The dumpster fire that passes for security and privacy standards in the internet of things space is by now pretty well understood. It’s also pretty clear that in this sector, “smart TV” vendors have been among the laziest sectors around in terms of making sure private consumer data is adequately encrypted, and that consumers understand that their viewing habits and even some in-room conversations are being hoovered up and monetized, usually sloppily.

Recent studies have found that upwards of 90% of smart TVs can be compromised remotely, and leaked documents have made it clear that intelligence agencies have been having a field day with the lack of security in such sets, easily exploiting paper-mache grade protections in order to use TV microphones to monitor targets without anybody being the wiser.

Meanwhile, set vendors and viewing tracking firms continue to do a pretty dismal job clearly explaining to the end user what data is being collected and monetized. The New York Times, for example, recently did a profile piece on a company named SambaTV, whose viewer-tracking software is now collects viewing data from 13.5 million smart TVs in the United States. Owners of these sets will find Samba’s Interactive TV software already installed, and are told that the software simply lets you receive handy recommendations and experience TV “in a whole new way”:

“Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.”

But at no point during set up does the company really make it obvious just how much data is being collected or how it’s used:

“Once enabled, Samba TV can track nearly everything that appears on the TV on a second-by-second basis, essentially reading pixels to identify network shows and ads, as well as programs on HBO and even video games played on the TV. Samba TV has even offered advertisers the ability to base their targeting on whether people watch conservative or liberal media outlets and which party’s presidential debate they watched.”

That’s certainly something that would never be abused, right? Especially since we keep seeing story after story after story about how anonymized data isn’t really “anonymous”, such data isn’t particularly well protected, and consumers don’t actually have the faintest understanding of what’s being collected and monetized in the first place. Consumer advocates say that transparency about what data is collected remains utterly lacking, as most users of this software have zero understanding it can potentially even track their political leanings:

“It’s still not intuitive that the box maker or the software embedded by the box maker is going to be doing this,” said Justin Brookman, director of consumer privacy and technology policy at the advocacy group Consumers Union and a former policy director at the Federal Trade Commission. “I’d like to see companies do a better job of making that clear and explaining the value proposition to consumers.”

The FTC last year fined TV vendor Vizio $ 2.2 million for hoovering up the viewing data on 11 million consumer TVs without consumers’ knowledge or consent. But FTC enforcement is inconsistent, and is often slow to address how companies now use numerous devices in concert (your smart phone, your home assistant, and your TV) to deepen in-home surveillance capabilities further. The rabbit hole gets deeper still when you consider that your ISP is also cashing in on your IOT device usage without much transparency or oversight thanks to the recent attacks on privacy rules and FCC authority over ISPs.

Quite often, such data hoovering systems are actively misrepresented as being of ambiguous benefit to the end user. And because users can technically dig through Samba’s 4,000 word privacy policy and 6,500 word terms of use to discover what’s actually happening (something companies know users won’t do and may not even understand if they did), they’re technically adhering to the law. Eventually we’ll get around to working together on modernizations of the law, but pretty clearly not before years and dozens of additional privacy and security scandals drive the point home.

Permalink | Comments | Email This Story

Techdirt.