Tag: privacy

Your ISP Is Spying On You..

Recently, I reviewed a 2021 Federal Trade Commission report detailing the data collection practices of six internet service providers. The report examined AT&T, Verizon, T-Mobile, Google Fiber, Comcast Xfinity, and Charter Spectrum Communications. It found that standard consumer privacy measures, such as web browser tracking protections, are ineffective against ISPs because many utilize a “supercookie” to persistently track network activity.

In my latest video, I dive into this topic and look at what you can do to stop this data collection.

Because households share a single internet connection, this tracking encompasses all users on the network, including children. ISPs gather information by observing the websites a household visits, the frequency and duration of those visits, and the amount of data transferred. Providers can send a user’s IP address to an ad affiliate, who then passes it to a data broker to build an informational profile. This data extends beyond basic demographics, categorizing users by religious affiliation, ethnicity, and political leanings.

The sale of this information presents distinct privacy risks. Beyond targeted advertising, the FTC report indicates that scammers can purchase access to these profiles. Additionally, a 2019 Motherboard report revealed that bounty hunters were able to buy customer location data originating from AT&T, T-Mobile, and Sprint phones. Despite these practices, consumer engagement with ISP privacy policies remains low. The FTC found that the provider with the highest engagement saw only 6.7 percent of subscribers look at their privacy pages.

I examined my own provider, Comcast Xfinity, to understand their specific policies. Comcast stated in a 2017 blog post and on their current privacy pages that they do not sell personal information without affirmative opt-in consent. However, agreeing to their terms of service during the initial account sign-up functions as that consent.

Navigating Comcast’s privacy section reveals numerous documents and a complex process for managing data disclosures. Users can opt out of certain disclosures, such as participation in audience measurement or personalized ads, but the application of these settings to broader tracking methods is ambiguous.

The ability to view, change, or delete the specific data an ISP holds depends heavily on state laws. For residents in states with applicable laws, Comcast provides a form to request a download of stored data, which includes account information, behavioral inferences, and details about telecommunication usage.

I submitted a data download request over a week ago, a process Comcast notes can take up to 30 days to fulfill. Until comprehensive federal regulations are established, the responsibility remains on the individual subscriber to navigate these varied settings and actively opt out of data collection.

I will be back with an update once Comcast hands over my data. Stay tuned!

Is Smart TV HDMI Spying Legal?

After last week’s video about how smart TVs spy on users, I wanted to take a deeper look at the legalities around allowing TV manufacturers to spy on everything we watch – including what’s connected to our TVs via the HDMI port.

Check it out in my latest video!

As a recap, most televisions don’t just track what apps you use—they can identify what’s on the screen or what’s coming through the speakers, then send that data off to advertisers and data brokers. It’s all done through automatic content recognition, or ACR, and it’s completely legal because users consent to it, often without understanding they have.

When I factory-reset my Roku TV, the setup process gave me two options in regards to ACR: “Agree” or “Manage Preferences.” There was no simple “Yes” or “No.” Most people, eager to get started, are going to hit “Agree.”

If you do click through to “Manage Preferences,” you can then opt out, and Roku will still let you use its smart features. That’s more than I can say for my LG TV, which shut down all its smart functions when I declined a new privacy policy after a firmware update. I could still use connected devices, but the built-in apps were locked out until I accepted the new terms. Roku’s approach at least lets you continue using the interface, but I doubt many users go through the trouble to opt out. A real opt-in should offer a clear yes-or-no choice, not bury “no” under layers of menus.

Roku’s privacy policy itself is over a hundred pages long printed out, and scrolling through it takes several minutes. Buried in that text are all the details about how the company collects and sells data. The numbers make it clear why this is so central to their business—Roku’s recent quarterly report showed more than a billion dollars in gross profit from its platform, compared to only about $146 million from hardware. The TVs are just the delivery mechanism; you and your data are the product.

Apple has taken the opposite approach by asking users directly whether they want to be tracked across apps. The first choice shown is “Ask App Not to Track,” followed by “Allow.” When Apple rolled this out, 96 percent of U.S. users opted out, and even now most people still refuse tracking when given a clear choice. Reports from analytics firms put the current opt-in rate somewhere between 15 and 30 percent.

Looking ahead, I’m concerned about where this technology might go as AI becomes more powerful. Right now, companies say they’re only sending “fingerprints” of screen images, not the images themselves, but even small local models that can run on smartphones analyze photos in surprising detail. It’s easy to imagine a manufacturer deciding that full-image uploads could make targeting more precise and profitable.

Many viewers told me the simple answer is to keep TVs offline. I agree—that’s the easiest fix. Unplug the Ethernet cable, disable Wi-Fi, and use an external device like an Apple TV or a computer if you want streaming apps. But most consumers don’t do that. When I stopped by Best Buy recently, the salesperson said people mainly care whether their new TV supports the apps they use most. They’re connecting their sets because they want convenience, not because they’ve read a privacy policy.

