Own a Samsung or LG smart TV? If so, whatever you’re doing with the screen is tracked with the help of snapshots. A new research paper says it’s like watching TV with a second party.
The Shazam-like technology, named “Automatic Content Recognition (ACR),” isn’t exactly new but was previously only found in a few apps such as Netflix or Hulu, conducting third-party tracking.
ACR works by periodically capturing the content displayed on a TV screen and matching it against a content library to detect what content is being displayed at any given point in time.
However, in a new research paper, a team of academics from various elite universities in the United States, the United Kingdom, and Spain found that ACR tracking has crept into the core firmware of modern-day smart TVs.
“While prior research has investigated third-party tracking in the smart TV ecosystem, it has not looked into second-party ACR tracking that is directly conducted by the smart TV platform,” says the paper.
Personal data bonanza
After testing two major smart TV brands, LG and Samsung, the researchers concluded that, actually, ACR operates even when it’s used as a “dumb” display via HDMI. This type of tracking is conducted directly by the smart TV platform via its operating system.
According to the researchers, ACR periodically captures visual and/or audio frames, builds a fingerprint of the content, and then shares it with an ACR server to match it against a database of known content such as movies, ads, or live feeds.
When the fingerprint matches, the ACR server can determine exactly what content is being watched on the smart TV. This enables smart TV platforms like Samsung and LG to profile users into audience segments, which are then used to target personalized ads.
In 2015, Samsung was forced to explain that its smart TVs do not collect personal or other sensitive information via voice recognition functions. In a blog post, the firm said: “Samsung takes consumer privacy very seriously, and our products are designed with privacy in mind.”
“Smart TVs sit in your living room or bedroom, and can have microphones, cameras, and access to your TV-watching habits – which can produce incredibly personal data.”
The Electronic Frontier Foundation.
However, in the case of ACR and the potential for privacy violations, the fingerprints are essentially a hash of the content, which can be matched on the server side to identify the type of content being viewed.
“The fact that the hash of content rather than raw content is sent to ACR servers does not necessarily make the data anonymous. Moreover, the viewing habits of a user are potentially identifying,” said the researchers.
In 2015, the Electronic Frontier Foundation, an international non-profit digital rights group, said the urgency of the issue was obvious: “Smart TVs sit in your living room or bedroom, and can have microphones, cameras, and access to your TV-watching habits – which can produce incredibly personal data.”
Opting out takes precious time
According to the experiment, ACR snapshots were taken multiple times per second, but the data was only uploaded to ACR domains only once every 15 seconds. Plus, it didn’t matter whether the user had registered an account on their TV.
Surprisingly, there was no ACR traffic when users watched streaming apps such as Netflix or YouTube. That’s probably because copyright issues complicate collecting snapshots of third-party-owned streamed content.
Another explanation could be that the third-party app wants to preserve the privacy of its users. For example, Netflix prefers to have ACR deactivated during its streaming “in order to preserve the integrity of its subscribers viewing experiences and maintain sole control over measurement of its viewership,” says the paper.
Thankfully, researchers have also concluded that configuring the devices to opt out of tracking stops traffic to the ACR domains. For instance, The Markup offers a useful opting-out guide.
Still, the paper points out: “Opting out is typically not straightforward, often requiring navigation through various settings in multiple subsections, with no universal off switch.”
Your email address will not be published. Required fields are markedmarked