Eroding Trust: How New Smart TV Lacks Privacy by Design and Transparency

A year ago I got a new Samsung DVD player for Christmas. It’s a lovely device that I use most every day—mostly for streaming video from Netflix and Amazon. I apparently can also make Skype calls from it, though I haven’t tried — I’m told there are hundreds of other applications out there, so I’m probably underutilizing the device. But I’ve recently wondered—does Samsung log what I do on the player? Does it send information about my viewing back to Samsung? I . . . I guess I have no idea.

Last week, UK blogger Doctorbeet revealed that his LG Smart TV was reporting back to LG every time he changed the channel. It was also scanning all shared files on his home network and sending a running tally of those back to LG as well. The company allegedly offered an opt-out of “Collection of watching info” in its options menu, but apparently toggling the opt-out didn’t actually do anything. Oh, and all the data was unencrypted, so someone else with access to the network could see the information in the clear. Not the sort of story you want to come out just before Black Friday.

LG initially dismissed the concerns with a curt response to Doctorbeet saying, “you accepted the Terms and Conditions on your TV.”  But once the story started to get mainstream attention, the company backtracked and said they were looking into the situation. Earlier this week, they announced they were going to fix the problem: After the next firmware update, the opt-out for the collection of TV watching data will work, and LG will turn off the collection of shared file names altogether.

Is an opt-out enough?

That’s a start, but LG shouldn’t stop there. First of all, should home appliances be monitoring consumers and reporting everything back to manufacturers by default? Certainly, other interconnected devices don’t do this today. Your computer doesn’t report back to Lenovo or HP everything that you do. Your phone doesn’t report everything back to Motorola or Apple. When I buy a TV, I’m not typically looking for a relationship with LG or Samsung: I may appreciate additional “smart” capabilities like connecting to Skype or the web, but my TV is a platform for me to access others’ content—it’s not a destination in itself.

Last year, the U.S. Federal Trade Commission (FTC) held a workshop on comprehensive monitoring by intermediaries like ISPs, devices, browsers, operating systems and, sure, TVs. As the CDT noted in our comments after the workshop, this sort of monitoring is particularly invasive. First, it’s comprehensive—it monitors how consumers use all the various services accessed through that intermediary (such as websites, apps or here, TV channels). Second, it’s out of context—you’re trying to connect with other services, not the platform itself. Consumers expect the intermediary to act as a pass-through on their behalf (especially when they’ve paid for it!), not as a man-in-the-middle that monitors all that you do.

We’ve argued for years that intermediaries and platforms should only monitor their customers on an affirmative opt-in basis absent a compelling operational necessity (no, showing behavioral ads doesn’t count). We think that should be the case for Smart TVs as well. The FTC has previously said that this sort of comprehensive monitoring without informed choice is illegal; LG is treading in dangerous legal territory if it’s engaging in similar practices. Hopefully their privacy team, assuming they have one, is voicing such a concern. Are they not being heard? If not, this might not bode well for the company.

Can we even tell what LG’s data practices are?

If LG wants to make a pitch to consumers about how it can use their data to offer better services, I say: Go for it! Google, for example, does this for Chrome—it tries to convince Chrome users to sign in to sync bookmarks and settings across devices. But that’s not what’s happening here.

In fact, it’s really hard to tell exactly what LG is doing. We only know about the data collection in the first place because a blogger decided to watch the traffic going out of his home router. LG updated their privacy policy with a brief response to the controversy, but the explanation is utterly cryptic. First, LG bluntly states that viewing history is not personal information. This seems to rely on an outdated concept of personal information—if the company is logging viewing information by device ID or IP address, which could later be tied back to a particular household, most people—and regulators—would recognize that as personal information.

The company also variously says that it collects information “to deliver more relevant advertisements” but also that “LG does not, or has ever, engaged in targeted advertisement using information collected from LG Smart TV owners” [sic]. I’m not sure how to parse that. Perhaps the company isn’t logging IP or device address at all and is just aggregating usage numbers on the fly; they then serve targeted advertisements based on generalized data about how people are using their TVs. That might be perfectly defensible from a privacy point of view. If the channel viewing is immediately de-identified or aggregated, perhaps the data collection by default—or even without choice at all—is OK. On the other hand, perhaps the company is logging everything by unique household—including TV watching, web browsing and other TV app usage—and storing it forever, in the hope that Big Data will happen.

Right now, we have no idea, and that’s a big problem.

