VIZIO to Pay $2.2M to FTC (ftc.gov)
186 points by el_duderino on Feb 6, 2017 | 138 comments


I'm sick and tired of hearing about fines for clearly criminal activity. This is most likely a felony issue at hand, here. The executives who green-lighted this activity should be held accountable and charged accordingly. That's the only thing people understand. That, or ruinous fines. Not a paltry $2.2M for a company with revenues of $3.1B - that's less than 0.1%!!! That's a rounding error to them. $10,000 per occurrence for the company would be much better, and jail for the executive(s) who are responsible, and then this crap might actually stop.


With that in mind, I like what the EU seems to be doing with GDPR[0]. For failing to properly manage user data, you can end up with fines like:

- a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater

- a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater

...which, considering the stuff companies have been pulling off recently, seems quite OK. A 10M EUR minimum might, hopefully, at least scare off some of the small "innovators" in the area of surveillance economy. As for big corporations, I doubt anything but jail time for executives will work though.

[0] - https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


I like this law. Now the real question - is it actually enforced? Because it's meaningless otherwise.

In most cases we don't need new laws, we just need the existing ones to be enforced. Like all these "bullying" laws. I never understood why we needed them when we already have plenty of harassment laws on the books. Enforce those and problem solved.


> I like this law. Now the real question - is it actually enforced? Because it's meaningless otherwise.

Right, yeah, see regulators don't want a court challenge. They could find their whole charter declared unconstitutional. Not as punishment, but simply because nobody ever challenged it.

They try to strike a balance between going to court and enforcing the will of the people/legislators/regulations. If it seems akin to a traffic ticket, well that's because traffic cops are doing the same thing.


Regulators and civil society groups have taken the GDPR's predecessor (the Data Protection Directive) to court plenty of times, usually very successfully. The most famous regulator-brought court case is probably the Google Spain/Costeja "right to be forgotten" ruling of the Court of Justice of the EU (CJEU).

59 more CJEU Data Protection Directive cases here: http://curia.europa.eu/juris/liste.jsf?pro=&nat=or&oqp=&date...


The European Union is a new entity and is still forming its case law. Its courts are granting themselves more power and it is probably a few years until their own Marbury v. Madison equivalent. For now it's just seeing what sticks and learning the whims of the judges, but you have to recognize the relativity of their authority.


It's not in force yet, but will be from May 2018. Then, like its predecessor the Data Protection Directive, it'll be enforced by over >30 regulators EEA-wide, with a brand new "consistency" mechanism to help multiple national regulators from different countries agree what to do about complaints that involve each one's country (though the defendant will in theory only need to deal directly with the authority of the country where the company has its main establishment; that lead authority will funnel questions etc. from all the others). Note that the existing Data Protection Directive is very actively enforced. Here's the UK's track record (and bear in mind the UK isn't one of the meanest): https://ico.org.uk/action-weve-taken/enforcement/


I hear you on that point and broadly agree that the penalties can be too trivial to cause deterrence (though VW's steep fines and criminal charges signal change).

However in this case, who doesn't assume that everything we do is tracked for optimization? Every recommended product, story, TV show, news feed article, whatever comes from boatloads of testing.

And it doesn't seem like people care. Although some bemoan Facebook and Google data tracking, almost everyone still uses the products.


People still use them because there are often significant consequences to not using them. Not using Facebook can often mean some level of social ostracism, missing out on important moments from family and friends. Not using Google means not being able to collaborate with people using Docs, not watching videos your friends send you, and so on. They're almost like public utilities, and saying "you use Facebook so you must not actually care about privacy" is like saying "you rely on the police, so you must not actually care about cases of police brutality."


> They're almost like public utilities, and saying "you use Facebook so you must not actually care about privacy" is like saying "you rely on the police, so you must not actually care about cases of police brutality."

While I agree that they are like public utilities in many ways, I think your analogy is grossly flawed. For Facebook and Google to do what we want them to, they have no choice but to constantly invade our privacy. The very features we desire most from them are directly related to and tied to our personal information. By contrast, a police department absolutely does not require a single officer to commit violent crimes in order for them to keep the peace, arrest criminals, and protect the public.


> They're almost like public utilities, and saying "you use Facebook so you must not actually care about privacy" is like saying "you rely on the police, so you must not actually care about cases of police brutality."

False equivalence. Facebook is NOT a public utility, despite your assertion. The police are. The police are paid for by your taxes (plus traffic fines...), and are part of your local government. You can vote for your local governmental leaders, who have control over the local police. Facebook is a private corporation with voluntary membership. It is not part of government, you have no say over it whatsoever aside from "voting with your feet", and you can't even compare it to actual public utilities like your local CableCo that you probably get your internet service from, or the cellular provider you get your phone and mobile data service from. It's not a utility, so it's not subject to any real regulation the way that utilities are in theory. It's entirely an optional, voluntary service.

So a better analogy is "'you use Facebook so you must not actually care about privacy' is like saying 'you drive a giant jacked-up pickup truck with gigantic wheels and commute 100 miles/day in it, so you must not actually care about the environment', or, "...'you participate in illegal dog-fighting and cock-fighting activities, so you must not actually care about animal rights and welfare'".

Facebook is not a utility, it's not a necessary service at all. You have the choice to use it, or not, just like you have the choice to subscribe to cable TV, Netflix, Hulu, etc. or to use other web services like YouTube, Gmail, Yahoo! Mail, AOL, or MySpace. (There's actually people who still use those last 3!) If your social circle has a problem with you not using AOL and MySpace and Yahoo! Mail, then maybe you need some better friends. Same goes for Facebook.


This is the same line of thinking that is allowing the NSA to get away with mass surveillance programs and not having every single employee (or at least the high ranking ones) locked up for decades for what are obvious rights violations on a mass scale.

Case in point - you choose to do business with your cell phone provider. The general assumption is that they inherently know your location to provide you service (through triangulation and general connectivity to their cell towers). The government took that and then asserted a random claim saying they had a right to that information. That's literally what the federal judge said - that the government had a right to that private data agreement between you and your cell provider, without a warrant. So our privacy was stolen from us and when it finally came out what they were really doing and the scope of it all, people were shocked but half accepted it as the cost of doing business in the digital age. That's a lazy argument because the constitution expressly forbids such activity - "search and seizure", with seizure being the operative word here. Then they expanded this claim to include email and all private, non-public communications on social media as well.


NSA and the likes rely on the judicial precedent effect, and the generational effect.

I am 36. When I talk to people between 20 and 25 I am shocked to find out they find the whole spying thing pretty normal. They are kind of born into a world where this is already the norm. And we know that most people never challenge the rules of the environment they were born into, not until they turn at least 30 (more often 35-40 IMO) anyway.

Between their claim of "well, things have always been that way" (since they're too young to remember other times) and "I have nothing to hide so I don't care", I'd say NSA and Co. are winning crushingly.


Yes, you are absolutely right about this. And it's a sad situation.

Which is why it is up to us (the 30+ old timers, lol) to take a stand and demand our rights and the law be respected. Throughout the history of this country, people have fought and died to protect our freedoms. For this, we don't even need a physical fight. We just need to collectively take a stand to demand that the rule of law means something, or that they need to take the proper course of action and amend the constitution so that what they are doing is legal. I refuse to accept this middle ground where they violate the law and aren't shut down and prosecuted even when it's discovered.


That's a powerful motivation and I fully stand behind it -- in theory anyway.

But what about in practice? How do we fight exactly? NSA has shown time and again they don't care about ethics or even the law. Hell, they are well-connected enough to make the secret courts legal! You can receive a very particular phone call and/or email right now, and you can spend the rest of your life in a jail if you uttered a word about it.

Large organizations that suck data en masse will change something ONLY if they cannot suck data en masse anymore, it's as simple as that. For that, we need mass education which actually works -- and people who actually care. History is not on our side for now. Most people prefer the short-term dopamine brain injection provided by the current infrastructure and they won't lift a finger to change anything.

I am playing the Devil's Advocate here but it also reflects my beliefs. If I was born f.ex. in 1960 I'd probably be able to join the fight as it was starting. Nowadays the fight seems to be over and we seem to have lost.

As a person born in 1980 and being way too busy to fight for survival and decent human existence well until only 4-5 years ago, I feel I am arriving at the scene way too late.


What a powerful point. Thanks for making it -- you've shifted my perspective.


If you're sarcastic -- damn you're good!

If you're not sarcastic -- you're welcome.


haha it was legit.


> who doesn't assume that everything we do is tracked for optimization

This kind of acquiescence is dangerous. What you're essentially saying is "why bother enforcing the laws, nobody follows them" which is a terrible moral position if the laws are just.


Only in America is locking people up the solution to all life's problems.


No, but it is definitely a solid solution to criminal problems, which is exactly what this is. These are most certainly criminal acts. Why should I not expect criminal activity to be charged as such?

Most criminal activity is done for profit, and that's certainly the case here. For-profit crimes have two solutions. You either make them unprofitable by fining the offender(s) more than they are making from the illegal activity or you give them a free, extended stay at the Gray Bar Motel, courtesy of the US taxpayer. I am more than happy to help foot that bill if necessary.


I'm unclear on something - you've said that these are "clearly" criminal acts. What would the charge be?


There are a number of laws relating to "unauthorized access" of private, digital information. This would seem to fall squarely inside of those, at least in my opinion. Those seem like the low-hanging fruit.

Going out a bit further, you could make a case for fraud or even hacking. Fraud because they are clearly misrepresenting the product and what it does. Hacking because they slipped in an OS update for older TVs that allowed them to have this feature on models that they never intended to have it on.

Also, they admitted to selling this information to advertisers. That's redistributing information they were not legally allowed to have. There are laws regarding profiting from crimes. But even if you leave those out, there is the issue of them selling information they didn't legally own. That could also come with a copyright violation if a lawyer for a class action suit was able to successfully argue that the owners of the televisions owned that information that they stole without permission. That seems like a tough win, though.

So I think unauthorized access, fraud, and the sale of illegally obtained information would be fair charges to apply.


Some additional information, direct from the FTC:

"The complaint alleges that Vizio engaged in unfair trade practices that violated the FTC Act and were unconscionable under New Jersey law." https://www.ftc.gov/news-events/blogs/business-blog/2017/02/...

The FTC act is long-standing federal law and NJ apparently has its own strong laws for this kind of activity. The FTC itself states that there are clear violations of at least these laws, at bare minimum.


How about fraud? Why is tricking someone to give you a password and using it enough to go to jail, but recording everything someone watches without their permission and selling to 3rd parties not?


Ah, but Corporate officers are immune to prosecution, and simply pay a (small) fine (consider it an indulgence). The Corporate veil uber-alles!


I have a Samsung "smart" TV. A while back, it started opening a pop-up every 10 minutes on top of whatever I was watching to report that my internet connection was down. My internet was just fine, but apparently their update server had gone down. I had to factory reset it to make it forget my Wi-Fi password and stop bothering me.

Now it just has a computer attached and isn't used for anything other than a dumb screen.


This will be the last time I buy a Samsung TV. I came home one evening and flicked on the tv to find that it had updated itself. As part of the update, it changed its UA. This one stipulated that I had to acknowledge that it can show popup ads (on a $1200 tv no less). I declined and then it proceeded to wipe out all my apps. Whether this was intentional or a "bug", I was obviously livid. I then spent the better part of 2hrs googling and sitting on tech support until someone walked me through resetting my system.

Absolutely dumbfounded how anyone could have thought this was a good idea. One of the few times I seriously would have joined a class action suit.


Imagine if all wifi were open. Those TVs and other IoT appliances would happily upload whatever the hell they wanted without asking you anything.

I used to bemoan that more people don't maintain completely open wifi connections in the spirit of sharing (assuming you have unlimited Internet). But there's the upside to everyone putting a password: You can choke off all those household devices that demand Internet access!


> But there's the upside to everyone putting a password: You can choke off all those household devices that demand Internet access!

Not for long. As those devices move to prepaid low-data rate cellular service, you won't be able to stop them from phoning home, short of RF shielding.

(Sometimes I wonder if a lot of the older electronic devices we consider junk now will become desirable in the future because they "just work" without the various user-hostile spyware, DRM, rootkits, anti-repair features and remote-exploitable security vulnerabilities that seem to be proliferating in modern devices.)


That's exactly the reason why I curse myself for not going into an engineering high school and university and becoming a professional electronics engineer -- on top of being a programmer.

Nowadays I feel like a helpless puppet in the hands of vendors that want to make their tech transmit as much data as possible to their servers. I am not even sure the TV I have at home (and to which I didn't give any internet access) can't secretly negotiate a connection with my router.

I too feel that some of us have to start collecting some older tech just in case.


Older devices are going to have limited capabilities due to their older technology, plus when they break you won't be able to repair them because of the unavailability of parts.

A better solution is to build our own devices using readily-available parts, such as Raspberry Pis, and make the designs and source code freely available. Then these things can be updated as technology improves, and their cost will be low because they won't have their availability constrained by being out of production.


You don't need WPA to keep devices from connecting. Any decent router will let you block specific MAC addresses.


Do you think they'll just ship LTE radios in the end?


If they can get mobile providers on board, they definitely will. Amazon has an option for "free 3G" on their higher-end Kindle devices, I don't see why a smart TV couldn't provide it.


Indeed. There's also tons of stuff with built-in mobile connectivity deployed everywhere. Think electronic road signs, billboard displays, and even emergency systems in elevators. It's a tried and true technology.


And vending machines. Some of them report home via cellular to let the company know when they are in need of refilling.


Samsung TVs also had some check they would run and if the Samsung servers were down, you couldn't use certain features of the TV. Easily fixed by setting up a server to spoof it and fake the DNS requests.

http://www.myce.com/news/users-fix-samsung-smart-tv-time-two...


> Easily fixed by setting up a server to spoof it and fake the DNS requests

I love the way you say "easily". Sure, easy for some segment of Hacker News readers. But it would be impossible for almost every other TV user.


We need an adblock equivalent here. If you package this method (and appropriate methods for other TV vendors) into a trivially installable bundle, it should eventually get to normal people through their geek sons/daughters/spouses/neighbours, like it happened with ad blockers.


I have this same setup. I never gave my "smart" TV my wifi password. And it was for exactly the type of reason mentioned in this VIZIO article. I have an LG, but it makes no difference. I don't trust any of these manufacturers.


We experience a different issue with our Samsung TV. Whenever it updates, it decides to cover the screen with a SmartHub Update modal that ruins the TV watching experience. As a user, I could care less about each time the system updated and I just want to watch my content unobstructed.


I hated my Samsung "Smart TV". All the apps were slow, the Wifi receiver in it was crappy. Since I have so many devices now that have all the streaming apps (PS3, PS4, WiiU, Apple TV) I can save money when buying a TV by looking for the most dumbed down basic TV I can. I just need something with a good amount of inputs and that's it.

The last smart-type TV that I bought actually used Roku baked into it. At least Roku is a well-known and independent service and not a manufacturer's proprietary shoddy system.


Are there any dumb TVs at all? I keep thinking there has to be a market for it. It just doesn't make sense to be at the mercy of the TV makers to be able to provide apps and updates - when we have Apple TV, Roku, Fire TV, Chromecast, PS4, Xbox One and on and on that can provide a much better experience.


Back before Christmas, I picked up a Sharp 40" set that was very much a dumb TV, exactly how I wanted it. Any smarts (for now, a Raspberry Pi running OSMC) plug into the HDMI ports.

About the only thing I can ding it for is that some buttons on the remote aren't available for CEC, so I still have to use my RC6 remote and IR receiver on the Pi to control Kodi for all but the most basic functions.

Also, if you're looking for a 4K set, I'm not sure there are any out there that are dumb.


Seiki and a few others make dumb-as-nails 4k screens for dirt cheap prices. Using a 39" one I got a year or so ago right now, and even then it was ~$285 pre tax. Not bad.


> Are there any dumb TVs at all?

It's a good question, and the answer appears to be yes. Here's some discussion about the topic from about a month ago: https://news.ycombinator.com/item?id=13347592


Yes: Humax has released their Pure Vision Display exactly for this reason. It's a 4K IPS display in 43", 49", and 55" sizes with a bunch of HDMI and USB ports. I'm having trouble finding an English product page, but a quick Google should get you the info you need.


Yep, I bought a Westinghouse late last year that has no network connectivity.


I had something similar with a Magnavox CRT TV years ago. It would "helpfully" show on the screen "STEREO" or "MONO". Every time the signal lost the stereo signal, it would flash MONO, then a couple seconds later flash STEREO. Was a real problem on some channels that had a slightly weak audio signal.


Diff company - Vizio (Cognitive) is not on Samsung TVs


Awesome. Note that this isn't merely a fine, but also comes with the stipulation that they "prominently disclose and obtain affirmative express consent for its data collection and sharing practices, and prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect". And they need to destroy the data collected before March, last year.

That's pretty good! At the very least, this will make it so people are more aware of the constant telemetry. Some find that sort of feature useful, and others find it chilling, but at least this is a step in the direction of making it obvious.


Sure, they can destroy their data, but everything shared with those 3rd parties is still at those third parties. It's not exactly accomplishing much.


> Sure, they can destroy their data, but everything shared with those 3rd parties is still at those third parties.

Agreed.

I think it would be a more effective deterrent if VIZIO had to work with those third parties to locate and delete the material that was transferred to them. This 1) would nullify the contract between VIZIO and those parties forcing VIZIO into back payment and 2) create an annoyance for the third-parties, hopefully making them think to ask how any data they're purchasing is being collected.

At a minimum I think that customers whose data was collected prior to March 2016 have a right to know which third-party companies purchased their information.


In California, there is the "Shine the Light" law [0] that requires a company to release third-party information to a consumer if there is identifiable information given to third-parties along with the data collected. So in this case, Vizio would be required (at least to California natives) to release those third-parties' names and associated data collected from you. [0] http://leginfo.legislature.ca.gov/faces/codes_displaySection....


Thanks for the additional information.

This is a step in the right direction but it's unfortunate that the obligation to disclose appears to be opt-in and not opt-out as detailed in paragraph (a).

> that business shall, after the receipt of a written or electronic mail request, or, if the business chooses to receive requests by toll-free telephone or facsimile numbers, a telephone or facsimile request from the customer, provide all of the following information to the customer free of charge

To compile a list of all companies that have their personal information a user would have to identify every business they have a business relationship with that could possibly be gathering this information and then send a written request to each on a regular basis as the request is only valid for information disclosed in the proceeding year. It seems then that this law only really covers consumers in the event that they find one specific and recent instance where they'd like this information disclosed.


Correction:

> To compile a list of all companies that have their personal information a user would have to identify every business they have a business relationship with that could possibly be gathering this information and then send a written request to each on a regular basis as the request is only valid for information disclosed in the preceding year.


As one of those customers, I definitely think so!


This may or may not help you, but it's typical in these sort of data deals to

(1) mostly sell aggregate data (eg these demographics actually watch these shows / actually saw these commercials). You'd probably be more interested in the latter in order to connect commercials with purchasing habits, but you're going to operate at the zip code or grocery store level.

(2) If you are selling individual records, make up identifiers and not tie to IP addresses. Both because of privacy concerns and to force your ad-vendor customers to continue to purchase the dataset.

(3) from the perspective of someone in the ad industry, I don't buy 11m cookies for ad targeting. These data deals require custom programming on both sides, time from bizdev at both vizio and ad companies, and for ad-company sales to be instructed and helped to sell to their customers. So unless Vizio tv viewing data has pretty high reach, I'm just not interested. I can't really see someone interested in 11m cookies unless that data is integrated with all available tv viewing data from Vizio, Netflix, Samsung, set-top boxes, etc. I'm aware of some pieces of that being sold, but not all of them.

(3a) also, from the in-industry perspective, household data is often not that helpful. You're going to get demographics, if you get them, from the person in that household that happens to pay the bills. That's often unrelated to the person that spends time consuming media. So if eg parent X pays the bills in that household, but kids or parent Y spend the most time watching tv, this data is nowhere near as helpful for ad targeting as you would think.


So, I worked there along with the others who are all HN regulars. I can't comment on this fine at all, but I can comment on the reaction:

The system for identifying an individual via their digital habits is advanced and (in internet terms) ancient.

The credit card industry, for example, is way more an invasion of your privacy than what are effectively Nielsen Ratings on steroids... so I think people overreact to this.

The fact is, that if you look at Netflix, they have way more specific viewing habit info than any random TV which can state what it is watching. They already have their customer info, demographics, if they have kids, if they have account leechers like a brother or a friend who maintains a profile. They can see what IP/Device/app install anything is coming from -- and they have agreements with various device manufacturers to NOT track their (Netflix's) viewership/app use etc...

Netflix is probably the most savvy digital media company at this point.

While this data will enrich various entities over time at the expense of 100% privacy as to the content one is viewing, I would state that one would be better served to be worried about their Chrome and credit card history than the viewing of particular TV shows.

Additionally - having a very intimate knowledge of how the Vizio system works, I would not be concerned about this at all in the scheme of things as truly, it's literally impossible to have a system watching all media streams on TVs throughout the world.

Finally, Vizio has done a stand-up job of enforcing opt-in/opt-out in the actual firmware of every set.


While Netflix does have a lot of data about what you watch on Netflix, I believe that the reason people react so strongly to things like this is that, as the platform provider, using automated content recognition and other techniques, Vizio (or Samsung, ...) can know everything that you watch across all sources flowing through the TV. Even including things such as YouTube, linear broadcast TV, etc. That's a lot broader surface area than Netflix has...


This is not feasibly accurate currently.

There are contractual stipulations, by companies such as Netflix, for example, that preclude image sensing on screens. (Netflix doesn't want anyone else having their viewer data as one logical argument) -- that doesn't mean that Netflix doesn't share viewer data with other third parties... [I have no idea if they do, I haven't read their policy]

But here is the issue that 99% of people fail to get: The TV can only ID what it is that you are watching if the system has also been watching the same video/seen the same video/is also watching the same in real-time as you watch it.

So, yeah, it is impossible to ID any and all.

Further, the agreements between companies like Vizio and others are very specific as to what is legal and allowed.

Having been-there -- These guys are on the up-and-up and while we all want to have the right to do anything we want in secret, there is nothing to panic about. However, there is a larger question that is raised regarding privacy; We already have laws around PCI/PII/Med data -- media consumption data is an open issue; How much behavioral data do you think Facebook has? "Show me the total count of males in Brazil between the age of 18-24 that identifies as single and lives within 50 miles of Rio who liked [object] where name begins with the letter 'R'" -- Yeah, I wouldn't worry about what TV Show a Vizio TV reported as displaying.

The FB example shows that you were at your machine, and clicked on the [object] etc...

Vizio (and all other brands) TVs are running in kiosk/unattended mode all over the place. How many screens in every sports bar were on last night? Well, they can certainly ID the # of TVs that were watching the Superbowl, but there are likely >~1 person at each screen. So, the worry about your demographics is meaningless in this case. Same as an election/election-debate.

But, as an aggregate you can see where the attention of the millions of TVs are pointed.

Like I said - it is simply Nielsen ratings, but much much more accurate.


> Like I said - it is simply Nielsen ratings, but much much more accurate.

You keep saying that. But if I'm not mistaken, Nielsen families are paid for their participation. When can I expect a check from Vizio?


That's why it is opt-in.... just like every other form of in-line marketing.

Are you expecting a check from Google for your use of Gmail? What's more invasive, Google reading your emails to mom about your colonoscopy, or the fact that Vizio knows that your TV watched the superbowl last night?


> That's why it is opt-in.... just like every other form of in-line marketing. Are you expecting a check from Google for your use of Gmail?

Hmm, I may not be entirely up to speed on what happened here. If so, I apologize. The lead paragraph of the story says (in part) that Vizio "installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent," and that's what my comment was based on.

So if the service was "opt-in," as with the Nielsen business model, then why are they being forced to pay a seven-figure fine?


"installed software" is a bit of a misnomer - it's a feature baked into the firmware, when you first set up the TV it asks you for permission to do enhanced content recognition. If you say yes, it will enable the system - if you say no, the TV will never send data of fingerprints on the screen.


> when you first set up the TV it asks you for permission to do enhanced content recognition. If you say yes, it will enable the system - if you say no, the TV will never send data of fingerprints on the screen.

But how do I reconcile this with the article, which says it was done without consumers' knowledge or consent?

Someone's lying, which I'm sure you'll agree is always kind of annoying.


This is my understanding and it's not the official opinion of anyone other than my own;

Iirc the statements were in the TOS to begin with, but it was not 100% obvious (meaning "CLICK HERE TO ACCEPT") yet I recall going through deployment heck to ensure that the TOS pop-ups were actually working... and we ensured this 100%.

The agreement was there, but it wasn't a button... We had to make a button, which was done.


I can encrypt my e-mail. Can I encrypt my video signal so that the TV doesn't read it off?

Also, Gmail gives me a pretty damn good service in exchange for me allowing them to read my e-mail - I get free search, categorization and arguably the best spam filtering solution in the world. What do I get from Vizio in exchange for all its spying?


A cheaper TV - or to go a level deeper, still having the manufacturer in question in the business of making TVs. TVs, and more generally high-unit-volume embedded hardware products, are incredibly competitive. This is particularly true at the price points where Vizio moves significant volume. Margins were squeezed to zero years ago.


> or to go a level deeper, still having the manufacturer in question in the business of making TVs.

As a consumer, that's not my problem. If a commodity company can't survive on their margins, then so be it.

The problem is that even if such "innovation" allows a company to increase its margins (and maybe decrease price), there's nothing stopping competitors from adopting it too, and soon margins are back to near-zero - but the user-hostile crap remains a permanent part of the new landscape. This process needs to be actively opposed, and individual consumers are unfortunately nowhere near powerful enough to do so.


I understand. But understand that from their perspective, as a business deciding whether or not to stay in a particular market, it's also not their problem. They're going to act in their own interest; if the incentives are aligned as they are, the resulting behaviors shouldn't be surprising. Whether they should be condemned or whatnot is perhaps something interested people could debate, but interested they are not.

And, with a $2.2m settlement, the incentives are still solidly weighted towards behavior like this.


The TV can only ID what it is that you are watching if the system has also been watching the same video/seen the same video/is also watching the same in real-time as you watch it.

Aren't there digital watermarks on all broadcast TV shows and advertisements? If not, if there's a fingerprinting algorithm that can run on a screen's hardware, or filename matching for USB, media could still be identified. No need for the rest of "the system" to have video files in advance, or at all.


Sort of - but not quite.

Think of it like this; people are concerned that the system can do Who, What, When, Where, Why, How, How-Much, Who-do-they-know,... etc,...

It can't. Surely things can be inferred... but nothing that should get you riled up any-more-so than any other online service you have ever used. Plus - the opt-out functions actually work.


> Plus - the opt-out functions actually work

But are users (such as myself) made aware of this opt out?

> It can't.

It can't... Or it can't yet?


> There are contractual stipulations, by companies such as netflix, for example, that preclude image sensing on screens.

So you're saying Vizio and Netflix have a contract such that Vizio TVs will not report to Vizio about what is being displayed on the screen if it's a Netflix stream? That sounds dubious. Maybe they could have a built-in Netflix app ignore such content, but what about Netflix streamed from a separate device via HDMI?


Yes.

But you have to think about the economics of the ingest side... how much does it cost to, as a client, ingest every single Netflix show. Not going to happen. Plus it violates lots of various companies' TOS.

This is a non-issue, IMO, and people shouldn't worry about it to the same extent that one should worry about FB and GOOG and AAPL's abilities...

This is a scape-goat.


It's not at all a scape-goat. It might be a minor player, but not a scapegoat. And as a minor player, it's been coasting under the radar. At least we try to keep tabs on Facebook and Google, etc.

Your defensiveness of Vizio is offsetting, as if covering for something. Should I be worried, and swap out my Vizio for a different company's television?


If you just set your TV's country to Mexico it effectively disables ACR data collection....


That and they weren't exactly upfront about their collection.


Can you expand a little on how the article said the identification worked? It says it takes a set of pixels, does this patch of pixels get stored? How big is it? If it's stored, how is it protected? Is it encrypted at rest?

I have a Vizio TV, I use it as a computer monitor. There's every possibility that PII or plaintext credentials might have been transmitted as part of this collection scheme. What did you do to mitigate that danger?


No PII is detected or ever "seen" by the system.

The way the system works is that there are a series of patches on the screen, and the RGB values of the collection of patches is captured and creates a fingerprint of what is being displayed on the screen.

This fingerprint is sent to the detection engine that has a DB of all the screens that were ingested into the content DB.

The system simply looks up the fingerprint value against the vast DB to see if it was something that was ingested.

The only thing ingested are broadcast television shows. No Netflix, YouTube, etc...

So anytime you use the screen as a monitor, or a kiosk, or a security camera display - anything other than an actual television - the system will not recognize that you're watching Ellen at 4pm PST and are currently 10 minutes into the show.

That's all it does.

The goal was to have overlay events that allow for interactivity if a certain show or commercial is shown. That system didn't really make it too far in production.

Finally, if you're using a TV as a monitor - the system will see that they have never detected anything from that particular TV and it will simply ignore it. At certain points all the TVs that had never detected any TV ACR were just turned off and told to not talk to the system at all.

There really is nothing personal to worry about with this, IMO - and I am not "defending Vizio" -- I just know very intimately how the thing works as I helped build some of it, and I know that it's not nearly as invasive as people think.

For example - there is a lot of foreign content on TV - Spanish, Chinese, Filipino, Indian, etc... none of this is ingested and never detected.
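The pipeline described in the comment above (patches, RGB values, fingerprint, database lookup), as an added sketch that is not part of the thread and not Vizio's code. The patch layout, patch size, quantisation step and the frames themselves are assumptions constructed for illustration.

```python
import hashlib

W, H = 160, 96   # assumed size of the constructed frames
PATCH = 8        # assumed patch edge, in pixels
PATCH_ORIGINS = [(x, y) for y in (8, 44, 80) for x in (8, 76, 144)]  # assumed 3x3 layout
STEP = 32        # assumed quantisation step per colour channel


def make_frame(label: str):
    """Constructed frame: 16x16 blocks whose colour is derived from the label."""
    frame = []
    for y in range(H):
        row = []
        for x in range(W):
            block = f"{label}:{x // 16}:{y // 16}".encode()
            r, g, b = hashlib.sha256(block).digest()[:3]
            row.append((r, g, b))
        frame.append(row)
    return frame


def fingerprint(frame) -> bytes:
    """Quantised mean RGB of each patch; the only value sent to the server here."""
    out = bytearray()
    for ox, oy in PATCH_ORIGINS:
        sums = [0, 0, 0]
        for y in range(oy, oy + PATCH):
            for x in range(ox, ox + PATCH):
                for c in range(3):
                    sums[c] += frame[y][x][c]
        out.extend(s // (PATCH * PATCH) // STEP for s in sums)
    return bytes(out)


def ingest(db: dict, title: str, frames) -> None:
    """Server side: index ingested broadcast frames by fingerprint."""
    for offset_s, frame in frames:
        db[fingerprint(frame)] = (title, offset_s)


def lookup(db: dict, fp: bytes):
    """Return (title, offset in seconds), or None if the content was never ingested."""
    return db.get(fp)


def demo():
    db = {}
    show = [(t, make_frame(f"show-frame-{t}")) for t in (0, 300, 600)]
    ingest(db, "Constructed Broadcast Show", show)
    watching = lookup(db, fingerprint(make_frame("show-frame-600")))
    desktop = lookup(db, fingerprint(make_frame("desktop-session")))
    return watching, desktop, len(fingerprint(show[0][1]))
```

In this sketch the server learns a title and an offset for ingested content and gets no match for anything else; the fingerprint is 27 bytes against 46,080 bytes of raw pixels per frame.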


If Vizio made complete backups (say full HDD clones) of all their computers on a weekly basis, do all of the backups need destroyed? Is it feasible to open every backup and delete the relevant information? Is it possible to "forget" that a backup process exists and still maintain the data?


That's unimportant. What is important is legal penalties for accessing or selling that data. No-one with assets and in-house counsel would dare violate an order like this.


I've always wondered whether a datastore built on an immutable architecture could be designed to cope with an expectation of receiving court orders to delete data. I think you'd arrive at a somewhat "DRM"-like design. That is:

1. the datastore system would be designed as an "appliance", intended to be installed directly on hardware, and would mandate (and check that) the hardware it was installed on provided both a TPM to store disk encryption keys in, and a full Secure Boot trust-chain granting only its bootloader boot privilege;

2. the datastore software would maintain a mutable index within the store (in the Merkle-tree-ref sense) of all data that is to be "considered deleted"—a master "tombstone" record, in the DBMS terminology—and would prevent anyone from accessing said data through the system's API.

With such a design, the data is effectively "gone", just as if it was really erased from the disks; the only way for a company running such a datastore to "recover" the data would be to find an exploit in the appliance allowing them to modify either the tombstone list (somewhat easy to thwart by choice of data structure), or the code that applies the tombstone policy.


In addition: Have per-object encryption keys and destroy those when data has to be wiped.
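The tombstone index and the per-object key destruction from the two comments above, combined in one added sketch that is not part of the thread. The class and function names are hypothetical, the SHAKE-256 keystream is a standard-library stand-in for a vetted AEAD, and the key table is assumed to live outside the immutable store and its backups.

```python
import hashlib
import hmac
import os


class Excised(Exception):
    """Raised when a tombstoned object is requested through the API."""


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (SHAKE-256 keystream) so the example runs on the
    # standard library alone; a real store would use a vetted AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def decrypt(blob: bytes, key: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return keystream_xor(key[:32], nonce, ct)


class ImmutableStore:
    def __init__(self):
        self.blobs = {}          # append-only: ref -> nonce || ciphertext || tag
        self.keys = {}           # mutable key table (assumed to live outside backups)
        self.tombstones = set()  # mutable index of refs "considered deleted"

    def put(self, plaintext: bytes) -> str:
        key, nonce = os.urandom(64), os.urandom(16)  # 32 bytes cipher + 32 bytes MAC
        ct = keystream_xor(key[:32], nonce, plaintext)
        tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
        blob = nonce + ct + tag
        ref = hashlib.sha256(blob).hexdigest()  # content address, Merkle-style
        self.blobs[ref] = blob                  # written once, never changed
        self.keys[ref] = key
        return ref

    def get(self, ref: str) -> bytes:
        if ref in self.tombstones:              # tombstone policy enforced at the API
            raise Excised(ref)
        return decrypt(self.blobs[ref], self.keys[ref])

    def excise(self, ref: str) -> None:
        self.tombstones.add(ref)                # the store itself is not rewritten
        self.keys.pop(ref, None)                # destroy the per-object key


def demo():
    store = ImmutableStore()
    keep = store.put(b"constructed record: tv-0001 opted in")
    wipe = store.put(b"constructed record: tv-0002 no consent")
    backup = dict(store.blobs)                  # full clone taken before the order
    store.excise(wipe)
    try:
        store.get(wipe)
        api_blocked = False
    except Excised:
        api_blocked = True
    return {
        "api_blocked": api_blocked,
        "ciphertext_still_in_backup": wipe in backup,
        "key_survives": wipe in store.keys,
        "kept_record": store.get(keep),
    }
```

The excised ciphertext remains in the append-only store and in the earlier backup, but with the key gone neither copy can be opened, which is why the scheme only holds if keys are never written into those backups.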


Have a look at what datomic does. http://docs.datomic.com/excision.html


It's like every service provider's wet dream to arbitrarily lock up our private files. Currently only the Russian cybercriminals are a bit ahead of the competition.


Foof, this is yet another reason for me to be completely out on smart tvs.

I really don't see the appeal of hooking up my tv to the internet if the only thing I'll get in return is buggy service integrations and, worse, the tv spying on my viewing habits. This is on top of the added potential for security exploits on a poorly maintained device connected to my home network.


I agree that Smart TVs need to die. I think some sort of law or regulation mandating security updates for the average life expectancy of such devices would go a long way towards killing off Smart TVs. That's assuming the life expectancy is something reasonable like 5-10 years.


It's about more than security updates. And this may seem off topic, but bear with me for a moment.

Smart devices, including but not limited to Smart TVs. The manufacturers need to be legally and financially liable for damages caused by their devices getting hacked and used as a botnet.

When I buy a toaster, I have a reasonable expectation that it won't burn my house down.

When I buy a Smart TV, I have a reasonable expectation that it won't get hacked, become part of a botnet and cause massive damage to someone else, far away that I don't even know.

It is not impossible to build a very secure IoT device. Anyone who has ever gone through PCI compliance to build a web site or anything else that accepts credit card data knows this. It's not impossible. It's just a very high bar to jump over. Demonstrating a similar level of security should be enough to be able to get insurance in case your IoT devices do get hacked and cause harm.

The costs of this would be passed on to consumers. This would make Smart TVs more secure. But I'm also happy to pay more for a toaster that doesn't burn my house down, instead of a super cheap one that is dangerous.

This would either kill smart TVs as an economical consumer item, or it would make them very secure. If it kills them, then the data / privacy issue is solved -- to move this back on topic.


In the case where your device was compromised and used in a botnet attack, wouldn't you need to prove damages? I'm just curious what that argument would look like to a layperson.

I suspect the average person wouldn't get too riled up to hear that their internet connection was used to block someone's website, as long as they don't notice it in their service quality.

Another tangent -- do any sophisticated botnet systems throttle their connection during an attack to minimize impact on the device/network owner?

[edit - in case it's not clear, I'm admittedly ignorant about this kind of stuff, so I was just curious if anyone else can shed some light]


In the US, this is already covered under civil law. Companies are successfully sued for liability as a result of their products' flaws all the time.


Or you get TVs that last a lot less ;)


I used to think that too until I bought a new TV that has great Amazon/Netflix/YouTube apps. I suddenly didn't need a different box and have one remote. I'm sure I'll need a new external box in a few years but for now it's so simple it's perfect.


I recently got a Vizio 4K 'tuner free' TV. Basically it's just a Chromecast built in to the display and you just plug your dish/cable tuner in if you have it. Everything runs off your phone or cable box remote.

It's nice because I don't have to worry about stuff like the Netflix app aging out and not supporting X,Y,or Z feature. Is my phone up to date? That's it. I'd like to take it a step further and have it COMPLETELY dumb and plug my own chromecast/Roku/whatever in to it. No WiFi, no anything. Give me a good 4K display with whatever processing capabilities make the experience better and then get the hell out of the way.

I feel like this one is ALMOST there, just need to go one more step or two- and then quit spying on me would be nice too.


Smart TVs really need to follow 3D TVs and die as soon as possible. If I want my TV to be "smart". I'll just buy a $50 set top box and change it every 3 years. I don't want a TV that I will keep for 10-12 years to be "smart" and abandoned in terms of updates a year or two after appearing on the market (so not even after purchase).


Even worse than the spying is LG Smart TVs that actively display advertisements in the GUI. I remembered incorrectly which television brand did that, bought an LG on sale, and now I have to remember to keep its MAC address blocked in my router to prevent it from displaying advertisements.


As a Vizio TV owner who will probably buy more Vizio TVs... Meh. I just assume every electronic device I own is spying on my habits and selling the data to whomever. Glad to see them busted on this, because I want to see the line for this stuff set as far back as possible, to be the most trouble and risk possible for businesses.

But yeah, you can't really expect corporate ethics or laws to protect you.


>But yeah, you can't really expect corporate ethics or laws to protect you.

Sure, in a general sense you can't expect human morality or police to protect you all the time either. Do you just assume everyone you meet is a violent pathological criminal? That would be a very paranoid point of view to maintain.

The point of the law and in particular this ruling is to be enough of a deterrent to dissuade most actors from doing something bad, thus giving you some level of protection.

Cynics look at these types of cases and conclude like you have, that laws and ethics won't protect you. But if we never saw these types of cases come up it would be more likely that no one is enforcing the law, not that everyone is obeying it.


Writing off the right to privacy because you have nothing to hide is like writing off the right to free speech because you have nothing to say.


It has nothing to do with whether I have something to hide or not. I don't want them collecting data without my permission. But I assume they will do so.

And to the post comparing this to violent crime... um, no. It's not the same. I don't need to be paranoid and assume that everyone is a violent criminal. I do, however, need to be conscious it's possible.


Nothing to hide, huh


So they got fined for doing what essentially every internet company is doing? It's a good start, but I'm afraid it won't go nearly far enough.


Yeah, I don't understand this. I read the FTC complaint and it hinged on the issue of collecting the data w/o explicit user consent, ie a pop up or message. Wouldn't nearly all internet companies fall in to this bucket? Ie, log aggregators, analytics SDKs etc?


That's cool but it feels like drops in the ocean.


From the amazing "Cloud Atlas" (2012) movie:

"But what is an ocean, if not a multitude of drops?"

I am feeling a lot of despair and paranoia about this case but there are still reasons to be hopeful and optimistic.


Super interesting to see the population's attitude shift over time with regards to privacy.

Feels like even the HN crowd is starting to get worn down and accept this sort of thing as a fact of life. It's absolutely going to get worse, and I'm surprised TVs aren't already using their cameras to measure physical movement during suspenseful scenes, or track how many people leave the room during commercial breaks.

Of course, most non-technical end users I know 100% just don't care about this sort of thing, which bums me out. "Well, I know I'm being spied on, but if it makes my life easier then does it matter?"


> "Well, I know I'm being spied on, but if it makes my life easier then does it matter?"

That is still a somewhat defensible attitude. But most tracking, Vizio included, doesn't give you any benefits. It doesn't make your life easier in any way. It exists so that other people can make more money selling information about you to people who make money trying to sell useless shit to you.


> But most tracking, Vizio included, doesn't give you any benefits.

It makes the products you want cheaper/more commercially viable.

It's usually not completely obvious, but look at the Kindle Fire tablets which have ads on the home screen for a $10 discount.

It's the same reason many computers come preinstalled with crapware; consumers want the cheapest price and are willing to tolerate crapware being installed by default for a cheaper computer.


Here's the thing with consumer "wants" - I feel it often is portrayed backwards. Consumers tend to not "want" stuff - they choose from what's available. There are no polls made in which consumers express an opinion that they'd happily buy a TV that tracks their watching habits if it was cheaper. Instead, somebody introduces such user-hostile way to make money on the side, allowing them to sell the product cheaper, and people start buying it because it's cheaper. Competition has to follow suit.

The point being, companies are guilty of putting such products on the market in the first place; you can't then turn around and say "look at the sales figures, it's obviously what people want!".


I couldn't find data on this, but I think the ads version of the Kindle Fire is the more popular one, and users have the option to pay more for no ads.

I don't know why everyone gets so torn up about this when we all know Netflix and YouTube track what we're watching, and the dream of personalized content recommendations relies on this data. I'm guessing it's mostly because adtech companies and advertisers are generally disliked around here.


> Super interesting to see the population's attitude shift over time with regards to privacy.

Agreed, though I feel like it's shifting in the opposite direction to what you think. I bought a Google Home and the guy next to me wanted to talk about the NSA spying on me.

I think there's a lot of distrust of technology building up.

> "Well, I know I'm being spied on"

A lot of this is about framing; no-one wants to be spied on, but when you watch things on YouTube, you don't consider it spying that YouTube knows what you're watching.


I feel conflicted.

On one hand, my Vizio comes built in with several apps—Netflix, Hulu, Local News—that improve the overall TV watching experience. Without the apps installed, I doubt that the members of my household would be consuming half the amount of entertainment. On the other hand, I hate the fact that data leaks to Vizio.

So, what's the best way to strike a balance?

Buy a "non-smart" TV and plug in a laptop (or Raspberry Pi) via an HDMI cable?


Try finding any newer "non-smart" tvs.


You're probably right.

The last time I hunted for a new TV was about 3-4 years ago; I'm guessing nowadays, most (if not all) TVs are now "smart."


Look for the Humax Pure Vision Display. Comes in 43", 49", and 55". 4K, with a bunch of HDMI/USB ports, and no more.


> Without the apps installed, I doubt that the members of my household would be consuming half the amount of entertainment.

Maybe not "consuming" the content would be healthier? Would the time be used for other more productive activities?


Console or media center


Does your Samsung TV turn itself on in the middle of the day to make updates? (screen stays black but you can hear the click). About once a week I hear it click on and then click off 5 minutes later... It's just spooky. Why would anyone buy a TV with voice control?!


Vizio was sold to LeEco in July, right? Does anybody have an idea about whether this data went along with the purchase or not and/or whether it would have made for a significant boost in the price paid for the firm? Seems like pretty valuable data to re-sell to third parties.


Vizio's data service is set to be spun off into its own company. https://en.wikipedia.org/wiki/Inscape_Data_Services


2,200,000 / 11,000,000 = 0.2

Stealing entire viewing privacy is only worth 20 cents - painfully low for my tastes, but I guess it's about right given what people currently expose to get "free".


Exactly. 20¢ per TV, which might correspond to multiple users, is a slap on the wrist.


very light slap...


I know it's a pipe dream: It would be good for their retail and distribution channels to drop their product lines; it would be a noticeable way for outfits like Best Buy and Walmart to brand themselves with a "we care about our customers" aura.

Loss of access to markets is also a suitable consequence for this kind of monkey business.

Like I said, pipe dream.


Why not to their customers? Why does the FTC deserve this money?


Are there other cases like these?


This is my old company! Cognitive Networks, acquired by VIZIO and rebranded VIZIO Inscape.


Likely related to Samba TV, connecting viewing data for advertising.


Can anyone recommend good non-smart TVs?


I'll never buy a smart tv


Good luck finding one that isn't.


I just bought a westinghouse that isn't


It's probably easier to just not get it on the network...


Interesting. It's fine for the government to collect data and spy on its citizenry (without disclosing that it's doing so), but if a company does it it means millions in fines? Smacks of rank hypocrisy, to me.


The government isn't a corporation. Vizio also doesn't have fighter jets and tanks. The rules are different.


The state's exercise of force is typically considered distinct from any other entity's.