If regulations ever catch up, maybe they’ll require true opt-in choices instead of manipulative prompts. Until then, the safest move is still to disconnect your television from the internet and think carefully about what you’re agreeing to.

For a good resource on taking back control, my friend Veronica over at Veronica Explained has a video on cutting these services out entirely and running everything with open-source tools. She’s got some solid ideas for handling your own streaming setup without giving away your data.

Your TV’s HDMI Port is Spying on You…

When I bought my LG OLED TV about eight years ago, I never imagined it would one day be spying on everything I watched. Like most people, I was aware that smart TVs track viewing habits for marketing purposes, but what I didn’t realize until recently is just how deep that surveillance goes. These devices actually capture images and audio from anything connected to the TV, whether it’s a game console, a streaming box, or even a home movie streamed from your phone. That information gets packaged up and sent to data brokers or used to target ads across the web.

In my latest analysis video, we dive into this issue and see how many popular brands implement it.

This kind of tracking happens through something called Automatic Content Recognition, or ACR. It works by sampling what’s on the screen, matching it against a database, and then building a profile around what your household watches. This data is also used to help marketers see how many viewers actually see their ads.

When I went through the privacy settings on my LG set after a firmware update, I discovered the TV was monitoring all HDMI inputs, not just built-in apps. And when I tried to opt out, the TV refused to let me use any of its “smart” features unless I agreed to those terms.

Other manufacturers handle it differently, though not necessarily better. Samsung buries its ACR disclosure deep in its privacy statements, and while there’s an option to disable “SyncPlus and Interactive Functions,” it’s not clear how complete that shut-off really is.

Amazon’s Fire TV–powered televisions create digital fingerprints from the shows and ads you watch, saying the goal is to verify ad impressions and “reduce repetition,” but that still means every pixel and sound might be analyzed.

Roku is the most open about its practices – and even brags about winning an Emmy for their TV spying technology – mostly because it uses that transparency to sell advertisers on the value of its data. The company even boasts about its ability to track what games are being played on connected consoles and for how long people play them.

Google TV is the biggest mystery of the bunch. There’s little public information about whether Google itself runs ACR or leaves it to each manufacturer. HiSense, for instance, admits to collecting both audio and video data through its Google TV sets. I couldn’t find any comparable details from Sony (a larger maker of Google TV sets), which suggests the fine print may only appear on the TVs themselves, hidden behind those long on-screen agreements few people read before clicking “accept.”

For anyone worried about this kind of data collection, the best defense is to treat your TV as just a display. Disconnect it from the internet and use a separate streaming box instead. I use an Apple TV for that reason—it isn’t perfect, but it’s far less aggressive about data sharing than the others. Consumer Reports maintains a useful guide explaining how to disable tracking features across most major brands, which I’d recommend checking out.

After reading through my LG’s privacy policy line by line, I was startled to realize how much of my personal life could be analyzed simply because it passes through an HDMI cable or streamed to it over my local network. The notion of “the privacy of your own home” is quickly becoming eroded by our “smart” technologies.

See more analysis pieces on my YouTube channel!

Is Your Generic Android TV Box Compromised?

In my latest video I dive into the security concerns surrounding generic Android TV boxes.

These devices, often found on platforms like Amazon, Walmart, and AliExpress, have been reported to contain spyware and malware that can execute in the background without the user’s knowledge. This malware can perform various nefarious activities, including click fraud, where the box clicks on ads generating revenue for the people operating the command and control server.

What’s more concerning is that these boxes have the potential to do just about anything from your IP address as they are located behind your router or firewall. Given that these devices are often connected to our Google accounts, this could mean that someone could potentially access your YouTube account, Gmail account, and any other services attached to Google through the TV box.

To ensure your Android TV device is secure, Google suggests checking if your device is Play Protect certified. This can be done by going into the Google Play Store on your device, navigating to the ‘Play Protect’ section, and checking if your device is certified. However, this process can be a bit tricky on devices running the Google TV OS, as the Google Play Store is not readily accessible.

In my video, I demonstrated how to check for Play Protect certification on the Onn 4k Google TV box, a device running the Google TV OS. Despite not being listed on Google’s list of Android TV partner products, the Onn box was found to be Play Protect certified, suggesting that it is a secure device.

However, given the potential security risks associated with non-certified devices, I recommend sticking to name-brand ones. There are good and affordable name brand options available, such as the Onn box from Walmart along with the Chromecast with Google TV (affiliate links). And for power users the Nvidia Shield TV Pro (affiliate link) is still the top device.

While generic Android TV boxes may be tempting due to their low price, the potential security risks they pose just isn’t worth it. It’s always better to opt for a certified, name-brand device to ensure your privacy and security.