Sophos Cloud Optix
Last week, we wrote about how a UK blogger named DoctorBeet became suspicious that his LG Smart TV was phoning home with more information about his use of the TV than he might have liked.
Some investigation with Wireshark followed – that’s a free, powerful and highly recommended network packet sniffer – and his suspicions were confirmed.
Even after he expressly turned off the clumsily but unambiguously named “Collection of watching info” option, his TV continued to send back information (or to steal it, if you want to call a specialised earth lifting leverage tool a spade) that any reasonable person would consider none of the TV maker’s business.
LG’s initial response, reports DoctorBeet, was pretty much to disown all resposibility for the firmware in its device:
The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.
When in doubt, blame the merchant!
If you think that is the worst excuse you’ve ever heard for a privacy breach, you’re not alone.
In fact, LG itself must have thought so (or the company decided to take a second opinion from another lawyer), because it soon changed its tune, sending our good friend and former Naked Security colleague Graham Cluley a PR statement that beat a different drum:
At LG, we are always aiming to improve our Smart TV experience. Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. Our customers’ privacy is a very important part of the Smart TV experience so we began an immediate investigation into these claims. Here’s what we found:
Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information. This information is collected as part of the Smart TV platform to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching. We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.
It has also been reported that the names of media files stored on external drives such as USB flash devices are being collected by LG Smart TVs. While the file names are not stored, the transmission of such file names was part of a new feature being readied to search for data from the internet (metadata) related to the program being watched in order to deliver a better viewing experience. This feature, however, was never fully implemented and no personal data was ever collected or retained. This feature will also be removed from affected LG Smart TVs with the firmware update.
LG regrets any concerns these reports may have caused and will continue to strive to meet the expectations of all our customers and the public. We hope this update clears up any confusion.
Graham already did a blow-by-blow dissection of this statement, and he wasn’t impressed.
You shouldn’t be, either.
The elevator pitch/lift summary is simple:
- The “collection of watching info” option collects viewing information, which LG defines as “not personal”, so stop moaning.
- LG collects that data even when you tell it not to, but it doesn’t actually do anything with it, so stop moaning.
- OK, so LG will alter the software so it tells the truth about collecting the info.
- OK, LG also collects data off your own storage devices, like filenames, but that was just a coding error, so stop moaning.
- OK, so LG will alter the software to remove the code that wasn’t supposed to have been released in the first place.
- LG is sorry if you somehow got confused and formed the opinion that it was helping itself to data that it shouldn’t have.
We wondered over the weekend why the statement sent to Graham wasn’t more widely circulated by LG.
We didn’t receive a copy, for example, and most stories covering this isasue ended up linking to Graham’s article, presumably lacking a primary source of their own.
We now seem to know why: LG must have been a bit less than sure of its facts, and has changed its tune again since telling Graham that this whole thing was really just a pile of confusion.
Its official on-line statement is different in an intriguing but subtle way.
LG told Graham that it collected viewing info “as part of the Smart TV platform to deliver more relevant advertisements,” but apparently it doesn’t do that.
In fact, says LG’s new statement, the company unequivocally if ungrammatically states that it “does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners.”
Clear as mud.
With a second blogger confirming and extending DoctorBeet’s findings, I wouldn’t be surprised if LG has a fourth go at explanining itself.
We’ll have to wait and see whether LG’s next statement starts with the words, “Dear customers, we made a mistake and we apologise,” or with, “Dear Information Commissioner’s Office…”
What do you think?
Would a proper apology still do the trick, or is it too late for that now?
Image of old school TV courtesy of Shutterstock. The static on the TV picture is inspired by the Happy Hour Virus, imagined in the era before NTSC.
It’s yet another example of a company who can’t keep their fingers out of other people’s data pie.
I’ve never been a fan of the ‘smart TV’ fad as personally I’d rather hook a computer up to my TV. So this interaction will definitely play in my mind the next time I go to buy a TV, and put LG at the bottom of the list (until something about one of the other TV companies no doubt crops up)
Thanks for the article
Personally I don’t care much about what else LG comes up with – I don’t have a smart TV yet, and when I buy one LG will be at the bottom of the list of candidates until I forget this issue. I have a good memory.
LG as others who have no accountability beyond viewers short term memories won’t repent their actions. You are merely a piece of marketing meat. Send your LG tvs/monitors/and mobile phones back to them. Nahh…you can’t do that because…then stop whining ladies and gentlemen.
One is left to wonder if other brands do like wise.
I’m sure this incident has set someone in motion to test other brands and get their 15 minutes of Internet fame when announcing the results.
it is still data collection and with respect to LG and Samsung you are in a grey area when it comes to the law as you are not entitled to collect it with out authorisation from the client.
Does the TV come up with a “Terms & Conditions” statement that you have to ‘ok’? If I got a TV with that, I would take it back! And if your viewing information is not personal what is it if they can target you for advertisements?
I have made it a promise that I will not purchase anything LG sells if it connects to the Internet, period.
What a bunch of BS.
Jack
I will boycott LG purchases for life. Since they were this fickle when they were caught imagine what they have been doing all along.
The correct information is probably much like Lucky Goldstar says:
“LG does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners”
They just turn around and “Sell” it.
As one who has never owned a Lucky Goldstar product that worked properly I would never buy another so I am safe… Or are all th “Smart” TV manufacturers in this boat also?
Nope, too late already. A proper apology is still needed, but it won’t be enough. I don’t know about a legal definition, but I’m pretty sure the ‘man on the Clapham omnibus’ would expect his viewing information to count as personal information.
Too many companies are trying it on, doing whatever they think they can get away with. We need to start hitting them with proper, punitive fines that make the rest stop and think.
