CES 2018 brought to light many exciting advancements in consumer technologies. Without a doubt, Smart TVs, Smart Homes, and voice assistants were dominant: LG has a TV that rolls up like a poster; Philips introduced a Google Assistant-enabled TV is designed for the kitchen; and Samsung revealed its new line of refrigerators, TVs, and other home devices powered by Bixby, their intelligent voice assistant. More than ever before, companies are emphasizing “seamless connectivity” between TVs and other connected home devices. In other words, users will be able to instruct their TV to dim the lights, display footage from their home security camera, show who is standing at the front door, or even see what’s inside the fridge — all features envisioning the TV as the command center of the ideal, futuristic Smart Home.
Nonetheless, Smart TVs are raising serious data privacy questions that apply broadly to all Smart Home devices – for example, how long should a manufacturer be responsible for installing software updates to keep an Internet-connected TV secure? Do buyers fully understand what kinds of data their TV manufacturer is collecting, and how to control it? How much information should be presented on the box before purchase? It is critical to identify solutions that maximize consumer benefits while avoiding privacy risks and harms.
A Deep Dive into Leading Smart TVs
In order to better understand the privacy and security issues raised by Smart TVs, we recently had the opportunity to informally review the policies and user interfaces of 2017 models from three leading manufacturers: Sony (which uses the Android TV interface), LG, and Samsung. We aimed to learn more about the privacy and security aspects of leading Smart TVs.
Overall, Smart TV data practices vary considerably. Consumer choices are not always easy to exercise, and there remains a great need for transparency and consensus around how TV data should be used. Advertising using Smart TV data, for example, is a nascent but rapidly growing industry, and many TV buyers are not yet aware of the extent to which their other activities (online and offline) may be synced with their TV viewing information in a way that informs and drives advertising. Security is also a critical aspect — in today’s TVs, software updates are not necessarily automatic, or guaranteed to continue, and it can be difficult for even a well-informed person to make a purchasing decision on the basis of a company’s security practices. Although Smart TVs promise great benefits to consumers, there is clearly more work to be done to build consensus around privacy and security.
Skip ahead to:
- Privacy Policies
- Automated Content Recognition (ACR)
- Privacy Choices and Consent
- Software Updates
- Data Deletion
What Makes a TV “Smart?”
Smart TVs – or, as they are often promoted, “intelligent TVs,” are TVs that connect to the Internet to allow users to access streaming video services (such as Netflix or Hulu), other online media or entertainment, such as music, on-demand video, and web browsers. Many Smart TVs have their own App Stores, making them more similar to large-screen computers than traditional displays. Many are now integrating connectivity with other Smart Home technologies like lights, baby monitors, or kitchen appliances.
In addition to the wide variety of new entertainment options, a less appreciated benefit of Smart TVs is the ability to generate accurate, reliable TV viewing measurement data. Historically, TV viewing was difficult to measure, resulting in efforts by companies such as Nielsen to encourage families to voluntarily track their TV viewing habits. The inevitable result, as discussed by several speakers in the Federal Trade Commission’s recent workshop, was that only the most popular and mainstream TV viewing would typically be measured accurately.
In the last ten years, as TVs and streaming media has become more sophisticated, it has become possible to measure less popular or even obscure content. The ability to know what kinds of content people are actually interested in, even if it isn’t mainstream, has allowed for greater investment in content that previously would have been too risky – for example (as discussed by Samba TV’s Ashwin Navin at the FTC’s Smart TV workshop), Arrested Development (canceled and then re-launched by Netflix), or The Mindy Project (picked up by Hulu).
Nonetheless, the same data collection that allows for accurate TV viewing measurement often creates concerns around individual privacy. For example, individual data can be used to create detailed profiles based on viewing habits, sometimes in expected ways (e.g. Netflix suggestions), and sometimes in unexpected ways.
Smart TVs Vary in their Privacy Settings and Features
Are all Smart TVs the same with respect to their data practices? In many ways, they are not. The TVs we unboxed and set up had significant differences in privacy features, including things like: whether relevant policies are easily available; whether and how users are prompted to consent to data collection and uses; whether users can delete their personal data; and whether software updates are installed automatically. Notably, some TV manufacturers run software from other companies (e.g. LG TVs that run Android OS), but other manufacturers actively collect data for advertising and other purposes. Hardware manufacturers are responsible for many of the things buyers care about, like screen size, picture quality, and durability, but when it comes to data privacy, buyers should also think about the operating system and apps.
There are also some issues applicable to all modern TVs that deserve greater attention – specifically, the fact that digital advertising using TV data is a rapidly growing industry that has not yet developed consensus around privacy norms. These important questions about data privacy have broader implications for other connected devices in the Internet of Things (IoT) and the Smart Home.
Key privacy and security issues:
Relevant privacy policies are not always available.
Automated Content Recognition (ACR) is a common feature of Smart TVs.
All Smart TVs that we reviewed – and probably, nearly all modern Smart TVs – are equipped with automated content recognition (ACR) technology. ACR is usually built in to the TV software but also present in many third party apps. An early example of ACR technology is Shazam, the popular music recognition app that is now available on many leading TVs.
