiver it'll re-negotiate correctly and everything works again. It's annoying, but it's not necessarily caring specifically about the content you are watching.

They haven't exactly been secretive about it; here is Vizio's CTO giving an interview at CES this year on the topic.

Meat of it starts @15:58

I'm in the market for a new TV. I'm impressed by display technology advances, but everything else about TV manufacturers is unimpressive. i.e. all the "smart" software, the OS, menus, apps, apps, and more apps. And surveillance. No thanks. Please give me compliant HDMI, USB, and other connections and let me feed sources of my choosing to your display controller.

My intention is to keep my TV offline right from the start, but maybe I'm screwing myself out of useful (display) firmware updates?

Rest assured, 5 years from now your new TV will connect to the 5G wireless network without asking. For Your Convenience [TM].

That's what wire cutters are for.

The only wires left to cut are the power lines. Are you proposing pre-electricity housing as the only alternative to in-home surveillance? Maybe we should just get rid of the creeps by legal means, fat adtech paychecks be damned.

No I'm suggesting opening the case of your hypothetical 5g TV and clipping the antenna wire. Commercial displays with no smart features and projectors can be purchased right off Amazon. There are still options: we haven't quite yet made it to 1984's mandatory TVs that watch you.

But yeah I'm with you that it's excessive and needs regulation.

I wish it were that easy. Nowadays we build systems-on-chip. Hard to cut specific parts out of the picture. But perhaps the antenna is still off-chip. https://www.androidauthority.com/how-it-works-systems-on-a-c...

> [...] you should have a general picture of what goes inside it: CPU, Memory, GPU, Northbridge, Southbridge, Cellular radios, Other radios [...]

> [...] Such is the case with the Snapdragon S4 from Qualcomm, which has an embedded LTE modem on board responsible for 4G LTE connectivity [...]

The radio chip may be on the SoC, but not the Antenna.

Good luck claiming the guarantee if something else breaks afterwards...

Well if you destroy the antenna then your warranty is void anyways.

They will use the display panel matrix as an active antenna eventually. (note to self: patent this)

Good luck!

That's basically what I do. I don't let my TV connect to the net. But according to this twitter thread, that doesn't matter much, as my Roku is regurgitating my data all over the place anyway...

How sure are you your TV isn't joining open/sponsored wireless networks anyway?

Roku has a setting to disable tracking data.

From the link:

> Here’s a doozy: Roku has a “Limit Ad Tracking” option. Turning it on increased the number of tracking servers contacted. It did prevent Roku’s AD ID from being leaked, but a whole bunch of other unique IDs are available. Even Pi-hole wasn’t that effective at limiting tracking.

Maybe buy a model that's a couple of years old, update the firmware and disconnect from the internet?

Maybe the next product to suggest to puri.sm or pine64?

They found the Ring doorbell records video when someone moves in front of it? Isn’t that what it is made for? I’m opposed to subscription cameras and avoid Ring but everyone I know who has one bought it because it records when someone walks in front of it.

And locks those recordings away on Amazon’s servers, by default.

That is in no way reassuring. Edit: Most likely you intended the comment that way.

I don't have a TV. I'm not into sports, and there's not much else that I care enough about. What I have is a huge display, attached to a Linux NAS/server with a decent graphics card. With a couple TB of video, from various sources. And even it is offline, except when I need to update stuff.

Care to share what display you have? I'm in the market for a TV but this interests me more.

LG 27UD58-B

At some point, I'll probably get a larger one.

And for sound, a 100W per channel amp driving a pair of ancient JBL L96s.

I would settle for some laws to protect against adding tracking and ads later. Something as simple as, "if a device is sold without tracking or ads, they shall never be added through software updates or other means" and "if device has tracking or ads, it must display this fact on the box/other conspicuous places."

Drives me insane buying a device and for it to get slathered with ads six months later.

Discussion of one of the papers mentioned here: https://news.ycombinator.com/item?id=21100404

Our 25yo analog Sony CRT television just gave up the ghost. I looked online for a new television, but all of them come with 'voice control' and other 'smart' features. Do I really want to engage in yet another infosec fight trying to keep what should be a simple dumb appliance from reporting on what I do in my own home?

The very cheapest, "who the hell is this" brands often have non-smart models in larger sizes.

I wonder if you could DIY a set: buy the panel and a dumb controller board and bolt it together yourself? I know someone did that back when "import an off-brand 27" LCD monitor for 1/3 the price of the Apple equivalent" was a trend.

I have a feeling that there is going to be a big community of DIY hackers that are going to figure out ways to just disable those features. For example, I am sure the TV could be opened up and the camera could just be disconnected. Most of those little cameras are simply connected via ribbon cable anyways.

