Naked Security

Smart TVs are spying on you through your phone

Smart TVs in millions of homes are using other devices on the same network in order to snitch on everything you watch and everywhere you go.

Last year, the US Federal Trade Commission (FTC) slapped TV maker Vizio with a $2.2m fine for watching us watch its TVs: the spy boxes were collecting data that included IP addresses and demographic information on 11 million users.
Pffft! Amateurs. Vacuuming our data straight out of our living rooms to see what we’re watching so they can target-market us is so last year. Now, it turns out, one company that’s all about making personalized viewing recommendations is jumping beyond our living rooms in order to sniff out what’s happening on any device that’s on our networks, including our mobile devices, and that of course means following us around.
The New York Times on Thursday published a report about Samba TV, which collects data on 13.5 million TV viewers in order to make its personalized show recommendations. Samba has signed deals with about a dozen TV makers, including Sony, Sharp, Magnavox, Toshiba and Philips, to install its software on certain sets.
It calls that software Automatic Content Recognition (ACR) and says that it delivers “essential TV insights.”
As the Times reports, when a user gets one of these TVs out of the box, a screen urges them to enable a service called Samba Interactive TV. The service promises to recommend shows and provide special offers “by cleverly recognizing onscreen content.” As of 2016, company executives said that more than 90% of people clicked the enable button.
But they were likely agreeing to give away far more data than they realized. What the initial “enable” screen doesn’t include: a terms of service agreement that exceeds 6,500 words and a privacy policy that pushes past 4,000 words. That’s a lot of reading for somebody who just wants to find out if Jon Snow is going to accidentally sleep with his aunt.
With all those words, tucked into screens that Game of Thrones fans clearly aren’t clicking through to pore over, Samba gives itself the go-ahead to create a “device map” that matches TV content to devices sharing a network with a smart TV. And that, according to Jeffrey Chester, executive director of the Center for Digital Democracy, helps the company to leap out of living rooms in order to track users “in their office, in line at the food truck and on the road as they travel.”
Sounds a lot like the internet at large, doesn’t it? Online services follow us around after we leave, taking note of where we go. Facebook, in fact, found itself in quite a bit of hot water over that one: CEO Mark Zuckerberg was in the hot seat in Congress a few months ago, as Florida Rep. Kathy Castor asked whether or not Facebook collects personal data on people who aren’t even Facebook users.
Well, yes, the company eventually admitted, coughing up the reasons why and pointing out that Facebook is far from the only online service to do so: Twitter, Pinterest, LinkedIn, Google, and Amazon all offer services on other sites and apps, and following people around is part and parcel.
This tracking has, justifiably enough, met with forceful pushback. In 2015, a Belgian court gave Facebook 48 hours to stop tracking non-users, which resulted in Belgians who didn’t have Facebook accounts being unable to view any Belgian Facebook pages, including public profiles. In February 2016, the French data protection agency CNIL gave Facebook three months to stop tracking non-users in France. And just last month, to loud applause, Apple introduced the ability to block this type of tracking in Safari.
So yes, we’re all pretty accustomed to saying No when it comes to online tracking. But when it comes to internet TV tracking, the public is still fairly unaware of the extent to which it’s happening, critics say.

The TV industry also hasn’t been subjected to the strict rules and regulations surrounding viewing data that have traditionally applied to cable companies, as Jonathan Mayer, an assistant professor of computer science and public affairs at Princeton University and a former technology adviser at the Federal Communications Commission, told the Times. That’s helped to fuel “this rise of weird ways to figure out what someone’s watching,” he said.
Mayer told the newspaper that smart TV companies are overseen by the FTC, which means that “as long as you’re truthful to consumers, even if you make it really hard to exercise choices or don’t offer choices at all, you probably don’t have much of a legal issue.”
Bill Daddi, a Samba spokesman, told the Times that the company has been upfront about what it’s doing:

Each version has clearly identified that we use technology to recognize what’s onscreen, to create benefit for the consumer as well as Samba, its partners and advertisers.

One TV owner, David Kitchen, a software engineer in London, clearly disagrees. Three months ago, he took to Hacker News to describe how startled he was when his Sony smart TV updated itself and “tried to force me to use a new app” – specifically, Samba.
This is what the Samba opt-in message had told him:

Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.

But when he researched the Samba privacy policy, he found it was “worse than recent facebook stuff.” Kitchen pointed out that Samba’s privacy policy says that it tracks…

…what you watch, when you watch it, your location, your interactions with other apps. And they share this with …well, everyone basically.
This information is then used to market to you within the TV and offer you a ‘hot list’ … but it is also used to ‘Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights, safety and property of Samba and others.’

More from Samba’s privacy policy:

Information we receive about you or your household from using one device or Smart TV may be combined with information we receive from use of other devices or Smart TVs. For example, if we know you love watching football on your Smart TV, we may show you real-time football stats on your mobile device.

As Samba points out, you can always opt out of receiving such tailored content by following the instructions set forth in its “Your Rights and Choices” section.
Or, as Kitchen suggests, you can just disable Samba completely. It is, he suggests, “a snitch in your living room, snitching on everything you watch on your TV.”


First thing I did when I got my new Sony 900E, disable, in not enabling SAMBA, a wise choice in hindsight. Great article Lisa.


This kind of profiling is getting way out of hand. Between our Federal government and the telecommunications companies, the FCC in Congress we are trapped.
People really need to wake up and be aware of what is going on.

