TV WATCHES YOU
TOPICS BELOW
Intro and Background, Defending your TV privacy (in general),
About Roku,
Defending your privacy on Roku,
Defending your privacy - Non-Roku,
Hacked TV?,
Articles, FYI
One reason Televisions are so cheap is because of advertising, and to make that advertising effective, the TV has to spy on you.
Part of the spying is Automatic Content Recognition (ACR) which watches the screen along with you. No matter the source of the video on the screen, ACR is watching and it takes a screenshot twice a second. The screen shot is sent to the cloud to identify what you are watching. You can probably disable ACR, but the game is rigged against you. In the worst case, it may take 37 clicks (see the December 2023 article from The Markup in the Articles section below).
INTRO AND BACKGROUND
Good introduction to the topic: The Hidden Cost of Cheap TVs by Justin Pot for The Atlantic. January 3, 2023. Quoting: "the story of cheap TVs is not entirely just market forces doing their thing. Perhaps the biggest reason TVs have gotten so much cheaper than other products is that your TV is watching you and profiting off the data it collects ... Smart TVs are just like search engines, social networks, and email providers that give us a free service in exchange for monitoring us and then selling that info to advertisers leveraging our data ... The companies that manufacture televisions call this 'post-purchase monetization,' and it means they can sell TVs almost at cost and still make money over the long term by sharing viewing data."
Background: Your TV set has become a digital billboard. And it's only getting worse. by Scharon Harding for Ars Technica. August 19, 2024. This not a technical article, it is an overall view of advertising and spying on TVs. Quoting: "Rather than selling as many TVs as possible ... LG, Samsung, Roku, and Vizio are increasingly, if not primarily, seeking recurring revenue from already-sold TVs via ad sales and tracking." One sneaky trick: initially a TV may not show many ads but a future firmware update could make things worse. Smart TV advertising revenue exceeds smart TV hardware revenue in the US. Only in the US. (me: unlike other countries, the US Congress has been bribed to not pass any privacy protection laws) Eight days after this article was published, there were 692 comments on it. People care about this.
Background: Smart TV Makers Will Soon Make More Money Off Your Viewing Habits Than The TV Itself by Karl Bode (May 2021). We can not buy a "dumb" TV that's just a display with HDMI ports because consumer data is so profitable.
Background: Reg reader returns Samsung TV after finding giant ads splattered everywhere by Gareth Corfield for The Register (November 2021). Note the excerpt at the end from the Samsung privacy policy: the manufacturer will collect "the networks, channels, websites visited, and programs viewed on your devices and the amount of time spent viewing them ".
DEFENDING YOUR TV PRIVACY (IN GENERAL)
- The ultimate defense is not to connect a Smart TV to the Internet (other than maybe to update the firmware).
- An external streaming box such as Roku, FireTV and Apple TV may be safer than the Internet operating system in a Smart TV. For one thing they can be powered off when not in use. Less spying and you save on electricity. In addition, when they stop getting software updates they are easier to replace than a TV.
- When the TV needs software updates, use Ethernet if possible. If Wi-Fi is the only option, make a new network (SSID) for the TV, do the updates, then delete the Wi-Fi network.
- Do not connect your Google or Facebook account to your Smart TV or to your streaming box (Roku, FireTV, etc).
- If your TV has a camera, cover it with tape. From the October 22, 2019 episode of the Hackable podcast.
- Advanced Defense: A profile is formed based on the public IP address of your home. One defense is to connect the TV to a router running VPN client software.
This will hide your public IP address and also let you change what appears to be your public IP address.
- Advanced Defense: a router that supports outbound firewall rules, such as the Pepwave Surf SOHO, can block the TV from phoning home. First, watch where it sends data, then block these transmissions one a time (in case some of them are necessary). Using a Raspberry Pi running Pi-Hole for DNS should also be able to block a TV from phoning home. Or, a free account at OpenDNS lets you audit the DNS on your home network and block some domains.
