User Alleges LG TVs Phone Home With Your Viewing Habits

psychonaut writes "Blogger DoctorBeet discovered that his new LG television was surreptitiously sending information about his TV viewing habits, as well as the names of the files he watched on removable media, to LG's servers. There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from."

it's a matter between him and the retailer

[mwvdlee]

it's a matter between him and the retailer he bought the TV from.

So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?

Re:it's a matter between him and the retailer

[gstoddart]

So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?

In this analogy, it depends on the EULA of the shoes you bought.

What they're saying is "you bought this, and accepted the terms and conditions, if you didn't know that it's your problem and take it up with the retailer who didn't tell you about it".

So, if the EULA for the shoes says you're not allowed to come around and kick their asses, then it was the retailer who was supposed to have told you that. And your desire to go around and kick their asses with said shoes is trumped by the fact that you agreed to it.

To me it's a dodgy legal argument, but since courts keep upholding these licenses which in effect say "by using this device you give us the right to do anything we want to, and whatever we like with the data we collect" -- the legal bullshit says "but you consented to us tracking everything you do, it's not our fault".

So, if in this case the shoes you bought had license terms which said you consent to being tracked, or accept that you're not allowed to kick their asses with said footwear ... then pretty much yes. Apparently it was up to the retailer to tell you what you've agreed to.

Re:it's a matter between him and the retailer

[grasshoppa]

Actually, I think that was just a fancy way of saying "We're not changing it, so return your product...if you can".

Re:it's a matter between him and the retailer

[Artraze]

No, he posted the full text of their response, the relevant part being:

"The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions."

What they're actually saying is that he agreed to the terms and conditions somehow, and it's the retailer's fault that he wasn't aware what they were / that he agreed to them. So really it's just a fancy way of saying 'our asses are covered beyond what legal action you can afford so go away'.

Re:it's a matter between him and the retailer

[almitydave]

I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.

Re:it's a matter between him and the retailer

[RearNakedChoke]

I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.

Yes, I too buy houses where the purchase contract requires no signature, but merely a mouse click. Or even better, where the contract is INSIDE the house and by the mere fact of removing the key from a sealed envelope and opening the door, I've accepted the mysterious contract that is inside that I did not sign...my opening the door is signature enough.

And if there is some clause in that contract that says the bank will install secret video cameras, too bad, take it up with the previous owner.

Built-in set top box

[benjfowler]

It's a wonder that so many people are using the built-in set top boxes in their so-called smart TVs.

The user interfaces are invariably shit (especially so for any software designed in the far East). And you're stuck with whatever badly designed, misconceived bollocks they force upon you. It's the Sony shit-on-your-paying-customers way of doing things.

Anyway, the whole world is (or should be) treating large displays like TVs as monitors, which screens media pushed from the internet via other devices in your house. DLNA and Chromecast are the way of the future, not built-in TV set top pox.

Re:Built-in set top box

[Jaseoldboss]

It doesn't transmit the currently watched filename, it dumps the folder contents asynchronously when accessing the Smart functions. And not all the time, it's possibly newly added files.
I am the blogger who found this, let me know if you would like verification.

Re:Built-in set top box

[sosume]

I'd rarther reverse engineer the protocol and then build a 'crap stats generator' which sends insane viewing patterns to LG. You know, just to tilt the balance in another direction, to make their entire stats database worthless and get a few managers fired. Not allowed? Collecting data like that is highly illegal and could cost LG their import license.

Re:Built-in set top box

[Jaseoldboss]

I tried that but you need a valid authentication ID and session ID plus all those X-Device attributes otherwise it returns an error from the JBoss app server.

Re:Built-in set top box

[mrchaotica]

Anyone have a good iptables rule to block this sort of thing?

Mine is called "don't hook the TV to the network."

Re:Built-in set top box

[locopuyo]

Let Little Bobby Tables have control over the remote for a while.

Of course it didn't

[rebelwarlock]

This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.

Sure, whatever you say.

I used to think totalitarianism came from above

[hessian]

Now I realize that it's democratic: it comes from the people.

Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.

We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.

When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.

Re:I used to think totalitarianism came from above

[hey!]

You think totalitarianism doesn't come from above? Who do you think is higher on the political food chain, the consumer or corporations?

