Warning: Beware of What You Do in Your Home. Your TV May be Watching
Chinese Company’s $2 Billion Deal Adds Intrigue to Vizio Smart TV Privacy Lawsuit: Plaintiffs say that Vizio TVs are too nosy already, but the issue could go cloak and dagger as LeEco purchases the U.S. company. (Jonathan Handel, Hollywood Reporter, Aug 19, 2016)
We are ever vigilant for possible personal or corporate security challenges, particularly because of this connected world we live in. The frightening idea that your personal television might become a Peeping Tom is not pleasant, but one that we feel must be confronted.
A recent article in the Hollywood Reporter penned by Jonathan Handel and Eric Gardner with additional contributions from Patrick Brzeski caught our eye. Titled, “Chinese Company’s $2 Billion Deal Adds Intrigue to Vizio Smart TV Privacy Lawsuit,” it delves into the dark world of possible unauthorized internet surveillance, only this time, the camera and microphone might be looking at you in your own home when you are least aware.
You are encouraged to read the full article which can be found here.
We contacted Attorney Jonathan Handel for more information. You can listen to his interview by clicking below (or by reading the transcript accompanying this article).
================================
TRANSCRIPT OF US TIMES INTERVIEW WITH JONATHAN HANDEL
Cirina Catania: This is Cirina Catania with US Times. I’m speaking with Jonathan Handel who is an entertainment and technology Attorney of Counsel with Troy Gould in Los Angeles, California. He’s also the contributing editor on entertainment labor issues for the Hollywood Reporter, and a recent article of his caught our eye.
Jonathan, recently you and a colleague (Note: Jonathan co-wrote this article with reporter at the Hollywood Reporter wrote an intriguing story about a Vizio TV lawsuit and the potential for espionage. What is that all about?
Jonathan Handel: Well, it’s really the intersection of 2 issues that are converging here. One of them is that there have been privacy lawsuits filed against Vizio over the last year or so that have now been consolidated in a single federal lawsuit in Southern California, and the other is that Vizio, the TV manufacturer, has just been acquired, or the acquisition has been announced, and will close about in 6 months, by a Chinese company, LeEco.
They are little known in this country, but well known in China. They’re a tech conglomerate is probably the way to describe them. They have a film studio, they make TVs, they make cellphones, they’re working on a self-driving car, they make electric cars I think already, they have a steaming TV service, they have an internet platform. They refer to it as an ecosystem.
They’re run or owned by a Chinese billionaire, and it’s a big deal. It’s a 2 billion dollar acquisition, but the potential for the intersection between what are now domestic privacy issues currently, and potential espionage issues is what intrigued us, and let us write the article.
Cirina Catania: Well, I’m glad you did because frankly, when you mentioned that Vizio has already had something like 15 privacy lawsuits filed against them, that really was a red flag, wasn’t it?
Jonathan Handel: Well, it was and is, and the basis for the lawsuits is this. Vizio has what you call a video automated content recognition system that as the plaintiffs in the lawsuit put it, while you’re watching TV, it’s watching what you’re watching. It logs what you watch, and compiles what Vizio says is anonymous non-personally linked data, and sends it home to Vizio. A division of Vizio called Inscape Data Services, which is going to be spun off as a separate company, to be co-owned by LeEco and the Vizio founder, then analyzes and aggregates that data and sells it to marketers.
Now, the feature on the TVs, on the Vizio smart TVs is on by default. It can be turned off by the consumer, although a study, an analysis by Avast which is cited in the lawsuit, found that for some period of time, the off feature actually didn’t work and so even when a consumer turned the feature off, data was still being collected. That vulnerability has apparently been fixed at this point, but I think it underscores the potential issues here.
There are a couple of other aspects. One is that the Vizio TVs don’t come with webcams by default although I’m sure you can add a webcam, but some of the LeEco TVs do and I think one of their service offerings in fact, if I remember correctly, is a video chat feature. I would expect that as the companies get integrated, that you’re more likely to see webcams included on the newer Vizio TVs, once the acquisition closes.
The other is that because these are networked TVs, even now, the Vizio TV has to connect to your home network. You either have to give it your wifi password, or you have to connect it with an Ethernet cable to your network, and either of those things makes the TV potentially a vector, a methodology for breaking into a user’s home or office network. In fact, Avast study found vulnerabilities there, apparently, which again, those particular vulnerabilities have been patched, but it again underscores the issue.
