
Privacy

Unroll.me — Not sorry we did it – just sorry you’re pissed off

Quote

We’re ‘heartbroken’ we got caught selling your email records to Uber, says Unroll.me boss
Not sorry we did it – just sorry you’re pissed off

Jojo Hedaya, the CEO of email summarizer Unroll.me, has apologized to his users for not telling them clearly enough that they are the product, not his website.

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.

Not a great look. So in a blog post Sunday, Hedaya apologized – not for actually selling off the contents of users’ inboxes, but for upsetting people when they found out.

“Our users are the heart of our company and service. So it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service,” he said. “And while we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough.”

Hedaya didn’t apologize for selling the data, which he said was all legitimate and above board. If users had bothered to go through the 5,000 words that make up the app’s terms & conditions and privacy policy, they would have seen the legalese that allows such practices.

Ah, bullshit. 5,000 words of legal beagle stuff that no one reads. But the point is that “you are the product”. Anybody foolish enough to use a free service to mine their emails is just plain stupid.

Researcher: 90% Of ‘Smart’ TVs Can Be Compromised Remotely

Quote
“So yeah, that internet of broken things security we’ve spent the last few years mercilessly making fun of? It’s significantly worse than anybody imagined.”

So we’ve noted for some time how “smart” TVs, like most internet of things devices, have exposed countless users’ privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible “advancements” in television technology.

As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.

And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting – Terrestrial) signals.

This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set-top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:

“By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city.”

Scheel says he has developed two exploits that, when loaded in the TV’s built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.

Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?:

“But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good.”

Democrats draft laws in futile attempt to protect US internet privacy

At present, I agree that this has a snowball’s chance in hell. But if more states take it seriously, just maybe it will negate the disgusting screwing of Internet users’ privacy by big corporate ISPs, with their bidding done by their lackeys in Congress, chief FCC lackey Pai, and signed by the poorest excuse for a leader in years, Trump.

Hah hah – drain the swamp. What a joke. He just filled it with swine dung, and does it reek worse than it ever did. Hey, maybe I should start a new category, “swine swamp.”

Oh, do I sound angry? God damn right I am.

Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.

On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.

“Thanks to Congressional Republicans, corporations, not consumers, are in control of sensitive information about Americans’ health, finances, and children. The Republican roll-back of strong broadband privacy rules means ISP no longer stands for Internet Service Provider, it stands for ‘Information Sold for Profit’,” said Senator Markey.

“This legislation will put the rules back on the books to protect consumers from abusive invasions of their privacy. Americans should not have to forgo their fundamental right to privacy just because their homes and phones are connected to the internet.”

The bill has been cosponsored by ten senators, all Democrats except for the independent Bernie Sanders. No Republicans have added their name to the legislation – nor shown any support for it – which probably means it’s doomed to failure given the GOP-dominated composition of the Senate.

The new bill echoes similar legislation introduced in the House of Representatives earlier in the week. Representative Jacky Rosen, who was a software developer before she got into politics, has introduced the Restoring American Privacy Act of 2017.

“As someone who has first-hand experience as a computer programmer, I know that keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers,” said Representative Rosen (D-NV).

“I will not stand by and let corporations get access to the most intimate parts of people’s lives without them knowing and without consent. It is appalling that Republicans and President Trump would be in favor of taking Americans’ most personal information to sell it to the highest bidder.”

The FCC rules would have required internet users to sign up to allow their browsing histories to be sold, and put an increased onus on ISPs to protect their private data. One of the first acts of the new administration was to drop the FCC rules and legislate against them, with President Trump signing off on the legislation on Monday.

Facing a public backlash, the major ISPs have promised that they won’t sell off an individual’s browsing history – but left the door open for selling the data as part of a group. Customers will also have the choice to opt out, but you can bet the form to do so will be in the internet equivalent of a locked filing cabinet carrying a sign reading “Beware of the leopard.”

The bills will be welcomed by many but, realistically, have no chance of passing unless a sizable number of Republicans cross the floor. That’s not going to happen, so individual states have been taking action of their own.

Last week, Minnesota and Illinois legislatures began enacting legislation to provide privacy protections for internet users, and now New York has done the same. Senator Tim Kennedy (D-Buffalo) has introduced legislation to stop ISPs selling off their customers’ browsing histories.

“When voters across the country elected this House and US Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” said Senator Kennedy.

“This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real-world consequences.”

It’s possible the ISPs could have bitten off more than they can chew on this one by seriously underestimating quite how angry this issue has made people. Despite frantic PR moves, more and more states are now taking matters into their own hands – which is just as the Founding Fathers designed the system.

SOURCE: HERE

Corrupt Politician Signs Bill Rescinding America’s Digital Privacy Protections While Grunting

Oh and of course he said he was “for the little guy right.” Bullshit. Oink Oink Grunt Grunt.

