from the I-always-feel-like-somebody's-watching-me dept
Security isn't the only thing being ignored as hardware vendors rush to connect televisions, toasters, and tea kettles to the internet. Consumer privacy and data-collection transparency has also become a distant afterthought as companies rush to cash in on the ocean of data these connected-devices collect. The "smart" television sector has been notably problematic, with Samsung busted a few years back for not only recording customer living room conversations, but transmitting that data unencrypted back to the company mothership.
These are lessons that hardware vendors appear incapable or unwilling to learn. Case in point: this week the FTC announced that it had struck a $1.2 million settlement with discount TV vendor Vizio. According to the full FTC complaint (pdf), Vizio began using the company's smart televisions to track user behavior in 2014, without informing customers that this was happening. The FTC notes that Vizio for years heavily advertised a "Smart Interactivity" feature that "enables program offers and suggestions." But the complaint notes this feature never provided customers with a single suggestion.
But it did provide Vizio with a wonderful new way to collect and store a huge variety of consumer data under the pretense of adding consumer functionality. MAC addresses, IP addresses, nearby WiFi network names, metadata were all hoovered up and stored. And when the FTC says viewing data, it means that Vizio used pixel analysis to compile personal data on every program and device connected to the Vizio set:
"According to the agencies’ complaint, starting in February 2014, VIZIO, Inc. and an affiliated company have manufactured VIZIO smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices.
In addition, VIZIO facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value, the agencies allege. VIZIO sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices, according to the complaint."
Again, this in and of itself isn't that controversial, especially in the age of location data and cell phones. The fact that Vizio chose not to tell anyone this data was being collected is where the company ran afoul of the FTC. An FTC blog post has a little more detail on just how specific this data was, and to whom it was sold:
"And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership. And Vizio permitted these companies to track and target its consumers across devices."
It's here that we'll remind you that the "anonymization" of data doesn't mean much. Time and time again, studies have shown that anonymized data sets aren't really anonymous, given that it only takes a few additional contextual clues (the likes of which companies that collect this sort of data already have) to ferret out personal identities.
It's not really clear how many settlements of this type it's going to take before "smart" hardware vendors acknowledge that being transparent with consumers (which frankly is neither onerous or particularly difficult for them in the 400-page EULA era) is important. And should we continue to weaken FCC and FTC privacy oversight of ISPs and hardware vendors (as is strongly implied by both agencies), that's less likely than ever to happen anytime soon.