Smart TV tracking raises privacy concerns

The study, published in ACM Internet Measurement Conference (IMC) 2024, investigated how and when smart TVs collect user viewing data via ACR for the first time.

ACR is a technology built into smart TVs to identify and collect information about content being played. It gathers data such as viewing history, location, and user pathways, which can then be sold to third parties, such as advertisers, to assist them develop audience targets. Third parties, such as streaming services, can also use it to offer direct content recommendations to users.

For the research, the team connected Samsung and LG smart TVs to a dedicated internet hub, in both the UK and the US, to record user data being transmitted to external servers by the TVs in real time¹.

The results showed that ACR not only takes screenshots of what the viewer is watching on live TV many times per second, but does the same when content is being played through an external device such as a laptop – potentially allowing ACR to figure out what is shown on the external device.

Though ACR, which is enabled by default, stopped when the user opted out, the authors say that the way ACR is currently employed represents a privacy concern for users, and that manufacturers should be made to do more to inform users about how their viewing habits are collected.

Dr Anna Mandalari, co-author of the study from UCL Electronic & Electrical Engineering, said: “Automatic content recognition technology has been around for a while, though the average user is unlikely to know what it is or that they can opt-out from it if they want to.

“In this study we set out to understand precisely what information is being collected by second parties². We were able to see the frequency and volume of data collection, which included content viewed through external devices such as a laptop.

"Theoretically, the system could recognise and match certain types of known content displayed on your external device, such as specific shows or products. While this limits the scope of what is detectable, we believe that the fact that ACR is turned on by default during the TV setup process, requiring users to opt-in for various services, still raises important questions about the potential impact on user privacy."

The team were unable to see exactly what data was being collected because it was encrypted. But they were able to observe when and how much data was shared. Checking the ACR configuration file on an LG TV showed a sample rate of 48 kilohertz (kHz) – suggesting capture of 48,000 snapshots per second.

Given that the refresh rate of many modern HD televisions is only 60 hertz (Hz) (meaning that ACR could record the content being watched many times over) it is uncertain what else is being captured to necessitate such a high sample rate.

When the team made a General Data Protection Regulation (GDPR) request to see what data Samsung and LG held about the user(s) of the televisions, the response was vague and didn’t correspond to the volume of data that they had observed being transmitted from the TVs.

Dr Mandalari said: “Though we cannot see exactly what information is being shared with second parties, the fact that the volume of data returned under GDPR requests is much smaller than the volume that we’ve observed being shared suggests some information is being withheld.”

The team also observed national differences in the way that ACR operates. It records content viewed over traditional television channels (scheduled content received via an aerial, cable or fibre), but in the UK third-party streaming services such as Netflix were not recorded, possibly due to copyright issues.

Yash Vekaria, a co-author of the study from UC Davis, USA, said: “The way in which ACR opt-out is configured by these TVs is extremely complex, requiring users to opt-out of several advertising and tracking settings with multiple clicks under different sub-settings. This makes it extremely difficult for a typical user to exercise opt-out of ACR.

“On the other hand, smart TVs have made one-click based opt-ins very easy to execute. We believe that TVs should involve an explicit user consent by ensuring that the user is informed about what ACR is and what functions it performs. Currently, smart TVs label ACR as ‘viewing information services’, which doesn’t really indicate what it is.”

The UK Information Commissioner’s Office (ICO), which promotes openness by public bodies and data privacy for individuals, visited the IoT Laboratory at UCL Electronic & Electrical Engineering during data collection for this study. The ICO has been working on developing a Guidance for Consumer Internet of Things (IoT) for manufacturers, due to be published for consultation in Winter 24/25.

¹ When ACR is enabled on LG TVs, a single domain is contacted that belongs to Alphonso, a technology company that manages LG Ad Solutions. Samsung TVs contact multiple ACR domains, all of which belong to Samsung.

² The second parties are the smart TV companies LG and Samsung. ACR information can be sold to third-parties such as advertising agencies or streaming services. 

Links

• Dr Anna Mandalari's academic profile
• Department of Electronic & Electrical Engineering
• UCL Faculty of Engineering

Image

• Credit: demaerre on iStock.

Media contact 

Dr Matt Midgley

E: m.midgley [at] ucl.ac.uk