So let’s do some work via the Register

Ajit Pai, the chief lackey… errh, chairman of the FCC, said:

“President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers.”

BULLSHIT on the last part of that sentence, that the rules were “designed to benefit one group of favored companies, not online consumers.”

The rules were developed entirely and absolutely to protect online consumers. They required ISPs to get an opt-in from customers for sensitive information, to offer an opt-out for other uses of that data, and to ensure that they appropriately protected that data.

The other Republican commissioner on the FCC, Mike O’Rielly, had his own statement that, unfortunately, layered bullshit upon bullshit.

“I applaud President Trump and Congress for utilizing the CRA to undo the FCC’s detrimental privacy rules,” he said. “The parade of horribles trotted out to scare the American people about its passage are completely fictitious, especially since parts of the rules never even went into effect. Hopefully, we will soon return to a universe where thoughtful privacy protections are not overrun by shameful FCC power grabs and blatant misrepresentations.”

What O’Rielly does, however, is pinpoint the beating heart of the bullshit: the claim that since something hasn’t happened yet, it means that it won’t happen.

For someone who is a commissioner at a federal regulator, this willful blindness over how the real world works is borderline obnoxious.

Here is the absolute solid reality of what this decision to scrap the FCC rules means:

ISPs were previously able to do what they can do now, i.e., sell their customers’ private data.
But they were previously at risk of being investigated by the FTC and then, later, the FCC.
If they had been found to have broken data privacy rules, they faced huge fines and most likely the requirement to get prior approval from the FTC/FCC before doing anything similar in future.
Now, however, there is no backstop. The FTC does not have jurisdiction. And nor does the FCC. The ISPs currently exist in a regulatory-free world.

What this means is significant and it is the source of (Democrat) claims that ISPs will soon be selling your private data and the counter-claims (by Republicans) that people are fear-mongering and inventing problems. Source: Here

Swine — oh wait, that is unfair… to the swine, I mean.

‘Amnesia’ IoT botnet feasts on year-old unpatched vulnerability

Why anyone would want to connect any home device to the internet at this stage in the game is beyond me.

“Hackers have brewed up a new variant of the IoT/Linux botnet “Tsunami” that exploits a year-old but as yet unresolved vulnerability.

The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide.

The vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed, specialists at Unit 42, Palo Alto Networks’ threat research unit, warn.

The Amnesia botnet is yet to be abused to mount a large-scale attack but the potential for harm is all too real.

“Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems,” the researchers warn. “A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall [autumn] 2016.”

El Reg asked TVT Digital, based in Shenzhen, China, for a response to Palo Alto’s warning but are yet to receive a reply. We’ll update the story as and when we hear more.” Source: Here

The House voted to wipe away the FCC’s Internet privacy protections

SJ 34 would repeal safeguards that prohibit Internet service providers (ISPs) from sharing data, such as e-mails and web history, with third parties without user consent. It would also do away with transparency requirements, which mandate that ISPs provide easily accessible privacy notices to customers and advanced notice prior to changes… Assuming Trump signs the measure, Internet providers will be freed from those obligations, which would otherwise have taken effect later this year. With this data, Internet providers can sell highly targeted ads, making them rivals to Google and Facebook, analysts say.

Internet providers also will be free to use customer data in other ways, such as selling the information directly to data brokers that target lucrative or vulnerable demographics.

“ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you,” wrote Gigi Sohn, a former FCC staffer who helped draft the privacy rules, in a recent blog post on the Verge.

Selling your data is merely one of the four ways in which Internet providers intend to make money off consumers. The others include selling you access to the Internet, as they have traditionally done; selling access to media content they’ve acquired by purchasing large entertainment companies; and selling advertising that directly targets you based on the data the provider has collected by watching how you use the Internet and what content you consume.

Sources: The Hill, Washington Post

Here is the roll call of the miscreants who voted to repeal. Source: Senate.gov

Miscreants who voted for the bill:
Alexander (R-TN), Barrasso (R-WY), Blunt (R-MO), Boozman (R-AR), Burr (R-NC), Capito (R-WV), Cassidy (R-LA), Cochran (R-MS), Collins (R-ME), Corker (R-TN), Cornyn (R-TX), Cotton (R-AR), Crapo (R-ID), Cruz (R-TX), Daines (R-MT), Enzi (R-WY), Ernst (R-IA), Fischer (R-NE), Flake (R-AZ), Gardner (R-CO), Graham (R-SC), Grassley (R-IA), Hatch (R-UT), Heller (R-NV), Hoeven (R-ND), Inhofe (R-OK), Johnson (R-WI), Kennedy (R-LA), Lankford (R-OK), Lee (R-UT), McCain (R-AZ), McConnell (R-KY), Moran (R-KS), Murkowski (R-AK), Perdue (R-GA), Portman (R-OH), Risch (R-ID), Roberts (R-KS), Rounds (R-SD), Rubio (R-FL), Sasse (R-NE), Scott (R-SC), Shelby (R-AL), Strange (R-AL), Sullivan (R-AK), Thune (R-SD), Tillis (R-NC), Toomey (R-PA), Wicker (R-MS), Young (R-IN)

