FTC vs. VIZIO: Getting smart about TV data collection and sharing

If you have a so-called smart TV from VIZIO, LG, or Samsung, you may want to check its settings related to Privacy, Marketing, and Automatic Content Recognition (ACR). Why? Because your TV may be collecting information about what you and your family watch, and then sharing that data with third parties in ways that you may not have thought about.

In this article I will explain why the practice of TV manufacturers collecting and profiting from information about your TV viewing was thrust into the headlines this week, but before I do that, I want to share a link to an article by Consumer Reports that explains how to shut off technology that tracks what you watch on many VIZIO, LG, and Samsung televisions. Consumer Reports is an independent, nonprofit organization and it makes sense to share the advice they have already assembled, rather than delay this article in an effort to replicate their work (besides, my TV at home happens to be a Sony, which doesn’t help here, and I don’t think I have the budget to get any more TVs for the research lab).

The FTC vs. VIZIO

Why did the issue of televisions snooping on those who watch them hit the headlines this week? Because on Monday the US Federal Trade Commission (FTC), along with the Office of the New Jersey Attorney General, announced a settlement with one of the world’s largest manufacturers and sellers of internet-connected “smart” televisions, namely VIZIO, a privately held American company headquartered in Irvine, California.

VIZIO has agreed to pay more than $2 million in fines to settle charges that its smart TVs did, without consumers’ knowledge or consent: “capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices”. Furthermore, the settlement charges that VIZIO “facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value…[and] sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices…”

A lot of that behind-the-scenes data acquisition and trafficking is likely to come as a shock to some of the folks who own the 11 million VIZIO television sets involved in this case. If you have a VIZIO smart TV and didn’t know it might be doing this, you may be upset. The first thing to do is check out the Consumer Reports article on how to turn this off.

Next, you can take some comfort in the fact that the FTC settlement requires VIZIO to “delete data collected before March 1, 2016” and to “prominently disclose and obtain affirmative express consent for its data collection and sharing practices.” The company could be in for even bigger fines if, down the road, it is found to have further misrepresented the privacy, security, or confidentiality of consumer information it collects.

If you own a Samsung or LG smart TV, I need to stress they are not part of this FTC case; however, they also have tracking capabilities that you may want to turn off, as described in that article, or in the documentation that came with the TV. And that right there is a big part of this problem: the documentation that comes with the device. When you buy a “connected device” and the documentation that comes with it does not make abundantly clear what data the device collects and shares, and with whom, and for what purposes, you are being deceived. So say both common sense and the FTC.

A less deceptive approach would have been to offer the public two versions of each TV at two different prices, for example:

  • 42 inch smart TV without data tracking: $650
  • 42 inch smart TV with full data tracking and sharing: $600

That way, people would know why the price of the second model was lower. Absent such transparency, one is left to speculate that the price of all new TVs, which strike me as inexpensive compared to some other digital products, is based on assumptions about revenue that go beyond the per unit purchase price.

The official account of the VIZIO settlement can be found here. A more colloquial account, which gives you a better sense of how dimly the FTC viewed the facts uncovered in this case, can be found on the agency’s blog, along with some good advice on how manufacturers can avoid sanctions like the ones VIZIO has run into. These echo the FTC’s prior advice on a wide range of “smart” devices and component parts of the Internet of Things (IoT):

  • Explain your data collection practices up front.
  • Get consumers’ consent before you collect and share highly specific information about their entertainment preferences.
  • Make it easy for consumers to exercise options.
  • Remember that established consumer protection principles apply to new technology.

You can read more about the FTC’s thinking on IoT data privacy and security in this article.

Smart TV or big screen computer?

This latest FTC action raises the question of how many consumers are currently aware of the data privacy and information security implications of a television set that can record everything they watch, and report that data, identified by their internet connection (IP address), to distant servers where it can be enriched with information about their age, gender, and other details.

Consumer awareness in this arena might be greater if we stopped calling these things televisions. In reality, they are powerful internet computers with large displays – big-screen PCs if you will – PCs that just happen to be able to show you TV stations in addition to a whole bunch of streaming video, audio, games, and other services. Security folks have been saying the same thing about smartphones for many years, and I get the impression a lot of consumers are now hip to that; yes, you can use it to place a phone call, but basically it’s a small-screen internet computer.

When you grasp that your TV and your phone are computers, and not just simple communication units, you are hopefully more likely to realize their power and potential, for ill as well as good, and treat them accordingly. Read their documentation, their privacy policies and license agreements, and check the default settings. If you’re like me, that won’t mean you stop using the big-screen computer you just installed in your living room, but at least you’ll be watching with eyes wide open, and maybe fingers crossed that the FTC or some tech-savvy attorney general is looking out for your privacy.

To learn more about the FTC’s position within the US data privacy landscape, you might try this ESET white paper.

 

Author Stephen Cobb, ESET

Copyright © 2017 ESET, All Rights Reserved.