Not so smart: Samsung's web-connected TVs capture conversations

News by Doug Drinkwater

Samsung's latest line of internet-connected 'smart' TVs capture conversations through its Voice Recognition software, before sending this information onto third-parties.

This information came to light over the weekend after the South Korean consumer electronics conglomerate quietly detailed how its Smart TVs collect data in a new television privacy policy.

“Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features,” reads a brief extract from the policy.

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party." The firm did not go into additional details on who these third-parties are, or how this data will be used.

A Samsung spokesman later told The Daily Beast: "Samsung takes consumer privacy very seriously. In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorised collection or use. Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. The TV owner can also disconnect the TV from the Wi-Fi network.”

Users can tell when voice recognition is activated because a microphone appears on screen, although deactivating the feature will likely impact on the TV's usability.

“If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands,” the policy reads.

"While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it."

One Reddit user compared this level of intrusion to George Orwell's critically-acclaimed novel, 1984, which predicts a time of state interference and surveillance.

Speaking to shortly after the news emerged, Jon Baines, chairman of NAPDO (National Association of Data Protection and Freedom of Information Officers), said that Samsung had at least detailed the data collection in its policy.

“I think people have become used to voice recognition software on their mobile devices and laptops, and perhaps don't realise that this will often involve their speech data being networked and sent to a remote server somewhere,” he said via email. “And whenever that sort of thing happens, issues about retention and reuse arise.

“Samsung has, at least, given some details in its privacy policy (although further information would be helpful - for instance about security/encryption etc).” Baines added that Apple had to be pushed to find out how long Siri user data was retained, and was unable to find a specific privacy policy from Google for its voice recognition at the time of writing.

“I think what has happened here is that people are waking up to the realities of the "Internet of Things": if everything is connected, then so, potentially at least, are the details of our private lives. It's essential, therefore, that companies are open with users about what happens with their information, and that they are given simple means of opting in, and out, of applications which involve the transfer of their personal data.”

Kevin Epstein, VP of advanced security and governance at Proofpoint, told SC that this kind of data collection has happened for years, although this latest example could serve as a reminder of the Internet of Things.

"While this specific example of data collection is not outside the norm, the publicity it seems to be generating certainly serves as a good reminder of the need for security layers around -all- networked computing devices,” he said via email. 

“Innocuous background data collection by systems vendors has been happening for years - from error-reporting in operating systems, to statistics on viewing in DVRs, to keystrokes on remotes (and yes, even audio snippets in speech-to-text systems).

“The concern, of course, is whether attackers could access these functions -- either as data in the vendor's central collection-point (less likely), or directly on the device (proven; there have been many, well-documented cases of hacked baby-monitors, laptop webcams, and the like).  Regardless, there's clearly a need for additional layers of security and both enterprise and consumer protection.

Last October, Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU School of Law, detailed his own disillusion at Smart TV privacy. After buying his own set, he found himself reading a 46-page privacy policy.

“The amount of data this thing collects is staggering,” he wrote in a blog post. “It logs where, when, how, and for how long you use the TV. It sets tracking cookies and beacons designed to detect “when you have viewed particular content or a particular email message.” It records “the apps you use, the websites you visit, and how you interact with content.” It ignores “do-not-track” requests as a considered matter of policy.

He added on the microphone:  “More troubling is the microphone. The TV boasts a “voice recognition” feature that allows viewers to control the screen with voice commands. But the service comes with a rather ominous warning: 'Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party'.”"

"Got that? Don't say personal or sensitive stuff in front of the TV."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews