Posted by Matt on November 19, 2013 Tagged with: tech
Someone in the UK calling themselves "DoctorBeet" discovered that his LG "smart" TV was reporting information about his viewing habits back to LG. This included the names of files that were played off of external USB devices. This behavior continued even after DoctorBeet found and disabled the "Collection of watching info" option.
(As several commenters on DoctorBeet's post have pointed out, the fact that the web site the TV is sending the data to returns a "404 File Not Found" error doesn't mean that the data isn't being logged. Faking that kind of thing would be trivial.)
If this is true, it represents an egregious invasion of customers' privacy by LG. The fact that the data continues to be transmitted even after the user has opted out is truly despicable. It's the kind of thing that makes your average concerned citizen sit up and declare: How can they get away with this? There oughta be a law!
Well, there is. In fact, there are several.
In Canada, the collection of private information is regulated by a number of privacy statutes. Alberta, BC and Quebec have general purpose statutes regulating any collection of personal information by commercial enterprises. Ontario, New Brunswick and Newfoundland & Labrador each have statutes which only regulate the collection of personal health information. (The fact of your addiction to House M.D. probably doesn't fall into this category.) The collection of personal information in provinces and territories which don't have their own privacy statutes is regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal statute.
The gist of PIPEDA and the provincial privacy statutes is that enterprises which collect personal information are required to inform the people whose information is being collected of the collection and of the purposes to which the collected information will be put, and to obtain their consent. For example, Schedule 1 of PIPEDA has this to say about consent:
4.3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2 The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
There are (of course) exceptions, but that's the general principle. We don't know anything about the terms & conditions that DoctorBeet may have agreed to when he purchased his TV, so we can't really make any statements on whether they satisfy this standard. However, given that no one expects their TV to be phoning home with information about their viewing habits, I'd suggest that any terms dealing with it would have to be made very clear to the customer. Burying the fact that this information is collected in the middle of 5 pages of 8-point font probably won't cut it.
Of course, there's a threshold issue of whether your viewing habits are "personal information" under the law. PIPEDA defines personal information as "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization". Courts, tribunals and the Federal Privacy Commissioner have given this phrase a broad interpretation. I'd guess that, if LG had any way to connect viewing habits to a specific customer (i.e., if they could cross-reference viewing habit information with warranty information), a court would have no trouble finding that viewing habits were personal information.
Of course, DoctorBeet isn't in Canada. He's in the UK, which has its own privacy law: the Data Protection Act. I don't know anything about the Data Protection Act so I'm not going to opine on its application here, but the Information Commissioner's Office has a lovely FAQ.
(Hat tip to Boing Boing for this one.)
(Update: A friend points out that these are likely the same LG TVs that Telus is currently giving away to customers willing to sign a 3-year Optik TV contract. So be aware that when you sign that contract, you might be signing up for more than just high-def TV service.)