LG Smart TV Caught Collecting Data On Files Stored On Connected USB Drives

from the if-you-give-a-TV-an-internet-connection... dept

The growing presence of "smart" devices, each one requiring a connection to the outside world, is a bit alarming (Samsung TV zero day exploit, anyone?). The territory still remains largely uncharted and device manufacturers are still pretty much free to decide just how much data these devices will cough up when phoning home.



A blogger (and developer and Linux enthusiast) going by the name of DoctorBeet noticed his newly-purchased LG Smart TV was displaying ads on the "home" screen. He dug around and found more info on an LG corporate page that described the process in cheery let's-sell-some-ads tones.

LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.

In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does...



At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.

It was at this point, I made an even more disturbing find within the packet data dumps. I noticed filenames were being posted to LG's servers and that these filenames were ones stored on my external USB hard drive.

Thank you for your e-mail.



Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.



The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.



We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.



Kind Regards



Tom



LG Electronics UK Helpdesk

Tel: 0844 847 5454

Fax: 01480 274 000

Email: cic.uk@lge.com

"Sorry" if you misunderstood the Terms and Conditions you were compelled to accept if you wanted to use your new purchase. "Sorry" these same terms and conditions nullified your preferences on sending data without your permission. Oh, and by the way, not our fault -- the helpful people with the name tags at your local electronics store should have been intimately familiar with the Terms and Conditions of our entire product line and ensured that potential customers knew they were purchasing a SPY TV rather than a SMART TV.



If you have any other questions about our intrusive data collections, please don't hesitate to fuck off and die.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

The endearingly sexist sales pitch attempting to sellpitchmen on LG's "smart" ad platform/TV makes it pretty clear that LG's TV isinterested in any "interactions" you have with your device.What the sales pitch failed to make clear is that LG will be grabbing this behavioral data no matter what.Not only was LG sucking up viewer data, it was sending the data on each interaction completely unencrypted. This isn't necessarily a huge problem if the data collection was limited to the channel watched and for what length of time. But as the increasingly creepy sales pitch above points out, LG also wants "search keywords" and a potentially unlimited amount of "other information."At this point, LG already has a bit of privacy problem. Sending data on channel selection is one thing. Collecting and sending unencrypted web data like search terms is quite another. And it gets even worse.DoctorBeet tested his hunch by mocking up an .avi file that would be immediately distinguishable from any other "normal" traffic. Plugging in a USB stick with the bait () into his TV, DoctorBeet soon saw data on his faux porn headed to LG's servers in unencrypted plain text. DoctorBeet (and his shocked wife) also watched his children's names being harvested from the file name of a Christmas video located on another connected drive. [Click picture to open a full size version in another tab.]The implications of this data collection are. As DoctorBeet points out, it's simply an invasion of privacy. Who knows what ads LG might serve when faced with a hard drive full of porn? Who knows what it might do if it goes trolling through media files at the behest of publishers, studios and labels? It's not tough to imagine a scenario where "connected" files become bricked because of a perceived lack of license. As we've seen before, companies are seeking to patent methods of utilizing connected devices (like the now-mandatory Xbox "camera" ) to determine who's enjoying what content for ad-serving purposes/licensing fee extraction.If nothing else, a "smart" TV shouldn't be gathering, much less, file data back home from customers' non-LG devices. The fact that LG does this in unencrypted form is also troubling. The fact that LG does thisis the sort of thing that becomes the basis for a class action lawsuit.LG's pass-the-buck response to DoctorBeet's complaints makes everything so much worse.In other words:LG's representation may not care (at the moment) whether DoctorBeet feels LG's watching him more than he's watching its TV, but as this story continues to spread across the internet, I would imagine its tune will change. And when that changes, hopefully it will alter the Terms and Conditions as well.People don't implicitly surrender their privacy when they attach a "smart" device to the internet. There are responsible ways to collect data and responsible ways to protect this data and, from what's being shown here, LG is doing neither.

Filed Under: information sharing, privacy, smart tv, usb drives

Companies: lg