Last week, we wrote about how a UK blogger named DoctorBeet became suspicious that his LG Smart TV was phoning home with more information about his use of the TV than he might have liked.
Some investigation with Wireshark followed – that’s a free, powerful and highly recommended network packet sniffer – and his suspicions were confirmed.
Even after he expressly turned off the clumsily but unambiguously named “Collection of watching info” option, his TV continued to send back information (or to steal it, if you want to call a specialised earth lifting leverage tool a spade) that any reasonable person would consider none of the TV maker’s business.
LG’s initial response, reports DoctorBeet, was pretty much to disown all resposibility for the firmware in its device:
The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.
When in doubt, blame the merchant!
If you think that is the worst excuse you’ve ever heard for a privacy breach, you’re not alone.
In fact, LG itself must have thought so (or the company decided to take a second opinion from another lawyer), because it soon changed its tune, sending our good friend and former Naked Security colleague Graham Cluley a PR statement that beat a different drum:
At LG, we are always aiming to improve our Smart TV experience. Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. Our customers’ privacy is a very important part of the Smart TV experience so we began an immediate investigation into these claims. Here’s what we found:
Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching. We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.
It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs. While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience. This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.
LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion.
Graham already did a blow-by-blow dissection of this statement, and he wasn’t impressed.
You shouldn’t be, either.
The elevator pitch/lift summary is simple:
- The “collection of watching info” option collects viewing information, which LG defines as “not personal”, so stop moaning.
- LG collects that data even when you tell it not to, but it doesn’t actually do anything with it, so stop moaning.
- OK, so LG will alter the software so it tells the truth about collecting the info.
- OK, LG also collects data off your own storage devices, like filenames, but that was just a coding error, so stop moaning.
- OK, so LG will alter the software to remove the code that wasn’t supposed to have been released in the first place.
- LG is sorry if you somehow got confused and formed the opinion that it was helping itself to data that it shouldn’t have.
We wondered over the weekend why the statement sent to Graham wasn’t more widely circulated by LG.
We didn’t receive a copy, for example, and most stories covering this isasue ended up linking to Graham’s article, presumably lacking a primary source of their own.
We now seem to know why: LG must have been a bit less than sure of its facts, and has changed its tune again since telling Graham that this whole thing was really just a pile of confusion.
Its official on-line statement is different in an intriguing but subtle way.
LG told Graham that it collected viewing info “as part of the Smart TV platform to deliver more relevant advertisements,” but apparently it doesn’t do that.
In fact, says LG’s new statement, the company unequivocally if ungrammatically states that it “does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners.”
Clear as mud.
With a second blogger confirming and extending DoctorBeet’s findings, I wouldn’t be surprised if LG has a fourth go at explanining itself.
We’ll have to wait and see whether LG’s next statement starts with the words, “Dear customers, we made a mistake and we apologise,” or with, “Dear Information Commissioner’s Office…”
What do you think?
Would a proper apology still do the trick, or is it too late for that now?