User Alleges LG TVs Phone Home With Your Viewing Habits 286
psychonaut writes "Blogger DoctorBeet discovered that his new LG television was surreptitiously sending information about his TV viewing habits, as well as the names of the files he watched on removable media, to LG's servers. There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from."
it's a matter between him and the retailer (Score:5, Funny)
it's a matter between him and the retailer he bought the TV from.
So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?
Re:it's a matter between him and the retailer (Score:5, Interesting)
In this analogy, it depends on the EULA of the shoes you bought.
What they're saying is "you bought this, and accepted the terms and conditions, if you didn't know that it's your problem and take it up with the retailer who didn't tell you about it".
So, if the EULA for the shoes says you're not allowed to come around and kick their asses, then it was the retailer who was supposed to have told you that. And your desire to go around and kick their asses with said shoes is trumped by the fact that you agreed to it.
To me it's a dodgy legal argument, but since courts keep upholding these licenses which in effect say "by using this device you give us the right to do anything we want to, and whatever we like with the data we collect" -- the legal bullshit says "but you consented to us tracking everything you do, it's not our fault".
So, if in this case the shoes you bought had license terms which said you consent to being tracked, or accept that you're not allowed to kick their asses with said footwear ... then pretty much yes. Apparently it was up to the retailer to tell you what you've agreed to.
Re:it's a matter between him and the retailer (Score:4, Insightful)
Out of *policy*, I never read any EULA for any product ever. To read it would be giving it weight. I will just click on anything that makes the thing work, and the only reason I'm clicking on it is to make the thing work, not because of any consent.
One of the nice things is that many websites are as dumb as fuck, and often ask me to agree to things before they let me have access to their pages - and these agreements are in a foreign language I don't understand. I cannot have consented, as I couldn't have even understood what I would be consenting to. That's not just plausible deniability, it's deniability-as-the-null-hypothesis. I just clicked on the button that then led me to where I was trying to go. If the websites don't like that, they are free to 403 me.
Re:it's a matter between him and the retailer (Score:5, Insightful)
I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.
Re:it's a matter between him and the retailer (Score:5, Insightful)
I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.
Yes, I too buy houses where the purchase contract requires no signature, but merely a mouse click. Or even better, where the contract is INSIDE the house and by the mere fact of removing the key from a sealed envelope and opening the door, I've accepted the mysterious contract that is inside that I did not sign...my opening the door is signature enough.
And if there is some clause in that contract that says the bank will install secret video cameras, too bad, take it up with the previous owner.
Re:it's a matter between him and the retailer (Score:4, Interesting)
Re: (Score:3)
If you are trying to blah blah blah *you are part of the problem*.
Oh good grief. My point was about ignoring the terms of a contract that you are presented with, know are legally binding, are knowingly take action signifying consent. The person to whom I was replying stated that was their attitude to all software, including where he's required to give explicit consent to terms presented to him before use, not just shrink-wrapped EULAs.
There are problems with EULAs, and contracts to which you don't know you're agreeing should never be allowed to stand up in court, but a
Re:it's a matter between him and the retailer (Score:5, Insightful)
Actually, I think that was just a fancy way of saying "We're not changing it, so return your product...if you can".
Re:it's a matter between him and the retailer (Score:5, Insightful)
No, he posted the full text of their response, the relevant part being:
"The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions."
What they're actually saying is that he agreed to the terms and conditions somehow, and it's the retailer's fault that he wasn't aware what they were / that he agreed to them. So really it's just a fancy way of saying 'our asses are covered beyond what legal action you can afford so go away'.
Re: (Score:3, Interesting)
Retailer (Score:4, Funny)
Who did he buy it from, Sony?
Re:Retailer (Score:4, Informative)
Don't you get the sarcasm?
LG doesn't take responsibility for their products.
Re: (Score:2)
The AC never said American companies had scruples either. He also gave no indication he's American. You do realize there's more than 2 countries on the planet with companies, right?
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
I'm sure that if you read the fine print on the agreements for most (if not all) set top box services like TiVo, Hulu, Netflix, your cable agreements, you'll find that they grant permission to collect viewing data and resell it. It's pure gold to ratings organizations or anyone else wanting to prove how many people are watching one thing or another.
