Slashdot Mirror
User Alleges LG TVs Phone Home With Your Viewing Habits
psychonaut writes "Blogger DoctorBeet discovered that his new LG television was surreptitiously sending information about his TV viewing habits, as well as the names of the files he watched on removable media, to LG's servers. There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from."
it's a matter between him and the retailer he bought the TV from.
So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Who did he buy it from, Sony?
As long as its not filming me and recording my vinegar strokes when it reports that i am watching "siberian amputee dwarf party 8"
It's a wonder that so many people are using the built-in set top boxes in their so-called smart TVs.
The user interfaces are invariably shit (especially so for any software designed in the far East). And you're stuck with whatever badly designed, misconceived bollocks they force upon you. It's the Sony shit-on-your-paying-customers way of doing things.
Anyway, the whole world is (or should be) treating large displays like TVs as monitors, which screens media pushed from the internet via other devices in your house. DLNA and Chromecast are the way of the future, not built-in TV set top pox.
This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.
Sure, whatever you say.
I can feel the outrage in his comments.
They'll be prying his midget porn from his cold, dead, slightlt sticky hands
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Now I realize that it's democratic: it comes from the people.
Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.
We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.
When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.
Futurist Traditionalism
All I watch are reruns of Law & Order. Guess that's why I keep getting targeted ads for handguns, anti-freeze, bleach, and no-contract cell phones.
This is part of the pitch to advertisers from the LG video: "Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness."
LG staff apparently speak like robots. Or Michael Caine. Who can only say. A few words. At a time.
That's pretty creepy.
Unplug the TV from the network and us another device for accessing content. Then sue LG for invading your privacy.
...LG watches you! Oh, wait...
I guess if they do that, then an un-hacked G2 would do it as well- along with the stuff Verizon did along those same lines. Guess I don't want the G2, then...
So much for ever buying a TV set again.
for dumb people.
don't buy a smart TV.
Since the price difference between a smart TV and a dumb one can be less than $100,00 (here in Brazil where you expend some $700 more to buy a PS4 instead of a PS3), you'd better buy one and root it.
Linux is for people who don't mind RTFM.
This is exactly why my TV though having an either port does NOT have internet access connected to it. I get monitored enough, there's enough risk from being hacked. Leave my TV alone!
For now, it's filenames. Next will be screenshots. After that, reverse-netflix?
What we need is for the protocol to be reverse-engineered, and then just start posting all sorts of randomized information to the servers, effectively making it useless. Advertisers won't pay for garbage data.
Of course, once LG notices, the protocol will be encrypted...
If I were to build a TV that spied on my customers, I would at least encrypt the traffic. By not encrypting the traffic, this opens up the possibility of a user getting revenge by posting misleading data or even something as evil as an XML bomb. Dumb move by LG.
Contact the privacy commissioner.
So, does his TV connect to the internet via a cable modem? Perhaps it's time for someone to market a hardware firewall that you can place between your cable modem and your router to monitor and filter all of your inbound and outbound traffic. I suppose that some routers let you do this. I have an Airport Extreme and it does not give you access to any logs (suggestions as hoe to do this would be welcome).
Actually, in the US it's a bit tricky for a Cable TV company to sell/give/distribute your viewing data. They can use it internally, but there's a specific law that prohibits disclosure of that data. The Cable TV Privacy Act of 1984 prohibits cable TV providers from disclosing personally identifiable information, and allows users to view and verify their information. This is somewhat unique. No such rules apply to other communications means. For instance if Verizon wants to publish my browsing habits, as gleaned from watching the packets go by, there's not a lot I can do, from a non-contract law standpoint.
I think nobody should be surprised.
Once a company gets a network connection to what you do, they're going to track it, analyze it, and try to figure out how to monetize it. And, if requested, they're going to hand it over to law enforcement.
And this is precisely why I have no interest in having my TV connected to the internet.
The easiest way to avoid stuff like this is to stop giving companies a window into everything you do. Because the reality is, they're going to exploit it whenever they can for their own benefit.
