Looks like the anti-smartTV alarmism is out in full force today on the feditubes. A reminder: connecting a smartTV to the Internet is perfectly safe as long as you take 2 minutes to follow common sense guidance:

https://www.consumerreports.org/electronics/privacy/how-to-turn-off-smart-tv-snooping-features-a4840102036/

SmartTVs don't collect any more data than Microsoft Windows, Google, Facebook, Twitter or even your credit card company.

Don't be fooled by the people trying to shame or scare you. And definitely don't get tricked into the magical thinking that streaming with a Roku is somehow safer than with a TV. It's not.

@dangoodin yes but to be fair, some manufacturers are trying to sneak in a camera and other sensors. That’s a little overkill.

@GuillaumeRossolini

Yes, but can't the same be said of tablets and phones? And again, as long as you follow the guidance to turn that crap off, you should be fine.

@dangoodin @GuillaumeRossolini but the TV feels much more literally Orwellian in its fixed position, whereas handheld mobiles can go in a pocket or drawer.

Edit: also the creepy inserting of ads I saw on a vacation rental property's smart TV gave me the creeps.

@dangoodin yeah sure, or be aware of the practice and choose a different model that doesn’t have these sensors at all

@dangoodin @GuillaumeRossolini

Tablets & phones are personal devices that people *generally* understand to carry some risk. Only children and the extremely naïve don't perform basic infosec.

A TV is different. It's an appliance, and older people assume it's a passive display like their old Magnavox but bigger & prettier. They don't think of it as a computer.

IMHO we need *more* paranoia about smart TVs, not less. It's not fear mongering if the risk is real.

@ralfmaximus @GuillaumeRossolini

There's no more risk than smartphones, tablets, computers and many other devices, or Facebook, Github, Google, Twitter or your credit card issuer. You should have as much paranoia related to these things as you do smartTVs.

@dangoodin @GuillaumeRossolini

Oh I absolutely do.

@ralfmaximus @GuillaumeRossolini

OK, then we all agree that it's silly to single out smartTVs when they pose no more risk than other devices and services we use on an hourly basis. I'm glad we got that sorted out.

@dangoodin @ralfmaximus @GuillaumeRossolini This feels like whataboutism.

"TVs shouldn't collect so much data."

"What about your smartphone, tablet, etc?"

I tend to agree that none of them should collect that much data, but we're talking about TVs right now, not the other things

@godmaire @ralfmaximus

No, we're talking about how silly it is to say "Don't connect your smartTV to the Internet" when you connect equally dangerous things to the Internet on an hourly basis. That's what this discussion is about.

@dangoodin

You're putting words in my mouth. "We're" not saying that, you are.

My point is that a TV is perceived differently by most consumers, who do not categorize it as "the same risk" as other devices. It's a perception problem. That's why IOT is so dangerous: people misunderstand that there are computers in there.

@godmaire

@ralfmaximus @godmaire

I'm pretty sure most consumers are equally in the dark about the security and privacy risks of phones and other devices.

@dangoodin @ralfmaximus Whataboutism might be the wrong term. "Why bother-ism" might be a better one. Why bother with making smart TVs safer when phones exist? That's not good. Fighting back even a little is better than just giving up

@godmaire @dangoodin @ralfmaximus
No, there were some fair points above

  • TVs aren't seen as active listening/recording devices by the general public yet;
  • the precautions you (should) take with your phone, can also apply to the TV

@godmaire @dangoodin @ralfmaximus

Incidentally, I was reading about this earlier today

https://digital-markets-act-cases.ec.europa.eu/reports/compliance-reports

I didn’t know that the EU had this gatekeeper label but I’m glad for it, especially since they impose transparency and it’s working

(There’s also a big platform label for the biggest websites by traffic, with imposed transparency also)

Anyway all this to say: these transparency laws don’t apply to Samsung, LG or other tv manufacturers, yet. Make of this what you will.

@dangoodin Well, we do have some cautionary horror stories, such as this one from 2017 (which is referenced in the Consumer Reports article.)

"VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent"

https://www.ftc.gov/news-events/news/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it-collected-viewing-histories-11-million

@karlauerbach

True, but that was 7 years ago and those kinds of abuses are not remotely limited to smartTV makers.

@dangoodin Yes, it was ages ago in Internet time - but it was the fact of connectivity that made Vizio's clever snooping possible.

I've spent many years in the realm of security/diagnostics/repair. In that world one comes to recognize the large amount of data that leaks from systems via side channels. (I first learned this by watching the lights on 1970's computers and listening to the noises from power supplies - I shocked some people on a visit to an NSA site when I could tell them what their computers were doing without actually accessing them.) When we travel I can tell when our house sitter is at the house by remotely looking at the settings on the thermostat.

With gaming and things like content meta-tracks the fourth wall on TVs is eroding as the audience becomes part of the content.

Just as Javascript in browsers and no-click opening of content created data leaks on MS Windows the pressure for interactive services will, I fear, create ever more opportunities for data gathering.

@karlauerbach

SmartTVs have more side channels than other devices you use?

@dangoodin I can data leak even from a dumb TV by having an app - sort of like a spy version of Shazam - on an iPhone (or jailbroken Amazon Echo) that listens to the sound and music coming from a TV and using that, much as Vizio did, to report what that TV is tuned to watch on a second by second basis.

We are moving into a world in which a device itself need not be "smart" and have data gathering. Rather we are becoming immersed in electronic devices that can be woven (hard today, probably easier in the future) together to gather data from one another using ad hoc, informal, human-oriented interfaces.

@dangoodin You are right. But it also means that every device is shitty.
@dangoodin Regulations should be put in place against data collection by all those entities.

@dangoodin we had a guy come in our company a few years back and give a talk about QA integration testing and he said the TV manufacturer he worked for was experimenting with adding cell modules so the TVs just connected to a cell network and transmitted their data that way.

I personally think this is something that would only be cost effective when 2G networks were still operational. I don’t think anyone ships a device like this today. But I still don’t trust the damn things

@crazybutable I removed the WiFi module from my tv when I opened it up to fix a panel lighting issue and it wasn’t too bad. It wouldn’t be ideal to have to remove a cell data module as soon as I got a tv, but I’d do it if I had to.
@ardouglass yeah I don’t think this cell feature ever shipped in a production TV (at least where this guy worked) but they had prototypes. He was talking about how they could do pixel sampling to figure out what movie you were watching even if it was coming over HDMI because they had hashes of the pixel values in a little database
@crazybutable ugh, I should turn my entire house into a faraday cage
@dangoodin But why SHOULD I connect it to the internet. It's literally a HDMI-to-eyeball converter.
@dangoodin Smart TVs may not be uniquely terrible, but that doesn't make them not terrible. I love the idea of smart TVs, I just wish I could trust them to not be awful. Saying I can trust smart TVs as much as Facebook etc. is the same as saying I can't trust them at all.

@stveje

Yes, exactly. So stop singling out smartTVs as if they pose more risk.

@dangoodin Agreed. I just don't think it's right to say they're "perfectly safe" either. If smart TVs are singled out, it's perhaps because they're easier to do without than many other things. So since we have no choice but to use *some* bad things, we pick a few bad things to loudly live without as a form of protest (futile though it is). That's my guess, anyway.
@dangoodin I got a 40" Hisense Roku "smart tv" for $200 and just use it as a large tertiary monitor. It's never been connected to the Internet.

@stepheneb

That's silly.

@dangoodin It was very cheap and the quality is acceptable on my M1 macbook pro. I have no need to connect it to the Internet which means I don't have to think about the security issues ... which means I have a bit more energy for digging into other security issues.

@stepheneb

Sigh. If you practice basic common sense when using your smartTV there are no more security issues to worry about than when you use your M1.

@dangoodin Right now I don't have any closed devices connected to the Internet, only computers and routers where, with effort, I can do security forensics. Just common sense not to connect closed devices if I don't need the services offered by enabling the Internet connection. I'm not opposed to a smart tv, but if I wanted that capability I'd also expect to first make an effort to understand what are the security implications.

@dangoodin I disagree with the last point - when my Android TV pushed an update that started showing unsolicited ads, it went to e-waste recycling and I was out a couple hundred to buy a different device. If my TV decides I need to start seeing mandatory ads to use it, I'm out thousands.

My TV isn't and has never been allowed on the internet, because I'm not willing to roll the dice that the manufacturer won't push a malicious update to show ads or collect data or something. It's too expensive to replace.

@dangoodin I also don't trust the threat model of TV developers. I am fairly confident that for all their flaws Apple and Google practice decent sandboxing and OS hardening and put real money and effort into security. I'm not at all confident that the TV manufacturers do that (nor the vast majority of other smart-home vendors).

@iagox86

You're concerned somebody is going to exploit a buffer overflow in your Samsung TV?

@dangoodin I'm more concerned that an app I install will interfere with other apps or my Cloud account in unexpected ways. Safety from internet attacks is one thing (super unlikely), but having a reasonable app permission model is also important, and something that Google and Apple have spent a lot of time on for their mobile platforms.

But honestly I'm MOST concerned with the manufacturer deciding I need to see more ads. I've worked very hard to keep ads out of my life, and I don't trust TV manufacturers not to hop on that bandwagon. I never plan to let my TV have an IP address or to update it.

@iagox86

Perfectly legit reasons for concern, but they apply equally if not more to your phone, AppleTV and most other internet-connected devices as well.

@dangoodin Apple TV is much, much cheaper to replace than a TV. We actually DID replace our nVidia Shield (which runs Android TV) when they decided to push ads and moved to Apple.

If every platform collectively starts showing ads, maybe I'll just go back to reading books. :)

@dangoodin

I'd also argue that the "two minutes" is only briefly true. The TV manufacturers are constantly trying to figure out new ways to re-enable the tracking (and keep getting caught doing so), and also keep pushing the knobs to disable it deeper and deeper - such that the CR piece started to become outdated as soon as it was published.

If I use an Apple TV, but then also hook up a VHS player to my TV, Apple knows what I played through Apple TV, but not what VHS tapes I played. By contrast, unless I disable Internet access on the TV* or keep checking frequently for changes, the TV manufacturer does.

@iagox86

** and even then IIRC haven't we caught TV manufacturers caching the data, waiting for an open AP, and then uploading the backlog?

@tychotithonus @dangoodin If a device looked for / used nearby open APs, that'd be a clever way of messing with people like me. Hopefully they never do that!

At least if I don't ever update my TV or give it an IP, it's stuck at the point-of-time firmware when I bought it, which I'm perfectly fine with

@iagox86

And to make it explicit why I bring the surveillance up during "is there a vuln" discussions:

In my experience, the more developers contort the code to surveil, the more likely they are to introduce vulnerabilities, of two classes:

  • just general bad/complex code, or

  • stuff intended to be NOBUS that ends up being exploitable

@dangoodin

@dangoodin

I'm pretty pissed at all the info all those companies collect actually. We should own our own data and we should be allowed to charge THEM for it. Why should they all get the benefit of selling our data and we don't? AND we have to pay for them to do it?

@dangoodin back when I still watched TV I redirected the HbbTV Domains on my LAN towards my own machine to have custom overlays accessible via the red button 😅. One feature I implemented was live Twitter feeds for trash-tv with a database of show-hashtags relationships.
The TV wasn't nearly smart enough to be more frightening than any other smart device around the house. Its JS engine was abysmally bad as well.
@dangoodin the best argument against using smart TV features in favor of an external device is that it's cheaper to get a new hardware dongle when the old one is no longer supported by the manufacturer. And even that is pretty thin.

@dangoodin I get pissed off when people try to dismiss other people's entirely justified security concerns.

You are utterly wrong in every respect, shamefully wrong. Security by analogy is a really terrible approach to security.

Here is how I look at the situation as a security expert, not a journalist.

First, the TV maker never informed me that the TV and remote had the ability to capture audio. So that is the first strike against them. Microsoft Edge can't record any sound on the machine I am using now because the microphone is turned off and the webcam is disconnected.

Secondly, my laptop and desktop run anti-malware scanners from reputable sources and I only use well known browsers subject to massive amounts of peer review. While it is possible there might be some sort of backdoor in Edge or Chrome, I don't think it would stay there very long.

The same is not true of my TV. LG has really no clue what is being uploaded to their content center and neither does any other provider. Nobody is watching the app store, the scope for dropping a passive listener onto the user is actually very high.

I am not exactly pleased with the behavior of the tech companies mentioned. But they do at least have people who understand the issues and know they are targets. I see absolutely no evidence Samsung gets it and have stopped buying LG because they obviously have no interest in customer support.

The IoT schemes being promoted by the tech giants are all self serving attempts to establish a razor-and-blades captive market with absolutely no respect for the user's requirements. That is why they form a new IoT consortium every couple of years with exactly the same promises as the last one and the one before that which is being quietly shuttered having failed to deliver anything.

@dangoodin "SmartTVs don't collect any more data than Microsoft Windows" ah well that's a relief

@chipswithfries

OK, I'm starting to conclude that you and a bunch of other people in this thread will ever grasp my point.

@dangoodin having a dumb tv would be nice though, most smart tv software is terrible.

Or the software isn’t terrible but the hardware is underpowered so it still runs like poo

@dangoodin The boogie man is not in your smart television.

@dangoodin sounds like more work than searching for a dumb TV

Market signals can't work without effort on our part, even if that effort is frequently ignored

@dangoodin How is it magical thinking that when streaming on an Apple TV only the app you’re streaming (and their embedded third parties) know what you’re streaming, but with a smart TV both the app (and their embedded third parties) AND the TV maker (and all their third parties) know what you’re watching. And worse, the TV maker knows what’s on the screen even if you’re not streaming. Can’t include Roku with Apple TV anymore, unfortunately.
@dangoodin Just don't buy the cheapest brands where they insert tracking, malware, advertisements etc.

@dangoodin

Other than the data collection angle, some smart TVs can be quite "easy-going" in their network stack implementations.

For instance, this blog recounts the ordeal of a Hisense TV clogging the UPNP discovery tables of all devices connecting to the same network (network query with randomized UUID generation every few minutes), resulting in various and esoteric failures (task manager hanging, Settings unavailable, taskbar disappearing, to name a few).
https://cohost.org/ghoulnoise/post/5286766-do-not-buy-hisense-t
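
A way to spot the UUID churn described in the post above from a capture of SSDP multicast traffic, added here as an example; it is not code from the thread or from the linked blog. It assumes the behaviour shows up as `ssdp:alive` announcements carrying a fresh UUID each time; the IP addresses, window and threshold are constructed for illustration.

```python
import re
import uuid
from collections import defaultdict

USN_UUID = re.compile(r"uuid:([0-9a-fA-F-]{36})")

def parse_ssdp(datagram):
    """Split an SSDP datagram into (start_line, headers); header names are upper-cased."""
    lines = datagram.strip().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def announced_uuid(datagram):
    """Return the device UUID from an ssdp:alive NOTIFY, or None for any other message."""
    start, headers = parse_ssdp(datagram)
    if not start.startswith("NOTIFY ") or headers.get("NTS") != "ssdp:alive":
        return None
    match = USN_UUID.search(headers.get("USN", ""))
    return match.group(1).lower() if match else None

def uuid_churn(packets, window=3600, threshold=5):
    """Map source IP -> max distinct UUIDs announced in any `window` seconds,
    keeping only sources that reach `threshold`. A well-behaved device keeps one UUID."""
    seen = defaultdict(list)
    for ts, src, datagram in packets:
        dev = announced_uuid(datagram)
        if dev:
            seen[src].append((ts, dev))
    flagged = {}
    for src, events in seen.items():
        events.sort()
        worst = 0
        for i, (start, _) in enumerate(events):
            distinct = {u for t, u in events[i:] if t < start + window}
            worst = max(worst, len(distinct))
        if worst >= threshold:
            flagged[src] = worst
    return flagged

def notify(dev_uuid):
    """Build a minimal ssdp:alive announcement (constructed sample, not a real capture)."""
    return ("NOTIFY * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            "NT: upnp:rootdevice\r\n"
            "NTS: ssdp:alive\r\n"
            f"USN: uuid:{dev_uuid}::upnp:rootdevice\r\n\r\n")

def sample_capture():
    """Constructed capture: one hour, one announcement every 5 minutes from two hosts."""
    nas = uuid.uuid5(uuid.NAMESPACE_DNS, "nas.example")
    packets = []
    for i in range(12):
        tv = uuid.uuid5(uuid.NAMESPACE_DNS, f"tv-{i}.example")  # new identity each time
        packets.append((i * 300, "192.168.1.20", notify(nas)))  # stable identity
        packets.append((i * 300, "192.168.1.50", notify(tv)))
    return packets

if __name__ == "__main__":
    print(uuid_churn(sample_capture()))
```
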

@dangoodin
> SmartTVs don't collect any more data than Microsoft Windows, Google, Facebook, Twitter or even your credit card company.

Oh yeah as if that were acceptable.

@hueso

Like I keep saying: Either tell people not to use any of these or STHU. It's silly to say don't connect smartTVs to the internet when you're using the rest. I've been saying this the entire thread. How can you not have grasped my point by now?

@dangoodin @hueso Oh that's exactly what I do. It's important to present alternatives to all of these corporate bullshit services. At the same time you have to understand that privacy for most people is about minimizing the amount of data you leak with as little invasiveness as possible.

Doing stuff like using fedi instead of twitter, signal instead of messenger, or not connecting your smart tv to internet isn't very invasive for most of us. Using Linux instead of Windows, or degoogling your phone might be more invasive and less people will probably be willing to accept it. And giving up credit card transactions entirely is very invasive, especially if you shop a lot of stuff online.

Saying stuff like "you can't tell people to leak less data by doing X as long as you don't tell them to leak no data by doing Y, Z and etc." is just stupid whataboutism. Especially when there is an abundance of content relating to other companies mentioned by you collecting your data and alternatives for them. So people can make a consensual choice on whether they are willing to accept the invasiveness posed by removing these products from their life, or keeping them on their devices, possibly leaking more data.

The situation for smart tvs is a bit different. Lots of people, especially some older folks, perceive them as being the same as being simple "hdmi to light adapters", not really as another computer leaking your data. So information on this field is much more valuable than repeating to people yet another time that Google is collecting their data and that they need to stop using all of these data leaky services.