User Alleges LG TVs Phone Home With Your Viewing Habits

psychonaut writes "Blogger DoctorBeet discovered that his new LG television was surreptitiously sending information about his TV viewing habits, as well as the names of the files he watched on removable media, to LG's servers. There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from."

it's a matter between him and the retailer

[mwvdlee]

it's a matter between him and the retailer he bought the TV from.

So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?

Re:it's a matter between him and the retailer

[gstoddart]

So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?

In this analogy, it depends on the EULA of the shoes you bought.

What they're saying is "you bought this, and accepted the terms and conditions, if you didn't know that it's your problem and take it up with the retailer who didn't tell you about it".

So, if the EULA for the shoes says you're not allowed to come around and kick their asses, then it was the retailer who was supposed to have told you that. And your desire to go around and kick their asses with said shoes is trumped by the fact that you agreed to it.

To me it's a dodgy legal argument, but since courts keep upholding these licenses which in effect say "by using this device you give us the right to do anything we want to, and whatever we like with the data we collect" -- the legal bullshit says "but you consented to us tracking everything you do, it's not our fault".

So, if in this case the shoes you bought had license terms which said you consent to being tracked, or accept that you're not allowed to kick their asses with said footwear ... then pretty much yes. Apparently it was up to the retailer to tell you what you've agreed to.

Re:it's a matter between him and the retailer

[grasshoppa]

Actually, I think that was just a fancy way of saying "We're not changing it, so return your product...if you can".

Re:it's a matter between him and the retailer

[Artraze]

No, he posted the full text of their response, the relevant part being:

"The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions."

What they're actually saying is that he agreed to the terms and conditions somehow, and it's the retailer's fault that he wasn't aware what they were / that he agreed to them. So really it's just a fancy way of saying 'our asses are covered beyond what legal action you can afford so go away'.

Re:it's a matter between him and the retailer

[fatphil]

If you refuse to give it, you can't use the product you shelled out money for. So it's consent *under duress*. Which is not real consent.

Out of *policy*, I never read any EULA for any product ever. To read it would be giving it weight. I will just click on anything that makes the thing work, and the only reason I'm clicking on it is to make the thing work, not because of any consent.

One of the nice things is that many websites are as dumb as fuck, and often ask me to agree to things before they let me have access to their pages - and these agreements are in a foreign language I don't understand. I cannot have consented, as I couldn't have even understood what I would be consenting to. That's not just plausible deniability, it's deniability-as-the-null-hypothesis. I just clicked on the button that then led me to where I was trying to go. If the websites don't like that, they are free to 403 me.

Re:it's a matter between him and the retailer

[almitydave]

I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.

Re:it's a matter between him and the retailer

[BroadwayBlue]

Hrm. The "collection of watching info" setting wasn't there in version 5.x of the software but it's there now after an update to 6.00.01.

Re:it's a matter between him and the retailer

[RearNakedChoke]

I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.

Yes, I too buy houses where the purchase contract requires no signature, but merely a mouse click. Or even better, where the contract is INSIDE the house and by the mere fact of removing the key from a sealed envelope and opening the door, I've accepted the mysterious contract that is inside that I did not sign...my opening the door is signature enough.

And if there is some clause in that contract that says the bank will install secret video cameras, too bad, take it up with the previous owner.

Re:it's a matter between him and the retailer

[Culture20]

The difference of course being the timing of the contract agreement and the value of the object being withheld. With EULAs, they are often after the purchase is completed. It would be like the seller of the house refusing to vacate the house even after you've taken possession of it until you agree to terms that weren't mentioned before the sale or in the original contract. To get your property, you either have to agree to their demands (which would not be binding) or involve the police. Police would care about a trespasser. A EULA preventing you from using the software you bought, not so much.

Re:it's a matter between him and the retailer

[almitydave]

If you are trying to blah blah blah *you are part of the problem*.