You expect consumers to care about privacy, but what does it cost him to care? You almost can't buy a decent TV these days that's not "smart". So he has to put a packet analyzer on the network port and figure out if the thing is phoning home?

No, this a place where the consumer reasonably feels he ought to be protected by government regulation.

Back in 1972 the US Department of Health Education and Welfare developed a landmark report which anticipated a lot of the electronic privacy issues of the following 40 years. The report was prepared under squeaky clean Elliot Richardson, who was shifted from HEW to DoD shortly before the report came out. He was replaced by Caspar Weinberger (later Reagans' Sec'y of Defense, and mixed up with Iran Contra). If you read the report it is capped with a conclusion which doesn't seem to match: we can't really be sure about what's going to happen in the future, so we should avoid regulating any potential privacy abuses by the private sector until they become problems. That's the philosophy which controls the US approach to consumer data privacy to this day. Consumers have to figure out that their data is being abused, then win a political fight against companies who've invested money in the business of exploiting their data.

Re:Retailer

Don't you get the sarcasm?

LG doesn't take responsibility for their products.

Great thing about being old

[sunsurfandsand]

All I watch are reruns of Law & Order. Guess that's why I keep getting targeted ads for handguns, anti-freeze, bleach, and no-contract cell phones.

From the Ad to Advertisers...

[DexterIsADog]

This is part of the pitch to advertisers from the LG video: "Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness."

LG staff apparently speak like robots. Or Michael Caine. Who can only say. A few words. At a time.

That's pretty creepy.

No encryption?

[gameboyhippo]

If I were to build a TV that spied on my customers, I would at least encrypt the traffic. By not encrypting the traffic, this opens up the possibility of a user getting revenge by posting misleading data or even something as evil as an XML bomb. Dumb move by LG.

Any Canadians here?

[alexo]

Contact the privacy commissioner.

And LG paralyzes your tv when it wants to.

[Marrow]

LG decided that it needed to update its user agreement and sent an update that paralyzed my TV. It would no long switch between inputs or do anything useful until I clicked their stupid agreement. They even supplied an email address for question about the process onscreen, but nobody ever responded.
I was a good customer for them until that stunt.

Re:And LG paralyzes your tv when it wants to.

[joe_frisch]

Sounds nice, but "return the TV' means somehow finding an appropriate shipping box, filling out the required paperwork and paying to mail it back. If you are lucky you will then eventually get another TV to unpack and set up - and then have to repeat the process. Maybe you "win" and get your money back. The TV company doesn't care - very few of their customers will go to that effort rather than just click on the box, and your return will just be in the "user too stupid to use our TV" category.

This is the general problem with "returning" any sort of high tech product. The cost of the users time to do it is so high that most people simply won't bother - especially when they realize that the competitors product will likely have the same problem.

Sites to Blacklist

[Fnord666]

From the article:

So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.

• ad.lgappstv.com
• yumenetworks.com
• smartclip.net
• smartclip.com
• llnwd.net
• smartshare.lgtvsdp.com
• ibis.lgappstv.com

Re:Sites to Blacklist

[billn]

llnwd.net is a CDN. You *can* block it if you like, but you'll be blocking a lot of other things, like Netflix, Amazon Prime videos, Sony DLC, and all manner of Internet content.

Re:Easy Solution

[msauve]

You mean their attempt at an unconscionable contract of adhesion? Meh. Whenever one of those things appears on my screen, I cover it with a post-it note saying basically "By clicking "accept," I agree to nothing. If you don't agree to that, don't accept my click."

No Internet access

[Natales]

Is this a surprise to anybody? why do you think all TV vendors are pushing for "Smart TV"? all this metadata could be a huge source of revenue to them in all kinds of areas, from advertising profiling to law enforcement.

Since we have more and more connected devices in our lives, you've got to take extra precautions. First and foremost, if your device doesn't need to be connected to the Internet, just don't. There is no reason your wired printer need Internet access, so block that MAC address for external access. If your device does need it, then make sure that it's in an isolated segment with no raw access to Ethernet frames from other systems in your house, and if it's WiFi-enabled, make sure you have guest isolation turned on. Then, setup a proxy, transparent or not, to make sure you have the chance to monitor that traffic for unexpected surprises. If you can, whitelist some specific sites that your application needs to access, like Netflix or VUDU for example and block access to everything else.

Finally, why use apps in the TV when you can have excellent open source software provide you with content, like XBMC or MythTV?