Skip Navigation

Televisions

It has become essentially impossible to buy a “dumb” TV in any retail store today. Instead, the available models are “smart” models that have built-in support for Internet streaming services. While this built-in streaming support is advertised as a useful feature of the television, the real reason manufacturers want their TVs connected to the Internet is much darker. These devices contain surveillance technology, and manufacturers can make more money selling users’ data than they do from the selling the TVs themselves. One company is even offering a dual-screen TV to users for “free” in exchange for personal information and constant in-home advertising.1

Page Contents

Internet Tracking Technologies

Since a smart TV normally just uses some type of Linux system (or a Linux derivative, like Android) to run its user interface, any tracking technology used on the Internet can be used to track a person on a smart TV. Cookies and Web beacons are both usable on these platforms. Most smart TVs also have an advertising ID of some kind, creating both a zombie cookie and something that TV apps can use for tracking purposes. Recall from earlier in this section that ads played on a TV can contain high frequency audio signals for cross-device tracking. Most modern TVs also display their own ads in various places, and these ads hypothetically could also contain their own XDT signals.

Automatic Content Recognition

While a smart TV can certainly track a person’s usage of its built-in streaming features or monitoring the channel set on its internal tuner,2 users have a pesky habit of connecting external devices to the HDMI ports and watching content from other devices that the TV cannot track directly. In order to track what externally sourced content users are watching, smart TVs often employ Automatic Content Recognition (ACR), which is technology that fingerprints the content being displayed through the TV. At present, most of this fingerprinting is performed using audio signals, since processing audio requires fewer computational resources than processing video, and televisions often have fairly inexpensive (and thus underpowered) CPUs. Companies such as ACRCloud create databases of songs, movie soundtracks, TV audio, commercial audio, and other media that match audio fingerprints to specific content. This same technology is used in mobile phone apps that can identify a song playing in a restaurant or even hummed into the microphone.3

One company that has worked to incorporate ACR into smart TVs is Inscape.tv, which is owned by Vizio. As of early 2025, Inscape.tv has an exceptionally creepy website with fingerprint-like wavy lines in the background and inferences about people that appear when hovering the mouse over the page.4 Even the name of the company is a bit telling, since the word “inscape” was invented by a poet to mean the “unified complex of characteristics that give each thing its uniqueness.”5 Inscape.tv markets their tracking services to a wide variety of clients, including political campaigns that can use the data to try to sway people to vote for a particular candidate or issue.6 The frank and upfront nature of this company’s ambitions is likely reflective of broader industry consensus, since they won an Emmy under their prior name (Cognitive Networks) in 2023 for “Extraction of Granular Census Level Behavioral Data Using ACR.”7

Vizio, the company behind Inscape.tv and a maker of televisions themselves, settled a Federal Trade Commission lawsuit in 2017 after they enabled ACR by default without first giving the user a chance to opt-in.8 This default data collection stance was especially problematic, since tracking data from Vizio TV sets was found to be vulnerable to a man-in-the-middle attack, enabling a threat actor (apart from Vizio itself) to steal users’ viewing habits.9 Even though users are now presented with a privacy policy and have to opt into tracking, more than 23 million people with Inscape.tv-provided ACR had done so as of 2024.6 Given the general state of privacy policies, and the fact that most people click “I Agree” without actually reading the agreement, one can only assume that most people are blissfully unaware of the information they have agreed to provide.

As more processing power becomes less expensive in the future, it is reasonable to assume that TVs will gain the ability to process video signals in addition to audio signals. More advanced ACR based on video fingerprints will become possible in this case. However, another approach will be to add a digital watermark to the videos themselves. A watermark is an embedded piece of data that allows video content to be identified without necessarily changing its visual appearance to the human eye, eliminating the need to perform measurements on the video in real time and consult an external database. This technology is already used to add built-in fingerprints to track the source of video file sharing online.10

Voice Commands

Apart from recognizing the content being watched on the screen, many recent models of television contain support for voice commands. Some TVs require pressing a button and speaking into a microphone on the remote control, while others have an always-listening microphone built right into the TV itself, approaching an Orwellian telescreen. Most TVs allow this “feature” to be enabled or disabled to varying degrees.

Although TVs may listen for their “wake words” using entirely local processing, effective voice recognition requires more computing power than may be available on the device itself. Therefore, manufacturers will typically send the microphone voice data to a third-party cloud service, such as Nuance, for processing.11 Depending on the third-party service provider’s contract with the television vendor, it is entirely possible that the third-party could be using people’s voice samples for their own tracking purposes, to train AI models, or for some other use that collapses the user’s original context. The use of a cloud service also increases the size of the attack surface that a threat actor might be able to use to hack into the TV.

Mitigation

Since it isn’t really feasible to buy a “dumb” television anymore, the best available mitigation is that you should never connect the TV to the Internet. Most TVs have some kind of non-connected mode, although the way to get the TV into this mode will vary by manufacturer. Many consumer TVs are also sold for institutional use (such as in hotels), so searching by the TV model number for a “hotel menu” is one way to find hidden settings on the TV. Accessing this menu often requires pressing a specific combination of keys on the remote while powering on the device, but once accessed, this menu may provide a way to disable all network interfaces on the TV entirely. On other models, simply declining to set up a network connection might be sufficient.

By making the smart TV “dumb,” it will be necessary to use an external device to display content on the TV unless you’re simply watching over-the-air broadcasts using the TV’s built-in tuner. At present, broadcast TV is one-way, so the tuner has no way to report what you’re watching to the TV manufacturer as long as the TV has no Internet connection. Even if ACR is enabled, it won’t have a way to transmit any information about the identified content. On the flip side, it is not safe to leave a network connection enabled for a TV even if it will only be used with the tuner or an external device. ACR could be operating and reporting activity if there is an active network connection to reach the Internet.

Speaking of external devices, DVD players, game consoles, and streaming boxes can collect and report data on their own if they have a network connection. These external devices can even implement ACR themselves. For this reason, it is best not to use connected capabilities on these kinds of devices, although disconnecting a streaming device from the network renders it completely useless. The best solution is to build your own external device in the form of a Linux-based computer, on which you can stream content via a Web browser that you configure and control. In cases where this approach isn’t practical, power to the network-connected external device should be removed whenever you aren’t consuming content from that specific device. It isn’t sufficient to turn the device “off,” since the device could still be collecting data in that state. Its power adapter should instead be removed from the wall outlet.

Notes and References

  1. Emma Roth. “This free TV comes with two screens.” The Verge. May 15, 2023. 

  2. David Jeon. A New Era of Local TV Data. Inscape.tv. January 8, 2024. 

  3. ACRCloud

  4. Inscape.tv

  5. Glenn Everett. Hopkins on “Inscape” and “Instress”. The Victorian Web. 1988. 

  6. Unlock the Power: Political TV Ad Attribution. Inscape.tv. May 20, 2024. 

  7. Eric Pedersen. “Technology & Engineering Emmy Winners Revealed.” Deadline. January 19, 2023. 

  8. Dan Goodin. “Vizio smart TVs tracked viewers around the clock without consent.” Ars Technica. February 6, 2017. 

  9. Dan Goodin. “Man-in-the-middle attack on Vizio TVs coughs up owners’ viewing habits.” Ars Technica. November 11, 2015. 

  10. Anna Solana. “How these hidden video watermarks can help spot piracy, doctored images.” ZDNET. August 17, 2017. 

  11. Glenn Derene. “Samsung and LG smart TVs share your voice data behind the fine print.” Consumer Reports. February 9, 2015. 

Mobile Devices

Pervasive Tracking
Video Games
Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.