Monday, 12 May 2014

LG Disables Smart TV features in the EU to force users to accept new oppressive Privacy policy

Last November, I Reported that Smart TVs from LG Electronics were silently transmitting information about private media files stored on USB devices (amongst other things) to their servers without notification or the possibility to opt-out.

Over the course of the last week, several users contacted me with concerns about the latest firmware update which their TVs had received. I had the opportunity to look at the update over the weekend and, whilst there are many interesting technical aspects to it, I wanted to share some information about the immediate impact and comment on what it it may mean for other owners.

After completing the update, the TV first notifies the user of some immediate data collection that will take place.
Then after watching some broadcast television, the user may decide to view content from an online service such as YouTube or the BBC's iPlayer.  I have used these features many times during the ten months I have owned the TV.

At this point, a message appears warning the user that new agreement is being sought for updated terms.
Upon pressing OK a new screen is displayed containing a "Legal Notice", "Terms of Use" and a "Privacy Policy". These run into well over 20 pages but most importantly: if you decline these terms, you are denied access to most of the previously available "Smart" features.

So, maybe the terms aren't too bad?  I am not a lawyer but some of them stand out to me as being quite draconian. Here is part of the section on what data may be collected (all emphasis mine):
  • "Viewing Information. This refers to information about your interactions with program content, including live TV content, movies, and video on demand. Viewing Information may include the name of the channel or program watched, requests to view content, the terms you use to search for content, details of actions taken while viewing (e.g., play, stop, pause, etc.), the duration that content was watched, input method (RF, Component, HDMI) and search queries.
  • Basic Usage Information. This refers to information which records your interactions within the LG Smart TV, such as the menu items you click on, the apps you access (but not your activity within apps), what channels are available to you, and information regarding external devices connected to the Smart TV.
  • Voice Information. This refers to voice commands and associated data (such as information about the input device that records your voice) used to recognize and act upon the command, OS information, TV model information, content provider, channel information and service results."
"Viewing information" is described later in the document as "anonymised" and "may be used to deliver targetted advertising".

Sensitive voice information will be captured.
"Many LG Smart TVs come with a remote control or other input devices that can be operated using voice commands. We may use your Voice Information to power the voice activation used by the Smart TV or input device (e.g., remote control). If you do not agree to our use of your Voice Information then you will not be able to use the voice command and recognition features. Apart from this Privacy Policy, you will be provided a specific opportunity to agree or disagree with the collection and use of Voice Information. Please be aware that if your spoken word includes personal or other sensitive information, such information will be among the Voice Information captured through your use of voice recognition features."
Data protection laws offer considerable protection to EU citizens, which must be inconvenient if you want to sell their data to the highest bidder:
"Overseas Transfers

We, our affiliates, subsidiaries, and suppliers may use information (including your personal information) in countries other than where your LG Smart TV is located in connection with providing you with our Smart TV Services and any other purposes outlined in this Privacy Policy. The data protection laws in many of these countries may not offer the same level of protection as those in the country where you are located. By agreeing to this Privacy Policy you expressly consent to us and our business associates and suppliers processing your data in any jurisdiction, including, without limitation, Korea and the United States of America, in accordance with this Privacy Policy."
I would encourage everyone to read the privacy policy in full, as these are just a few examples of what I consider to be deeply objectionable. The document seems to be available on-screen only to LG owners but I have transcribed it here.[1]

I do get the impression that LG have badly mis-understood the expressions of infuriation from consumers to the original spying features that had been discovered. I certainly didn't receive complaints that disclosure of these features was missing from the tens of pages of legal jargon that the user must agree to. What seemed to be the problem was that it was happening at all.

But rather than change their practices of spying on their paying customers, LG seem, instead, to have opted to sell data on their customers' private leisure time on the open market.  Arrogantly, they have also chosen to punish customers who wish to retain their privacy by crippling their TVs - months after they had been purchased, and with no forewarning.

