LG says it will push out firmware update for spy TVs, but no apologies (grahamcluley.com)
99 points by sdoering on Nov 25, 2013 | hide | past | favorite | 51 comments



Before this update hits, please, y'all techies out there, log as much network traffic as you can. Then update, then compare if you see SSL traffic that wasn't there before the update. Also compare the DNS requests before & after update. Oh, and UDP packets too. Basically, just record days worth of traffic, before and after, and upload it so people (like me?) with free time can search for anything suspicious.

EDIT: Okay, for Danieru's & verandaguy's replies to my comment[1], be sure to set in your wireshark filter "ip.addr == [IP of TV]" so we don't see anything random internet-folk are not supposed to see. That filter is traffic that is only coming from or going to the TV. Also Danieru, if your CC is flying around unencrypted in network traffic... something and/or someone has made a mistake elsewhere.

EDIT2: I'll also take this time to promote http://cloudshark.org/ , not because I have anything to do with the website. I just think it's super cool. You can upload a pcap file and it'll give you a unique url you can share with others.

EDIT3: It'd be cooler still if you could actually capture the firmware binary being downloaded to the TV!

1. http://i.imgur.com/OHJAPGH.png
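The before/after comparison this comment asks for, as an added example that is not part of the thread: a small Python script that applies the equivalent of the `ip.addr == [IP of TV]` filter so nobody else's traffic reaches the shared data, buckets the TV's outbound flows into DNS names, TLS endpoints and other UDP destinations, and reports what is new or gone after the update. The flow records, the TV address `192.168.1.50` and the `.example` hostnames are constructed sample data, not a real capture; in practice the records would be exported from the pcap.

```python
"""Compare a smart TV's outbound network activity before and after a firmware update.

Added example (not from the thread): the flow records below are constructed,
not captured. In practice they would be exported from a pcap after applying the
Wireshark display filter ip.addr == <TV IP>, which tv_traffic() reproduces here
so that other hosts' traffic never ends up in the data being shared.
"""

# Assumed LAN address of the TV (placeholder, not from the thread).
TV_IP = "192.168.1.50"

# Each record: (src_ip, dst_ip, proto, dst_port, info).
# "info" holds the queried name for DNS records and the TLS server name (SNI)
# for port-443 records; empty where neither applies. Addresses come from the
# RFC 5737 documentation ranges and names are .example: constructed sample data.
BEFORE = [
    ("192.168.1.50", "192.168.1.1", "UDP", 53, "time.lge.example"),
    ("192.168.1.50", "203.0.113.10", "TCP", 443, "time.lge.example"),
    ("192.168.1.50", "192.168.1.1", "UDP", 53, "youtube.example"),
    ("192.168.1.50", "203.0.113.20", "TCP", 443, "youtube.example"),
    ("192.168.1.50", "192.168.1.1", "UDP", 53, "ads.lge.example"),
    # Another household machine; must be filtered out before anything is shared.
    ("192.168.1.20", "198.51.100.5", "TCP", 443, "bank.example"),
    ("198.51.100.5", "192.168.1.20", "TCP", 52000, ""),
]

AFTER = [
    ("192.168.1.50", "192.168.1.1", "UDP", 53, "time.lge.example"),
    ("192.168.1.50", "203.0.113.10", "TCP", 443, "time.lge.example"),
    ("192.168.1.50", "192.168.1.1", "UDP", 53, "youtube.example"),
    ("192.168.1.50", "203.0.113.20", "TCP", 443, "youtube.example"),
    # New after the update: a DNS name, a TLS endpoint and a bare UDP flow.
    ("192.168.1.50", "192.168.1.1", "UDP", 53, "metrics.lge.example"),
    ("192.168.1.50", "203.0.113.30", "TCP", 443, "metrics.lge.example"),
    ("192.168.1.50", "203.0.113.40", "UDP", 8899, ""),
    ("192.168.1.20", "198.51.100.5", "TCP", 443, "bank.example"),
]


def tv_traffic(records, tv_ip=TV_IP):
    """Keep only records with the TV as source or destination (ip.addr == tv_ip)."""
    return [r for r in records if tv_ip in (r[0], r[1])]


def summarize(records, tv_ip=TV_IP):
    """Bucket the TV's outbound flows: DNS names, TLS endpoints, other UDP endpoints."""
    summary = {"dns": set(), "tls": set(), "udp": set()}
    for src, dst, proto, port, info in tv_traffic(records, tv_ip):
        if src != tv_ip:
            continue  # replies to the TV add no new destination information
        if proto == "UDP" and port == 53:
            summary["dns"].add(info)
        elif proto == "TCP" and port == 443:
            summary["tls"].add((dst, info))
        elif proto == "UDP":
            summary["udp"].add((dst, port))
    return summary


def diff_summaries(before, after):
    """For each bucket, report endpoints seen only after and only before the update."""
    return {
        key: {"new": after[key] - before[key], "gone": before[key] - after[key]}
        for key in before
    }


def report(before_records, after_records, tv_ip=TV_IP):
    """Human-readable lines describing what changed in the TV's outbound traffic."""
    changes = diff_summaries(summarize(before_records, tv_ip),
                             summarize(after_records, tv_ip))
    lines = []
    for key, delta in changes.items():
        for item in sorted(delta["new"], key=str):
            lines.append(f"NEW  {key}: {item}")
        for item in sorted(delta["gone"], key=str):
            lines.append(f"GONE {key}: {item}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

The filter step comes first deliberately: `tv_traffic()` is applied before any summarising, so the laptop's banking connection in the sample never appears in the output, which is the point the EDIT about the Wireshark filter makes. The `udp` bucket catches flows that are neither DNS nor TLS, the "UDP packets too" the comment asks people to look at.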


Is it assumed the update will be OTA? For Sony TVs it can be put on a USB stick - which means there's a binary to reverse.


[deleted]


Are those things your TV would know about?


Why the snide remark? Was there something unreasonable about what he said?


Yes, the part where you asked people to send complete logs of their network traffic to anonymous strangers like yourself.


Is it not completely obvious to filter out other traffic that is unrelated? How verbose must one be?


... But wouldn't that alone require the data collector (e.g. whoever you're asking for the data) to sift over their logs in the first place, segregating what they know is their own traffic from something generated by a TV or other smart appliance?

Evidently, either I'm slow in understanding your reasoning, or you should be more verbose.


I have an idea, how about we delegate the job of data collecting to those who 1) have the resources to easily segregate their TV traffic from the rest of their network, or 2) don't have any problems publicizing their non-relevant traffic (because it doesn't contain anything sensitive).


You can filter your traffic with a few clicks for a specific stream/connection/device.


Sorry, I did not mean to be snide, I thought smtddr was setting up the joke and relying on someone to hit the punchline. I also thought the "people like me" was part of the joke implying "identity thieves like I am pretending to be".

Edit: I should also mention why I did not take his request seriously. Now that all Ethernet networks use switches and not hubs you will only see traffic involving your desktop. The exception being a laptop connected to the same wifi as the TV provided said wifi is unencrypted.

Thus in the common case if you ask a random person to log their network they will only log their own computer's traffic.


>Thus in the common case if you ask a random person to log their network they will only log their own computer's traffic.

Wrong. The common case is wifi.


The common case of hacker news readers is not unencrypted wifi.


No one said unencrypted. Also, encrypted wifi can still be captured if you know the password to your own network.

Learn something: http://ask.wireshark.org/questions/17200/sniff-wpa2-network


"I think my TV is spying on me."

90's: "You should talk to a psychiatrist."

2013: "You should talk to my cousin Ernie, he's an IT whiz."

via https://twitter.com/kennwhite/status/403584069923270656

Says something about what's happened in technology and privacy over the last few decades.


> Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information.

Wrong. If you would otherwise have to be in my house to know something, what you have is personal information.


I think in Europe it's not clear that it would fit under the definition of Personal Data under the data protection act:

http://www.ico.org.uk/for_organisations/data_protection/the_...

-----------------------------------

Personal data means data which relate to a living individual who can be identified –

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

------------------------------------------

... the big question is whether an IP address can be used to identify someone. It certainly can for ISPs, because they lease IP addresses. And IP addresses can certainly identify people down to neighbourhoods. But LG might be able to claim they have anonymised it sufficiently.

Of course, it's also possible that:

a) LG customers have registered their TV with LG, including identifying information, leading LG to be able to put two and two together.

or

b) There's data sharing between LG and a third party such as an ISP.


(please note I'm not excusing LG just trying to parse the double speak)

So in FCC land cable operators know what you watch, their box is tuning to it and they're able to log this information for diagnostic purposes. They're also allowed to share some of this information as long as it's not personally identifiable information. I.e. "2000 people viewed CSI NY", not "J. Rockway from 123 Main St. viewed CSI NY".

They're trying to make the distinction here (though doing it poorly) likely to save themselves some privacy complaints later.


I have to admit being a little surprised about the uproar over the LG situation when I assumed it was common knowledge that cable/satellite boxes/DVRs are sending your viewing data back to the operating company.


> DVR

Which DVRs? Mine had better not be doing that.


Perhaps that's a tell: they don't see viewing information as personal, but instead belonging either to LG or to the content owners, who may just pay LG to hand over in some form.


Yeah LG, cut the newspeak: it's not an OR, it's an AND.


>> although the data is not retained by the server.

> Well, that’s something I suppose. Although presumably it is retained for some period of time, otherwise how would the adverts and recommendations be possible?

So, basically they flat-out lied about the data retention.

If the UK Information Commission doesn't apply the largest fine ever recorded it will show they're entirely toothless.

When will government stop protecting the financial interests of mega-corps and start doing something to favour the demos.


> Well, that’s something I suppose. Although presumably it is retained for some period of time, otherwise how would the adverts and recommendations be possible?

> So, basically they flat-out lied about the data retention.

That isn't the case. The system could build a representation of the viewer's preferences when the data is received, then discard the data. That means the data isn't retained (for any normal definition of "retained").


It does hinge on the definition of retention - but the definition here is to contrast not being retained at all. So even retaining it long enough to digest it (which IMO is still data retention) is to be considered retention because the claim is that there is actually no retention at all.

~"Data is not retained" here should mean something like the port that data is being sent on is closed, or the packets input on that port are dropped by a firewall.

Minimal retention is still "retention".


Your terminology may make sense to you, but it isn't commonly used or understood that way.

The more common term for what you describe is "processed"

Additionally, there are legal issues around that definition. For example, redefining "retention" to really mean "processed" means that things like proxies may suddenly become liable for things like copyright violation.


A proxy or cache doesn't substantively process the data. Here they are processing it if they are constructing anonymised models from it as you suggest may be the case. If they're processing it then they need to retain it long enough to perform those operations.

In the case at hand if they're processing it then they've "retained" it long enough to do that which is contrary to the spirit of the statement that it was 'fine that data was being sent to them as they weren't using it'. They used different words but this is the point of contention.

Either they discarded the data without further processing, amalgamation, statistical analysis, model construction, archiving or anything else or they used the data.

If they used the data in any way then it's a constructive lie even if there is some weaselling way in which their statement can be construed to be true.


I don't know about others, but I don't need a stinking apology. I need to stay away from LG as a company per se, and it's great timing because this thanksgiving I'm getting an 80" TV, and trust me, it WILL NOT be from LG.

Hope LG made up the $ difference by selling customers' info, or whatever else they do/did/continue doing with this data.


Apologies after getting caught are never genuine anyway. I don't know why it's gotten so trendy to call for people to "apologize" all the time; how about holding them accountable for the bad thing they actually did?


Nothing embodies thanksgiving more than buying huge-ass TVs.

(Don't worry, the Australian economic stimulus where people were given $900 resulted in a boom in TV sales, too.)


Do you really need an 80 inch TV? Have you considered the top of the line 65 inch Panasonic ZT60? It's the best looking TV available these days.


Le sigh. "Regrets concerns the reports may have caused" but yanno, not the oops, privacy didn't matter to us. LG: The place where customers are still numbers and lawyers get to write the press releases?


What the hell does 'le sigh' mean?



It's a reddit rage comic thing.


No, it's a Pepé Le Pew thing


I think I should set up wireshark on my network asap. I never used my TV's "smart" features, and the only reason I even have it connected to the network is for its youtube app (because building a youtube app for roku apparently takes longer than building a rocket that can land itself...)

Also, I'm fairly sure my roku is sniffing my netflix usage as well: I recently started seeing ads on the roku start page for TV shows and movies that I'd just watched on netflix: has anyone else seen this behavior?


If advertising is involved, it almost certainly is sniffing everything it can.


> even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server.

Does anyone buy the claim that their servers weren't retaining the data?

For this to be true, the TV would need to transmit to the server a notification that data should no longer be stored. While it's possible, I find it implausible that they would go to the trouble to do all of that, rather than just make it a simple client-side switch that just stops transmitting the snooped data.


They mean they haven't put the data received so far into long-term storage, because the feature wasn't considered to be in production. This is consistent with the initial report.

So to make this true, they just need to wipe their logs and not set up the database until the firmware has been pushed out.

I do wonder if erasing those logs would violate the data retention directive, though.


It is possible that they were only transferring the data to a third party (for some cash or some secret order).


Notice how it doesn't explicitly say that it's an OTA update to cover TVs currently in use. It also doesn't say if it will happen automatically in the background or if the user will be prompted to update (or not). Given how close it is to Black Friday, what are the odds that the update doesn't roll out until well after Christmas, when all those new TVs are plugged in?


Love the (metadata) buzzword thrown in. This is complete crap.


Yes, it seems that is the new word companies and governments are now using to describe data that isn't quite as sensitive as other data and thereby OK to collect.


Serious question to those of you with networked TVs: why is your TV even on the network in the first place?


My TV supports DLNA which allows me to stream video and music files from my PC or NAS drive with no intermediate box. It's not that great though. Only a limited number of file formats are supported and the interface is clumsy compared to AppleTV or XBMC.


Netflix without a device like a roku attached.


Thanks. I have an Apple TV; I hadn't even considered the possibility for the TV itself to support services like Netflix.


Are there any reports on other LG devices such as bluray players?


lol @ the example they used: "Midget_porn_2013.avi".


Then they can keep their TVs as well.

Shameless.


I guess this is why class actions are sometimes good. Even though the lawyers are the ones that enrich themselves, at least the company suffers the monetary cost so that it will think twice before repeating such shenanigans.