Oh good grief. My point was about ignoring the terms of a contract that you are presented with, know are legally binding, are knowingly take action signifying consent. The person to whom I was replying stated that was their attitude to all software, including where he's required to give explicit consent to terms presented to him before use, not just shrink-wrapped EULAs.

There are problems with EULAs, and contracts to which you don't know you're agreeing should never be allowed to stand up in court, but a person who says "I know this software is presenting terms of a contract and I'm going to click the button that I knows signifies acceptance without reading the contract, and pretend that somehow that means I'm not accepting them" is being ridiculous.

Retailer

[lw54]

Who did he buy it from, Sony?

Re:Retailer

Don't you get the sarcasm?

LG doesn't take responsibility for their products.

Re:Retailer

[davester666]

Yeah. You totally forgot about Canada!

Built-in set top box

[benjfowler]

It's a wonder that so many people are using the built-in set top boxes in their so-called smart TVs.

The user interfaces are invariably shit (especially so for any software designed in the far East). And you're stuck with whatever badly designed, misconceived bollocks they force upon you. It's the Sony shit-on-your-paying-customers way of doing things.

Anyway, the whole world is (or should be) treating large displays like TVs as monitors, which screens media pushed from the internet via other devices in your house. DLNA and Chromecast are the way of the future, not built-in TV set top pox.

Re:Built-in set top box

[hellsop]

I'm sure that if you read the fine print on the agreements for most (if not all) set top box services like TiVo, Hulu, Netflix, your cable agreements, you'll find that they grant permission to collect viewing data and resell it. It's pure gold to ratings organizations or anyone else wanting to prove how many people are watching one thing or another.

Re:Built-in set top box

[mwvdlee]

Agreements do not trump law.
Especially forced and unsigned agreements.

Re:Built-in set top box

Sending the info over http is purely irresponsible.
Not honoring the setting that disables the features is dishonest.

Analytics can be valuable but trust also matters. A very massive backlash is quite possible (people refusing to buy new TVs or buying the low end ones that are not smart etc.).

Re:Built-in set top box

[mi]

DLNA and Chromecast are the way of the future, not built-in TV set top pox.

Whatever your DLNA-client — whether it is the TV itself (LG have this capability), or some 3rd-party box — it can do the same sort of "calling home" reporting what you are watching.

Worse! Whereas the documented spying reports only the currently-watched file and is limited to the listing of the currently-inserted USB-stick, with DLNA your entire collection can be POSTed facilitating not only research into your watching habits, but also aiding investigations of copyright-violations, for example.

The only way to be sure is to disable Internet-access — or only allow it to the sites you trust (for whatever reason). (Like YouTube or Netflix — it is unlikely (though entirely possible) for them to do the same kind of snooping into your media-collection.) Unfortunately, doing that will also disable firmware updates...

Re:Built-in set top box

[bill_mcgonigle]

Have you actually used DLNA? I personally think it stinks. For a way to get a list of files it is pretty good. For any sort of meta data, thumbs, run time, etc it blows.

yeah, I'd been searching for a decent remote control keyboard for my XBMC (formerly MythTV) box for a while (tried a few 2.4GHz and Bluetooth devices), and never found any I liked (nor do I find the XBMC interface very usable). Then I found out about DLNA and MediaHouse on Android, and now I keep all of our media on the NAS in the basement and the XBMC box is set to receive DLNA and we just use whichever android device is around for a much better remote experience.

I agree, though, there's not much metadata on it (just ID3 AFAIK). We have pretty much no need for more on the remote, though, so that's fine.

The other thing is that the allowed port range (like UDP 30000-60000) is insane - reminds me of the bad-old NFSv3 days. There's an heir apparent protocol out there that few vendors have implemented to date. It's probably time, though.

In the meantime, the list of files (I have a folder structure) is all my kids (7 & 10) need to actually watch what they want. They have friends over and go through their karaoke videos or whatever and the friends think it's like magic - I was chagrined that I never noticed DLNA several years ago!