Lost at C:>. Found at C.
you have to pay $100 more for a dumb TV these days? Well, OK, I guess that's a feature.
(we're happy as a clam with our Vizio dumb LCD panel. LED/120Hz, buncha HDMI, all the 'enhancements' and speakers can be turned off and open source stuff plugs into the HDMI ports just fine).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Their data is sent in the clear. Time to fill their logs with the idea that I watch Golden Girls 24x7.
Trolling is a art,
Disable the Internet connection on the TV. Problem solved.
"Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon."
HTC is still trying to recover from spyware.
Boston cops seem to care that they're being tracked.
I turn off Google Android GPS and so do most everyone I know. Latitude was never run and for my next phone, I want Android without all that Google spyware and forcing you to sign up for an account that groups stuff and all the other creepy surveillance stuff they do.
There won't be any LG products in my new house. Not just TV's, I find their attitude to my data appalling and don't want them selling even the guarantee card data on.
I love this lovely bit of weaseling:
So, once again, it's in the EULA and Terms and Conditions, so we can do any fucking thing we want.
Companies can cramp any opaque license in there they want, and you have no recourse.
Fuck LG.
Lost at C:>. Found at C.
LG decided that it needed to update its user agreement and sent an update that paralyzed my TV. It would no long switch between inputs or do anything useful until I clicked their stupid agreement. They even supplied an email address for question about the process onscreen, but nobody ever responded.
I was a good customer for them until that stunt.
Probably the long term answer is a solid internal firewall, or putting the smart TV on its own subnet. Eventually all TVs will be "smart" ones, perhaps even not working unless they have an always-on connection, so I can see emulators being written to make the TV think its phoning home, except it is just communicating with a fancy /dev/null.
So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
That's a fantastic idea, LG! We certainly will abide by your wishes and make it a matter between the consumer and the retailer by not buying your tv's.
Done and done!
Of course LG has no idea what's going on. NSA infiltrated LG's servers. They want to know if you're downloading and watching homeland tv series.
I'm afraid you're wrong about them not being able to identify your content just because it arrives through externally connected devices instead of from the TV broadcaster.
All they have to do is build a database of patterns to recognize (held on their servers), and then use a CDDB-type approach to figure out what the content watched on the TV is. Because digital technology preserves content so well even when it's been through multiple stages of format conversion, this isn't all that hard to do.
Anyone who's done a course in image recognition is aware of scene properties that are very robust and could be used for this purpose. It's then just a matter of the TV sending home patterns for the content it's displaying every few minutes, and the server end does the job of matching against its steadily improving database.
If your viewed material is something that many others have watched, they'll eventually discover what it is from this uploaded information, and even if they don't recognize it, they'll know that what you watch is exactly the same thing as N other identifiable people.
He didn't want anyone to know he was watching teletubbies. How embarrassing.
What do I know, I'm just an idiot, right?
Is this a surprise to anybody? why do you think all TV vendors are pushing for "Smart TV"? all this metadata could be a huge source of revenue to them in all kinds of areas, from advertising profiling to law enforcement.
Since we have more and more connected devices in our lives, you've got to take extra precautions. First and foremost, if your device doesn't need to be connected to the Internet, just don't. There is no reason your wired printer need Internet access, so block that MAC address for external access. If your device does need it, then make sure that it's in an isolated segment with no raw access to Ethernet frames from other systems in your house, and if it's WiFi-enabled, make sure you have guest isolation turned on. Then, setup a proxy, transparent or not, to make sure you have the chance to monitor that traffic for unexpected surprises. If you can, whitelist some specific sites that your application needs to access, like Netflix or VUDU for example and block access to everything else.
Finally, why use apps in the TV when you can have excellent open source software provide you with content, like XBMC or MythTV?
It's time for egress filtering, both at the TCP layer, and at the application (hello Privoxy) layer on home firewalls.
I want to delete my account but Slashdot doesn't allow it.
