Privacy and security experts are buzzing about this week’s decision by the Federal Trade Commission to fine Vizio $2.2 million because the company installed software on its “smart” TVs so it could secretly gather data about the viewing habits of millions of viewers.
Vizio sold that raw data to third-party companies, which then used it in a variety of ways, including the targeting of viewers with advertising appeals.
The fine has caught the interest of people like Stephen Cobb, a senior researcher in the San Diego office of ESET, an international security company. Cobb discussed the FTC action during an interview Tuesday. The following is an edited version of that conversation:
Q: Was Vizio effectively spying on consumers by secretly collecting information about what appeared on their televisions?
A: Well, that would sound a lot like spying to many people, although technically what Vizio was doing was more like making spying possible. In other words, it has not been alleged that the viewing activities of personally identified individuals were looked at by Vizio staff or the third parties to whom it supplied the data.
However, potentially that could have happened. For example, if law enforcement had subpoenaed viewing records or an unethical employee had abused access to the information. Some people won’t find it hard to think of several government agencies that might be tempted to get at that data.
Q: Does this fine from the FTC represent a major step toward protecting the privacy of consumers? Or is the $2 million fine fairly small?
A: I think the fine was in the millions to get the attention of other companies. … It was not higher because Vizio agreed to a 20-year settlement, the terms of which are very pro-consumer. Vizio has to remain squeaky clean on all consumer data privacy and security matters, and it will be subject to (periodic) outside audits to make sure this is the case. Past violations of this type of long-term settlement have brought forth even heavier sanctions.
Q: Could you help us understand what Vizio was doing by collecting demographic information? Was the company identifying the sex, age, income levels of the people likely to be watching the TV?
A: Vizio was collecting the raw data as to which programs each unit displayed (regardless of source: TV, DVD, DVR), then handing this data to a third party along with the viewers’ IP (internet protocol) addresses.
These “data aggregators” then used the IP addresses, along with their own data, to re-identify and market to consumers and households using details like gender, age, income, marital status, household size, education and home ownership. Vizio allowed its customers to be tracked and targeted by these companies across devices.
Q: Are there commercial TVs on the market that can take things one step further and actually watch people who are watching TV? Could they see well enough to say, “Oh, Stephen is wearing a red sweater today and drinking a Diet Coke”?
A: Yes, and hopefully consumers who have a TV which contains a camera are aware of this — and have placed the appropriate piece of tape over the lens. As with voice recording, of which some TVs and accessories are also capable, or basic activity recording, the key questions are: Does the user know about it? And have they consented to it?
Q: If Vizio had simply asked consumers for permission to collect data on what they were watching, do you think most people would have been fine with it?
A: In many ways, this is the crux of the issue. Should there be two versions of a device, one that has tracking and another that does not? The latter would presumably be priced higher because the manufacturer would lose the revenue from selling the tracking data. Right now, too many digital devices and services come with tracking by default and a lack of disclosure about how to opt out, if that is even possible. The FTC is pushing companies to make clear disclosures as to what data is collected and what is done with it so that consumers can make informed choices.
A tricky-to-spot phishing scheme targeting Gmail users is fooling even seasoned security experts.
A tricky-to-spot phishing scheme targeting Gmail users is fooling even seasoned security experts.
The Homeland Security Department warned Jan. 10 about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices. (Jan. 11, 2017)
The Homeland Security Department warned Jan. 10 about an unusual cybersecurity flaw for one manufacturer’s implantable heart devices. (Jan. 11, 2017)
Twitter: @grobbins
gary.robbins@sduniontribune.com
Our editors found this article on this site using Google and regenerated it for our readers.
