User Alleges LG TVs Phone Home With Your Viewing Habits
psychonaut writes "Blogger DoctorBeet discovered that his new LG television was surreptitiously sending information about his TV viewing habits, as well as the names of the files he watched on removable media, to LG's servers. There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from."
it's a matter between him and the retailer he bought the TV from.
So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Who did he buy it from, Sony?
Isn't this already a Smirnoff joke?
ISR, joke has already written YOU.
As long as it's not filming me and recording my vinegar strokes when it reports that I am watching "siberian amputee dwarf party 8"
It's a wonder that so many people are using the built-in set top boxes in their so-called smart TVs.
The user interfaces are invariably shit (especially so for any software designed in the far East). And you're stuck with whatever badly designed, misconceived bollocks they force upon you. It's the Sony shit-on-your-paying-customers way of doing things.
Anyway, the whole world is (or should be) treating large displays like TVs as monitors, which screens media pushed from the internet via other devices in your house. DLNA and Chromecast are the way of the future, not built-in TV set top pox.
This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.
Sure, whatever you say.
I can feel the outrage in his comments.
They'll be prying his midget porn from his cold, dead, slightly sticky hands
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Now I realize that it's democratic: it comes from the people.
Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.
We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.
When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.
Futurist Traditionalism
All I watch are reruns of Law & Order. Guess that's why I keep getting targeted ads for handguns, anti-freeze, bleach, and no-contract cell phones.
This is part of the pitch to advertisers from the LG video: "Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness."
LG staff apparently speak like robots. Or Michael Caine. Who can only say. A few words. At a time.
That's pretty creepy.
Unplug the TV from the network and use another device for accessing content. Then sue LG for invading your privacy.
Don't buy a smart TV. Build or buy a set-top box that gives you customizability and control over what it does. Plenty of options for Windows, Android or Linux htpc's or set top boxes that you can customize as deeply as you like.
...LG watches you! Oh, wait...
I guess if they do that, then an un-hacked G2 would do it as well- along with the stuff Verizon did along those same lines. Guess I don't want the G2, then...
So much for ever buying a TV set again.
Is that it is full of lizards.
for dumb people.
Hmm. I have an LG TV. It must report "watching HDMI 1 again" (TiVo). Oops, now watching "HDMI 4" (chromecast). No way it is sending any information about the shows. It has no idea what show is on those inputs. Lame story. I will stipulate that if you use the "Smart" features it could send a file name of something you watch from DLNA, etc. However the "Smart" features on these TVs are f*cking stupid. The menu takes 30 seconds to come up - even to SWITCH INPUTS. They are a joke, so nobody that has tried them ever uses them again. You use the things you plug in - such as a DVR, a Chromecast, a Roku - things like that.
This is exactly why my TV, though having an Ethernet port, does NOT have internet access connected to it. I get monitored enough, there's enough risk from being hacked. Leave my TV alone!
For now, it's filenames. Next will be screenshots. After that, reverse-netflix?
What we need is for the protocol to be reverse-engineered, and then just start posting all sorts of randomized information to the servers, effectively making it useless. Advertisers won't pay for garbage data.
Of course, once LG notices, the protocol will be encrypted...
If I were to build a TV that spied on my customers, I would at least encrypt the traffic. By not encrypting the traffic, this opens up the possibility of a user getting revenge by posting misleading data or even something as evil as an XML bomb. Dumb move by LG.
Contact the privacy commissioner.
So, does his TV connect to the internet via a cable modem? Perhaps it's time for someone to market a hardware firewall that you can place between your cable modem and your router to monitor and filter all of your inbound and outbound traffic. I suppose that some routers let you do this. I have an Airport Extreme and it does not give you access to any logs (suggestions as how to do this would be welcome).
Actually, in the US it's a bit tricky for a Cable TV company to sell/give/distribute your viewing data. They can use it internally, but there's a specific law that prohibits disclosure of that data. The Cable TV Privacy Act of 1984 prohibits cable TV providers from disclosing personally identifiable information, and allows users to view and verify their information. This is somewhat unique. No such rules apply to other communications means. For instance if Verizon wants to publish my browsing habits, as gleaned from watching the packets go by, there's not a lot I can do, from a non-contract law standpoint.
I think nobody should be surprised.
Once a company gets a network connection to what you do, they're going to track it, analyze it, and try to figure out how to monetize it. And, if requested, they're going to hand it over to law enforcement.
And this is precisely why I have no interest in having my TV connected to the internet.
The easiest way to avoid stuff like this is to stop giving companies a window into everything you do. Because the reality is, they're going to exploit it whenever they can for their own benefit.
Lost at C:>. Found at C.
Their data is sent in the clear. Time to fill their logs with the idea that I watch Golden Girls 24x7.
Trolling is a art,
Disable the Internet connection on the TV. Problem solved.
"Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon."
HTC is still trying to recover from spyware.
Boston cops seem to care that they're being tracked.
I turn off Google Android GPS and so do most everyone I know. Latitude was never run and for my next phone, I want Android without all that Google spyware and forcing you to sign up for an account that groups stuff and all the other creepy surveillance stuff they do.
There won't be any LG products in my new house. Not just TV's, I find their attitude to my data appalling and don't want them selling even the guarantee card data on.
I love this lovely bit of weaseling:
So, once again, it's in the EULA and Terms and Conditions, so we can do any fucking thing we want.
Companies can cram any opaque license in there they want, and you have no recourse.
Fuck LG.
Lost at C:>. Found at C.
LG decided that it needed to update its user agreement and sent an update that paralyzed my TV. It would no longer switch between inputs or do anything useful until I clicked their stupid agreement. They even supplied an email address for questions about the process onscreen, but nobody ever responded.
I was a good customer for them until that stunt.
So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
That's a fantastic idea, LG! We certainly will abide by your wishes and make it a matter between the consumer and the retailer by not buying your tv's.
Done and done!
Of course LG has no idea what's going on. NSA infiltrated LG's servers. They want to know if you're downloading and watching homeland tv series.
I just wrote a quick script that makes his TV viewing habit a 24/7 affair on all the porn channels.
I'm afraid you're wrong about them not being able to identify your content just because it arrives through externally connected devices instead of from the TV broadcaster.
All they have to do is build a database of patterns to recognize (held on their servers), and then use a CDDB-type approach to figure out what the content watched on the TV is. Because digital technology preserves content so well even when it's been through multiple stages of format conversion, this isn't all that hard to do.
Anyone who's done a course in image recognition is aware of scene properties that are very robust and could be used for this purpose. It's then just a matter of the TV sending home patterns for the content it's displaying every few minutes, and the server end does the job of matching against its steadily improving database.
If your viewed material is something that many others have watched, they'll eventually discover what it is from this uploaded information, and even if they don't recognize it, they'll know that what you watch is exactly the same thing as N other identifiable people.
He didn't want anyone to know he was watching teletubbies. How embarrassing.
What do I know, I'm just an idiot, right?
Is this a surprise to anybody? Why do you think all TV vendors are pushing for "Smart TV"? All this metadata could be a huge source of revenue to them in all kinds of areas, from advertising profiling to law enforcement.
Since we have more and more connected devices in our lives, you've got to take extra precautions. First and foremost, if your device doesn't need to be connected to the Internet, just don't. There is no reason your wired printer needs Internet access, so block that MAC address for external access. If your device does need it, then make sure that it's in an isolated segment with no raw access to Ethernet frames from other systems in your house, and if it's WiFi-enabled, make sure you have guest isolation turned on. Then, set up a proxy, transparent or not, to make sure you have the chance to monitor that traffic for unexpected surprises. If you can, whitelist some specific sites that your application needs to access, like Netflix or VUDU for example and block access to everything else.
Finally, why use apps in the TV when you can have excellent open source software provide you with content, like XBMC or MythTV?
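The proxy-and-whitelist monitoring suggested in the comment above, as an added example (not code from the thread or from any commenter): it audits proxy log lines for one device against an allowlist, and counts a POST answered with 404 as an upload because the request body has already left the network. The log format, the TV address 192.168.50.20 and all `.example` hostnames are constructed assumptions.

```python
"""Audit one device's outbound HTTP(S) requests against an egress allowlist.

Added illustration: log format, addresses and hostnames are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

TV_IP = "192.168.50.20"                          # assumed address of the TV on its isolated segment
ALLOWED_SUFFIXES = ("netflix.com", "vudu.com")   # services the TV is meant to reach

# Constructed sample lines: "<epoch> <client-ip> <method> <target> <status> <bytes-sent>"
SAMPLE_LOG = """\
1384850001 192.168.50.20 CONNECT api.netflix.com:443 200 0
1384850007 192.168.50.20 POST http://collector.tv-vendor.example/usage 404 412
1384850011 192.168.50.31 GET http://printer-update.example/fw 200 0
1384850019 192.168.50.20 GET http://ads.tv-vendor.example/banner.png 200 0
1384850025 192.168.50.20 POST http://collector.tv-vendor.example/usage 404 398
1384850031 192.168.50.20 CONNECT NETFLIX.COM.lookalike.example:443 200 0
this line is malformed and must be skipped
"""


def host_of(method, target):
    """Return the lower-cased destination host for a proxy log target."""
    if method == "CONNECT":                      # CONNECT targets are host:port
        return target.rsplit(":", 1)[0].lower().rstrip(".")
    return (urlsplit(target).hostname or "").rstrip(".")


def is_allowed(host):
    """Match on a label boundary so 'netflix.com.lookalike.example' does not pass."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def audit(log_text, device_ip=TV_IP):
    """Summarise non-allowlisted destinations contacted by one device."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != device_ip:
            continue                             # malformed line or another device
        _, _, method, target, status, sent = parts
        if not sent.isdigit():
            continue
        host = host_of(method, target)
        if not host or is_allowed(host):
            continue
        entry = findings.setdefault(host, {"requests": 0, "bytes_sent": 0,
                                           "cleartext_posts": 0,
                                           "statuses": Counter()})
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
        entry["statuses"][status] += 1
        # A 404 reply does not undo the upload: the body was already sent.
        if method == "POST" and target.lower().startswith("http://"):
            entry["cleartext_posts"] += 1
    return findings


if __name__ == "__main__":
    for host, e in sorted(audit(SAMPLE_LOG).items()):
        print(f"{host}: {e['requests']} req, {e['bytes_sent']} B sent, "
              f"{e['cleartext_posts']} cleartext POST, "
              f"statuses={dict(e['statuses'])}")
```

Hosts it reports are candidates for a block rule on the router or proxy; the allowlist stays short because everything else is denied by default.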
You mean to tell me a modern day electronic is invading your privacy? Shirley, you jest!
It's time for egress filtering, both at the TCP layer, and at the application (hello Privoxy) layer on home firewalls.
I want to delete my account but Slashdot doesn't allow it.
The first thing a tech at the store would do is hit 'agree', and then call me and tell me the set worked fine and to stop wasting his time.
Since they cannot know who agreed or even what jurisdiction the agreement was made in, the entire process was meaningless. I just will not buy any more of their stuff. Or purchase it on behalf of any company I work for.
It's a grouping of people with some authority over the people living in a geographic area.
Who will monitor the monitors?
- First they ignore you, then they laugh at you, then ???, then profit.
Since when did Ubuntu start supplying Smart TV builds?
Spamming them to death with garbage data would be the best way to take control of the issue. Since the information is unencrypted, posting gibberish data to their server will be a breeze. It would be even better to have a registry of device IDs that people can opt-in so that many people can be spamming them on behalf of other device IDs. Better yet is if the device IDs are serial, then the whole range can be randomly spammed. It doesn't have to go to the point of DDOSing them. Just throwing some bad data at them would be enough to totally screw up their ability to mine / sell that data.
Better known as 318230.
There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from.
What is it these days with companies not taking any responsibility of their products starting from the point they leave the factory? It's unethical and just wussy-ass behavior to not stand behind your products. You don't "shrug the matter off". You must care about customer satisfaction. From a good company the correct answer would have been "at your service, sir". After that they would have started working hard to provide a firmware update which allows properly turning off the spying feature. If you bother to wake up in the morning to make televisions, at least do your job properly.
One more reason not to buy a tv that connects to the internet. Or if you can't avoid one with an ethernet connection, just don't use it. WiFi devices can be blocked from connection at the router by simply not entering the mac address in the list of devices allowed to connect. If they ever make a TV that "requires" a connection to the internet (will not work without it, like a lot of game consoles) they can kiss my ass. In Times Square. At Midnight. On New Years EVE!
I'm not surprised that LG or some other "smart TV" maker would consider trying this. It's pretty darn tempting. But I am surprised they actually let it loose in the wild. You have to be pretty dumb to think it wouldn't eventually be noticed, and the damage control from headlines like "LG TVs spy on their users" will be potentially pretty bad if past experience is any indication.
Think "Sony rootkit" bad, LG. Remember that? Google how well-known that is if you are unfamiliar. Is that the kind of attention from consumers, the media, and regulators that you want? I think most companies will probably look at the options and say "Not worth the downside". Apparently LG is either filled with stupid managers or gamblers who think the information payout is still worth the risk.
And if this is their initial response to a query about it, wow, is this going to get bad if there is any truth to these claims.
Want to hurt LG for this?
Everyone go out and buy an LG TV, then return it to the store* the next day because you refuse to accept the Terms and Conditions. See how fast retailers start dropping LG from their lines...
*Be sure to check the store's return policy. Should work at most big chains.
I wonder how they'd feel if someone decided to send a steady stream of nonsense to their servers? And have fields named "LG virus payload" "Trojan_LG" etc?
I'm a consultant - I convert gibberish into cash-flow.
With ordinary domestic electronics, you can bet your life such abuses are poorly coded, and easily identified. The same does NOT apply to products from companies like Google, Apple and Microsoft.
Microsoft sets up 'plausible deniability' for the traffic that travels to their servers by doing TWO things.
1) For years now, every Microsoft product connected to the Internet regularly sends data of an unspecified type, that Microsoft tells people is general "quality control" information. This constant outward streaming GROOMS users to expect devices to engage in periodic mysterious transmissions that are, to all intents and purposes, impossible to prevent if the device needs to be online for any reason.
2) Microsoft ENCRYPTS traffic sent from its newest devices. The Xbox One has specific encryption hardware blocks that eliminate apparent overhead.
So, with the Xbox One, for instance, engineers can investigate the device (when it is released in a few days), PROVE Kinect is powered and processing whenever there are people in the room, PROVE there is significant outward encrypted traffic whenever the console is online, and Microsoft will reply that this is expected, innocent and UNSTOPPABLE (if you have the Kinect connected and an Internet connection).
Contrary to what Microsoft's vile shills tell you, Microsoft has NOT stated you can prevent this behaviour using 'user settings' on the interface. The ONLY thing the user settings change is the experience FOR THE USER. The owner of the Xbone does NOT get to modify the Microsoft designated behaviour, UNLESS the user refuses to connect the Gates/NSA Kinect II sensor bar.
Parallel to the technological ability to spy on people in their own homes have been a raft of new laws passed in EVERY major nation on the planet that effectively legalise such spying, and severely restrict the ability of users to seek action against companies who abuse their customers in such ways. Indeed, Obama's new INTERNATIONAL IP TREATIES are specifically designed to criminalise, with the severest penalties, ANY action that circumvents inbuilt functions within CONSUMER devices. In other words, Obama states that the ONLY right of the citizen will be whether to buy or not buy a device. If it is bought, the user MUST use the device according to the whims of the manufacturer.
Vile shills will tell you that this CANNOT prevent savvy people from hacking etc, but this is irrelevant. What matters is that the VAST MAJORITY are afraid of the law, and discourage 'law breaking' by those around them. So the sheeple will learn to treat those who openly 'modify' the behaviour of home electronics in the same light as those that openly, say, snort cocaine.
In the foreseeable future, even taping over the cameras built into things like TVs will become a criminal offence (just as Americans have been trained by Obama to accept EULAs as an absolute statement of law).
Only ONE thing can now protect Humanity from this fate- namely that the RIGHT TO PRIVACY is codified into the fundamental principles of a free, decent society. A right to privacy MUST join things like:
freedom of speech
freedom of conscience
presumption of innocence
right to a fair trial
all men to be equal under the law
etc, etc.
In the USA, this means AN AMENDMENT TO THE CONSTITUTION. The ability of the State to use its power, influence and resources to spy within the homes of citizens MUST be denied by law. All general and specific acts of intelligence gathering against ordinary citizens must be deemed to be a Crime against Humanity. Only those carefully and reasonably designated as "persons of interest" by justice or defense departments following specific, PUBLIC protocols (under direct democratic control) should be potential targets for State spying. While such spying can be secret, the protocols that justify such spying in general MUST NEVER be secret.
However, the monsters that rule you are NEVER going to willingly give up their ability to abuse you. The more their spy powers improve, and the more people they spy on, the greater their power, and their future ability to hold on to and grow such power.
I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.
However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.
LG doesn't need to implement a valid page for the URL to get the data. The POST is logged on their servers and the 404 gives them deniability if this matter ever draws an executive out to testify in front of legislators.
I am becoming gerund, destroyer of verbs.
Mine isn't even hooked up to the internet. Even if it was, all it would know is, "Damn, she uses her Mac Mini a LOT!" :D
and report back?
I refuse to buy an Internet-enabled TV, or any other appliance for that matter (Lowes tried to sell me an Internet-enabled LG kitchen suite that would send me an email if the temperature in my refrigerator got too high. No thanks.)
XBMC on Linux is the only "smart" TV I need.
So what? Ad engines on websites have been doing the same thing for years. Fix it the same way; just identify the domain names that the TV is radioing home to, and redirect those domains via DNS (OpenDNS makes this easy), to anywhere else where they'll just 404.
What the hell is my printer going to do to me?
Or what the hell are you scanning on yours?
With a device intended to snoop on your viewing habits, I'd be curious if any viewing habits could be construed as abuse in a court of law.
Would a court frown upon disabling the setting and then view randomly named files millions of times an hour?
Here's a thought, I ditched my cable provider and went with Netflix and sharing media on my computer with my tv to not have to be bombarded with ads.
Aren't you opening a huge security hole on your computer? Doesn't Netflix on a PC/Mac require Microsoft Silverlight?
There are a few companies that are actively working against this privacy invasive hardware/software. The problem is you don't care enough or aren't willing to pay the true cost for your hardware.
ThinkPenguin, and ??? a few (very very very few) others have actively pushed for the release of free software drivers/firmware so that they could ship systems that were NOT privacy invasive or at least less privacy invasive.
If you don't even have enough users to produce a distribution that is privacy friendly though... well, we're all f'd. And that's for hardware that people actually think about.
Nobody is thinking about the privacy invasive aspects of TVs.
Read the Samsung Smart TV Manual's Terms and Conditions, Privacy Policy and you'll see, "Carefully read the terms and conditions to use Samsung Account...". Read the Privacy Policy and you'll see, "We collect such information to help us identify users' browsing preferences. This information is used for internal purposes so that we can carry out research on user demographics, behavior and interests."
Errr, this is an item described as a TV. So why is it connected to the Internet?
Or am I falling behind the times with TVs? I thought you just sent them a video signal and they turned it into pictures (moving or not).
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
...you are probably not enjoying yourself!
I got tired of reading through this thread and the rants not specific about the original post, so if there's proof that this is happening and I missed it please advise. Does anyone have proof from a packet sniffer? I ran one at home, my LG 3D Smart TV (47LM6700) isn't 'calling home'.