Re: (Score:2)
Re: (Score:2)
Good thing I do not use any of the above to get my TV. My active cable TV subscription ends at a turned off HD homerun. Sickbeard is just so much faster and less annoying, paired with xbmc.
Re: (Score:3)
Agreements do not trump law.
Especially forced and unsigned agreements.
Re: (Score:2)
Sending the info over http is purely irresponsible.
Not honoring the setting that disables the features is dishonest.
Analytics can be valuable but trust also matters. A very massive backlash is quite possible (people refusing to buy new TVs or buying the low end ones that are not smart etc.).
Cable company selling viewing data (Score:2, Informative)
Actually, in the US it's a bit tricky for a Cable TV company to sell/give/distribute your viewing data. They can use it internally, but there's a specific law that prohibits disclosure of that data. The Cable TV Privacy Act of 1984 prohibits cable TV providers from disclosing personally identifiable information, and allows users to view and verify their information. This is somewhat unique. No such rules apply to other communications means. For instance if Verizon wants to publish my browsing habits, as
Re:Built-in set top box (Score:4, Informative)
Whatever your DLNA-client — whether it is the TV itself (LG have this capability), or some 3rd-party box — it can do the same sort of "calling home" reporting what you are watching.
Worse! Whereas the documented spying reports only the currently-watched file and is limited to the listing of the currently-inserted USB-stick, with DLNA your entire collection can be POSTed facilitating not only research into your watching habits, but also aiding investigations of copyright-violations, for example.
The only way to be sure is to disable Internet-access — or only allow it to the sites you trust (for whatever reason). (Like YouTube or Netflix — it is unlikely (though entirely possible) for them to do the same kind of snooping into your media-collection.) Unfortunately, doing that will also disable firmware updates...
Re:Built-in set top box (Score:4, Interesting)
Re:Built-in set top box (Score:5, Informative)
I am the blogger who found this, let me know if you would like verification.
Re: (Score:2)
I'd love to be able to create my own stats and upload them to LG.
Re:Built-in set top box (Score:5, Informative)
Re: (Score:3)
A traffic dump would be amazing to look at!
Re: (Score:3)
Have you actually used DLNA? I personally think it stinks. For a way to get a list of files it is pretty good. For any sort of meta data, thumbs, run time, etc it blows.
yeah, I'd been searching for a decent remote control keyboard for my XBMC (formerly MythTV) box for a while (tried a few 2.4GHz and Bluetooth devices), and never found any I liked (nor do I find the XBMC interface very usable). Then I found out about DLNA and MediaHouse on Android, and now I keep all of our media on the NAS in the basement
Re: (Score:3)
My TV is just the monitor for a laptop I bought to be a "settop box" (though it's actually connected with a 50' HDMI cable). My remote is my wireless mouse (and I choose a media player that gives me click-almost-anywhere pause and mousewheel volume control, which I find better than my home theater remote).
1080p makes it all work - I have a real UI, can run any sort of display app (Netflix etc) with the "full PC controls" instead of the annoyingly limited "app controls", and of course playing files from my m
Re:Built-in set top box (Score:5, Funny)
I'd rarther reverse engineer the protocol and then build a 'crap stats generator' which sends insane viewing patterns to LG. You know, just to tilt the balance in another direction, to make their entire stats database worthless and get a few managers fired. Not allowed? Collecting data like that is highly illegal and could cost LG their import license.
Re:Built-in set top box (Score:5, Funny)
Re: (Score:3)
Just plug in a USB stick with fake .avi's on them. For example, Bon-JoonKooFucksChickens.avi.
Re: (Score:2)
Just not plug in the CAT5 cable? it has the added benefit of making it Hacker and NSA proof.
Re:Built-in set top box (Score:5, Insightful)
Mine is called "don't hook the TV to the network."
Of course it didn't (Score:5, Funny)
This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.
Sure, whatever you say.
midget porn (Score:4, Funny)
I can feel the outrage in his comments.
They'll be prying his midget porn from his cold, dead, slightlt sticky hands
Re: (Score:3)
They'll be prying his midget porn from his small, cold, dead, slightly sticky hands
FTFY
I used to think totalitarianism came from above (Score:5, Insightful)
Now I realize that it's democratic: it comes from the people.
Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.
We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.
When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.
Re: (Score:3)
When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.
