Vizio, one of the world's biggest makers of
Smart TVs, is paying $2.2 million to settle charges that it collected
viewing habits from 11 million devices without the knowledge or consent
of the people watching them.
According to a complaint filed Monday
by the US Federal Trade Commission, Internet-connected TVs from Vizio
contained ACR—short for automated content recognition—software. Without
asking for permission, the ACR code captured second-by-second
information about the video the TVs displayed. The software collected
other personal information and transmitted it, along with the viewing
data, to servers controlled by the manufacturer. Vizio then sold the
data to unnamed third-parties for purposes of audience measurement,
analysis, and tracking.
"For all of these uses, Defendants provide
highly specific, second-by-second information about television viewing,"
FTC lawyers wrote in Monday's complaint. "Each line of a report
provides viewing information about a single television. In a securities
filing, Vizio states that its data analytics program, for example,
'provides highly specific viewing behavior data on a massive scale with
great accuracy, which can be used to generate intelligent insights for
advertisers and media content providers.'"
In an e-mailed statement, Vizio officials
wrote: "The ACR program never paired viewing data with personally
identifiable information such as name or contact information, and the
Commission did not allege or contend otherwise. Instead, as the
Complaint notes, the practices challenged by the government related only
to the use of viewing data in the ‘aggregate’ to create summary reports
measuring viewing audiences or behaviors."
The tracking started in February 2014 on both
new TVs and previously sold devices that didn't originally ship with ACR
software installed. The software periodically appended IP addresses to
the collected data and also made it possible for more detailed personal
information—including age, sex, income, marital status, household size,
education level, home ownership, and home values—to be associated. The
collection occurred under a setting that was described as a "Smart
Interactivity" feature that "enables program offers and suggestions."
The menu never informed users that the feature also transmitted viewing
habits or other personal information. The complaint offered these
additional technical details:
Through the ACR software, Vizio's televisions
transmit information about what a consumer is watching on a
second-by-second basis. Defendants’ ACR software captures information
about a selection of pixels on the screen and sends that data to Vizio
servers, where it is uniquely matched to a database of publicly
available television, movie, and commercial content. Defendants collect
viewing data from cable or broadband service providers, set-top boxes,
external streaming devices, DVD players, and over-the-air broadcasts.
Defendants have stated that the ACR software captures up to 100 billion
data points each day from more than 10 million VIZIO televisions.
Defendants store this data indefinitely.
Defendants’ ACR software also periodically
collects other information about the television, including IP address,
wired and wireless MAC addresses, WiFi signal strength, nearby WiFi
access points, and other items.
Big Brother is watching
The allegations are only the latest to
raise troubling privacy concerns about Internet-connected TVs and other
so-called Internet-of-things devices. In late 2015, security researchers
found that Vizio TVs failed to properly validate the HTTPS certificates
of servers they connected to when transmitting viewing-habit data. That
made it trivial for anyone who had the ability to monitor and control
the Internet traffic passing between the TV and the Vizio servers to
impersonate the servers and view or tamper with the transmitted data.
Smart TVs manufactured by LG have also been caught collecting potentially sensitive data,
including a list of shows being watched, the names of files contained
on connected USB drives, and the names of files shared on home or office
networks.
Under the terms of the settlement, Vizio will
pay $1.5 million to the FTC and $700,000 to the New Jersey Division of
Consumer affairs. The settlement also requires Vizio to delete all data
collected before March 1, 2016. Additionally, Vizio has agreed to
prominently disclose and obtain express consent for all future data
collection. The FTC has more details about the case
here and
here.
Post updated to add comment from Vizio.
Comments
Post a Comment