Tracking systems of TV streaming devices (acolyer.org)
160 points by godelmachine on Feb 10, 2020 | 57 comments

I knew this was the case but the reminder is just more motivation to revert back to purchasing optical media, ripping it, and using mpv on a computer.

I don't want my entertainment to be tied up with advertising. I don't want my whole life to be subject to metrics.

Optical media these days has a horribly intrusive DRM system, which prevents you from watching the content on most PCs (see AACS 2.0 on Blu-Ray drives). Ripping them is pretty much impossible unless you do some very DMCA illegal firmware patching... and even that doesn't always work.

It's mind boggling that they continue to make life so difficult for paying customers when it's possible to go to a site like Pirate Bay and get a bit-perfect rip in less than 15 minutes without Hollywood making a single penny.

Just let me buy DRM-free movies and download them to my NAS - and without all the tracking bullshit!

Is it though? I have never seen a bit perfect rip on tpb. I have paid for sketchy software to have access to blu-ray ripping software to get around this while trying to play with high bitrate material and understand a bit more about it. 25 GB is the smallest a blu ray gets, with most being 50 GB (and potentially up to 300 GB, though I have not seen this personally). UHD blu ray goes from 50 GB to 100 GB. No one is ripping these things, and certainly no one is seeding them, and most certainly no one is leeching them. Maybe on private trackers. I wouldn’t know.

>No one is ripping these things, and certainly no one is seeding them, and most certainly no one is leeching them.

I searched for 'remux' (which means original video+audio data, no quality loss) on the rarbg site mentioned in another reply to your comment. People are definitely ripping, seeding and downloading them.

I wouldn’t say no one is seeding/leeching those things. You can find plenty of remuxes on rarbg (a public tracker), and they’re well seeded a few days after release (after the initial influx of leechers are gone) up to a few months later (before people start deleting it from their machines).

There are plenty of sources that provide so-called remuxes of BR content, which usually are sufficiently high bitrate.

Which is fine and well. "Good enough" is a soft target and blu-ray transcodes are higher quality than every other option (except for the blu rays themselves). My point was that if you want the highest available quality, physical media is still the most available and convenient way to get it.

Torrenting is sadly impractical in some countries :/

> unless you do some very DMCA illegal firmware patching

That seems very risky given the regular unannounced firmware audits by the DMCA police.

P2P pirating we go then.

Is that still the case for ripping? I was under the impression that all you need now is a copy of https://www.makemkv.com/

edit: skimming their forum I see mentions of firmware flashing/patching so I believe that's answered my question.

Advertisement works because most people do not feel this way and are ok with metrics and ads as long as they get something back. Is that ok, or is there a rational argument why everyone should feel bad about being subject to metrics?

Advertising works because people have little choice in the matter. It's exploiting that people value "consumption with ads" more than "no consumption at all", and most are not skilled enough to remove the ads themselves.

(It's not like they wouldn't do it if they knew how; remember the popularity of VCRs? Their main use case was that on a recorded show, you could fast-forward through ads.)

People are not OK with metrics; most of the population has no understanding about the extent to which they're being surveilled or measured. There's also a growing feeling of helplessness, because the more the snooping is becoming known, the more apparent it seems that it's the same as with advertising - unless you're a tech-savvy person, you have no choice at all.


A big part of the problems are the constant lies of omission. I believe much fewer people would be willing to connect their TVs to the Internet if on the box, next to "you can watch Netflix from your couch", there would be text saying "we'll spy on you as much as we can, and this data might wind up at your insurance provider". Or an asterisk next to "Netflix" explaining that "the service will work until we get bored or they change their API, i.e. for about two to three years".

Indeed. I had planned to purchase a few Roku devices for me and someone else. Then I stumbled upon an article describing the amount of third party data sharing and how it varies by channel. Stopped me from purchasing. And this is after a bit of research on streaming devices and plans and all that!

People in one of the online neighbor groups routinely ask about options for this channel or that channel and such as the lineup out here with some services seems to change regularly and lots of people are moving.. invariably someone squeaks about how great their Roku device is...

I ask them how they like the device sharing info about what is being watched and when with multiple third parties, if they knew that before purchasing, and if they tell other people who use it... every time the answer has been 'this is the first I've heard of this'

Cable companies do this too with their STB. OTA or pirating content is the only way to maintain privacy.

It's not just lies of omission. Take this:


> Plus, your TV keeps getting smarter with new Alexa skills and over-the-air software updates, so you always have the latest.

Now maybe they will provide software updates for a reasonable length of time similar to the hardware's expected life... but what manufacturer does that?

My current TV is >10 years old and I fully expect the "Smart" bits of this JVC TV to be deprecated in a fraction of that?

Ignorance and acceptance aren't the same thing. Many people would be and regularly become disturbed by the amount of tracking, but it is complex and difficult to understand on purpose. GDPR tried to make it obvious but missed the mark, making everybody accept cookies is just a blind annoyance.

The rational argument against tracking is the enormous power it enables. Humans aren't aware enough of how easily they can be manipulated, more information means more and easier manipulation. More information also enables actual power for the abuse of the population.

The power asymmetry can only be abused and it will gradually grow until it will be very difficult to remove.

> GDPR tried to make it obvious but missed the mark, making everybody accept cookies is just a blind annoyance.

It's almost two years now, and while I don't think cookie warnings are GDPR's fault (it was earlier regulation, that was trying to give adtech industry a chance to self-regulate), I do have this feeling that it indeed missed the mark.

I currently feel the problem is enforcement. There's loads of sites that managed to implement a GDPR consent form in a way that defeats the spirit of the law, and often enough the letter as well. I was hoping that a hammer would be swiftly brought down on those cases, but that doesn't seem to be happening.

See techcrunch, the site with one of the most anti-consumer cookie preference practices yet a site that is very often linked on the first page of HN. This is proof that even informed people will get over any reservations if the content piques their curiosity.

It is ok if that is their decision and they have the ability to choose. I would contest that this is realized for modern devices.

There are so many "rational" arguments against it, that it is not even funny. And I doubt that many people like the current situation. The trick is to not ask.

Many people I know don't connect their TV to the net at all. They might use its features, but not wanting to be spied upon is one of the big reasons.

That said, even the older generation starts to use TV less or have devices that record the program and cut out advertising while not connecting their "smart" TV.

Don't know why you're getting downed for this, sample size of two:

My dad's response to "smart TVs send back everything you watch and Samsung are the worst" was "I expected as much..." <— he owns a Samsung smart tv

Person who works for civil service who is not yet even 30 "our government is crazy inefficient, each service and their data are siloed and cannot talk to each other, so we can't know that Joe Bloggs in HMRC is the Joe Bloggs in the NHS and Joe Bloggs on this council tax register... Why can't everything be connected like it is with Google/Facebook. I find myself connecting things up so I get better suggestions"

In my opinion the surveillance economy is one bad leader away from a 1984 hell on earth but that opinion isn't nearly as prevalent as people in tech would hope. But it's also not constructive to patronize people with the opinion "oh it's because they don't know how bad it is..." etc

I think some people don't care. Some people see some of the value the metrics driven approaches can bring. Some people don't agree that the road to hell can be paved with good intentions.

After all I find it hard to believe that all those devs at Facebook and Google are categorically amoral - life isn't black and white like that

How many people do you know who have actually purchased something solely because of advertisement?

Sometimes I wonder if the whole pervasive advertisement racket isn’t a case of the emperor with no clothes, if not a front for more nefarious ends.

I dislike advertising as much as the next person, but dismissing it as not working is attempting to handwave reality away.

I am saying this as I am currently going through a graduate marketing course. It is bananas.

If there is one thing you learn from marketing really fast, it is:

1. what is the reality?
2. how to manipulate it

To answer your surface question. You may be an outlier, but I can name purchases resulting from an ad. Impulsive purchases are a thing.

>most people do not feel this way and are ok with metrics and ads

Where did you get this information? I suspect most people have no idea what goes on behind the curtain.

I do not feel that way, and was fascinated by the intensity with which some people on HN dislike metrics and ads. So I had tried an informal survey of people I knew, and out of 39 only 7 were somewhat concerned and some said they thought phones and tvs can capture video or audio and were not particularly concerned even with that.

Another indirect piece of evidence is that even NSA backdoors did not get the attention they deserved.

Everyone should feel bad about being subject to metrics, because anyone can be manipulated given the right knowledge about them.

money quotes

> Running with a Pi-hole helps, but still misses about 27% of AD ID leaks, and 45% of serial number leaks.


> Our measurements showed that tracking is prevalent on the OTT platforms we studied, with traffic to known trackers present on 69% of Roku channels and 89% of Amazon Fire TV channels… Our analysis of the available privacy countermeasures showed that they are ineffective at preventing tracking.

the fact that pihole is ineffective is troublesome.

You can improve that stat. If you have a router that allows it, make a rule that allows port 53 out if it’s from the Pihole, and redirects it back to the Pihole if it isn’t. You’ll catch more of the sneaky crap that way.

I do this, any traffic to port 53 gets re-directed using IP masquerading to my local DNS server which uses the blocklists from https://github.com/StevenBlack/hosts.

By coincidence since I did that I need to do a hard reboot of my Mi Box android tv device everyday as when you turn it on from standby and open Youtube / Netflix it goes in to a frozen state.
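
The redirect rule described in the two comments above, written out as iptables commands. This is an added example, not part of any commenter's post; the Pi-hole address 192.168.1.2 and LAN interface br0 are assumed sample values, and the port 853 rule for DNS-over-TLS goes beyond what the comments describe.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that force all LAN DNS
# through a Pi-hole. Addresses and interface names are constructed samples.

dns_redirect_rules() {
    pihole=$1   # Pi-hole address, e.g. 192.168.1.2 (assumption)
    lan_if=$2   # router's LAN interface, e.g. br0 (assumption)

    # Refuse anything not shaped like a dotted-quad IPv4 address or a plain
    # interface name, so the output is safe to pipe into a root shell.
    case $pihole in
        *[!0-9.]*|''|*..*|.*|*.) return 1 ;;
    esac
    case $pihole in
        *.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case $lan_if in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    for proto in udp tcp; do
        # Port 53 from any LAN host except the Pi-hole is rewritten to the Pi-hole.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $pihole -p $proto --dport 53 -j DNAT --to-destination $pihole:53"
        # Masquerade the redirected query so the reply returns through the
        # router; otherwise the client sees an answer from an unexpected IP.
        echo "iptables -t nat -A POSTROUTING -o $lan_if -d $pihole -p $proto --dport 53 -j MASQUERADE"
    done
    # DNS-over-TLS has its own port (853) and can be rejected outright.
    # DNS-over-HTTPS rides on 443 and is not touched by any rule here.
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT"
}

# Print the rules when called with arguments: ./dns-redirect.sh 192.168.1.2 br0
if [ "$#" -ge 2 ]; then dns_redirect_rules "$@"; fi
```

Redirected queries show up in the Pi-hole log with the router's address as the client, a side effect of the masquerade rule.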

dot/doh is here, pihole is becoming irrelevant

Quite, effectively your device VPNs to the internet on port 443 to a nondescript IP. You can either block it completely or allow everything through.

The only hope is that device manufacturers are terrible, don’t implement certificate checks, and you can MITM everything by redirecting port 443 through a proxy.

The only choice is to block it.

Which prevents you from using Netflix or YouTube etc.

Don’t connect your tv, but you need a device of some sort to use modern tv

Block https?

Could just block it from that device.

Pihole may be irrelevant soon, but not yet. I sit with about 10% blocked.

“DNSSEC is here, man in the middle attacks are over”

- a person in 2001

I only checked one of the listed urls (the tables are images???) but found 15 hits in my pi-hole. I’m using the “safe” (as in marked likely to not break things) set of lists from wally3k’s github. So the standard set of lists won’t catch many things, but it is prudent to add more. There are currently nearly a million domains being filtered in my pi-hole and 13.0% of http/https requests are filtered out.

It is an arms race. It started like it normally does. Pihole guys were dismissed as not a threat since setup required user setup and maintenance. Clearly, there was a miscalculation of sentiment since adtech seems to be actively working on subverting it.

I hope pihole can keep up. I am at a point, where I would pay for it (donation may no longer be viable).

Surprised that apple TV isn't included in this analysis at all. I'd be interested to see that, especially using a short list of the 'most common' apple TV apps -- eg Netflix, Youtube, Hulu, HBO.

I have a Roku and it's a targeted advertising machine. Great if you're a marketer but kinda iffy if you're just an ordinary consumer. I see ads for debit card purchases within a matter of hours. I don't mind because I'm into marketing and might leverage the adtech at some point. But if you're concerned about privacy, stay far away.

Surprised it doesn't recommend Kodi in the 'What can you do about it'

It's basically the OpenWRT equivalent of streaming devices.

Presumably an AppleTV is only as good as the apps you choose to run on it. I'd love to see some analysis of YouTubeTV. I recently saw a stat which claimed YouTubeTV only had 2M subscribers, which seemed critically low to me.

That’s a handy list of domains to put into pi-hole for them to be blocked.

I did not see a list of domains on that site. I thought they talk about using a pihole in general. If you saw, or recommend specific lists - please do - and thank you in advance.

Here’s a question: when my old tv dies, where can I even get a new non-smart tv? I haven’t seen a new one sold in years now

Walmart and Amazon. They even sell 4k "dumb" TVs.


This link used to have better results, but Amazon must have changed something: https://www.amazon.com/s?k=4k+-smart&rh=n%3A1266092011

After reading this, I think if everyone set up a Tor node just for TV, that’d be great (harder to identify who is watching what).

Did you actually read it? It literally says identifiers were sent irrespective of tracking settings. Tor only masks IP and that was never the intent of the Tor network and using it that way is a complete waste of resources that doesn’t solve anything.

> Tor only masks IP and that was never the intent of the Tor network and using it that way is a complete waste of resources that doesn’t solve anything

More garbage traffic on Tor isn't necessarily a bad thing. It keeps others safe who actually do need it.

I don’t know a great deal about tor so maybe that’s true, but suggesting people use some convoluted routing in the name of privacy (which it doesn’t solve) isn’t the way to go about it.

If smashing TOR with bandwidth actually helps anonymise real users, then TOR should get in contact with BitTorrent client developers and get them to create clients that split traffic over tor and non tor routes. That way they can create sanely manageable traffic from a very large volume of nodes, helping mask tor users far more than what a few obscurely routed tvs ever would.

tor would prove extremely painful to use with IPTV re speed and dropouts. identifiers may be avoided using packet inspection/rewrites but that is still far from a solid, PnP solution

So what about Apple TV?

What is a Roku channel? Is it like an app on your phone?

Yes. There are apps for Netflix, Amazon, etc.
