Welp, this caused a bit more of a dust up than I expected, esp when I’ve said similar things over the last years. Exciting :) So, rather than a pithy tweet, allow me to explain my thinking on this (read on for a thread if you dare...) https://twitter.com/gdead/status/1336470048244903938
First off, what’s the risk from a “smart TV”? A smart TV is another potentially shitty IOT device on your home network that can have a negative impact on your privacy. For example:
- Smart TVs use automatic content recognition (ACR) to detect what you’re watching
ACR data is then sold to content providers and advertisers
- Smart TVs also often have other features where they sell data based on what you’re searching for, what apps you use, and other characteristics
- Smart TVs have a historically bad track record on updates
Leaving you potentially vulnerable to attacks the longer you own, use, and trust the device with creds, network access, etc
You may not care about these risks. That’s cool if you’ve made the overt decision to accept them. The VAST majority of consumers don’t think about it tho
Ppl don’t buy products based on privacy concerns. They buy TVs b/c they’re cheap and looked good in the store. Geeks like us buy products based on privacy concerns (and yet somehow huge numbers of us use Facebook, but I digress)
So, the counter arguments.
“Lots of devices in your home have microphones, cameras, and networking. You must care about those too!”
I do care about those. But in general I care VERY differently about a device I bought as a one time purchase like a TV vs a device that..
I have a long standing relationship with the company I bought it from. Alexa/Home/Apple’s whatever are
A) relatively limited in hardware version so it’s easy for the developers to keep them patched
B) they are heavily motivated to keep the device functioning and secure...
In order to maintain revenue streams.
C) often have more serious regulatory/oversight frameworks in which to operate than the smart TV manufacturers do, providing the consumer more protections.
In short, if I pay you every month, you’re
Probably getting more revenue from that action alone than from selling my ad data. So they focus on where the money is. Smart TVs monetize your TV usage b/c that’s all they have post purchase.
Next up.. “What about Rokus et al?” Again, they have a much smaller set of hardware to maintain so it’s easier to get updates, and their revenue is tied ONLY to content (vs a TV which lets you play whatever you want) so they’re motivated to keep things secure
(An aside that @steve_tornio brought up. When the Roku is embedded in the TV you get the benefit of the content box but the downside of it being tied to the TV manufacturer. Better than when TVs roll their own smart TV stuff, worse than a standalone device)
Now, countermeasures. “You should just put it in a guest VLAN with all your other shitty IOT devices”. Yep. If you buy one of these you SHOULD ABSOLUTELY do that. However... this assumes a few things about the user
A) they know enough about the risks to do that
B) they have the infrastructure capable of doing that
C) they have the technical knowledge/can understand tutorials enough to do that
D) actually do that
The reality is, most ppl won’t do it. The VAST majority won’t
(Dirty secret.. I don’t. But I also have a very small set of IOT devices on my home network. We’ve made the choice to not adopt these types of technologies into our lives.)
So given the options of
- Get TV, turn on, accept all the agreements, configure WiFi and smart TV. YOLO!
- Get TV, turn on, accept all the agreements, put on guest WiFi, manage risk
- Get TV, turn on, don’t accept agreements and plug in my content device/ gaming system..
I’d recommend the last one. Further, I’d recommend it to any average consumer for all the reasons above. It allows them to still have the content they want but not use the smart TV capability to get it.
I appreciate all the feedback on my initial tweet. It certainly got me to re-evaluate why I have this view... and upon re-reviewing my view, as it were, I landed in the same spot
Also, there are lots of resources for those looking to disable ACR and other features (such as https://www.komando.com/tech-tips/stop-smart-tv-tracking/544540/). However, be aware there are things you CAN’T opt out of on your smart TV even with conservative settings. /fin