When we watch TV, our TVs watch us back and track our habits. This practice has exploded recently since it hasn’t faced much public scrutiny. But in the last few days, not one but *three* papers have dropped that uncover the extent of tracking on TVs. Let me tell you about them.
The first paper looked at Roku and Amazon Fire TV. These platforms let you subscribe to “channels”, which are basically apps. As you can guess, they are loaded with trackers. Doubleclick alone is on 97.5% of Roku channels. tv-watches-you.princeton.edu/tv-tracking-ac…
There are some channels with over 50 trackers. Also, the majority of trackers were able to grab a unique ID such as MAC address. A few channels leaked email addresses to trackers and many leaked video titles⁠—often unencrypted, so your viewing history is exposed on the network.
Reverse engineering is hard. The paper was possible due to the hard work and ingenuity of the five PhD/postdoc authors Hooman Moghaddam, Gunes Acar, @baburges, @aruneshmathur, and @danny_y_huang. The other authors are @feamster, @EdFelten, @prateekmittal_, and me.
The most technically challenging part of the paper was building a bot to automatically install thousands of channels, launch each channel, navigate to a video, watch it until encountering an ad, and collect data on everything that happens behind the scenes.
Here’s a doozy: Roku has a “Limit Ad Tracking” option. Turning it on increased the number of tracking servers contacted 🙃 It did prevent Roku’s AD ID from being leaked, but a whole bunch of other unique IDs are available. Even Pi-hole wasn’t that effective at limiting tracking.
The second paper is by researchers at Northeastern University and Imperial College London. They have an impressive testing setup! moniotrlab.ccis.neu.edu/wp-content/upl… Here’s a thread from one of the authors:
They analyzed 81 IoT devices including five smart TVs. Their method was quite different from ours: they did controlled experiments. This is powerful: for example, they can test if devices phone home when someone starts talking or moving.
Good news: none of the TVs did.
Bad news:
Some of their findings are what you’d intuitively expect: devices made by Chinese companies tend to talk to Chinese servers. Other findings are more surprising: Nearly all TVs they tested contacted Netflix, even though they never configured any TV with a Netflix account (?!?!)
The third paper is from my colleagues @danny_y_huang Noah Apthorpe Gunes Acar @frankli714 @feamster (I wasn't involved). They built software called IoT Inspector that lets you examine your own IoT devices and, in exchange, contribute data for research. iot-inspector.princeton.edu
It’s a really neat tool that I’ve tweeted before. Over 4,300 people have installed it and the team has just released their first set of findings using data on 45,000 devices, including nearly a thousand TVs from 19 vendors. arxiv.org/pdf/1909.09848…
(By the way, what I love love love about the three papers released near-simultaneously is that we now have three different ways to interrogate Smart TVs and IoT devices. It bodes well for future efforts to uncover tracking and surveillance in our homes.)
IoT inspector’s findings on TV tracking are consistent with the other 2 papers. In their sample, they find about half the TVs talked to tracking services (the authors tell me they think this is an undercount because many of the TVs were turned on only briefly during the study).
One creepy finding in this study is that some TVs connect to Automatic Content Recognition services. ACR involves sending a “fingerprint” of your screen contents to a server, say once a second, for a Shazam-like algorithm to figure out what you’re watching to serve you ads.
OK, so our TVs are watching us. Is that so bad? Well, TVs are going down the same road that turned the web & smartphone apps into a cesspit of surveillance. I worry that things like TV ads emitting ultrasonic beacons for analytics will become more common. arstechnica.com/information-te…
It’s unfortunate that TV platforms are turning to targeted ads as the main way to make money. To maximize revenue, they will likely turn to data mining and algorithmic personalization/persuasion to keep people glued to the screen as long as possible. digiday.com/media/rokus-ad…
Unlike web tracking, our ability to control tracking on TVs is also limited, because TVs are closed platforms and there is no analog of browser extensions. And, in a familiar story, the law and regulations are easily worked around.
washingtonpost.com/technology/201…
I'm sorry to leave this thread without a satisfying conclusion. It's not obvious what's the most effective way to push back against privacy intrusions in our homes. I think more awareness is a necessary first step, and I see the recent papers as progress. I hope more will follow.
There are steps we can take. Stay away from vendors whose business model is targeted ads. Every device is a potential tracker; do your research before buying. Install tools that give you control, such as Pi-hole, even if imperfect. Install a monitoring tool on your home network.
These individual steps are not enough: we need collective action. Researchers must keep doing our part; we look forward to teaming up with journalists, civil society organizations, and the public, so that we can choose our future, not sleepwalk into it one channel at a time.
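Added example (not part of the original thread, and not code from any of the three papers): a sketch of the kind of check a home-network monitoring tool can run to spot the unique-ID leaks described above, searching outgoing request URLs for your own device's identifiers in plain, URL-encoded, base64 and hashed forms, and noting whether each request was encrypted. The function names, identifiers and hosts are constructed for illustration, and it assumes you already have request URLs logged by a proxy on your own network.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit

def id_variants(value):
    """Forms in which one identifier string may appear in a request."""
    raw = value.encode()
    forms = {"plain": value, "base64": base64.b64encode(raw).decode()}
    if quote(value, safe="") != value:
        forms["urlencoded"] = quote(value, safe="")
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms

def find_leaks(urls, identifiers):
    """Return sorted (host, id_label, encoding, encrypted) tuples for every
    request URL that carries one of the given identifiers."""
    needles = set()
    for label, value in identifiers.items():
        spellings = {value, value.lower(), value.upper()}
        # Also try separator-free spellings (MACs are often sent without colons).
        spellings |= {s.replace(":", "") for s in spellings}
        for s in spellings:
            for enc, form in id_variants(s).items():
                needles.add((label, enc, form))
    hits = set()
    for url in urls:
        parts = urlsplit(url)
        for label, enc, form in needles:
            # base64 is case-sensitive; everything else is compared lowercased.
            found = form in url if enc == "base64" else form.lower() in url.lower()
            if found:
                hits.add((parts.hostname, label, enc, parts.scheme == "https"))
    return sorted(hits)

# Constructed sample: identifiers of a device you own, and request URLs as
# logged by a monitoring proxy on your own network (hosts are placeholders).
MY_IDS = {"mac": "AA:BB:CC:DD:EE:FF", "email": "viewer@example.com"}
SAMPLE_URLS = [
    "http://tracker-a.example/p?dev=aabbccddeeff&title=Some+Show",
    "https://tracker-b.example/sync?h=" + hashlib.md5(b"viewer@example.com").hexdigest(),
    "https://cdn.example/video/segment1.ts",
    "http://ads.example/v?u=" + quote("AA:BB:CC:DD:EE:FF", safe=""),
]

if __name__ == "__main__":
    for host, label, enc, encrypted in find_leaks(SAMPLE_URLS, MY_IDS):
        print(f"{host}: {label} ({enc}), {'HTTPS' if encrypted else 'cleartext'}")
```

Matching hashed and re-encoded forms matters because an identifier that never appears verbatim can still be a stable tracking key.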