- Privacy of Streaming Apps and Devices: Watching TV That Watches Us from Common Sense Media (Aug 2021). There are two things here, a large report on extensive testing that they did and a short privacy rating for assorted streaming hardware boxes and streaming services.
- Defense: one type of attack comes from the LAN. Roku, and perhaps competing devices, can accept commands using HTTP from the LAN. To prevent this, isolate the streaming box. If using Wi-Fi, connect it to a Guest network. Some, not all, routers will isolate Guest network users from each other, blocking this type of attack. More advanced users can put the streaming box in a VLAN. The first suggested Roku setting above, should also block this, but it only applies to Roku and may change in the future.
- Drastic: rather than use a TV, any TV, consider using a computer monitor and an Apple TV box.
ABOUT ROKU
- Roku sells hardware only as a way to sell ads. In their last financial report (as of April 2024)
they lost $44 million selling hardware devices and made close to $1.6 billion selling ads and services. This matters for Defensive Computing because advertising companies
make more money by spying on people.
- Welcome to the Golden Age of User Hostility
by Charlie Warzel for The Atlantic. April 11, 2024. For subscribers only. Mentions the enshittification of Roku and other companies.
- Roku filed a patent to hack into an HDMI video stream and insert ads. See Hdmi customized ad insertion
- April 12, 2024: Roku warns 576,000 accounts hacked in new credential stuffing attacks by Sergiu Gatlan for Bleeping Computer. Despite the headline this does not sound like Roku itself was hacked. Rather people used the same email and password elsewhere and their credentials were stolen elsewhere, then used to login to Roku accounts. This also happened in early March 2024. A big big thing with Defensive Computing is NEVER to re-use a password. Its hard, but this is why. Roku has reset the passwords for impacted accounts and is notifying affected customers. They also added support for two-factor authentication (2FA) and has enabled it by default for all customer accounts.
DEFENDING YOUR PRIVACY ON ROKU
- Check these settings (as of OS version 11.5.0 Nov. 2023)
Privacy -> Advertising -> Advertising Preferences -> configure as desired
Privacy -> Advertising -> turn Personalize ads OFF
Privacy -> Advertising -> reset the Advertising ID every now and then
Privacy -> Voice -> Microphone access -> Channel microphone access -> set to Never allow
Privacy -> Voice -> turn off the Speech recognition checkbox
Privacy -> Smart TV Experience -> disable "Use info from TV inputs" (not on a standalone box)
System -> Screen Mirroring -> set Screen Mirroring Mode to either Prompt or Never Allow
System -> Advanced System Settings -> Control by Mobile Apps -> disable "Network Access"
Zip code -> Do not use your real one. Maybe none, maybe one in same time zone
- On the Roku website, visit this page Advertising & privacy preferences and lock down things there
- To use a Roku box, requires a Roku account, which uses an email address as the userid. If possible, create a new email address just for Roku. There is a page on this site devoted to creating multiple email addresses.
- The Mozilla Privacy Not Included website has a page devoted to Roku Streaming Sticks dated Nov. 9, 2022. They offer 10 defensive steps.
- Roku TV: From How to Disable Interactive Pop-Up Ads on Your Roku TV by Chris Hoffman October 2019. As of Roku OS 9.2, the TVs display pop-up advertisements over commercials on live TV. If an advertiser has partnered with Roku, that advertiser can display an interactive pop-up ad over the normal commercial. This only applies to Roku TVs, not the external sticks or boxes. To disable it: Settings -> Privacy -> Smart TV Experience -> disable "Use info from TV inputs".
- See also the December 2023 article from The Markup in the Articles section below.
- There are many articles about blocking Roku monitoring by blocking access to assorted domains and sub-domains. For a long time now I have blocked all access from my LAN to scribe.logs.roku.com and cooper.logs.roku.com. My Roku box works just fine without these. I chose them because they were the most popular logs my Roku box was accessing.
