The following article may be a smidgen tongue-in-cheek – as they say in Russia, “every joke contains an element of joke.” You have been warned.
Let’s do a bit of mathematics: if we combine a key axiom of Shakespeare (“music be the food of love”) with one from David & Bacharach (“what the world needs now is love sweet love – it’s the only thing that there’s just too little of”), by the transitive property of love, it follows that the world is in need of more music.
So how can we apply this wholly new mathematical finding to the field of privacy?
Fortunately, the great Motown record label covered this in 1984, with their greatest prophet, Rockwell, and his haunting question for the ages: “Can the people on TV see me, or am I just paranoid?”
In 2017, we can answer his question in the affirmative: yes, they can. He was not just paranoid.
What is a modern “smart” television? At heart, a smart-TV is an internet-connected video camera and listening device, connected to back-end systems for mass personal data extraction, storage, and analysis. A smart-TV also happens to allow viewing of entertainment content.
Am I just being as paranoid as Rockwell?
Let’s look at the uses for those internet-connected video cameras and listening devices:
Case three is mostly benign – it’s what you actually want your smart TV for. Let’s focus on the first two cases.
So, how do you replace a remote control device? By learning to respond to voice, gesture, or even eye-movement commands – like with Siri, Alexa, and Wii.
How does that work in practice? The software that answers your commands needs to know that it is being given a command. Most of the time you are not giving one; you are just doing your thing in the ‘privacy’ of your living room or bedroom or wherever the TV is.
This is what the TV software must do, all the time, to make this work:
In other words, to be able to talk to and gesture at your TV instead of pushing a button, your TV needs to record you and your family at all times while you are within range.
Now, understanding what someone is saying or what their movements mean is very complicated mathematics (machine learning, artificial intelligence, etc). For this reason, most of the work is done in “the cloud” (someone else’s computers) where there is more computing power and more data stored from other people to compare against.
In other words, to get rid of that simple button, you are sending your and your family’s voices, images, and surveillance videos over the internet to someone else’s computers. Seems like an equitable exchange.
To make this magical automatic understanding of your words and movements work well, the software requires huge quantities of data from as many people as possible to learn the patterns and do comparisons. This means that to provide a good service, it is in the interests of companies providing these glorified remote controls to store any and all sounds, images, and videos that you send to them for processing. Indefinitely.
Can the people on TV see me? Well, the TV manufacturer sure can!
OK, let’s move onto case two, tracking viewer attention for advertisers. From the old Nielsen boxes to surveys and viewership numbers, TV producers have always been obsessed with knowing how many people are watching their adverts.
You see, just as your TV is a surveillance device that happens to provide entertainment, your favourite TV shows are just adverts that happen to have breaks for entertainment.
To prove their worth to their bosses (the companies paying for the adverts), TV producers need to know as accurately as possible how many people are really watching their adverts. This is how they can justify the prices to current and future advertisers, and thus pay for the entertainment part of their show.
Smart TVs are great for this – the embedded video cameras can even be used to track eye movement of each individual viewer, to accurately gauge interest in each advert, or even parts of particular adverts.
Just like with the remote control, for the software to understand where your eyes are and where they are looking, it must record and analyse everything, and store as much as possible to learn from.
Am I just paranoid? Here is an example TV from 2012; here is just one SDK that smart TV developers can plug into their software to add this ‘feature’; and here is an example of how the advertisers love this.
Also consider that it is already standard that hosts of telethons and TV votes have a screen with real-time data on calls coming into the show, provided by the telecoms software handling the phone calls. It is an easy task to combine these two sources of information in a vendor’s software.
Intrusive attention-tracking via smart TVs is already here.
Just for fun, the CIA decided to make this a whole lot worse – one of the Vault7 goodies released by Wikileaks was the Weeping Angel malware that the CIA inserts into smart TVs while en route to be delivered to you, or by breaking into your home. Supposedly they only target deserving people, or places they think deserving people will be (remember those NSA claims that they don’t collect bulk data on everyone?).
The bad guys put in a USB stick, which adds the CIA’s malware to your TV’s software. From now on, the TV can pretend to be off (screen black, status lights show standby or off) while in fact it is on, recording and transmitting to their command & control servers.
Now imagine the last hotel you stayed at. There was a big shiny new smart-TV in the middle, with a clear view of your desk and bed. Who last put their USB stick into it? You’re not paranoid if they really are out to get you!
Some of this mass surveillance can be mitigated via technology. This is one of the reasons F-Secure recently launched our first hardware product: F-Secure SENSE – securing your “smart” devices is not only about protecting you from illegal intrusion by criminal malware, but also about protecting your privacy from currently legal intrusion by corporate spyware.
Of course, technology is not a panacea. Smart devices and the mass surveillance long championed by Facebook, Google, the NSA, and many others are a huge ongoing societal change. Technology alone cannot divert the raging rivers of that change; social and legal reactions are needed also.
One simple reaction is an individual refusal to cooperate, and advocating within your family and friends – e.g. “friends don’t let friends use Facebook”.
As the inimitable (and somewhat linguistically colourful) Tim Minchin correctly put it, George Orwell “would surely think he was hearing a fiction if you tried to describe how far this s**t’s gone, would presume you were taking the p*ss being happy with technology like this”.
Beyond individual refusal, you can protest, donate to the EFF and similar organizations, contribute your time and expertise, talk to your local politicians, and publicly explain why you won’t be buying these products. There are a million ways to work to guide society’s changes into less toxic riverbeds.
As Ollie proclaims, “we’re so sick of being used, we’ll be no product for you”. So, let the music flow, fight back against the corporate and governmental Peeping Toms, and leave a little more love behind you! Simple, right? 🙂