Smart TVs and so-called “over the top” (OTT) platforms are the latest IoT devices found “spying” on users and leaking sensitive data to companies such as Facebook, Amazon, Google and Netflix, according to two separate studies conducted by university researchers as well as independent research done by a Washington Post reporter.
Two reports–one by researchers from Northeastern University and Imperial College London and another by researchers at Princeton University and the University of Chicago–analyzed how smart TVs collect and then pass on information about users’ viewing habits and preferences to partner companies.
The former report analyzed information exposure from 81 devices, including ones from Samsung, LG and Roku, located in labs in the United States and United Kingdom, finding that 72 of the devices sent data to a destination that was not the device manufacturer itself.
Companies most frequently contacted by the devices included Google, Akamai and Microsoft, most likely because they provide the cloud and networking services for smart-device operation, researchers said.
The Princeton report discovered that information being sent from devices also originates with channels being viewed through the use of trackers, which are predominantly managed by Google and Facebook. Eighty-nine percent of Amazon Fire TV channels and 69 percent of Roku channels contained trackers collecting information about viewing habits and preferences, researchers found.
These trackers also feature information that can uniquely identify the device and where it’s being used, including device serial numbers and IDs; Wi-Fi network names; and Wi-Fi identifiers known as MAC addresses.
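As an added illustration (not code from either study or from IoT Inspector), the Python sketch below shows how a defender could check a smart TV's logged outbound requests for the identifiers named above, whether sent in the clear, base64-encoded or hashed. The device identifiers, domains and flow format are constructed for the example, and it assumes the request text is visible to the monitor (plaintext HTTP or an inspecting proxy).

```python
import base64, hashlib, re
from urllib.parse import urlsplit, unquote

# Constructed identifiers for a hypothetical test TV (not real values).
DEVICE_IDS = {"mac": "A4:5E:60:12:34:56", "serial": "YG00AB123456", "ssid": "HomeNet-5G"}
FIRST_PARTY = ("example-tv-vendor.test",)  # assumed manufacturer domain
HASHES = ("md5", "sha1", "sha256")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def variants(value):
    """Map each searchable form of an identifier to the encoding it represents."""
    bases = {value, value.lower(), value.upper()}
    if MAC_RE.match(value):  # MACs are often sent without separators
        bare = re.sub(r"[:-]", "", value)
        bases |= {bare.lower(), bare.upper()}
    found = {}
    for b in bases:
        raw = b.encode()
        found[b] = "plain"
        found[base64.b64encode(raw).decode().rstrip("=")] = "base64"
        for algo in HASHES:
            found[hashlib.new(algo, raw).hexdigest()] = algo
    return found

def is_third_party(host):
    return not any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def find_leaks(flows):
    """Return sorted (host, identifier, encoding) tuples for third-party hosts."""
    leaks = set()
    for url, body in flows:
        host = urlsplit(url).hostname or ""
        if not is_third_party(host):
            continue
        text = unquote(url + " " + body)  # undo percent-encoding before searching
        for name, value in DEVICE_IDS.items():
            for needle, enc in variants(value).items():
                hay = text.lower() if enc in HASHES else text  # hex digests: any case
                if needle in hay:
                    leaks.add((host, name, enc))
    return sorted(leaks)

# Constructed sample flows (URL, request body), as a proxy or capture tool might log them.
SAMPLE_FLOWS = [
    ("http://tracker.example.test/p?did=" + hashlib.md5(b"a45e60123456").hexdigest(), ""),
    ("https://ads.example.test/v1/e", '{"serial":"YG00AB123456","ssid":"HomeNet-5G"}'),
    ("https://api.example-tv-vendor.test/telemetry?mac=A4%3A5E%3A60%3A12%3A34%3A56", ""),
    ("https://cdn.example.test/video.m3u8", ""),
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FLOWS):
        print(leak)
```

Hashing does not make such an identifier anonymous: the digest of a fixed MAC address or serial number is itself a stable value that uniquely identifies the device.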
A privacy experiment conducted by Washington Post reporter Geoffrey A. Fowler also discovered similar habits from smart TVs, breaking it down even further to identify spying from pixels and screenshots.
Fowler used the open-source tool IoT Inspector from Princeton University to observe how his own Samsung smart TV—as well as other best-selling devices from TCL Roku TV, Vizio and LG—was tracking his viewing activity and data.
“On many smart TVs, a few nosy pixels report back to the manufacturer everything that crosses the screen. Once per second,” Fowler tweeted of his experience. “Others send snapshots of the entire screen.”
Moreover, data firms use TV IP addresses to link what people are watching to what they do and see on smartphones, tablets and laptops, he said. “It’s like your TV is following you around,” Fowler tweeted.
All in all, these reports demonstrate the myriad ways in which a smart TV is the latest IoT device—alongside virtual assistants like Alexa and smartphones—to keep tabs on consumers for technology and media giants.
These companies, which already have been scrutinized, criticized and even fined for data-privacy issues, in turn use that data for targeted advertising and content on social-media platforms and for other marketing purposes.
“Our research shows that users, who are already being pervasively tracked on the web and mobile, face another set of privacy-intrusive tracking practices when using their OTT streaming platforms,” said Hooman Mohajeri Moghaddam, a PhD student at Princeton who participated in the research.
With a third of U.S. households estimated to “cut the cord” and use internet-connected streaming services by 2020, this problem will only get worse, he said. Moghaddam called for new consumer protections against such unauthorized data collection in a blog post on Freedom to Tinker about the report.
“OTT platforms should offer better privacy controls, similar to Incognito/Private Browsing Mode of modern web browsers,” he said. “Insecure connections should be disincentivized by platform policies.”