- Roku networking: I have seen a Roku 2XS running firmware 9.1.0 make outbound requests to the Google DNS server at 8.8.8.8, port 53, using TCP. This is suspicious for multiple reasons, one being that the router assigns other DNS servers. Thus, the use of 8.8.8.8 is hard coded into either the Roku system or one of the channels. One reason to do this is to avoid DNS based restrictions in the router. Also, UDP is the norm for DNS, not TCP. I have not captured the actual packets.
- More Roku networking: I always see the same Roku 2XS box making outbound connections to IP address 172.29.243.255. This should never occur as this is a private IP address, one that can never exist on the Internet. These connections use UDP and both the source and destination port are always 1975. This seems to be part of the OS, I see it even when just powering on and not using any channels. I contacted Roku about this and they would not explain why this happens.
- From Roku: Protecting your Roku account April 12, 2024
- From Roku: How to keep your Roku account secure April 2024. Create a PIN to limit who can make purchases through your Roku device, Roku TV, as well well as to add parental controls. The PIN is needed to authorize transactions after it is created.
DEFENDING YOUR PRIVACY - NON ROKU
- ACR is a big thing to disable. It may be turned on by default. Chances are that the OFF switch wil be buried somewhere deep in the settings menu.
- Netflix: login to netflix.com with your userid/password. Click on the profile icon in the top right corner, then click Account. To see all the info Netflix has on you, click on
"Download your personal information". To remove something from your viewing history: start at Account info, then click on a profile, then Viewing History. To remove an item, click the circle on the far right.
- Hulu: Log in to Hulu.com and open the Account page. Go to Privacy and Settings. Select Manage Nielsen Measurement and opt out. Select California Privacy Rights. Under Right to Opt Out, click Change Status and opt out. To clear the watch history: Under Manage Activity, click Watch History, then Clear Selected.
- Fire TV: Go to Settings -> Preferences -> Advertising ID. Then, disable Interest based ads. This may be old (I don't have a Fire TV). If so, try: Settings -> Preferences -> Privacy Settings. From there, disable Interest-based Ads, Device Usage Data and Collect App Data Usage. Also do: Settings -> Preferences -> Data Monitoring and turn it off.
- Apple TV
- Settings -> General -> Privacy -> Tracking -> turn it off
- Adjust privacy settings on Apple TV from Apple. Undated. Has instructions for multiple versions of tvOS
- From the Mozilla Privacy Not Included website, a report on Apple TV 4K November 1, 2023. Quoting: "All in all, yes, Apple is generally better than other Big Tech companies (cough, Meta, cough cough, Amazon, cough Samsung), when it comes to privacy. They seem to do a better job at collecting less data, probably because they aren’t trying to sell as many ads as Google and Facebook -- yet. So when we hear that more ads are coming, that does alert our privacy Spidey Sense a bit."
- Vizio TVs: How to turn Viewing Data On, Off, or Delete by Vizio (no date). See also their Privacy Policy (Last Updated Jan 2021)
- Amazon Prime video suggested settings are in the Amazon section
- Configuration articles
- November 27, 2024: Protect Your Privacy: Essential Settings to Modify on Roku, Apple TV, and More by Sarah Lord and Eli Blumenthal of CNET. Covers: Amazon Fire TV Stick, Google Chromecast with Google TV,
Roku and Apple TV.
- How to disable ACR (and greatly reduce ads) on every TV model - and why you should by Chris Bayer for ZDNet. August 26, 2024. Covers Samsung TVs, LG TVs, Sony TVs, Hisense TV, TCL TV (and other Roku-powered TVs)
- How to Turn Off Smart TV Snooping Features by James K. Willcox of Consumer Reports. This article has been continually updated. This version was Published February 17, 2021 then updated October 14, 2022 and again November 11, 2023. When I first linked to this article, it was dated September 2019. The article only covers TVs but it does include Roku TVs.
- Your smart TV is spying on you. Here are step-by-step instructions to stop it by Jefferson Graham in USA TODAY (January 2020). Covers Fire TVs, LG, TCL/Roku, Samsung, Sony and Vizio.