The first thing a tech at the store would do is hit 'agree', and then call me and tell me the set worked fine and to stop wasting his time.
Since they cannot know who agreed or even what jurisdiction the agreement was made in, the entire process was meaningless. I just will not buy any more of their stuff. Or purchase it on behalf of any company I work for.
It's a grouping of people with some authority over the people living in a geographic area.
Who will monitor the monitors?
- First they ignore you, then they laugh at you, then ???, then profit.
Since when did Ubuntu start supplying Smart TV builds?
Spamming them to death with garbage data would be the best way to take control of the issue. Since the information is unencrypted, posting gibberish data to their server will be a breeze. It would be even better to have a registry of device IDs that people can opt-in so that many people can be spamming them on behalf of other device IDs. Better yet is if the device IDs are serial, then the whole range can be randomly spammed. It doesn't have to go to the point of DDOSing them. Just throwing some bad data at them would be enough to totally screw up their ability to mine / sell that data.
Better known as 318230.
There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from.
What is it these days with companies not taking any responsibility of their products starting from the point they leave the factory? It's unethical and just wussy-ass behavior to not stand behind your products. You don't "shrug the matter off". You must care about customer satisfaction. From a good company the correct answer would have been "at your service, sir". After that they would have start working hard to provide a firmware update which allows properly turning off the spying feature. If you bother to wake up in the morning to make televisions, at least do your job properly.
I'm not surprised that LG or some other "smart TV" maker would consider trying this. It's pretty darn tempting. But I am surprised they actually let it loose in the wild. You have to be pretty dumb to think it wouldn't eventually be noticed, and the damage control from headlines like "LG TVs spy on their users" will be potentially pretty bad if past experience is any indication.
Think "Sony rootkit" bad, LG. Remember that? Google how well-known that is if you are unfamiliar. Is that the kind of attention from consumers, the media, and regulators what you want? I think most companies will probably look at the options and say "Not worth the downside". Apparently LG is either filled with stupid managers or gamblers who think the information payout is still worth the risk.
And if this is their initial response to a query about it, wow, is this going to get bad if there is any truth to these claims.
I wonder who they'd feel if someone decided to send a steady stream of nonsense to their servers? And have field named "LG virus payload" "Trojan_LG" etc?
I'm a consultant - I convert gibberish into cash-flow.
I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.
However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.
LG doesn't need to implement a valid page for the URL to get the data. The POST is logged on their servers and the 404 gives them deniability if this matter ever draws an executive out to testify in front of legislators.
I am becoming gerund, destroyer of verbs.
Mine isn't even hooked up to the internet. Even if it was, all it would know is, "Damn, she uses her Mac Mini a LOT!" :D
and report back?
I refuse to buy an Internet-enabled TV, or any other appliance for that matter (Lowes tried to sell me an Internet-enabled LG kitchen suite that would send me an email if the temperature in my refrigerator got too high. No thanks.)
XBMC on Linux is the only "smart" TV I need.
So what? Ad engines on websites have been doing the same thing for years. Fix it the same way; just identify the domain names that the TV is radioing home to, and redirect those domains via DNS (OpenDNS makes this easy), to anywhere else where they'll just 404.
Here's a thought, I ditched my cable provider and went with Netflix and sharing media on my computer with my tv to not have to be bombarded with ads.
Aren't you opening a huge security hole on your computer, doesn't Netflix on a PC/Mac require Microsoft Silverlight ?
Read the Samsung Smart TV Manual's Terms and Conditions, Privacy Policy and you'll see, "Carefully read the terms and conditions to use Samsung Account...". Read the Privacy Policy and you'll see, "We collect such information to help us identify users' browsing preferences. This information is used for internal purposes so that we can carry out research on user demographics, behavior and interests."
Errr, this is an item described as a TV. So why is it connected to the Internet?
Or am I falling behind the times with TVs? I thought you just sent them a video signal and they turned it into pictures (moving or not).
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
...you are probably not enjoying yourself!