Re:Built-in set top box

[qbast]

The only way to be sure is class-action lawsuit and huge fine paid by LG.

Re:Built-in set top box

[Jaseoldboss]

It doesn't transmit the currently watched filename, it dumps the folder contents asynchronously when accessing the Smart functions. And not all the time, it's possibly newly added files.
I am the blogger who found this, let me know if you would like verification.

Re:Built-in set top box

[sosume]

I'd rarther reverse engineer the protocol and then build a 'crap stats generator' which sends insane viewing patterns to LG. You know, just to tilt the balance in another direction, to make their entire stats database worthless and get a few managers fired. Not allowed? Collecting data like that is highly illegal and could cost LG their import license.

Re:Built-in set top box

[Jaseoldboss]

I tried that but you need a valid authentication ID and session ID plus all those X-Device attributes otherwise it returns an error from the JBoss app server.

Re:Built-in set top box

[mrchaotica]

Anyone have a good iptables rule to block this sort of thing?

Mine is called "don't hook the TV to the network."

Re:Built-in set top box

[nullchar]

A traffic dump would be amazing to look at!

Re:Built-in set top box

[locopuyo]

Let Little Bobby Tables have control over the remote for a while.

Re:Built-in set top box

[lgw]

My TV is just the monitor for a laptop I bought to be a "settop box" (though it's actually connected with a 50' HDMI cable). My remote is my wireless mouse (and I choose a media player that gives me click-almost-anywhere pause and mousewheel volume control, which I find better than my home theater remote).

1080p makes it all work - I have a real UI, can run any sort of display app (Netflix etc) with the "full PC controls" instead of the annoyingly limited "app controls", and of course playing files from my media server just uses a normal file browser that shows whatever I want it to, with my media organized by a filesystem.

Everything else seems half-assed by comparison. I'm a bit mystified why a geek would do this any other way. Just for the fun of buying a bunch of embedded devices that don't really work so well?

Re:Built-in set top box

[sjames]

Just plug in a USB stick with fake .avi's on them. For example, Bon-JoonKooFucksChickens.avi.

Of course it didn't

[rebelwarlock]

This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.

Sure, whatever you say.

midget porn

[hduff]

I can feel the outrage in his comments.

They'll be prying his midget porn from his cold, dead, slightlt sticky hands

Re:midget porn

[Zanadou]

They'll be prying his midget porn from his small, cold, dead, slightly sticky hands

FTFY

I used to think totalitarianism came from above

[hessian]

Now I realize that it's democratic: it comes from the people.

Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.

We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.

When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.

Re:I used to think totalitarianism came from above

[alexhs]

When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.

What about wrapped in a flag on a Harley, distributing Bibles, cheeseburgers and credit cards ? :)

Re:I used to think totalitarianism came from above

No, it comes from corporations, by way of any method that might maximize profits. There should be rules against what LG is doing here if this pans out. Rules put in place by the government. And there might in fact be, however that's a matter for the courts since it was probably documented in the owners manual or when you agreed to view content online.

That being said, this is disappointing to hear about LG. Thought they were the last reputable TV maker out there. If this does pan out, I hope there bottom line takes a massive hit, and Streissand is unkind in her effect.

Re:I used to think totalitarianism came from above

[hey!]

You think totalitarianism doesn't come from above? Who do you think is higher on the political food chain, the consumer or corporations?

You expect consumers to care about privacy, but what does it cost him to care? You almost can't buy a decent TV these days that's not "smart". So he has to put a packet analyzer on the network port and figure out if the thing is phoning home?

No, this a place where the consumer reasonably feels he ought to be protected by government regulation.