HACKED TV?
Has your TV been hacked? In the worst case, there will be no obvious symptoms. If you are lucky, some symptoms might be: unusual activity on the TV, strange popup windows or slow performance.
Bad guys might also change the privacy and/or security settings on the TV. So, review all these settings, change what you can and make a note of all the settings. Yes, a pain in the neck. Perhaps print the list and keep it near or under the TV so you can easily find it in the future. Then, every now and then, review the privacy and/or security settings to insure they have not changed.
If anything seems wrong, you may be able to restore the TV or external streaming box to factory settings. This is usually called a "reset"
ARTICLES
- December 16, 2024: Buying a TV in 2025? Expect lower prices, more ads, and an OS war. by Scharon Harding for Ars Technica. TV brands have become so dependent on ads that some are selling TVs at a loss to push ads.
Are you willing to share your data with retail conglomerates and ad giants to save money on a TV? Walmart bought Vizio in December 2024 for approximately $2.3 billion.
Why? Data collection done by the TV. For years, Vizio has been shifting its business from hardware sales to ads and the ads account for all the company's profit. Walmart wants to be BIG in the ad business. Why? The article says that the ad business has higher margins than groceries.
- September 25, 2024: LG TVs start showing ads on screensavers by Scharon Harding for Ars Technica. "The move embodies how ads are a growing and virtually inescapable part of the TV-viewing experience - even when you're not watching anything." The ad is fullscreen and appears before the conventional screen saver kicks in. The ad was localized to the region the TV was set to. You can disable the ads in the TV Settings. LG is focusing more on selling ads and tracking. they have a partnership with Nielsen that sends automatic content-recognition data to Nielsen.
- December 12, 2023: Your Smart TV Knows What You're Watching by Mohamed Al Elew and Gabriel Hongsdusit for The Markup. The article has instructions on disabling ACR for Roku, Samsung and LG.
It is not easy. Turning off ACR took them between 10 and 37 clicks.
The Roku ACR system is called "Smart TV Experience". It only exists on TVs, not Roku streaming boxes.
The Samsung ACR system is called "Viewing information services"
The LG ACR system is called "Live Plus"
- How to Stop Smart TVs From Snooping on You by Lance Whitney in PC Magazine (April 2020).
- Things are bad: You watch TV. Your TV watches back by Geoffrey Fowler for the Washington Post September 2019. No defense offered. Discusses ACR (automatic content recognition) on Smart TVs. Quote: "some TVs record and send out everything that crosses the pixels on your screen. It doesn’t matter whether the source is cable, an app, your DVD player or streaming box." They watched the data a TV transmits using IoT Inspector software from Princeton University.
- Things are bad: From Lily Hay Newman in Wired (September 2019) On Roku and Amazon Fire TV, Channels Are Watching You. The article discusses academic research from Princeton University and the University of Chicago that found over 2,000 streaming apps doing tracking even when told not to (see the Settings at the top of this topic). 89 percent of Amazon Fire TV channels and 69 percent of Roku channels contained easily spottable trackers that collected information about a viewing habits and preferences, along with unique identifiers. No defenses offered. Here is an article by the researchers: Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (September 2019) and their more formal research paper
Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming
Devices (PDF) by Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal and Arvind Narayanan.
- How to Access Secret 'Service Menu' for All Samsung TVs a YouTube video by WorldofTech.
December 2019
FYI
One of the companies watching you is incscape.tv. See their sample of live data.
Samsung can remotely disable their TVs worldwide using TV Block by Sergiu Gatlan of Bleeping Computer (August 2021)
Audio: For many reasons, the audio on TV sets is poor such that it makes it hard to understand what people are saying. Some TVs have a feature to boost the dialog or reduce loud noises. On Samsung look for the Amplify feature. On LG, look for Clear Voice II. On Roku TVs look for Dialog Enhancement or Speech Clarity. If you can afford to, connect the TV to a stereo system or a sound bar that has a center speaker.