Two senators, alarmed about the potential of smart TVs spying on users in the privacy of their homes, asked the FTC to “launch an investigation into the privacy policies and practices of smart TV manufacturers.”
Wait, what year is this? There’s nothing new about smart TV spying. Zero-day vulnerabilities in Samsung Smart TVs were exposed at the end of 2012; if exploited, attackers could gain control of the webcam and microphone. Smart TVs were called the perfect target for spying on users back in 2013 – the same year as a Black Hat presentation about hacking Samsung Smart TVs. It was not just exploits that allowed for spying as a scandal erupted about LG Smart TV spying in 2013.
Although Samsung took heat in 2015 for its privacy policy and its use of voice recognition – being able to record and listen in on what users were saying – it later came to light that the CIA had a Weeping Angel attack against Samsung Smart TVs back in 2014, making it possible to record conversations and send them back to a covert CIA server.
Also in 2015, thanks to Smart Interactivity, Vizio was busy tracking what 10 million smart TV owners’ were watching and then selling that data to advertisers. Vizio was full of denials, but the FTC slapped Vizio for this. And in 2017, Vizio agreed to pay $2.2 million to settle charges by the FTC.
Report about Samba TV privacy alarms U.S. senators
What changed to finally snag the attention of two Democrat lawmakers? A recent New York Times report on Samba TV got the senators worked up enough to ask the FTC to investigate if the connectivity and interactivity of smart TVs are coming at the expense of consumer privacy.
Samba, according to the Times as well as research by software engineer David Kitchen, has software deals with numerous big-name TV brands to “track nearly everything that appears on the TV on a second-by-second basis, essentially reading pixels to identify network shows and ads, as well as programs on HBO and even video games played on the TV.”
Samba claimed that users must agree to Samba Interactive TV when setting up their TVs. It’s no surprise that most users do not delve into the 6,500 words in the terms of service or the privacy policy, which has over 4,000 words. Although Samba doesn’t directly sell users’ data after they have opted in, it does allow advertisers to “pay the company to direct ads to other gadgets in a home.”
In a letter to the FTC (pdf), Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) wrote:
Many internet-connected smart TVs are equipped with sophisticated technologies that can track the content users are watching and then use that information to tailor and deliver targeted advertisements to consumers. By identifying the broadcast and cable shows, video games, over-the-top content like Netflix, and other applications that users are viewing, smart TVs can compile detailed profiles about users' preferences and characteristics. Recent reports even suggest that smart TVs can identify users' political affiliations based on whether they watch conservative or liberal media outlets.
This allows companies to rely on “detailed dossiers of individual users” and send ads to those users’ “computers, phones or any other device that shares the smart TVs’ internet connection.” The senators don’t believe most users are aware of “the extent to which their televisions are collecting sensitive information about their viewing habits.”
They used Samba TV, which the Times said had deals with Sony, Sharp, TCL, Philips and other TV brands – collecting viewing data from over 13.5 million smart TVs, as an example. When users are prompted to opt into the Samba Interactive TV service, Samba “does not clearly convey how much sensitive information about a user will be collected or whether the data will be used for targeted advertisements across different devices.”
“Televisions have entered a new era, but that does not mean that users’ sensitive information no longer deserves protection,” the senators wrote. “The content consumers watch is private, and it should not be assumed that customers want companies to track and use information on their viewing habits.”
The senators pointed out that users should be given the details of who can access their data, be told how their data will be used, and give real consent to the collection and use of their sensitive info “while still having access to the core functions of smart TV technology.” The last bit is likely a snipe at the companies who penalize users for not agreeing and giving consent by taking away functionality.
While the FTC confirmed to Ars Technica that it had received the letter, it did not give any additional comments.