Back in 1972 the US Department of Health Education and Welfare developed a landmark report which anticipated a lot of the electronic privacy issues of the following 40 years. The report was prepared under squeaky clean Elliot Richardson, who was shifted from HEW to DoD shortly before the report came out. He was replaced by Caspar Weinberger (later Reagans' Sec'y of Defense, and mixed up with Iran Contra). If you read the report it is capped with a conclusion which doesn't seem to match: we can't really be sure about what's going to happen in the future, so we should avoid regulating any potential privacy abuses by the private sector until they become problems. That's the philosophy which controls the US approach to consumer data privacy to this day. Consumers have to figure out that their data is being abused, then win a political fight against companies who've invested money in the business of exploiting their data.

Re:I used to think totalitarianism came from above

[jodido]

Every public opinion poll says just the opposite. Too many to cite, but here's one: http://articles.washingtonpost.com/2013-07-23/politics/40862490_1_edward-snowden-nsa-programs-privacy It's easier to blame the victims than the people in power.

Re:I used to think totalitarianism came from above

[bzipitidoo]

One of the most obnoxiously intrusive three-letter government agencies is the HOA. It's stunning what those petty little organizations think they have the right to dictate. You shall not have the right to paint your own house whatever color you please, let your lawn go unmowed, repair cars in your driveway, use a clothesline, or quite a few other things. Why? Because it might commit the grievous sin of Lowering the Neighbors' Property Values. Never know when a neighbor will notice something and make a mental note to complain about it while they wait for their dog to leave a deposit in your yard.

These days, purchasing consumer electronics feels like you got a lawn that will be very nice as soon as you've finished cleaning up after someone else's dog or figured out where not to step.

Re:I used to think totalitarianism came from above

[metrix007]

A SmartTV is a boon for me. I don't need a separate device like a roku or chromecast to access youtube or netflix, and those things can't do DLNA while the TV can. No extra device, no extra power usage...and the price difference is about what the most expensive roku costs anyway.

Just because you don't see benefits, does not mean they do not exist.

Re:I used to think totalitarianism came from above

[gweihir]

People are stupid and always go for the (seemingly) easy solutions presented to them. Even after millennia of documented bloody human history, the common person on the street remains completely ignorant how things work, despite it being glaringly obvious.

"The best argument against democracy is a five-minute conversation with the average voter." -- Winston Churchill

Great thing about being old

[sunsurfandsand]

All I watch are reruns of Law & Order. Guess that's why I keep getting targeted ads for handguns, anti-freeze, bleach, and no-contract cell phones.

Re:Great thing about being old

[clickclickdrone]

Anti-freeze, I've been told, has a slightly sweet taste

Back in the mid eighties Austria got caught exporting wine sweetened with diethylene glycol which is what goes in anti-freeze. Pretty much destroyed their wine industry.

Re:Great thing about being old

[gweihir]

Actually it vastly improved their wine industry, as they refocused from "cheap" to "quality". There are really good Austrian wines today.

From the Ad to Advertisers...

[DexterIsADog]

This is part of the pitch to advertisers from the LG video: "Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness."

LG staff apparently speak like robots. Or Michael Caine. Who can only say. A few words. At a time.

That's pretty creepy.

Re:From the Ad to Advertisers...

[Impy+the+Impiuos+Imp]

Or Christopher Walken: "Yeah. I'm collecting data. On you. So you turned the setting. Off. What of it? Make a fuss and I'll stab you in the eye with a pencil."

Re:From the Ad to Advertisers...

[gstoddart]

Here's a thought, I ditched my cable provider and went with Netflix and sharing media on my computer with my tv to not have to be bombarded with ads.

And your ISP, Netflix, and a half a dozen entities in the middle still know exactly what you're doing.

You've avoided ads, but you've not gained any additional privacy.

Re:From the Ad to Advertisers...

[Culture20]

Funny, that's why a lot of people started paying for cable and satellite TV decades ago. Ads will creep in to Netflix too. All it takes is a demand from shareholders for ever increasing profit.

Re:From the Ad to Advertisers...

