Consumer Reports found that Samsung and Roku Smart TVs were vulnerable to hacking through a web-based attack. Photo: Michael A. Smith
Over the past few years, the Digital Lab has evaluated and tested a number of products and services, informed by criteria, indicators and testing processes from the Digital Standard. To bring more transparency to the Digital Standard, we are launching a series of case studies that highlight examples to help clarify:
- Problems & Context: What type(s) of problems with products and services does Consumer Reports look into for further testing and evaluation?
- Processes & Methods: What processes or methods does the team use to evaluate and investigate products and services?
- Impact: What type of impact do the product and service evaluations have on stakeholders like industry practitioners, manufacturers, and policymakers?
- Using The Digital Standard: How was the impact of this work informed by the Digital Standard?
Our next case study covers Consumer Reports’ work on Smart TVs.
Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds
Project timeframe
First test scores: February 2018
Latest update on test scores: May 2020
Problem
Smart TVs can monitor watching behavior: Smart TVs are sets that connect to the internet, making it easy to stream videos from services such as Hulu and Netflix. Most smart TVs are equipped with “automated content recognition” (“ACR”) that scans images on viewers’ screens and identifies the content by comparing it to its own known videos, shows, and movies. In doing so, smart TVs can generate a detailed log of what consumers watch — often without clear notice or permission. In addition, consumers often cannot buy a TV that is not smart these days, thus making them more likely to be creeped on by their TV manufacturer.
Data sharing to advertising companies: Other researchers have found much the same thing. In one study, researchers at Northeastern University and Imperial College London looked at smart TVs and other internet-connected devices and found that many of them sent data to Amazon, Facebook, and Doubleclick, Google’s advertising business. Nearly all the TVs sent data to Netflix even if the app wasn’t installed or the owner hadn’t activated it.
Many channels to share more data: Another study, by researchers at Princeton and the University of Chicago, looked not at TVs but at two popular set-top streaming devices from Roku and Amazon Fire TV. More than 2,000 channels were offered, and the researchers found trackers on 69 percent of Roku channels and 89 percent of Amazon Fire TV channels. The numbers are likely to be the same for smart TVs that have Roku or Amazon platforms built in.
Potential hacks or security issues: The smart TV itself may be subject to hacks or other security issues due to the connected nature of the product. Consumers often don’t know how much data is collected about them while they use their TV, and they often don’t know how or if they can change how much they share. Additionally, consumers have no way of evaluating the security of their smart TV. As part of one of our first case studies under the Digital Standard, we looked to evaluate smart TVs in order to respond to these two concerns.
[Excerpts gathered from CR Article: How to Turn Off Smart TV Snooping Features]
Process
Full testing: In February 2018, we performed our first ever tests on TVs using the Digital Standard. In 2020, we conducted another update on 2019 smart TVs in accordance with criteria of the Digital Standard. These generated new scores on the ratings site, incorporating data privacy and data security into our overall rating.
Qualitative interviews: In March 2020, we conducted a study with 16 volunteers around the country showing that people may not understand what information their TVs collect, or know about settings they can use to boost their privacy. The project was part of CR’s consumer experience and usability research program, in which we study how consumers interact with products to better inform our lab testing. In this case, a user-interface expert interviewed participants in an online environment as they clicked through screenshots taken from smart TV platforms. The participants helped us evaluate the type of smart TV platform they used at home, performing tasks such as finding privacy policies and the right settings for cutting down on data collection. Like laptops and smartphones, modern TVs collect consumer information, and the TVs come with privacy disclosures in their user agreements, which are typically displayed during the setup process. None of the volunteers in our study had read through an entire user agreement when they set up their TV.
Smart TV Digital Standard Test Protocol: Along with this, we published raw data from our Digital Standard testing including the workbook, test protocol, and test summary.
Output & Impact
Consumer Reports Article: Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds. This February 2018 report highlighted our tests’ finding that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws — this includes Samsung televisions, models made by TCL, and other brands that use the Roku TV smart-TV platform. Moreover, the TVs collect detailed information on their users, which raises privacy concerns.
Some key findings shared in the report include:
Overcollection by design. The platforms are designed for people to race through their TV’s setup, agreeing to everything, and a constant stream of viewing data will be collected through automatic content recognition. The technology identifies every show you play on the TV — including cable, over-the-air broadcasts, streaming services, and even DVDs and Blu-ray discs — and sends the data to the TV maker or one of its business partners, or both.
A choice between your data or your internet. People can limit data collection, but they may lose functionality. For example, if people turn off ACR monitoring while still agreeing to the set’s basic privacy policy, that may keep them from getting recommendations (“You liked ‘Westworld.’ Have you checked out ‘Godless’?”) Even the basic privacy policies may ask for the right to collect information on your location, which streaming apps you click on, and more. If you say no to these basic policies, the sets revert to old-fashioned dumb TVs: without the ability to stream anything from Amazon, Netflix, or other web-based services.
All-or-nothing privacy policy. The Sony television was the only one that required people to agree to a privacy policy and terms of service to complete the setup of the TV. The set uses Google’s Android TV platform, and consumers have to click yes to Google agreements, even if they don’t plan to connect to the internet. That could be a frustrating thing to discover only after you’d bought the big-screen TV at the store, lugged it home, and maybe mounted it to a wall. Even though you can’t skip the Google privacy policy, you can say no to the user agreements from Sony itself and from Samba TV, a provider of ACR technology.
Additional awareness:
- Home security buying guide: Consumer Reports created a home security buying guide outlining security camera options and what to look for when purchasing one.
- FTC Conference: We presented the smart TV testing results at the Federal Trade Commission’s PrivacyCon and incorporated this in Congressional testimony in June 2018.
- Video and op-ed surrounding the Super Bowl: We continued to promote the updates of this work by launching an awareness video around the time of the 2020 Super Bowl and publishing an op-ed on smart TV privacy for the San Francisco Chronicle just before the 49ers played in the Super Bowl.
[Excerpts gathered from CR Article: Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds]
How was this work informed by the Digital Standard?
This work incorporated several specific elements from the larger Digital Standard framework. Specifically, the comparative analysis used elements from the Security and Privacy sections of the Standard:
To see The Digital Standard in full, please visit: https://www.thedigitalstandard.org