Voted against:
Baldwin (D-WI), Bennet (D-CO), Blumenthal (D-CT), Booker (D-NJ), Brown (D-OH), Cantwell (D-WA), Cardin (D-MD), Carper (D-DE), Casey (D-PA), Coons (D-DE), Cortez Masto (D-NV), Donnelly (D-IN), Duckworth (D-IL), Durbin (D-IL), Feinstein (D-CA), Franken (D-MN), Gillibrand (D-NY), Harris (D-CA), Hassan (D-NH), Heinrich (D-NM), Heitkamp (D-ND), Hirono (D-HI), Kaine (D-VA), King (I-ME), Klobuchar (D-MN), Leahy (D-VT), Manchin (D-WV), Markey (D-MA), McCaskill (D-MO), Menendez (D-NJ), Merkley (D-OR), Murphy (D-CT), Murray (D-WA), Nelson (D-FL), Peters (D-MI), Reed (D-RI), Sanders (I-VT), Schatz (D-HI), Schumer (D-NY), Shaheen (D-NH), Stabenow (D-MI), Tester (D-MT), Udall (D-NM), Van Hollen (D-MD), Warner (D-VA), Warren (D-MA), Whitehouse (D-RI), Wyden (D-OR)

Not voting:
Isakson (R-GA), Paul (R-KY)

The Death of Smart Devices?

With the release by WikiLeaks today that details how U.S. spy agencies can hack into phones, T.V.s and other “smart devices,” I am wondering if this will slow down the mindless adoption of such devices by consumers.

….probably not, there is no shortage of mindlessness.

Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”…

If C.I.A. agents did manage to hack the smart TVs, they would not be the only ones. Since their release, internet-connected televisions have been a focus for hackers and cybersecurity experts, many of whom see the sets’ ability to record and transmit conversations as a potentially dangerous vulnerability.

In early 2015, Samsung appeared to acknowledge the televisions posed a risk to privacy. The fine print terms of service included with its smart TVs said that the television sets could capture background conversations, and that they could be passed on to third parties.

The company also provided a remarkably blunt warning: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Source: NYT article here

Google Voice, Siri, Alexa, IoT devices — Just say No

Cloud Pets! Your Family & Intimate Messages exposed to all sorts of Miscreants

… Now I know the average parent spends a good deal of their time on Facebook and other “look at me .. look at me” social media and couldn’t care less about hard-to-understand things like IT security.

BUT THESE ARE YOUR CHILDREN AND YOU NEED TO PROTECT THEM!

…sorry, as a parent, this stuff makes my blood boil. Look, parents, you scour the pedophile databases for your neighborhood, but leave the barn door open on the Internet. If you think governmental entities are going to protect you, you are only fooling yourselves. Companies peddling these things are about making the maximum amount of money at the lowest possible cost. They will **NOT** invest in expensive and complex security. Why? They do not have to. By the time the breach is discovered, they have made their millions. And there are absolutely no teeth in any governmental mandates to provide security, if any really exist in the first place.

OK, on with the story!

The personal information of more than half a million people who bought internet-connected fluffy animals has been compromised.

The details, which include email addresses and passwords, were leaked along with access to profile pictures and more than 2m voice recordings of children and adults who had used the CloudPets stuffed toys.

The US company’s toys can connect over Bluetooth to an app to allow a parent to upload or download audio messages for their child.

Of course the company denied it and shot at the messenger.

CloudPets’s chief executive, Mark Myers, denied that voice recordings were stolen in a statement to NetworkWorld magazine. “Were voice recordings stolen? Absolutely not.” He added: “The headlines that say 2m messages were leaked on the internet are completely false.” Myers also told NetworkWorld that when Motherboard raised the issue with CloudPets, “we looked at it and thought it was a very minimal issue”. Myers added that a hacker would only be able to access the sound recordings if they managed to guess the password. When the Guardian tried to contact Myers on Tuesday, emails to CloudPets’s official contact address were returned as undeliverable.

Troy Hunt, owner of data breach monitoring service Have I Been Pwned, drew attention to the breach, which he first became aware of in mid-February. At that point, more than half a million records were being traded online. Hunt’s own source had first attempted to contact CloudPets in late December, but also received no response. While the database had been connected to the internet, it had more than 800,000 user records in it, suggesting that the data dump Hunt received is just a fraction of the full information potentially stolen.