Simple. Just don’t connect your TV to the web. I do this and have a separate Apple TV that I use, because the tv apps quickly become obsolete

I hope you have a signal jammer that blocks all other wifi networks, because it's been proven that smart TVs also connect to open wifi.

yep, same. got a good quality Sony Bravia 4K that stays offline except occasionally for firmware updates and on an isolated vlan.

built an HTPC that's connected via HDMI that i can use for youtube, netflix, plex/kodi, NAS, etc.

basically a dumb display.

Maybe it stores all your data on disk. When you update the firmware, it will send all the data saved before

it's possible, sure. most of the tracking features on smart tvs relate to the use of smart features/apps. the parts that do screen fingerprinting do it in real-time, so hopefully it does not store many months of 1-sec intervals of fingerprints.

i should actually intercept the traffic to double check.

This is quite likely.

Some of them require you to opt in to use voice control, fwiw. Ideally they don't capture audio if you opt out, but who knows.

Samsung smart TV. We had to use it with an external receiver so we set the TV on video input. It works. We turn off the TV, turn it on again, it shows the video input for a brief moment and then hides it with a message that there is no signal and please choose your signal input. No matter what we did, it didn't want to just work.

The solution? connect the TV to internet (in a rural area), wait overnight so it can download the Terms and Conditions without any indication that this is what it is trying to do, sign the T&C and then it works...

I have an old Thinkpad T420 with a non-working display that I attached to my (non smart) tv. I'm very satisfied with Kodi and browsing with Firefox in Linux. Next step would be some voice and gesture recognition (open kinect maybe?)

Has anyone tried implementing DOS attacks on ad providers with the intention of making them block all traffic from your IP? Are these requests signed?

Bonus fun, count all of your requests by campaign, then contact advertisers to let them know how many fake requests they were charged for.

"TV watches you" was discovered at least 6 years ago, here's some discussions from that time:



Can anyone explain this to me? My Roku TV knows what I'm watching even if it's just a .avi file. I'm watching a movie on my Raspberry Pi with Kodi via HDMI. About 30 seconds into the movie it says "You can watch this movie on ... channel."

How does it know what I'm watching? Is it analyzing the feed like Shazam to music?

My wife and I watch a lot of entertainment on our iPad Pros, only using our TV when we want to watch the same Netflix, HBO, or Prime content together. We are using a Firestick our kids gave us. I am thinking that an Apple TV would be a bit better privacy wise. In any case, I am going to remove my WiFi password from my Samsung TV’s setup config and see if it works without an online connection.

That's why I use ad-block hosts file on the router.

This is specifically mentioned in the linked article as being at best only partially effective.

With how complex these systems are, I wonder when companies will start open sourcing and using reproducible builds to show there's nothing up their sleeves. For Microsoft, it clearly gives away too much, but for a company like Huawei facing bans over security, it gets closer to showing there's no government backdoor...unless it's in the hardware.

I read one of the papers, and the channels listed with trackers were largely "long tail" garbage channels that 99.9% of Roku users wouldn't touch. Now, it only lists the ten worst channels, but it leaves it hard to figure out whether or not the use of trackers is prevalent on popular channels like Hulu, Netflix and such.

The Pi-Hole lists to contribute to and subscribe to: https://github.com/Perflyst/PiHoleBlocklist

Oh, good story here. There's an e-reader called Tolino which is somewhat popular here in Germany. You can use it to subscribe to your local library for a monthly fee and rent books.

Recently an old friend crashed on my couch for a week, bringing such a device. He couldn't download any new books from the library while staying. On the last day of his stay we didn't have anything better to do so we researched that problem. After some googling we actually found a long thread in some forum where people had all kinds of problems with a recent firmware update which didn't actually seem to be the problem here, but then there was some guy in this thread casually mentioning that he solved it by disabling his pi-hole. And yes, indeed, that immediately fixed the problem in our case too.

Let that sink in: You pay for your e-reader. You pay a monthly subscription. And then they dare to require you to send your data to googleanalytics.com, a foreign company, and don't even show a meaningful error message if that doesn't work (too embarrassed?)

I’m thinking about buying a screen that has no TV with a basic amazon fire stick (no microphone) for precisely this reason.

Does anyone have any recommendations?

Long ago I was dissatisfied with the smart TVs' sluggish smart features so I just gave up and never connect them to the internet.

Seems like a good policy now.

Well, you need consent with CCPA. This is going to be fine.

As long as the dilemma to the user is presented as no privacy and get the job done vs privacy but don't get the job done, consent will be given.

> As long as the dilemma to the user is presented as no privacy and get the job done vs privacy but don't get the job done, consent will be given.

You also get to demand access to your data and can instruct them to delete it (and they must or run afoul of the law).

Do any of those studies look at Chromecast?