[L4t3r4lu5]

Netflix is over HTTPS and the stream from the CDN is DRM'd up the wazoo. The ISP is handled by a $5pcm VPN connection, which incidentally might get you an endpoint in another country getting you access to their Netflix library *wink wink*. Between your box and the Netflix CDN it's all secured.

What Netflix do with the data is between you, them, and the lawyers.

Re:From the Ad to Advertisers...

[locopuyo]

I'm not too sure about that. Cable TV is controlled by monopolies but people can easily choose between competing streaming services.
Netflix, Amazon, and others provide paid streaming services without any advertisements. If you don't like one you can easily switch to another.
Youtube, Hulu, and networks' own sites like NBC.com stream content for free with advertisements. People aren't going to pay for something they can already get free.

FTW

[AndyKron]

So much for ever buying a TV set again.

No thanks....

[theNetImp]

This is exactly why my TV though having an either port does NOT have internet access connected to it. I get monitored enough, there's enough risk from being hacked. Leave my TV alone!

What we need....

[frostfreek]

For now, it's filenames. Next will be screenshots. After that, reverse-netflix?

What we need is for the protocol to be reverse-engineered, and then just start posting all sorts of randomized information to the servers, effectively making it useless. Advertisers won't pay for garbage data.

Of course, once LG notices, the protocol will be encrypted...

Re:What we need....

[dbc]

If that's the case, it should be pretty easy to crap-flood them. Does it even need a be from a TV? I presume the TV reports it's identifcation with a serial number or such. So... make up a few valid serial numbers, and spin up a few AZW instances, and for pennies a day their database could be filled with so much invalid and malformed data that they never crawl out from under it. Also, why is the cheif of police watching so much porn?

No encryption?

[gameboyhippo]

If I were to build a TV that spied on my customers, I would at least encrypt the traffic. By not encrypting the traffic, this opens up the possibility of a user getting revenge by posting misleading data or even something as evil as an XML bomb. Dumb move by LG.

Any Canadians here?

[alexo]

Contact the privacy commissioner.

Hardware Firewall

[musterion]

So, does his TV connect to the internet via a cable modem? Perhaps it's time for someone to market a hardware firewall that you can place between your cable modem and your router to monitor and filter all of your inbound and outbound traffic. I suppose that some routers let you do this. I have an Airport Extreme and it does not give you access to any logs (suggestions as hoe to do this would be welcome).

Re:Hardware Firewall

[DogDude]

What you're describing is generally the duty of the router in non-enterprise settings. You should invest $50 and get a good (non-Apple) router that can do what you want.

Cable company selling viewing data

Actually, in the US it's a bit tricky for a Cable TV company to sell/give/distribute your viewing data. They can use it internally, but there's a specific law that prohibits disclosure of that data. The Cable TV Privacy Act of 1984 prohibits cable TV providers from disclosing personally identifiable information, and allows users to view and verify their information. This is somewhat unique. No such rules apply to other communications means. For instance if Verizon wants to publish my browsing habits, as gleaned from watching the packets go by, there's not a lot I can do, from a non-contract law standpoint.

Who is surprised by this?

[gstoddart]

I think nobody should be surprised.

Once a company gets a network connection to what you do, they're going to track it, analyze it, and try to figure out how to monetize it. And, if requested, they're going to hand it over to law enforcement.

And this is precisely why I have no interest in having my TV connected to the internet.

The easiest way to avoid stuff like this is to stop giving companies a window into everything you do. Because the reality is, they're going to exploit it whenever they can for their own benefit.

Re:Who is surprised by this?

[mlts]

Eventually appliances that have an Internet connection will require one. Consoles come to mind, and the only thing one can do is not buy one. It would not be surprising for TV makers to require an Internet connection for some "always on" next-gen DRM.

This DRM could constantly monitor (with facial recognition uploads) how many people are in the room, to shut off a video if more than a certain amount are watching a movie, of it someone banned from a service enters the room.