Some may observe that we are frequently asked to agree to policy changes by Facebook, Microsoft and others. But it is possible to decide not to use Facebook and users may choose to use alternative (free) software on their PCs.

By contrast, LG's software is cryptographically locked [2] to these SmartTVs and may not be replaced. Therefore, LG's arbitrary restrictions affect the devices capabilities and therefore impact the consumer's own property.

Aside from being repugnant, this action by LG appears to contravene the Data Protection act and Section 9 of the unfair contract terms legislation published by the Office of Fair Trading. This is something that I shall be looking into more when I get the opportunity.


[1] There may be typos, contact me for screenshots if required. I claim the "fair use" right to make this information available.

[2] Please see the article on relating to such locked down systems.

Monday, 18 November 2013

LG Smart TVs logging USB filenames and viewing info to LG servers

Earlier this month I discovered that my new LG Smart TV was displaying ads on the Smart landing screen.

After some investigation, I found a rather creepy corporate video (since removed, mirror here) advertising their data collection practices to potential advertisers. It's quite long but a sample of their claims are as follows:
LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness.
In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default.  This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.

At this point, I decided to do some traffic analysis to see what was being sent.  It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off.

Here you can clearly see that a unique device ID is transmitted, along with the Channel name "BBC NEWS" and a unique device ID.
Here is another example of a viewing info packet. POST /ibs/v2.2/service/watchInformation.xml HTTP/1.1
Accept: */*
X-Device-Product:NETCAST 4.0
X-Authentication:YMu3V1dv8m8JD0ghrsmEToxONDI= cookie:JSESSIONID=3BB87277C55EED9489B6E6B2DEA7C9FD.node_sdpibis10; Path=/
Content-Length: 460
Content-Type: application/x-www-form-urlencoded
&chan_name=BBC TWO&device_src_idx=1&dtv_standard_type=2
&broadcast_type=2&device_platform_name=NETCAST 4.0_mtk5398&chan_code=251533454-72E0D0FB0A8A4C70E4E2D829523CA235&external_input_name=Antenna&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_src_idx=1&chan_phy_no=&atsc_chan_maj_no=&atsc_chan_min_no=&chan_phy_no=47&atsc_chan_maj_no=2&atsc_chan_min_no=2&chan_src_idx=1&dvb_chan_nw_id=9018&dvb_chan_transf_id=4170&dvb_chan_svc_id=4287&watch_dvc_logging=0
This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.

It was at this point, I made an even more disturbing find within the packet data dumps.  I noticed filenames were being posted to LG's servers and that these filenames were ones stored on my external USB hard drive.  To demonstrate this, I created a mock avi file and copied it to a USB stick.

This file didn't really contain "midget porn" at all, I renamed it to make sure it had a unique filename that I could spot easily in the data and one that was unlikely to come from a broadcast source.

And sure enough, there is was...

Sometimes the names of the contents of an entire folder was posted, other times nothing was sent.  I couldn't determine what rules controlled this.

I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites. My wife was shocked to see our children's names being transmitted in the name of a Christmas video file that we had watched from USB.

So what does LG have to say about this?  I approached them and asked them to comment on data collection, profiling of their customers, collection of usage information and mandatory embedded advertising on products that their customers had paid for.  Their response to this was as follows:
Good Morning

Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG's UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer.  We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

LG Electronics UK Helpdesk
[premium rate number removed]
Fax: 01480 274 000
UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm
Sunday 11am - 5pm
I haven't asked them about leaking of USB filenames due to the "deal with it" nature of the above response but I have no real expectation that their response would be any different.

So how can we prevent this from happening?  I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.
This will free you from seeing ads plastered on your screen and having your viewing habits monitored, whilst it should still allow firmware updates to be applied.

(Update: removed llnwd domain, see comments)

(Update: 14 Dec 2013 - Changed Imgur images to Blogger to reduce dependencies. Minor formatting, Added mirror of linked Video)