Generally, ACR technologies use one of two methods: fingerprinting or watermarking. The most common method, audio/video-based fingerprinting, relies on periodically extracting a “fingerprint” of unique characteristics of the content being watched, and sending it to a third party matching service to identify the content. Watermarking, in contrast, relies on the content creator to embed a unique “overlay” or “watermark” (often imperceptible) into the audio or video file so that it can be recognized again in the future.
|Fingerprinting vs. Watermarking|
Most Smart TVs provide users with notice of ACR data collection through on-screen notices, but the policies typically describe the collection of “Viewing Information,” or “Viewing History,” providing little detail about what the ACR technology collects or how it works in detail. Some examples of how ACR-enabled viewing data is described in on-screen policies (on file with author):
- Samsung: “In order to provide you with customized and personalized Smart TV experiences, some of our feature and services will rely on your TV viewing history and Smart TV usage information. Your TV viewing history includes information about the networks, channels, websites visited and programs viewed on your Smart TV and the amount of time spent viewing them. We may use automatic content recognition (ACR) and other technologies to capture this information. Your Smart TV transfers video snippets or TV tuner information in order to determine the programs watched.”
- LG: “Viewing Information . . . refers to information about your interactions with program content, including live TV content, streaming content, movies, and video on demand. Viewing Information may include the name of the channel or program watched, requests to view content, details of actions taken while viewing (e.g., play, stop, pause, etc.), the duration that content was watched, and input method (RF, Component, HDMI). … The ‘Live Plus’ service recognizes the content you are watching and provides interactive services based on that content.”
TVs vary in how they obtain consent to collect and use ACR data.
A key principle of U.S. privacy law is that technology providers should ask users for their consent prior to the collection of use of their personal information, especially sensitive information such as granular TV viewing data. However, what this consent should look like, and how to structure users’ choices, is a frequent source of debate.
Occasionally, offering choices is not practical, because data might be necessary for a device to work as intended – for example, any Internet-connected device necessarily sends an IP address and MAC address in order to connect to a network. In contrast, automated content recognition data (“ACR Data”), while it may enable certain benefits, is not necessary for the TV to function. Furthermore, ACR involves the collection of sensitive information about everything that viewers are watching and when. As a result, it is appropriate for TV manufacturers to offer robust choices around the collection of this kind of data.
In the TVs that we “unboxed,” notice and consent for the collection of ACR data varied. For example, Samsung TVs ask users to opt in to optional data collection during set-up. In contrast, the LG TV presented a basic privacy statement during set-up, and then asked for additional permissions later when we tried to use the specific features that required those extra permissions. In general, these sorts of “just in time” notices reflect a more privacy-conscious design. Although in some ways it makes sense to place all the information “up front,” the set-up process is also a time when users are eager to get the device running, and not necessarily well-positioned to distinguish between routine terms of service (which may be required to set up the TV at all) and optional privacy choices related to added benefits.
Software updates (a key component of good security) are not necessarily automatic or guaranteed to continue.
As TVs become more like computers, a growing issue is the extent to which manufacturers have an obligation to continue supporting software and pushing updates to fix security vulnerabilities. As any smartphone user knows, receiving persistent reminders for app and OS updates can be frustrating, but updating software is crucial to good security.
In leading 2017 TVs, security updates are possible, but not necessarily automatic by default. In addition, it is not clear how often manufacturers push updates for security vulnerabilities. Most TV manufacturers have bug bounty programs (for example, Samsung’s Smart TV bug bounty program; Google’s vulnerability rewards program, which applies to Android TV; and Sony’s [email protected] program), which provide an incentive for independent security researchers to report security flaws so that companies can fix software before consumers are affected. However, without automatic updating or prominent notices on the TV interface, it can be difficult to ensure that TV buyers take the steps necessary to secure their devices.
Finally, many manufacturers do not yet make explicit assurances to their customers about how long they will continue to support older TV models. Given that the average lifespan of a TV is around 7-10 years, it is crucial that Smart TVs, with all of their added connectivity and software-dependent services, continue to be updated for a reasonable time. Furthermore, with enough transparency, software support can be a powerful selling point for a budget-impacting purchase. The importance of Smart TV security is heightened as the newest TVs become linked to other devices in smart homes.
Smart TVs vary in policies for data retention and deletion.
Finally, as with all connected devices, a key question for Smart TV providers is how they should handle users’ requests for deletion of accounts and associated data. Deletion of data is not only a practical consideration – for example, if a buyer decides to sell or re-purpose a TV – but increasingly viewed as an aspect of consumer privacy rights.
