"TVs are going down the same road that turned the web & smartphone apps into a cesspit of surveillance."
So said computer scientist Arvind Narayanan, associate professor at Princeton and leader of its Web Transparency and Accountability Project, in a recent lengthy Twitter thread.
Narayanan pointed to three recently published reports. The first, which he co-authored, looks at "over-the-top" TV streaming devices, in particular Roku TV and Amazon Fire TV.
"Traffic to known trackers present on 69 per cent of Roku channels and 89 per cent of Amazon Fire TV channels. We also observed that certain OTT channels contact more than 60 tracking domains and the data shared with the trackers include video titles, Wi-Fi SSIDs, MAC addresses and device serial numbers," the paper reads.
The researchers also looked at Pi-hole, a free network-level blocker for trackers and advertisers, but discovered that it is only partially effective. "Simulating Pi-hole's blocking of the information leaks we find that 26.7 per cent of the AD ID leaks and 44.6 per cent of the serial number leaks are missed by Pi-hole," the paper says. It concludes: "Our analysis of the available privacy countermeasures showed that they are ineffective at preventing tracking."
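The kind of simulation described above can be sketched as follows. This is an added example, not code from the paper or from Pi-hole: it replays observed identifier leaks against a domain blocklist and reports, per identifier type, how many leaks would still get through. The domains, flow records, function names and the exact-match blocklist model are all constructed assumptions.

```python
from collections import defaultdict

# Constructed blocklist (hypothetical domains). Assumption: an entry blocks
# only that exact hostname, so unlisted sibling subdomains still resolve.
BLOCKLIST = {"ads.tracker-one.example", "pixel.adnet.example"}

# Constructed capture: (channel, destination hostname, identifier type leaked)
FLOWS = [
    ("chan-a", "ads.tracker-one.example", "ad_id"),
    ("chan-a", "api.chan-a.example", "serial_number"),
    ("chan-b", "pixel.adnet.example", "ad_id"),
    ("chan-b", "cdn.tracker-one.example", "ad_id"),
    ("chan-c", "pixel.adnet.example", "serial_number"),
    ("chan-c", "metrics.platform.example", "serial_number"),
    ("chan-d", "ads.tracker-one.example", "ad_id"),
    ("chan-d", "telemetry.vendor.example", "mac_address"),
]

def is_blocked(domain, blocklist=BLOCKLIST):
    """True if a DNS-level blocker holding this list would refuse the lookup."""
    return domain.lower().rstrip(".") in blocklist

def missed_leaks(flows, blocklist=BLOCKLIST):
    """Return {identifier type: (missed, total, percent missed)}."""
    total, missed = defaultdict(int), defaultdict(int)
    for _channel, domain, id_type in flows:
        total[id_type] += 1
        if not is_blocked(domain, blocklist):
            missed[id_type] += 1
    return {t: (missed[t], total[t], round(100 * missed[t] / total[t], 1))
            for t in total}

def unblocked_destinations(flows, blocklist=BLOCKLIST):
    """Hostnames that received an identifier but are absent from the list:
    the candidates a defender would review for adding to the blocklist."""
    seen = defaultdict(set)
    for _channel, domain, id_type in flows:
        if not is_blocked(domain, blocklist):
            seen[domain].add(id_type)
    return {d: sorted(ids) for d, ids in sorted(seen.items())}

if __name__ == "__main__":
    for id_type, (m, n, pct) in missed_leaks(FLOWS).items():
        print(f"{id_type}: {m}/{n} leaks missed ({pct} per cent)")
    for domain, ids in unblocked_destinations(FLOWS).items():
        print(f"not on blocklist: {domain} received {', '.join(ids)}")
```

The per-destination output shows why a list of known tracker domains leaves gaps: identifiers sent to a channel's own API host or to an unlisted hostname are never matched.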
The second paper (PDF), Information Exposure from Consumer IoT Devices, is co-authored by researchers at Northeastern University, Boston, and Imperial College London. Devices include cameras, video doorbells, home automation devices, TVs, smart speakers and appliances.
The paper reports: "TVs (i.e. Samsung TV, LG TV, Roku, Fire TV) contact the largest number of third parties among all device categories." Another notable fact is that "nearly all" TV devices in the study's testbeds contacted Netflix, "even though we never configured any TV with a Netflix account". The paper also notes that "57.45 per cent (50.27 per cent) of the overall destinations contacted by the US (UK) IoT devices are third or support parties, and 56 per cent of the US devices and the 83.8 per cent of the UK devices contact destinations outside their region."
The researchers found that smart TVs contacted 350 advertising or tracking domains. The top two were Google's DoubleClick and GoogleSyndication. 41 per cent of the TVs contacted domains that would be blocked by the Firefox Disconnect tool, though one of the issues is that smart TVs lack this kind of privacy control. The researchers noted that Roku now makes more from "platform", which is mostly advertising, than player revenue.
Narayanan said: "It is unfortunate that TV platforms are turning to targeted ads as the main way to make money. To maximize revenue, they will likely turn to data mining and algorithmic personalization/persuasion to keep people glued to the screen as long as possible."
He voiced worries about potential developments such as cross-device tracking, for example, using an ultrasonic beacon from TV to smartphone in order to link the two. "Unlike web tracking, our ability to control tracking on TVs is also limited, because TVs are closed platforms and there is no analog of browser extensions," he wrote.
In an era where algorithmic advertising is being used to sway voters and personalised content reduces an individual's exposure to balanced viewpoints, the implications of extending this to television content are troubling.
"I see only one way: let's de-legitimize targeted advertising as a business model," said Narayanan.
That sounds like a forlorn hope, though one slight mitigating factor is the improvement in tools to monitor and even block the trackers, as referenced by these papers. But even if they get much better, that does not mean they will be widely used. ®