Your viewing habits are, in my opinion, personal information. It may not be name, address, email, password, ID information, etc but it is certainly relevant to what you like or dislike to watch. The semantics they employ in their argument are not really relevant as it is data about a person or persons. That they mentioned targeted advertising is worrying as most don’t want any such targeting for monetary gain.
I will not be buying an LG product – they have shot themselves in the corporate foot.
I wonder if there was any revenue stream associated with that data….
LG needs to come clean. Admit they got caught with their fingers in the cookie jar, correctly and permanently fix any issues with their software, and change to an opt-in policy.
So if a person watches a lot of “adult entertainment” what kind of targeted advertisement are they going to get??
Seems to me that once the Genie has been outed, it’s way too late for an apology. Why you would need a “smart” TV in the first place. Do something archaic like read a book. Break your addiction to TV unless you really need to have your active conciouness flat lined.
Too late for an apology. The original response to DoctorBeet was borderline rude and likely most accurately portrays LG’s actual sentiments concerning this issue: you lost your rights the moment you turned our product on.
The only way LG is going to learn a lesson on this is if consumers now assert THEIR rights by leaving LG product sitting on the showroom floor and instead purchase other manufacturers’ products. Profits will send the loudest message.
One less vendor to consider in my upcoming purchase
The last thing I will purchase is a “Smart TV” ….. from any manufacturer.
I doubt you can avoid smart TVs indefinitely, unless you forgo TVs for the rest of your life.
I’d almost bet that smart TVs will eventually become the only TVs that are available for sale in online and physical retail stores precisely because of their surveillance capabilities.
Btw, do some TVs record people and voices that are in the vicinity?
yes a very smart tv but they all it how long before another companys found out collecting more info on ones family yep how long how many jeff3
I’m curious. At what point was DoctorBeet actually presented with these “terms and conditions” and what action was taken to agree with them?
I have a suspicion that they were buried somewhere in the documentation (either on paper or hiding in the setup menu) and there was no formal acceptance process.
“This feature, however, was never fully implemented and no personal data was ever collected or retained”
“Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information”
So they can label personal data as non-personal data as they see fit and collect that information, then claim they’re not collecting personal information.
Right on.
Hmmm. All these folks are swearing off LG. I wonder if they are the same ones who swore off SONY when it installed rootkits. If Samsung goofs up too, there won’t be any company left from which to buy a TV.
Sort of like what happened to me when I had bad flights on several different airlines in a row.
If this practice is being undertaken in the UK then it and the company are subject to the provisions of the Data Protection Act(s). Perhaps someone ought to alert the office of the Data Protection Registrar?
SO you get a smart TV and view sport, News, and home shopping, a few DVD films, some may not be M rated. Then you decide that you are sick of using the DVD player and get a smart idea, You will spend hours copying DVD’s to a PC hard drive or an entertainment unit with a HHD. most are legit but some are copied. The problem is that technically even though you own the DVD media that you have copied they are now copied. So are you in breach of copy right laws? Can LG get this information as well?
These issues have all started with the ACTA, PIPA and SIPA laws for Internet copyright legislation. Basically it means that even if you have legally purchased material there are clauses that restrict the use of that material. You DO NOT own anything you buy as there seems to be a lease agreement. As for your privacy? What is that? We have not had privacy in certain areas for years. Our rights and liberties as well as our core freedoms have been stolen over the years .
We always compare our democratic system to the bad communist regimes, thanks to the media and the deliberate con that we have been tricked by by the comparison of those that are worse off than we are.
I wonder how much worse off we are and how many secret laws and regulation there are that we do not know about or that are not enforced that often?
Our, emails, telephone conversations, browsing history, Medical and work history and many other aspects of our life are and have been stored on Servers. I wonder if all of this is used for marketing? What kind of marketing and whom can get the information?
Well, I certainly will not be purchasing an LG television; then I will be absolutely sure that they are not collecting my ‘not personal but viewing information’. Great move LG – you have not only shown how dodgy you are, but how much you really don’t give a toss about your customers.
Yes this is another area of Data Profiling of Users, that Market Research can use/expolit. Do these people that Rave about never buying another LG product have an Android (Google) Phone. Do they know how Google make there money. By having Phones, Apps, Search Engines that keep track of every move you do and selling to to advertisers. Data Profiling is Big Money to the Marketing Sector and they what more. Since 911 people have thrown away there personal freedom and anonymity for “security”, unfortunately the youger generation is only to happy to feed the world all there life on Social Medial, Why now be paranoid about a TV knowing what you are doing.
Yes if it has a setting that sayes turn off transmission of data collection, then it should do that fuction.
For those that don’t read the fine print, look next time at those “Apps” you are downloading, nothing comes for free.
Mark
what i don’t understand is how manufacturers/corporate entities/etc can legally persist in pulling the wool over the buying public’s eyes by allowing such “Terms and Conditions” to include reprehensible verbage. didn’t the banks agree as terms to a recent settlement to stop this practice? why are entertainment & technology behemoths continueing to practice such underhanded tactics to get what they want? i’m sure they figured they would do diligent damage control by making up those lame excuses for past behavior, i.e. ‘viewing info is not personal info’ if such info is not linked to an actual name or person (used in aggregate only). if the future of television means relinquishing our privacy i only hope my 2004 Sharp
monstrousity that weighs nearly one hundred pounds or 45 kgs better not break down any time for the remainder of my earthbound life. even were i filthy rich i still could not fathom being bombarded by targeted adverts oh-so-humbly trying their darndest to seperate me from my money. if that is not a problem for all the new generations of consumers sprouting wings then i’m glad i won’t be around to witness the flotsam and jetsam