The increasing prevalence of interconnected, smart devices—the Internet of Things—certainly presents challenges for how to contextually let users know how they’re being monitored and by whom. But even setting aside the question of how to provide actionable—and not just annoying—real-time notice, consumers absolutely must be able to find this information somewhere. I’ve spent much of the last several days trying to figure out what LG Smart TVs collect and transmit to LG, and I still have no clear idea. (LG has not responded to multiple requests for more information.) Even aside from LG’s confusing response to the Smart TV allegations, its privacy policy language is vague and inscrutable, and simply reserves broad rights over what it deems to be non-personal information. (I checked Samsung’s as well to compare—I would guess from this language that they’re not monitoring Smart TV—or DVD player—usage, but I’m not sure.) LG previously hosted a promotional video for a new “Smart Ads” product that promised the ability to link LG Smart TV data to data from LG phones and even LG refrigerators as well (the video has been pulled from the site but it’s been saved for posterity here).

Is LG doing any of these things today? Or have they stopped collecting data entirely in response to the controversy? Since I started writing this blog post, the privacy policy has been revised again and now makes no mention of the Smart TV data collection. Is it different in the U.S., the UK or the rest of Europe? I honestly can’t tell you.

And now, LG has a pretty big PR issue on their hands that could have been avoided if privacy had been designed into the TV from the start. Transparency from the beginning would certainly help engender trust, too. Instead, the company is on the defensive, issuing contradictory statements every couple of days, and desperately hoping the issue just goes away. LG would have been better served with an affirmative privacy strategy developed by privacy professionals—instead of an inchoate data play optimistically pushed by marketers. And even if it did make bad decisions in the past, the company should acknowledge the full extent of the issues to preserve trust, while taking steps to address all the consumer privacy issues I’ve mentioned above. Preferably in time for Black Friday!

Privacy in an interconnected home

The Supreme Court has repeatedly held that people have heightened privacy interests in what happens within their home—even over information that is technologically observable by others. We have “Peeping Tom” laws for the same reason—just because someone has a means to watch what you’re doing in the home doesn’t mean they should. Smart devices have the potential to do amazing things for consumers—smart, automated cars cannot get here fast enough—but it’s paternalistic to assert that those smart devices must be allowed to secretly surveil consumers without understanding them or contrary to their wishes.

Good security and internal accountability are necessary—but not sufficient. Consumers are the ones who pay for the products—they should be the ones in control. Unfortunately, today, we rarely even have access to the necessary information in order to make rational decisions. That needs to change.

photo credit: djLicious via photopin cc

Written By

Justin Brookman


  • Mr Paul Dec 5, 2013

    Your links to the LGTV privacy policy are for its website policy, which is explicitly not relevant to the TVs.  Or is it?  The document is self-contradictory about what it applies to!
    The first line states:
    "This privacy policy applies only to the websites and services controlled by LG Electronics USA Inc..."
    But then, under section A, it states:
    "This privacy policy applies only to information collected on the Sites and does not apply to information collected by LGEUS through any other means."
  • Dec 26, 2013

    I need serious help. I'm being monitored, my 13 year old, my husband. He's in every pc, modem, cell, smart tvs, and more. ...I need help. I have evidence please help
  • Andrew James Mar 16, 2014

    Well said Justin but let me expand on LG getting all the bad press when it comes to spying please.
    Samsung TVs are even worse than LG when it comes to spying and I did try to put the word out using Twitter but it now seems that Twitter take bribes to silence people and most of the tweets never got out as can be seen if you open a second Twitter account and check.
    Samsung is a few steps ahead of LG when it comes to spying and the way that I captured the data was to hijack the DNS server to force my Samsung TV to use a proxy server.
    As soon as you switch a Samsung TV on it connects with Korea and uploads the TV's unique MAC address and then connects to Google, Twitter plus others and sends them a user-agent in the HTTP Request so that they know that a Samsung TV is connecting to them and they also know your IP address.
    All Google, Facebook need to do now is contact Samsung with the IP and Samsung can give them your name, address and anything else they know about you because they guarantee the TV and have your details.
    This all happens within a second of you switching your TV on and with no apps running.
    It gets worse and Samsung uses SSL to upload information but they don't use the usual HTTPS CONNECT but instead open a connection and listen for a reply without using the usual handshake.
    These TVs also scan your network using various protocols like SDDP:1900 to access drives and machines plus an odd one using port 7676.
    No wonder Samsung did not build the option of using a proxy server into these TVs because that would make it too easy to spot that Samsung is doing evil.
    What's strange is that when you do a Google for "TV spying on people" all that Google brings up is links about LG TVs as if no one in the world knows about Samsung so maybe good PR is the price Google pays Samsung for having these TVs connect to Google and in return Samsung gives them your details free of charge.
    I could go on but the post would end up being bigger than the blog.
    Best Regards

