SMART TV manufacturer Vizio has been fined a total of $2.2m for deliberately collecting viewing habits from its devices.
In a US Federal Trade Commission (FTC) blog, the watchdog explains that the issue was not just the collection, but that the data was then monetised and sold on to advertisers.
The case was brought jointly by the FTC and the Attorney General of New Jersey.
The feature was described as "Smart Interactivity", which "enables program offers and suggestions". A New Jersey court decided that wasn't explicit enough to explain 'harvest IP addresses and aggregate them to identify individual customers in order to sell them shite'.
The FTC says that up to 100bn data points were collected from Vizio TVs every single day, and that they were matched by scraping the pixels, meaning that it was possible to identify habits not just from content fed directly to the television, but also from any device connected to it, including set-top boxes, games consoles, optical disc players and computers.
The company told consumers nothing of all this, and while the data was anonymised by name when sold, it was still collecting sex, age, income, marital status, household size, education and home ownership which, apart from being invasive in and of itself, represents data that can be turned back into identifiable information with very little social engineering.
Cases like this are part of the argument for caution in dealing with the Internet of Things, as we let more and more devices with the potential to spy on us into our homes. A recent case of Mirai malware relying on a botnet of IoT devices has added to the problem, whilst just this week it emerged that 160,000 printers were hacked in a similar way.
A new industry of hardware-based home firewalls is emerging. We're currently testing Cujo, a system designed to block attempts to connect to individual devices on the home network.
Vizio was accused of not only adding the feature but retroactively "upgrading" TVs to include the feature through a remote update. It has agreed to stop collecting data, destroy "most" of the data it has already collected, apply for explicit consent from the consumer before any future data collection, and set in place a privacy programme to evaluate the practices of the company and anyone it deals with.