Vizio smart TVs tracked viewers around the clock without consent

Dan Goodin
Vizio, one of the world's biggest makers of Smart TVs, is paying $2.2 million to settle charges that it collected viewing habits from 11 million devices without the knowledge or consent of the people watching them.
According to a complaint filed Monday by the US Federal Trade Commission, Internet-connected TVs from Vizio contained ACR—short for automated content recognition—software. Without asking for permission, the ACR code captured second-by-second information about the video the TVs displayed. The software collected other personal information and transmitted it, along with the viewing data, to servers controlled by the manufacturer. Vizio then sold the data to unnamed third parties for purposes of audience measurement, analysis, and tracking.
"For all of these uses, Defendants provide highly specific, second-by-second information about television viewing," FTC lawyers wrote in Monday's complaint. "Each line of a report provides viewing information about a single television. In a securities filing, Vizio states that its data analytics program, for example, 'provides highly specific viewing behavior data on a massive scale with great accuracy, which can be used to generate intelligent insights for advertisers and media content providers.'"
In an e-mailed statement, Vizio officials wrote: "The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors."
The tracking started in February 2014 on both new TVs and previously sold devices that didn't originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information—including age, sex, income, marital status, household size, education level, home ownership, and home values—to be associated. The collection occurred under a setting that was described as a "Smart Interactivity" feature that "enables program offers and suggestions." The menu never informed users that the feature also transmitted viewing habits or other personal information. The complaint offered these additional technical details:
Through the ACR software, Vizio's televisions transmit information about what a consumer is watching on a second-by-second basis. Defendants’ ACR software captures information about a selection of pixels on the screen and sends that data to Vizio servers, where it is uniquely matched to a database of publicly available television, movie, and commercial content. Defendants collect viewing data from cable or broadband service providers, set-top boxes, external streaming devices, DVD players, and over-the-air broadcasts. Defendants have stated that the ACR software captures up to 100 billion data points each day from more than 10 million VIZIO televisions. Defendants store this data indefinitely.
Defendants’ ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items.

Big Brother is watching

The allegations are only the latest to raise troubling privacy concerns about Internet-connected TVs and other so-called Internet-of-things devices. In late 2015, security researchers found that Vizio TVs failed to properly validate the HTTPS certificates of servers they connected to when transmitting viewing-habit data. That made it trivial for anyone who had the ability to monitor and control the Internet traffic passing between the TV and the Vizio servers to impersonate the servers and view or tamper with the transmitted data. Smart TVs manufactured by LG have also been caught collecting potentially sensitive data, including a list of shows being watched, the names of files contained on connected USB drives, and the names of files shared on home or office networks.
Under the terms of the settlement, Vizio will pay $1.5 million to the FTC and $700,000 to the New Jersey Division of Consumer Affairs. The settlement also requires Vizio to delete all data collected before March 1, 2016. Additionally, Vizio has agreed to prominently disclose and obtain express consent for all future data collection. The FTC has more details about the case here and here.
Post updated to add comment from Vizio.
