
VIZIO To Pay $2.2 Million To Settle Privacy Charges About Its Smart TVs

Today's blog post highlights how easy it is for manufacturers to make and sell smart-home devices that spy on consumers without notice or consent. VIZIO, Inc., one of the largest makers of smart televisions, agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC) and the State of New Jersey Attorney General. The FTC announcement explained:

"... starting in February 2014, VIZIO, Inc. and an affiliated company have manufactured VIZIO smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. In addition, VIZIO facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value... VIZIO sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices... VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws."

The FTC complaint (Adobe PDF) named as defendants VIZIO, Inc. and VIZIO Inscape Services, LLC, its wholly-owned subsidiary. VIZIO has designed and sold televisions in the United States since 2002, and has sold more than 11 million Internet-connected televisions since 2010. The complaint also mentioned:

"... the successor entity to Cognitive Media Services, Inc., which developed proprietary automated content recognition (“ACR”) software to detect the content on internet-connected televisions and monitors."

This merits emphasis because consumers who think they can watch DVDs or locally recorded content in the privacy of their homes without advertisers knowing really can't, because the ACR software can easily identify, archive, and transmit it. The complaint also explained:

"Through the ACR software, VIZIO’s televisions transmit information about what a consumer is watching on a second-by-second basis. Defendants’ ACR software captures information about a selection of pixels on the screen and sends that data to VIZIO servers, where it is uniquely matched to a database of publicly available television, movie, and commercial content. Defendants collect viewing data from cable or broadband service providers, set-top boxes, external streaming devices, DVD players, and over-the-air broadcasts... the ACR software captures up to 100 billion data points each day from more than 10 million VIZIO televisions. Defendants store this data indefinitely. Defendants’ ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items."

That's impressive. The ACR software enabled VIZIO to know and collect information about other devices (e.g., computers, tablets, phones, printers) connected to your home WiFi network. Then, besides the money consumers paid for their VIZIO smart TVs, the company also made money by reselling the information it collected to third parties... probably data brokers and advertisers. You'd think that the company might lower the price of its smart TVs given that additional revenue stream, but I guess not.

Now, here is where VIZIO created problems for itself:

"Consumers that purchased new VIZIO televisions beginning in August 2014, with ACR tracking preinstalled and enabled by default, received no onscreen notice of the collection of viewing data. For televisions that were updated in February 2014 to install default ACR tracking after purchase, an initial pop-up notification appeared on the screen that said: "The VIZIO Privacy Policy has changed. Smart Interactivity has been enabled on your TV, but you may disable it in the settings menu. See www.vizio.com/privacy for more details. This message will time out in 1 minute." This notification provided no information about the collection of viewing data or ACR software. Nor did it directly link to the settings menu or privacy policy... In March 2016, while Plaintiffs’ investigations were pending, [VIZIO and VIZIO Inscape] sent another pop-up notification to televisions that, for the first time, referenced the collection of television viewing data. This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu... In all televisions enabled with ACR tracking, VIZIO televisions had a setting, available through the settings menu, called “Smart Interactivity.” This setting included the description: “Enables program offers and suggestions.” Similarly, in the manual for some VIZIO televisions, a section entitled “Smart Interactivity” described the practice as “Your TV can display program-related information as part of the broadcast.” Neither description provided information about the collection of viewing data..."

30 seconds? Really?! If a consumer left the room to grab a bite to eat or visit the bathroom for a bio break, they easily missed this pop-up message. No notice? Neither is good. VIZIO released a statement about the settlement:

"VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs.  Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors... the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang."

Terms of the settlement agreement and the Court Order (Adobe PDF) require VIZIO to:

"A. Prominently disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or other similar document: (1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information;

B. Obtain the consumer’s affirmative express consent (1) at the time the disclosure...

C. Provide instructions, at any time the consumer’s affirmative express consent is sought under Part II.B, for how the consumer may revoke consent to collection of Viewing Data.

D. For the purposes of this Order, “Prominently” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers..."

The Order also defines that disclosure must be visual, audible, in all formats which VIZIO uses, in easy-to-understand language, and not contradicted by any legal statements elsewhere. Terms of the settlement require VIZIO to pay $1.5 million to the FTC, $1.0 million to the New Jersey Division of Consumer Affairs (which includes a $915,940.00 civil penalty and $84,060.00 for attorneys’ fees and investigative costs). VIZIO will not have to pay $300,000 due to the N.J. Division of Consumer Affairs if the company complies with the court order and does not engage in acts that violate the New Jersey Consumer Fraud Act (CFA) during the next five years.

Additional terms of the settlement agreement require VIZIO to destroy information collected before March 1, 2016, establish and implement a privacy program, designate one or several employees responsible for that program, identify risks of internal processes that cause the company to collect consumer information it shouldn't, design and implement a program to address those risks, develop and implement processes to identify service providers that will comply with the privacy program, and hire an independent third party to audit the privacy program every two years.

I guess the FTC and New Jersey AG felt this level of specificity was necessary given VIZIO's past behaviors. Kudos to the FTC and to the New Jersey AG for enforcing and protecting consumers' privacy. Given the rapid pace of technological change and the complexity of today's devices, oversight is required. Consumers simply don't have the skills or resources to do these types of investigations.

What are your opinions of the VIZIO settlement?

Comments


George

Wise consumers realize that law enforcement treats smart TVs just like any other computing device (e.g., desktop, laptop, tablet, phone):

"Whilst Vizio and other TV manufacturers will likely pay more heed to consumers' desire to keep Big Brother out of their home lives, police are just starting to get their heads round the idea that such connected devices might have useful evidence within. Thus far, I've only been able to uncover one case in which the feds sought to look through the information stored on the set. It occurred in June 2016, when San Diego officers working for the Homeland Security Investigations (HSI) unit sought information from the Samsung smart TV of Mikhail Feldman... Feldman had admitted to watching adult and child pornography on his Samsung television, using Google on the TV to find the material. The warrant treats the TV like a normal computer, allowing the feds to access all files stored on the Samsung device that pertained to child abuse imagery and video, as well as browsing history, online profiles and associated passwords, amongst other data... Police were right to look at the TV like a standard PC. According to Rob Lee, digital forensics and incident response lead at the SANS Institute, said in many cases, TVs are just "very large smartphones." "So the potential for exploitation is there," he added."

And wise consumers do the same. Here's why:

"... malicious hackers have found weaknesses across smart TVs before. At the end of 2016, a software engineer warned about ransomware appearing on his LG TV. Reports of such activity emerged earlier that year... Whilst the case of the Samsung TV shows how home-connected devices should be treated like typical digital devices, smart televisions don't come with the same security protections. That extends to Apple TV too, says Mattia Epifani, CEO of Italian forensics experts Reality Net..."

That Time Cops Searched A Samsung Smart TV For Evidence Of Child Abuse
http://www.forbes.com/sites/thomasbrewster/2017/02/07/samsung-smart-tv-fed-search-child-pornography/#74b416225358

George
Editor
http://ivebeenmugged.typepad.com
