Vizio TVs caught tracking viewing habits, selling data to advertisers

Vizio has won a significant chunk of the US television market, but new data on the company’s advertising tracking could put the kibosh on its holiday sales. If you own a Vizio television, chances are it’s monitoring what you watch — then selling that information to various advertisers and other firms. More troublingly, Vizio shares this information to advertisers in ways that allow them to target you on other platforms.

ProPublica reports that Vizio has stepped beyond companies like LG and Samsung, which offer some similar features but require users to activate them and do not share personal information with advertisers to allow for additional user tracking. Vizio, in contrast, states that ““non-personal identifiable information may be shared with select partners … to permit these companies to make, for example, better-informed decisions regarding content production, programming and advertising.”

“Non-personally identifiable information” is a contradiction in terms, particularly when the companies in question have access to mobile data. The entire point of Vizio’s advertising push is to sell this information to companies so they can track you on multiple devices. In order to do that, they’re going to need to find those devices. If an advertiser can pick up on the fact that you watch, say, Arrow in order to send you ads enticing you to watch The Flash, then that advertiser effectively knows you who you are. Specifically, Vizio monitors video streams, whether you are watching Netflix or traditional cable. It performs analysis to determine if you watched content live or recorded it. Then it links that data to your home IP address. While home IP addresses have generally been found to not equate to personally identifiable information in a court of law, they’re more than enough for advertisers. Data companies like Experian offer a “data enrichment service” that tie “hundreds of attributes” to IP addresses.

Vizio recently updated its privacy policy to note that it “may combine this information with other information about devices associated with that IP address.” In other words, your “smart” TV is smart enough to hunt for other devices that connect to the local network and to sell that information. Vizio does not appear to encrypt IP addresses before selling them, which makes the information it provides to third parties very personal indeed. Cable and video rental companies are forbidden by law to monetize user-specific content viewing, but Vizio is claiming that its business isn’t bound by that restriction.

The Internet of Stings

We’re seeing the same scenario play out time and time again. Samsung claims to take security seriously, then lies about the capabilities of its own products. Verizon is openly selling personal information to advertisers. Lenovo managed to ship the worst consumer security flaw since the Sony rootkit debacle and load Windows PCs with bloatware installers embedded in their firmware. Oracle told its customers to stop performing security audits and analysis of Oracle software in August, then released a jaw-dropping 154 patches at the end of October, many for critical vulnerabilities in enterprise software. Show-stopping security flaws can be used to shut cars off while driving, and even companies like Nvidia are planning to require an email address registration for future GeForce drivers. Granted, this last is minor compared to the other issues at hand, but I raise it because it’s part of a larger trend.

Companies in America have taken the advent of free services like Facebook and Google to declare that the mere act of existing in proximity to their own products constitutes permission to spy on you. Vizio does not use the information it collects about your viewing habits to offer any kind of improved services or products, and it explicitly disavows any need to protect that information or restrictions placed upon other companies that prevent its monetization.

Adding Internet capability and advanced processing features, in other words, doesn’t turn the TV into a new multimedia hub with awesome new functionality. Instead, it becomes ade facto beachhead that the company argues can be used to gather and sell user data with impunity. The data brokerage firms that handle these relationships, like Experian, Neustar, Tapad, Acxiom, and others are extremely reluctant to discuss their practices or partners, citing secure contracts and private agreements. Note, however, that all of the privacy and security is arrayed against the individual. The act of buying a Vizio television means agreeing that Vizio can monitor everything you watch with it and sell that information to others, unless you specifically opt-out. Ask the companies in question to name who they work with, however, and you’ll hit a wall.

These attacks on user privacy might be more forgiveable if the companies in question could actually be trusted to secure the data in question. Unfortunately, they can’t — what isn’t exposed by terrible security practices is broken by malice. Vizio customers who want to opt out of this incredibly questionable practice will find instructions on how to do so here.