(Tim Cushing) The growing presence of “smart” devices, each one requiring a connection to the outside world, is a bit alarming (Samsung TV zero day exploit, anyone?). The territory still remains largely uncharted and device manufacturers are still pretty much free to decide just how much data these devices will cough up when phoning home.
A blogger (and developer and Linux enthusiast) going by the name of DoctorBeet noticed his newly-purchased LG Smart TV was displaying ads on the “home” screen. He dug around and found more info on an LG corporate page that described the process in cheery let’s-sell-some-ads tones.
LG Smart Ad analyses users’ favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
The endearingly sexist sales pitch attempting to sell other pitchmen on LG’s “smart” ad platform/TV makes it pretty clear that LG’s TV is very interested in any “interactions” you have with your device.
What the sales pitch failed to make clear is that LG will be grabbing this behavioral data no matter what.
In fact, there is an option in the system settings called “Collection of watching info:” which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no “balloon help” to describe what it does…
At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.
Not only was LG sucking up viewer data, it was sending the data on each interaction completely unencrypted. This wouldn’t necessarily be a huge problem if the data collection were limited to the channel watched and for what length of time. But as the increasingly creepy sales pitch above points out, LG also wants “search keywords” and a potentially unlimited amount of “other information.”
At this point, LG already has a bit of a privacy problem. Sending data on channel selection is one thing. Collecting and sending unencrypted web data like search terms is quite another. And it gets even worse.
It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG’s servers and that these filenames were ones stored on my external USB hard drive.
DoctorBeet tested his hunch by mocking up an .avi file that would be immediately distinguishable from any other “normal” traffic. Plugging in a USB stick with the bait (Midget_Porn_2013.avi) into his TV, DoctorBeet soon saw data on his faux porn headed to LG’s servers in unencrypted plain text. DoctorBeet (and his shocked wife) also watched his children’s names being harvested from the file name of a Christmas video located on another connected drive.
The implications of this data collection are huge. As DoctorBeet points out, it’s simply an invasion of privacy at best. Who knows what ads LG might serve when faced with a hard drive full of porn? Who knows what it might do if it goes trolling through media files at the behest of publishers, studios and labels? It’s not tough to imagine a scenario where “connected” files become bricked because of a perceived lack of license. As we’ve seen before, companies are seeking to patent methods of utilizing connected devices (like the now-mandatory Xbox “camera”) to determine who’s enjoying what content for ad-serving purposes/licensing fee extraction.
If nothing else, a “smart” TV shouldn’t be gathering, much less sending, file data back home from customers’ non-LG devices. The fact that LG does this in unencrypted form is also troubling. The fact that LG does this even when you specifically tell it not to is the sort of thing that becomes the basis for a class action lawsuit.
LG’s pass-the-buck response to DoctorBeet’s complaints makes everything so much worse.
Thank you for your e-mail.
Further to our previous email to yourself, we have escalated the issues you reported to LG’s UK Head Office.
The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.
We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.
LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
In other words:
“Sorry” if you misunderstood the Terms and Conditions you were compelled to accept if you wanted to use your new purchase. “Sorry” these same terms and conditions nullified your preferences on sending data without your permission. Oh, and by the way, not our fault — the helpful people with the name tags at your local electronics store should have been intimately familiar with the Terms and Conditions of our entire product line and ensured that potential customers knew they were purchasing a SPY TV rather than a SMART TV.
If you have any other questions about our intrusive data collections, please don’t hesitate to fuck off and die.
LG’s representation may not care (at the moment) whether DoctorBeet feels LG’s watching him more than he’s watching its TV, but as this story continues to spread across the internet, I would imagine its tune will change. And when that changes, hopefully it will alter the Terms and Conditions as well.
People don’t implicitly surrender their privacy when they attach a “smart” device to the internet. There are responsible ways to collect data and responsible ways to protect this data and, from what’s being shown here, LG is doing neither.