Feb. 12, 2018
As everyday consumer appliances and devices like televisions are increasingly connected to the internet, concerns about privacy and security are mounting. Adding to growing consumer anxiety about the implications of bringing internet-connected appliances into our homes, on February 7th Consumer Reports reported that certain TV models sold by Samsung and TCL are vulnerable to hackers. The assessment, conducted in collaboration with Ranking Digital Rights (RDR) and Disconnect—a company that makes digital tools for preventing privacy invasions—revealed that security vulnerabilities in two of the five TV brands tested, Samsung and TCL, could allow a hacker to remotely take control of the TV.
Researchers also found that all “smart” or internet-connected TVs examined collect large amounts of information, which they send back to the TV manufacturers, software providers, and various third parties that deliver content, process payments and warranty claims, and provide marketing services. And yet, users do not always have the ability to control or minimize such data collection without losing the features of their TV that make them “smart” in the first place, and that enable streaming or searching for content on various apps such as Netflix and YouTube.
These unsettling findings are the first published results of an ongoing collaborative research and testing project that uses the Digital Standard to evaluate internet-connected products that make up what is often called the “internet of things.” The Standard is an essential list of privacy and security criteria to assess smart devices, services and apps, developed in partnership with leading privacy, security, and human rights organizations, including Ranking Digital Rights. The goal is to encourage technology companies to prioritize consumers’ security and privacy needs, and to help consumers make informed choices.
Many of the privacy and security criteria included in the Digital Standard are either directly borrowed or adapted from RDR’s Corporate Accountability Index methodology. While RDR’s 35 indicators were developed to evaluate internet, mobile, and telecommunications companies, with some adaptation the methodology is proving to be equally suitable for assessing networked devices and services such as smart TVs. As part of the collaborative research and testing effort led by Consumer Reports, other types of networked devices and applications are also being evaluated against the Digital Standard. Thus, while the RDR Corporate Accountability Index focuses on 22 internet, mobile and telecommunications companies, the Digital Standard project demonstrates how the core principles underlying RDR’s methodology can be used to evaluate many more companies and product types across the information and communication technology (ICT) sector.
The RDR indicators incorporated into the Digital Standard criteria focus on corporate disclosure of policies and practices around data collection and control, data use and sharing, and privacy and security oversight, among other issues. Collectively, these indicators have contributed to Consumer Reports’ findings about the disturbing amount of data that TVs collect when connected to the internet. These data can include log information, device information, location information, as well as viewing information about the content users watch, which can be combined and shared for targeted advertising on TVs and other platforms with significant implications for privacy and security.
More importantly, the findings reported this month by Consumer Reports highlight once again the importance of assessment tools such as RDR’s Index and the Digital Standard. Both provide companies with a roadmap to follow for establishing basic privacy and security standards. They also provide consumers with clear guidance for what they should be looking for in choosing internet-connected products. Furthermore, such evidence-based findings about privacy weaknesses and security vulnerabilities can be leveraged by advocacy organizations, shareholders, and users to demand more accountability from companies. They can also inform the work of policymakers as products from a growing number of industries get connected to the internet.