What about wrapped in a flag on a Harley, distributing Bibles, cheeseburgers and credit cards ? :)
Re: (Score:2, Interesting)
No, it comes from corporations, by way of any method that might maximize profits. There should be rules against what LG is doing here if this pans out. Rules put in place by the government. And there might in fact be, however that's a matter for the courts since it was probably documented in the owners manual or when you agreed to view content online.
That being said, this is disappointing to hear about LG. Thought they were the last reputable TV maker out there. If this does pan out, I hope there bottom lin
Re:I used to think totalitarianism came from above (Score:5, Insightful)
You think totalitarianism doesn't come from above? Who do you think is higher on the political food chain, the consumer or corporations?
You expect consumers to care about privacy, but what does it cost him to care? You almost can't buy a decent TV these days that's not "smart". So he has to put a packet analyzer on the network port and figure out if the thing is phoning home?
No, this a place where the consumer reasonably feels he ought to be protected by government regulation.
Back in 1972 the US Department of Health Education and Welfare developed a landmark report which anticipated a lot of the electronic privacy issues of the following 40 years. The report was prepared under squeaky clean Elliot Richardson, who was shifted from HEW to DoD shortly before the report came out. He was replaced by Caspar Weinberger (later Reagans' Sec'y of Defense, and mixed up with Iran Contra). If you read the report it is capped with a conclusion which doesn't seem to match: we can't really be sure about what's going to happen in the future, so we should avoid regulating any potential privacy abuses by the private sector until they become problems. That's the philosophy which controls the US approach to consumer data privacy to this day. Consumers have to figure out that their data is being abused, then win a political fight against companies who've invested money in the business of exploiting their data.
Re: (Score:2)
Re: (Score:2)
To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.
So far, LG hasn't done a flash-bang home invasion / shooting / kidnapping based on its surreptitious data stealing. If they did, some significant segment of its customer base would go to the competition.
The 'herds' actually have this security analysis fairly correct.
Re:I used to think totalitarianism came from above (Score:4, Informative)
Re: (Score:2)
However, with commercial entities specifically tracking an individual to target marketing to them, problems arise. Nothing like an 8 y.o. getting onto Mom's Amazon account to update their Xm
Re: (Score:3)
One of the most obnoxiously intrusive three-letter government agencies is the HOA. It's stunning what those petty little organizations think they have the right to dictate. You shall not have the right to paint your own house whatever color you please, let your lawn go unmowed, repair cars in your driveway, use a clothesline, or quite a few other things. Why? Because it might commit the grievous sin of Lowering the Neighbors' Property Values. Never know when a neighbor will notice something and make a
Re: (Score:2)
Since when is HOA government?
how is it not? (Score:3)
It's a grouping of people with some authority over the people living in a geographic area.
Re: (Score:2)
Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.
We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.
Do you honestly think the average person knows about the spying or even understands exactly what is happening or how it ultimately affects them? If they knew and understood it as we do I think they'd be as pissed about it as we are. Probably even more so considering how easily riled up the average person is by the talking heads on tv.
Re: (Score:3)
People are stupid and always go for the (seemingly) easy solutions presented to them. Even after millennia of documented bloody human history, the common person on the street remains completely ignorant how things work, despite it being glaringly obvious.
"The best argument against democracy is a five-minute conversation with the average voter." -- Winston Churchill
Great thing about being old (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Anti-freeze, I've been told, has a slightly sweet taste. You can add it to someone's drink without them knowing it. Until they have kidney failure.
Re: (Score:2)
Re: (Score:3)
Back in the mid eighties Austria got caught exporting wine sweetened with diethylene glycol which is what goes in anti-freeze. Pretty much destroyed their wine industry.
Re:Great thing about being old (Score:4, Insightful)
Actually it vastly improved their wine industry, as they refocused from "cheap" to "quality". There are really good Austrian wines today.
From the Ad to Advertisers... (Score:5, Funny)
LG staff apparently speak like robots. Or Michael Caine. Who can only say. A few words. At a time.
That's pretty creepy.
Re: (Score:2)
Re: (Score:3)
And your ISP, Netflix, and a half a dozen entities in the middle still know exactly what you're doing.
You've avoided ads, but you've not gained any additional privacy.
Re: (Score:3)
What Netflix do with the data is between you, them, and the lawyers.