The personal information was contained in a database connected directly to the internet, with no usernames or passwords preventing any visitor from accessing all the data. A week after Hunt’s contact first attempted to alert CloudPets, the original databases were deleted, and a ransom demand was left, and a week after that, no remaining databases were publicly accessible. CloudPets has not notified users of the hack.

Hunt argues the security flaws should undercut the entire premise of connected toys. “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.

“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”

John Madelin, CEO at IT security experts RelianceACSN, echoes Hunt’s warnings. “Connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2m voice recordings were stored online, but not securely, along with email addresses and passwords of 800,000 users, this is unforgivable.” Source: Guardian Article Here

Now for the technical side, here are some tidbits from the researcher. Full article here.

“Clearly, CloudPets weren’t just ignoring my contact, they simply weren’t even reading their emails”

There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

But then I dug a little deeper and took a look at the mobile app:


This app communicates with a website at spiraltoys.s.mready.net which is on a domain owned by Romanian company named mReady. That URL is bound to a server with IP address 45.79.147.159, the exact same address the exposed databases were on. That’s a production website there too because it’s the one the mobile app is hitting so in other words, the test and staging databases along with the production website were all sitting on the one box. The most feasible explanation I can come up with for this is that one of those databases is being used for production purposes and the other non-production (a testing environment, for example).

My Friend Cayla

…Or is it My Friend Spy Cayla. And what is the difference between this and Google Voice and Siri? Not much.

Quote:

The My Friend Cayla doll has been shown in the past to be hackable

An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.

The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.

Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.

But the UK Toy Retailers Association said Cayla “offers no special risk”.

In a statement sent to the BBC, the TRA also said “there is no reason for alarm”.

The Vivid Toy group, which distributes My Friend Cayla, has previously said that examples of hacking were isolated and carried out by specialists. However, it said the company would take the information on board as it was able to upgrade the app used with the doll.

But experts have warned that the problem has not been fixed.

The Cayla doll can respond to a user’s question by accessing the internet. For example, if a child asks the doll “what is a little horse called?” the doll can reply “it’s called a foal”.
Video caption: Rory Cellan-Jones sees how Cayla, a talking child’s doll, can be hacked to say any number of offensive things.

A vulnerability in Cayla’s software was first revealed in January 2015.

Complaints have been filed by US and EU consumer groups.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

The Commission is investigating whether such smart dolls breach EU data protection safeguards.

In addition to those concerns, a hack allowing strangers to speak directly to children via the My Friend Cayla doll has been shown to be possible.

The TRA said “we would always expect parents to supervise their children at least intermittently”.

It said the distributor Vivid had “restated that the toy is perfectly safe to own and use when following the user instructions”.

Privacy laws

Under German law, it is illegal to sell or possess a banned surveillance device. A breach of that law can result in a jail term of up to two years, according to German media reports.

Germany has strict privacy laws to protect against surveillance. In the 20th Century Germans experienced abusive surveillance by the state – in Nazi Germany and communist East Germany.

The warning by Germany’s Federal Network Agency came after student Stefan Hessel, from the University of Saarland, raised legal concerns about My Friend Cayla.

Mr Hessel, quoted by the German website Netzpolitik.org, said a bluetooth-enabled device could connect to Cayla’s speaker and microphone system within a radius of 10m (33ft). He said an eavesdropper could even spy on someone playing with the doll “through several walls”.

A spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a “concealed transmitting device”, illegal under an article in German telecoms law (in German).

“It doesn’t matter what that object is – it could be an ashtray or fire alarm,” he explained.

Manufacturer Genesis Toys has not yet commented on the German warning.

Not so Smart using a Smart TV

As reported, Vizio’s Smart TVs spied on you.

Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio even retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without clearly telling consumers or getting their consent.

What did Vizio know about what was going on in the privacy of consumers’ homes? On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.

Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others. And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership. And Vizio permitted these companies to track and target its consumers across devices.

That’s what Vizio was up to behind the screen, but what was the company telling consumers? Not much, according to the complaint.

Source here

Well, for their offense Vizio was slapped with a $2.2 million fine. Sounds like a lot, right? Well, as a colleague of mine observed, that is 20 cents per TV. In other words, it was a great ROI for Vizio and points out how toothless the FTC really is.

So what to do? Turn off all the Smart TV features and boycott Vizio (that said, it appears Samsung and others are just as bad). Better yet, unplug the TV from the Internet.

Some sites suggest that Roku and Apple streaming boxes front-ending your TV are better. I am not so sure, as I know that with the Roku, at least, one needs to reset one’s ID often to clear the tracking, and there does not appear to be a permanent “kill” switch for this type of spyware crap.

I am toying with building my own set-top streaming device using the Raspberry Pi. If I do so, I will pay special attention to the privacy aspects of the embedded software I use and report findings here. Don’t hold your breath; time is at a premium here.

Anyway – welcome to the iDIoT: the Insecure Dumbed-down Internet of Things.

Nick