If you give an inch, they will take a mile. The fewer devices with Internet access, the better.

Of course, there are security ramifications. A criminal organization would score the jackpot if they knew where everyone's kid is and when people were not at home, if they could tap into the TVs themselves or the data aggregating machines.

Re:Easy Solution

[rhsanborn]

The response email from LG implies the original author agreed to the access when he accepted the terms of service. That would likely stand, for now, in the US. I'm not sure if it would fly in the UK.

And LG paralyzes your tv when it wants to.

[Marrow]

LG decided that it needed to update its user agreement and sent an update that paralyzed my TV. It would no long switch between inputs or do anything useful until I clicked their stupid agreement. They even supplied an email address for question about the process onscreen, but nobody ever responded.
I was a good customer for them until that stunt.

Re:And LG paralyzes your tv when it wants to.

[joe_frisch]

Sounds nice, but "return the TV' means somehow finding an appropriate shipping box, filling out the required paperwork and paying to mail it back. If you are lucky you will then eventually get another TV to unpack and set up - and then have to repeat the process. Maybe you "win" and get your money back. The TV company doesn't care - very few of their customers will go to that effort rather than just click on the box, and your return will just be in the "user too stupid to use our TV" category.

This is the general problem with "returning" any sort of high tech product. The cost of the users time to do it is so high that most people simply won't bother - especially when they realize that the competitors product will likely have the same problem.

Sites to Blacklist

[Fnord666]

From the article:

So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.

• ad.lgappstv.com
• yumenetworks.com
• smartclip.net
• smartclip.com
• llnwd.net
• smartshare.lgtvsdp.com
• ibis.lgappstv.com

Re:Sites to Blacklist

[billn]

llnwd.net is a CDN. You *can* block it if you like, but you'll be blocking a lot of other things, like Netflix, Amazon Prime videos, Sony DLC, and all manner of Internet content.

Re:Easy Solution

[msauve]

You mean their attempt at an unconscionable contract of adhesion? Meh. Whenever one of those things appears on my screen, I cover it with a post-it note saying basically "By clicking "accept," I agree to nothing. If you don't agree to that, don't accept my click."

No Internet access

[Natales]

Is this a surprise to anybody? why do you think all TV vendors are pushing for "Smart TV"? all this metadata could be a huge source of revenue to them in all kinds of areas, from advertising profiling to law enforcement.

Since we have more and more connected devices in our lives, you've got to take extra precautions. First and foremost, if your device doesn't need to be connected to the Internet, just don't. There is no reason your wired printer need Internet access, so block that MAC address for external access. If your device does need it, then make sure that it's in an isolated segment with no raw access to Ethernet frames from other systems in your house, and if it's WiFi-enabled, make sure you have guest isolation turned on. Then, setup a proxy, transparent or not, to make sure you have the chance to monitor that traffic for unexpected surprises. If you can, whitelist some specific sites that your application needs to access, like Netflix or VUDU for example and block access to everything else.

Finally, why use apps in the TV when you can have excellent open source software provide you with content, like XBMC or MythTV?

how is it not?

[Chirs]

It's a grouping of people with some authority over the people living in a geographic area.

But...

[sacrilicious]

Who will monitor the monitors?

Spam

[Dan+East]

Spamming them to death with garbage data would be the best way to take control of the issue. Since the information is unencrypted, posting gibberish data to their server will be a breeze. It would be even better to have a registry of device IDs that people can opt-in so that many people can be spamming them on behalf of other device IDs. Better yet is if the device IDs are serial, then the whole range can be randomly spammed. It doesn't have to go to the point of DDOSing them. Just throwing some bad data at them would be enough to totally screw up their ability to mine / sell that data.

Deniability

[wiredlogic]

I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

LG doesn't need to implement a valid page for the URL to get the data. The POST is logged on their servers and the 404 gives them deniability if this matter ever draws an executive out to testify in front of legislators.