Researchers from Northeastern University and Imperial College London found that smart TVs including devices from Samsung, LG and Amazon were sending data such as location and IP address to Netflix and third-party advertisers

The smart TVs in our homes are leaking sensitive user data to companies including Netflix, Google and Facebook even when some devices are idle, according to two large-scale analyses.

Researchers from Northeastern University and Imperial College London found that a number of smart TVs, including those made by Samsung and LG, and the streaming dongles Roku and Amazon’s FireTV were sending out data such as location and IP address to Netflix and third-party advertisers.

The data were being sent whether or not the user had a Netflix account. The researchers also found that other smart devices including speakers and cameras were sending user data to dozens of third parties including Spotify and Microsoft.

The findings are likely to heighten concerns about the privacy of user data on the internet just as smart devices, including televisions, are flooding homes.

In a separate study of smart TVs by Princeton University, researchers found that some apps supported by Roku and FireTV were sending data such as specific user identifiers to third parties including Google.

Roughly 68 per cent of US households had a connected TV device, including external hardware such as Roku and Apple TV, at the end of 2018, according to a Nielsen report from March. Tens of millions of these devices use content recognition technology that tracks everything you watch, to be able to target you better with TV advertising, which now accounts for about half of all digital ads.

The Northeastern University study, conducted on 81 different devices, both in the UK and the US, is the largest published experiment of its kind, and found “notable cases of information exposure”. Amazon, Google, Akamai and Microsoft were the most frequently contacted companies, partly because these companies provide cloud and networking services for smart devices to operate on, the researchers said.

A graphic with no description

“Amazon is contacted by almost half the devices in our tests, which stands out because [this means] Amazon can infer a lot of information about what you’re doing with different devices in your home, including those they don’t manufacture,” said David Choffnes, computer scientist at Northeastern University and one of the paper’s authors. “They also can have a lot of visibility into what their competitors are doing.”

By analysing network traffic, the Northeastern team concluded that third parties receive, at the very least, information about the device people are using, their locations, and possibly even when they are interacting with it. “So they might know when you’re home and when you’re not,” said Professor Choffnes. 

Because much of the data being sent out by device manufacturers was encrypted, the academics were not aware of exactly what additional data were being transmitted. “They can definitely see some [viewing] is taking place, but what they can exactly see depends on what the manufacturer is sending, which we have not made an attempt to re-engineer,” said Hamed Haddadi, computer scientist at Imperial College and another paper author.

Netflix said: “Information Netflix receives from smart TVs that are not signed in is confined to how Netflix performs and appears on screen. We do not receive any information about other applications or activity on smart TVs.”

Facebook said: “It’s common for devices and apps to send data to the third-party services that are integrated into them. This could, for example, include an app sending data to Facebook to create a login interface, or provide a Like button.”

Google said: “Like other publishers, smart TV app developers can use Google’s ad services to show ads against their content or measure the performance of ads. Depending on the user’s chosen preferences on the device and consents, the publisher may share data with Google’s that’s similar to data used for ads in apps or on the web.” 

Depending on the device manufacturer or the app owner, data sent to Google could include user location, device type and what the user is watching within a specific app so they can be targeted with personalised advertising. 

Experts warn minimal oversight exists of how smart devices store and share personal data. “People are spending more and more time on these devices, and they are placed in such critical places in people’s homes, so we need to hold them to account,” said Max Van Kleek, computer scientist at the University of Oxford, who works on smart devices and was not involved with either research paper. “The situation is dire.”

Get alerts on Internet of things when a new story is published

Copyright The Financial Times Limited 2022. All rights reserved.
Reuse this content (opens in new window) CommentsJump to comments section

Follow the topics in this article