Re: (Score:3)
Re: (Score:2)
Probably, but at least Netflix is currently ad-free. That's about all you can hope for these days.
Re: (Score:3)
Netflix, Amazon, and others provide paid streaming services without any advertisements. If you don't like one you can easily switch to another.
Youtube, Hulu, and networks' own sites like NBC.com stream content for free with advertisements. People aren't going to pay for something they can already get free.
Re: (Score:3, Funny)
Or Christopher Walken: "Yeah. I'm collecting data. On you. So you turned the setting. Off. What of it? Make a fuss and I'll stab you in the eye with a pencil."
FTW (Score:2)
No thanks.... (Score:3, Insightful)
This is exactly why my TV though having an either port does NOT have internet access connected to it. I get monitored enough, there's enough risk from being hacked. Leave my TV alone!
Re: (Score:2)
ethernet not either ....
What we need.... (Score:3)
For now, it's filenames. Next will be screenshots. After that, reverse-netflix?
What we need is for the protocol to be reverse-engineered, and then just start posting all sorts of randomized information to the servers, effectively making it useless. Advertisers won't pay for garbage data.
Of course, once LG notices, the protocol will be encrypted...
Re: (Score:2)
The "protocol" seems to be a simple POST with fields like "channel=32&antenna=no", etc.
That better not take too long to reverse-engineer.
Re:What we need.... (Score:4, Interesting)
If that's the case, it should be pretty easy to crap-flood them. Does it even need a be from a TV? I presume the TV reports it's identifcation with a serial number or such. So... make up a few valid serial numbers, and spin up a few AZW instances, and for pennies a day their database could be filled with so much invalid and malformed data that they never crawl out from under it. Also, why is the cheif of police watching so much porn?
No encryption? (Score:5, Interesting)
If I were to build a TV that spied on my customers, I would at least encrypt the traffic. By not encrypting the traffic, this opens up the possibility of a user getting revenge by posting misleading data or even something as evil as an XML bomb. Dumb move by LG.
Any Canadians here? (Score:5, Informative)
Contact the privacy commissioner. [priv.gc.ca]
Hardware Firewall (Score:3, Interesting)
So, does his TV connect to the internet via a cable modem? Perhaps it's time for someone to market a hardware firewall that you can place between your cable modem and your router to monitor and filter all of your inbound and outbound traffic. I suppose that some routers let you do this. I have an Airport Extreme and it does not give you access to any logs (suggestions as hoe to do this would be welcome).
Re: (Score:2)
Who is surprised by this? (Score:4, Interesting)
I think nobody should be surprised.
Once a company gets a network connection to what you do, they're going to track it, analyze it, and try to figure out how to monetize it. And, if requested, they're going to hand it over to law enforcement.
And this is precisely why I have no interest in having my TV connected to the internet.
The easiest way to avoid stuff like this is to stop giving companies a window into everything you do. Because the reality is, they're going to exploit it whenever they can for their own benefit.
Re: (Score:3)
Eventually appliances that have an Internet connection will require one. Consoles come to mind, and the only thing one can do is not buy one. It would not be surprising for TV makers to require an Internet connection for some "always on" next-gen DRM.
This DRM could constantly monitor (with facial recognition uploads) how many people are in the room, to shut off a video if more than a certain amount are watching a movie, of it someone banned from a service enters the room.
If you give an inch, they will tak
Love this part: (Score:2)
I love this lovely bit of weaseling:
So, once again, it's in the EULA and Terms and Conditions, so we can do any fucking thing we want.
Companies can cramp any opaque license in there t
And LG paralyzes your tv when it wants to. (Score:5, Interesting)
LG decided that it needed to update its user agreement and sent an update that paralyzed my TV. It would no long switch between inputs or do anything useful until I clicked their stupid agreement. They even supplied an email address for question about the process onscreen, but nobody ever responded.
I was a good customer for them until that stunt.
Re: (Score:2)
Re:And LG paralyzes your tv when it wants to. (Score:5, Insightful)
Sounds nice, but "return the TV' means somehow finding an appropriate shipping box, filling out the required paperwork and paying to mail it back. If you are lucky you will then eventually get another TV to unpack and set up - and then have to repeat the process. Maybe you "win" and get your money back. The TV company doesn't care - very few of their customers will go to that effort rather than just click on the box, and your return will just be in the "user too stupid to use our TV" category.
