Researchers from Northeastern University and Imperial College London confirmed that smart TVs from Samsung, LG and Amazon were sending data such as location and IP address to Netflix, Google and Facebook.
Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy risks, since these devices can communicate information about their users to other parties over the Internet. However, understanding these risks in depth and at scale is difficult due to heterogeneity in devices’ user interfaces, protocols, and functionality.
In their study, the researchers conducted a multidimensional analysis of information exposure from 81 devices located in labs in the US and UK. Through a total of 34,586 rigorous automated and manual controlled experiments, they characterized information exposure in terms of the destinations of Internet traffic, whether the contents of communication are protected by encryption, which IoT-device interactions can be inferred from such content, and whether there are unexpected exposures of private and/or sensitive information (e.g., video surreptitiously transmitted by a recording device).
The researchers found that the data were being sent from their devices whether or not the user had a Netflix account. They also found that other smart devices including speakers and cameras were sending user data to dozens of third parties including Spotify and Microsoft.
Amazon, Google, Akamai and Microsoft were the most frequently contacted companies, partly because these companies provide cloud and networking services for smart devices to operate on, the researchers said.
“Amazon is contacted by almost half the devices in our tests, which stands out because [this means] Amazon can infer a lot of information about what you’re doing with different devices in your home, including those they don’t manufacture,” said David Choffnes, computer scientist at Northeastern University and one of the paper’s authors. “They also can have a lot of visibility into what their competitors are doing.”
By analysing network traffic, the Northeastern team concluded that third parties receive, at the very least, information about the device people are using, their locations, and possibly even when they are interacting with it.
Because much of the data being sent out by device manufacturers was encrypted, the academics were not aware of exactly what additional data were being transmitted.
In a separate study of smart TVs by Princeton University, researchers found that some apps supported by Roku and FireTV were sending data such as specific user identifiers to third parties including Google.
The findings are not surprising, but they are once again expected to heighten concerns about the privacy of user data on the internet just as smart devices, including televisions, are flooding homes.
Commenting on the study, Netflix said: “Information Netflix receives from smart TVs that are not signed in is confined to how Netflix performs and appears on screen. We do not receive any information about other applications or activity on smart TVs.”
Facebook said: “It’s common for devices and apps to send data to the third-party services that are integrated into them. This could, for example, include an app sending data to Facebook to create a login interface, or provide a Like button.”
Google said: “Like other publishers, smart TV app developers can use Google’s ad services to show ads against their content or measure the performance of ads. Depending on the user’s chosen preferences on the device and consents, the publisher may share data with Google that’s similar to data used for ads in apps or on the web. Depending on the device manufacturer or the app owner, data sent to Google could include user location, device type and what the user is watching within a specific app so they can be targeted with personalized advertising.”