LG Smart TVs logging USB filenames and viewing info to LG servers

I was on helpowl.com to see if there were any notices ... there were none.

Cluley may have gotten away without an apology but he can recover from this blunder by directing customer support to contact all their registered product owners with an explanation and 'personal' apology. They should also let them know that a firmware fix is available with a link to the official download site. Email addresses are required for registration so this should be easy. I have registered my LG Smart TV, so let's see if they seize this window of opportunity to manage it with some finesse and goodwill. My gut feel is that they will just plunk the fix on the website without notification and the owners will continue to be exposed. This would be admitting that 'customer care' is lacking at LG.

 

It is up to individuals to spread the word, in part because many people know NOT to register products or otherwise give manufacturers personal info. Perhaps we'll each hear "Is this the LG TV that was in the news for spying on people?" at electronics stores this holiday season

 

Why not? I registered online. It was not intrusive. Name, address, product type and serial number. I provided my email address for online notifications. I deselected offers/promotions. I have never received anything from them in the way of ads, or from any other like seller either by snail mail or to my in-box, so they honored their privacy statement. By registering I get online support, firmware upgrades and recall notifications. I know that my warranty is not voided if I do not register, but it does mean that I do not need to keep receipts if I were to make a warranty claim. Registering also helps with insurance claims (receipts burn).

 

Those who are interested in privacy (does this include you?) avoid the sharing of information with commercial companies unless/until there is a legitimate and compelling need to do so. From the consumer's POV mind you. They do this because to share information is to lose control over it. You can't control, or even reliably determine, how the company uses the information... whether it is sharing it in some way with other parties, whether it is using the information in some way that you wouldn't like, etc. Even giving out a unique name, physical address, and email address to a company (a technique used to monitor for information sharing, compromises of databases, etc) won't guarantee you will know what is happening. Very few people even do this, especially when it comes to names, physical addresses, and particularly phone numbers.

If you provide personal information along with a unique identifier, that personal information becomes linked to/with that unique identifier and also any other unique identifiers that may become linked to the first one. This is of considerable concern to privacy oriented people when the context is computer/networking equipment that can collect and transmit various sorts of information along with a unique identifier to a manufacturer and/or other parties that can lookup the personal information associated with that unique identifier. For example, does the X-Device-ID phoned home by this TV (along with viewing information, etc) reveal to LG the serial number of the device and, in cases where someone has registered their serial number, the personal information for someone who was doing that viewing? That is but one of numerous possibilities that would have to be carefully looked for/into and ultimately may be impossible to rule out due to encryption/encoding of unique identifiers before they are sent and lookups being done server-side.

One should not have to register or create an account in order to gain access to software/firmware updates for a product such as this. Having to do so would be a red flag. FWIW: http://www.lg.com/uk/support-product/lg-42LN575V#.

For insurance purposes I would suggest:

- Scan or take picture of receipt
- Scan or take picture of product label which often contains other important information
- Take picture of product
- Protect these files and include in off-site backups in case of fire or other disaster.

There is the possibility that by sharing contact information in advance you will be actively informed of an important safety/security issue that you haven't (yet) learned of via some other means. Whether that positive possibility outweighs the negative possibilities is up to each consumer to weigh. If we were talking about a car, or a gas appliance, I could easily understand one feeling compelled to share their contact information. I just don't see it in the case of a Smart TV though, mainly because the potential negative consequences are so serious.

 

That vaguely rings a bell now that you mention it. FWIW, after glancing at that legislative page, I went to Wikipedia and spotted "Until 2013, dealers in television receiving equipment were required by law to provide TV Licensing with identifying information about everyone who buys or rents such equipment. However this requirement has been lifted by the Enterprise and Regulatory Reform Bill passed in 2013." with footnote http://www.publications.parliament.uk/pa/bills/cbill/2012-2013/0007/en/13007en.pdf a section of which says:

Then I went back to the legislative page and spotted the "Act repealed by 2013 c. 24 Sch. 21 para. 1" which leads to http://www.legislation.gov.uk/ukpga/2013/24/schedule/21/paragraph/1 and

IOW, it looks to me as though retailers are no longer required to do that. Do you concur?

Edit: Found this which was somewhat amusing/informative... http://tv-licensing.blogspot.com/2013/06/dealer-notification-tide-is-turning-on.html

 

The "store may also have some personal info" point still stands though, due to credit cards, someone providing a delivery address, etc. I don't know if any retailers actually do share such information with manufacturers, but there is that possibility. Along with various other scenarios where personal info could become connected with a Smart TV unique identifier. So although I'd consider not registering the safer approach, it doesn't mean you're guaranteed to be safe.

Its ironic that what makes this more severe... LG using HTTP connections that are easily sniffed... is what allowed the guy to spot the problem and warn people off. Encryption is nice until they use it to hide what they are doing!

 

To your first point (above), stores that collect 'required' personal information are more likely to share, trade or sell to third parties. It is general practice at the retail level nowadays to profile buyers. To purchase a large ticket item with cash is highly unusual, but it would be a way of avoiding this snare. The manufacturer collects the same information at registration except they also request your email address in order to provide support services. It is not mandatory, you can phone support services. When you identify yourself and your product, that info goes into the call log. I agree, you are never guaranteed absolute safety, so it becomes a managed risk. I believe there is a benefit to registering large ticket items with reputable companies. A deliberate break of trust will hurt them too.

To your second point, LG failed miserably. They have entered into dangerous territory and need to be more transparent. They have been snared and are now being watched by the hawks. They have gone from hunters to the hunted.

 

LG fumbles response to Smart TV spying revelation, withdraws Smart Ad video -
• http://grahamcluley.com/2013/11/lg-...pying-revelation-changing-official-statement/

 

I find it a show of utter contempt for it's customers how LG handles this shitstorm.

They're only sorry for the stress some media reports might have caused.
Not a single apology towards consumers for their own intentional feckup, deliberate use of non-encrypted communication of private data and making a mockery of their consumers privacy.
Unlucky Goldstar has managed to not shoot themselves in the foot but in the face, while I thought losing face was something really bad in quite a few Asian countries.

 

Dutch site Tweakers.nl reports on a statement from LG Netherlands. link
Currently a dutch firmware upgrade is being rolled out. According to LG NL, the new firmware will make sure no more 'user information' will be transmitted to LG servers.
So no more plundering of NAS and usb drive filenames, whether it's the title of a poem your child wrote or your pr0n collection. Good.

As tweakers member 'The Eagle' writes link, no filenames are being transmitted anymore, only some banner GETs to an LG subdomain from yumnetworks from the smartshare ads.
According to him, when you accept the new T&C's, LG still claims the right to collect 'user data'.
LG stated previously that what you watch, when you watch, how long you watch etc. isn't 'personal information' but 'viewing information'. link
More detailed info (and probably an IP lawyer) is needed to know exactly how LG differentiates 'viewing information', 'personal information', 'user data' and 'user information'.