Leading Smart TV manufacturers have very different policies regarding data retention and users’ opportunity to meaningfully delete their personal information:
|TV Manufacturer||On-Screen Retention Policy|
|Sony (Bravia)||“You can stop uploading the TV usage logs at any time in [Help] -> [Privacy setting]. If this uploading is disabled, the above information about the use of this TV will no longer be uploaded to Sony Corporation . . . Information already uploaded to Sony Corporation with a unique number shall be deleted or converted to anonymized statistical data within approximately six months. The viewing history data stored in this TV will also be deleted and as a result the functions which use viewing history data may not be available (such as “Popular” program recommendations).”|
|Samsung||“Interest based advertisements will be linked to a randomized, non-persistent, and resettable device identifier called the “PSID.” You may reset your PSID at any time by visiting the settings menu, and once reset, your viewing history and Smart TV usage information will be cleared and de-linked.”|
|LGE||“We will take reasonable steps to make sure that we keep your personal information for as long as is necessary for us to provide you with LG Smart TV Services or for the purpose for which it was collected, or as required by law.”|
|“If you request removal of Personal Information, you acknowledge that residual Personal Information may continue to reside in VIZIO’s records and archives, but VIZIO will not use that Personal Information going forward for commercial purposes.”|
Digital advertising using Smart TV data is a nascent, but rapidly growing, industry.
While Smart TV data can be used for a wide range of useful features (including measurement, recommendations, and interactivity features such as in-show trivia, polling, or song recognition), it can also be used for personalized advertising in potentially unexpected or intrusive ways. As a result, there is a need for greater transparency, understanding, and consumer education on issues of TV data privacy.
Programmatic advertising, while well-established in the online ecosystem, is still nascent and growing rapidly for Smart TV data. There are two sides to TV data and advertising: (1) the use of TV viewing data for serving advertisements elsewhere, such as on associated devices; and (2) the use of data from other sources (online browsing behavior on associated devices, social media activities, or demographics) to display an advertisement on a TV. Although both activities may be surprising to consumers, they carry different implications for individual privacy.
In discussions around best practices, processors of TV data are often inclined to apply the same, or similar, standards as those that exist for online behavioral advertising, such as the Network Advertising Initiative’s Code of Conduct. Although similarities exist, direct application of standards for online advertising may not be appropriate unless they take into account key differences:
- As the FTC has noted, consumer expectations for televisions are different. Because of the historical role of TVs as passive, one-way transmission devices in the living rooms of nearly all Americans, there is a much higher barrier that must be overcome before most families will be comfortable with their TVs collecting sensitive information. As expectations change, the responsibility lies with technology providers to provide the education, notice, and transparency necessary to build trust in their devices.
- TVs are expensive. In many cases, personalized digital advertising in online platforms is defended on the grounds that it enables much of the free content that we enjoy. This argument may not translate well to the context of devices purchased at some expense. For such a device, higher standards for privacy choices, transparency, security practices, and deletion, may be appropriate.
- TVs are often shared family devices. Finally, it should be noted that TV viewing is often a shared experience. As a result, it is most likely appropriate to have best practices around advertising content that avoids inadvertent disclosure of embarrassing or too-personalized information.
Finally, it was surprising to note that several leading Smart TVs are integrating advertising into their main user interfaces. In other words, the TV’s main screens are being designed to contain static placements for digital advertisements (whether personalized or otherwise). For many, this will be a serious downside that might not be understood at the time of purchase. Will we start to see differential pricing for Smart TVs – a less expensive TV with advertisements, and a more expensive TV without advertisements? Although this would not necessarily be unusual for connected devices, it remains to be seen how TV buyers would respond to such a pricing model.
Overall, the industry for Smart TVs and Smart TV data, much like the broader “Internet of Things” ecosystem, is relatively nascent. In the absence of baseline privacy legislation that would provide minimum standards for commercial collection and use of personal information, there is little consensus or consistency between different TV manufacturers about the appropriate ways to collect and use data. Smart TVs promise a range of benefits and interactive features – but are also collecting data for advertising and commercial purposes that might surprise many Smart TV users.
Unfortunately, even well-informed prospective buyers of Smart TVs do not yet have easily available tools to compare TVs on the basis of their privacy and security features. As more consumers start to use Smart TVs as a central hub for connected home devices, good security is also critical. Ironically, strong security practices can make it more difficult for independent researchers to evaluate privacy features. For example, a side effect of the increased use of SSL encryption (an important security safeguard for well-designed connected devices) is that security researchers are not able to analyze data being sent and received by a Smart TV.
We look forward to Consumer Reports’ emerging Digital Standard, which promises to provide such tools for prospective buyers to compare connected devices on many key privacy aspects – such as, for example, the existence of clear policies, or the default settings of ACR. Inevitably, it will be difficult for outside observers to compare Smart TVs on the basis of their internal business practices (especially as data is increasingly better secured and challenging to assess from external observation). For these reasons, independent trusted organizations will likely play a key role in addressing these challenges in years to come. By working towards greater transparency and privacy commitments,
 For more information on the 2015 Samsung concerns and other privacy issues related to voice data and speech-enabled devices, read Future of Privacy Forum’s 2015 report, “Always On: Privacy Implications of Microphone-Enabled Devices.”
 In evaluating Smart TVs, we approached each 2017-model TV from the perspective of an average user, relying only on public-facing documents and the communications presented in the TV’s user interface. Although some of the companies discussed here are also supporters of FPF, we applied the same approach to all TVs and believe that we have presented a fair, accurate comparison of key privacy and security aspects.