Your smartphone is not the only device that can collect personal data about you. Your television too, at least if it's connected.

In 2012, we had already written on the subject, relaying the research of a Korean hacker, SeungJin "Beist" Lee, who warned that surfing the web from your connected TV (at the time, often Samsung, or in any case under Android) was "a huge risk", comparable to "surfing a web browser several years old." The hacking of a "smart TV" is in fact similar to that of a conventional PC - a hijacker accessing (via an infected web page, or a malware downloaded on an app store) to the server of your connected television, to access your documents, to block your TV or even to spy on you via the camera of your device.

Seven years later, several studies reveal that in addition to being easily piratable, smart TVs also expose you to the collection of personal data, for advertising purposes, just like a smartphone. "The TVs are following the same path as the one that has turned smartphone and web applications into a septic surveillance system," said Princeton professor Arvind Narayananan, who revealed the deal on Twitter.

Tracked like on a PC or smartphone

The first study echoed by the researcher is his, with 5 PhD students from Princeton and Chicago Universities. It focuses on streaming TV boxes, including Roku TV and Amazon Fire TV. But that's probably the case with most Android devices, including those used by some smart guys who go through IPTV to watch TV and VOD illegally, or even Chromecast.

Concretely, these boxes "over the top" (OTT) that connect via HDMI use technology different (but close) to IPTV, because it allows to watch Internet TV without going through offers provided by an ISP, the latter is limited to distributing IP packets, without being able to see what passes on its network. They actually allow you to access streaming "channels" through apps that offer paid subscriptions - for example, Molotov, Netflix, Google Play Movies & TV, Apple TV and Amazon Prime Video in Europe, or Vudu, Hulu and AT & T Now in the USA; but also the very illegal Volka Pro and Smart IPTV, which allow access to pirated (diverted) flows.

"As you can guess, these channels are loaded with trackers," says Arvind Narayananan. Just like it does on the web when it collects and shares "cookie" files when you surf and click on links, the Google advertising sniffer, Doubleclick, would monitor 97.5% of streaming through streaming apps TV that can be installed on Roku TV devices (via its official channel store). In total, researchers at Princeton and Chicago found trackers on 69% of the flow transiting Roku TV boxes and 89% of those from Amazon Fire TV devices.

What is collected

But what do these snitches collect, exactly? To find out, the researchers used a bot, which imitated the behavior of a human viewer who would use a TV streaming device: he installed hundreds of streaming TV apps, watched thousands of channels, and then watched what was going on. As soon as an advertisement was broadcast on a stream, the robot observed what data was collected.

First, channels collect information about the location (city and region) where the user is. Then, data likely to allow you to track you finely, but also sometimes ... to identify you. "We found that some OTT feeds contacted more than 60 cookies, and shared data with these trackers, including video titles, WiFi network names, MAC addresses, and device serial numbers," he said. 'study. In addition to unique identifiers, "strings" have also, researchers note, "leaked e-mail addresses to trackers". The titles of the collected videos are, by the way, unencrypted - so that the viewing history transits in clear on the network.

"Trackers have, more broadly, access to what you watch and the time you spend on certain programs," says Hooman Mohajeri Moghaddam, one of Princeton's researchers who worked on the study. "Basically, it's another dimension of data that adds to your profile." Arvind's Green Narayananan: "If you're using a device like Roku and Amazon Fire TV, there are many companies that can build a pretty complete picture of what you're watching." According to him, "we know very little about the intentions of these companies and their practices, including potential resales of data."

Google, with Doubleclick, and Facebook are obviously among these organizations, but many are little known to the general public. Of course, it's hard not to make the link between the low prices of TV streaming devices (between 35 and 45 euros for a Roku TV, and about the same for an Amazon Fire TV Stick) and a funding partly derived from the Targeted advertising, and therefore all these proposed carousel applications ... "For manufacturers such as Roku, advertising has exceeded sales of devices as the main source of revenue," observe also the researchers in their study. "It's unfortunate that TV streaming platforms are turning to targeted advertising as the main way to make money, and to maximize their revenue they will probably turn to data mining and algorithmic personalization / persuasion to keep people stuck on the screen as long as possible, "observes Arvind Narayananan.

Ineffective protection tools

Fun fact (or not), notes the latter, the Roku TV offers an option to "limit advertising tracking" by blocking cookies. "But activating it has increased the number of trackers contacted by the channels, and the option has prevented the sending of persistent unique identifiers (AD IDs), but not all," he says. Ditto using Pi-hole, free software that blocks ads and trackers by acting directly on the network and DNS resolution (that is, it can block DNS queries that go without your knowledge to sites advertisers and other activity trackers): "26.7% of AD ID leaks and 44.6% of serial number leaks are not detected by Pi-hole," the researchers say. Which concludes that "the privacy protection tools currently available are ineffective to prevent being tracked" via connected TV.

The chains are watching you

Another study, conducted by Northeastern University and Imperial College London, comes to the same conclusion. This time, researchers analyzed the data leak of 81 devices using the Internet of Things (IoT), not just smart TVs - because connected TVs are not the only ones that can be turned into data collection machines. : smart cameras, home appliances and connected appliances too.

According to this survey, the five connected TVs analyzed (Roku, Amazon Fire TV, but also LG TV, Apple TV and Samsung TV) "contact a large number of companies" - including Google and Netflix. In the case of the latter company, the researchers even say that "almost all tested TV streaming devices contacted Netflix ... even when we had not set up an account." What data does Netflix receive, in this case? "Information on the television model used, and where it is used".

Finally, a second study of Princeton University was conducted on 45,000 IoT devices, including a thousand TVs "connected" via 19 TV streaming devices. The researchers analyzed the network traffic of these machines, and discovered that smart TVs had contacted not less than 350 advertising agencies, advertisers and trackers - the two main ones being Google DoubleClick and GoogleSyndication. In addition, 41% of connected TVs contacted trackers that would normally be blocked by the Firefox Disconnect tool, in the case of web browsing via a smartphone or PC. In other words, most TV streaming devices are infested with the same cookies as the websites and apps we use via our mobile devices and computers. The difference being that this time, no "ad blocker" can help us.

"Better privacy controls would certainly be useful, but they are ultimately bandages." The business model of targeted advertising on television is incompatible with the protection of privacy, and we must face this reality, "Arvind Narayananan concludes. Who sees only one solution to get out of it: "delegitimize" these practices. Before forcing the manufacturers of TV streaming boxes to put an end to this business model?

In a Washington Post article, a tech columnist, Geoffrey A. Fowler, explains that he himself examined the coming and going of data from four smart TVs (Samsung TV, TCL, Roku, Vizio and LG TV) thanks to software developed by Princeton researchers ("IoT Inspector), and found that his devices" sent reports every second. "According to him, companies buying data collected by these connected TVs would have recognized that they are finally" similar to Facebook "because their content" can be measured, and the ads better targeted and more powerful. "In other words, you could very well see the next day seeing ads different from those of a friend watching an episode of Walking Dead via your smart TV, advertisers getting to know your taste and the way you watch TV - you said scary?