This is the general problem with "returning" any sort of high tech product. The cost of the users time to do it is so high that most people simply won't bother - especially when they realize that the competitors product will likely have the same problem.
How would that help? (Score:2)
The first thing a tech at the store would do is hit 'agree', and then call me and tell me the set worked fine and to stop wasting his time.
Since they cannot know who agreed or even what jurisdiction the agreement was made in, the entire process was meaningless. I just will not buy any more of their stuff. Or purchase it on behalf of any company I work for.
Sites to Blacklist (Score:5, Informative)
So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.
Re:Sites to Blacklist (Score:5, Informative)
llnwd.net is a CDN. You *can* block it if you like, but you'll be blocking a lot of other things, like Netflix, Amazon Prime videos, Sony DLC, and all manner of Internet content.
"It's between the retailer and the consumer" (Score:2)
That's a fantastic idea, LG! We certainly will abide by your wishes and make it a matter between the consumer and the retailer by not buying your tv's.
Done and done!
Well of course he's upset. (Score:2)
No Internet access (Score:5, Insightful)
Since we have more and more connected devices in our lives, you've got to take extra precautions. First and foremost, if your device doesn't need to be connected to the Internet, just don't. There is no reason your wired printer need Internet access, so block that MAC address for external access. If your device does need it, then make sure that it's in an isolated segment with no raw access to Ethernet frames from other systems in your house, and if it's WiFi-enabled, make sure you have guest isolation turned on. Then, setup a proxy, transparent or not, to make sure you have the chance to monitor that traffic for unexpected surprises. If you can, whitelist some specific sites that your application needs to access, like Netflix or VUDU for example and block access to everything else.
Finally, why use apps in the TV when you can have excellent open source software provide you with content, like XBMC or MythTV?
egress filtering (Score:2)
It's time for egress filtering, both at the TCP layer, and at the application (hello Privoxy) layer on home firewalls.
Re: (Score:2)
Yes. Thank you. I don't understand why there is so little in the way of outbound port and IP control on home routers. You have to install one of the open source WRT packages and know how to maintain iptables to even run a wifi access point safely, these days.
But... (Score:4, Funny)
LG Ubuntu (Score:2)
Since when did Ubuntu start supplying Smart TV builds?
Spam (Score:3)
Spamming them to death with garbage data would be the best way to take control of the issue. Since the information is unencrypted, posting gibberish data to their server will be a breeze. It would be even better to have a registry of device IDs that people can opt-in so that many people can be spamming them on behalf of other device IDs. Better yet is if the device IDs are serial, then the whole range can be randomly spammed. It doesn't have to go to the point of DDOSing them. Just throwing some bad data at them would be enough to totally screw up their ability to mine / sell that data.
Deniability (Score:3)
I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.
However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.
LG doesn't need to implement a valid page for the URL to get the data. The POST is logged on their servers and the 404 gives them deniability if this matter ever draws an executive out to testify in front of legislators.
Re: (Score:2)
Then sue LG for invading your privacy.
Yeah, who doesn't want a check for $1.74 or $25 off your next purchase of an LG smart television?
Re: (Score:2)
Re:Easy Solution (Score:4, Interesting)
Re:Easy Solution (Score:5, Insightful)
Re: (Score:2)
Remember that you can only get *actual* damages in small claims and you will need proof of these costs. Also, you are going to spend a LOT of money going to court because you have to get a process server to hand the lawsuit to LG for small claims, THEN (assuming you win) you will have to sue again to collect the debt in a jurisdiction where LG has something you can actually take (paying the process server there). With filing fees and paying the process servers, you are going to be out a chunk of cash (north
Re: (Score:2)
Probably the long term answer is a solid internal firewall, or putting the smart TV on its own subnet. Eventually all TVs will be "smart" ones, perhaps even not working unless they have an always-on connection, so I can see emulators being written to make the TV think its phoning home, except it is just communicating with a fancy /dev/null.
Re: (Score:2)
you have to pay $100 more for a dumb TV these days? Well, OK, I guess that's a feature.
(we're happy as a clam with our Vizio dumb LCD panel. LED/120Hz, buncha HDMI, all the 'enhancements' and speakers can be turned off and open source stuff plugs into the HDMI ports just fine).
Re: (Score:2)