Cirina Catania: I think a lot of people might say, “Well, all they’re doing is watching what I watch. I don’t care,” but what worries me just a little bit, and maybe you can explain the potential for this, is the fact that down the road, they’ll be able to listen in to whatever’s going on in your household.
Jonathan Handel: Well, with webcams yes, they potentially could, and in addition, you don’t care, but you’re heterosexually married. Does your wife know you’re watching gay porn? Does your spouse of whatever gender know that you’re watching porn at all? Do your employers know that you tend to watch movies or TV shows or channels with a particular political aspect?
This gets, again, to the espionage issue, as well, as the general privacy issue, which is will it be possible for somebody such as potentially the Chinese government, to target a particular TV? In that example, rather than you being just a general you who’s listening to this program, what if the you is an Army Colonel who lives in Virginia, or CIA operative who lives in Virginia or wherever, or soldiers on a base anywhere, or a Vizio TV in an office location in an economically sensitive major company, or in the White House, or some government office?
Cirina Catania: Like me, I’m an investigative journalist. I don’t want everyone listening in, or anyone listening in to private conversations with sources.
Jonathan Handel: Right, or knowing what you search for on the Internet, because remember, LeEco is going to integrate their internet browsing platform with these TVs, and so if you’re browsing the internet on your smart TV, say to watch YouTube videos related to your journalism, or related to sensitive stuff or porn, or whatever it is, the various examples, that becomes potentially seeable and again if your home network is vulnerable to intrusion via the TV, then browse away on your PC or your cellphone or your laptop. That could also potentially be viewable.
Now, to give a bit of a reality check, I interviewed a woman named Susan Hennessy who’s a former counsel at the National Security Agency, the people in charge of monitoring communications for the intelligence community and breaking codes and things of that sort, and what she said was these scenarios are possible but potentially far fetched. She did say if the data … When I spoke with the executives at the press conference, they said the user data will all be kept in the US and Susan said, “Well, if the data’s kept in the US, then it’s subject to US law and the Chinese government wouldn’t be able to get it,” but I took a look at the Vizio privacy policy and it doesn’t actually explicitly say that the data is kept in the US, and it also does say, like really all privacy policies do, that Vizio has the right to modify their privacy policy unilaterally at any time.
That seems like a pretty thin wall and the company is also, the executives also said that LeEco is a private company, it’s not an arm of the Chinese government, and while that may be true, I think to accept that answer as a real answer is kind of naive, given the degree to which the Chinese government exercises … I mean, you don’t become a billionaire in China and you don’t run a tech company or a content company or both, without having close relationships with the government. That’s just sort of the reality there, and in fact, the government has, according to published reports, I think it was Bloomberg, has recently proposed that streaming video services of which LeEco has streaming video, will have to sell a certain amount of equity to the government and give the government seats on the boards of directors, so that the government can exercise more control.
Cirina Catania: Unbelievable.
Jonathan Handel: That’s China, you know?
Cirina Catania: I’m curious. Let’s talk about the difference for a minute. The United States has a couple of Acts. One is called the Video Privacy Act, and the other one is called the Wire Tap Act. Your co-writer mentions both of those in the article. Can you just address quickly what those are for the people who are listening to this?
Jonathan Handel: Yeah. Those are two separate acts. The Video Privacy Protection Act was passed actually during the era of video stores, and it resulted from a particular incident which shows the sensitivity of some of this, which was that during the hearings over Robert Bork, who was a very conservative, hard right judge who was nominated to the Supreme Court, the people investigated and got copies of his video store rental records, and found that he had been renting porn and that became an issue during the hearings. I don’t know that that was what sunk him. Frankly, the fact that he wasn’t very physically attractive and that he was very hard right, those things combined were probably bigger issues, but it was an issue, and so this act got passed that protects the privacy of video store rental records.
Now, the degree to which it actually applies here when you’re renting or viewing content on the television set, whether online or broadcast or cable or whatever is perhaps open to question. It’s just not entirely clear because the act was never updated as the technology changed, but that is one of the privacy laws that the plaintiffs in the lawsuit, now consolidated lawsuit, are citing.
Another is the Wire Tap Act, which prohibits private people from monitoring other people. Again, it was written in the era of telephone voice communications, so literally speaking, what it prohibits is private people from wiretapping someone else’s conversation.
Again, the degree to which it applies, there may be some question about that. They’re also citing state privacy laws in a number of states. It is a consolidated class action that comes out of, originally out of multiple states, and so there are state laws being cited as well.
Cirina Catania: The US Copyright Office recently allowed the circumvention of some protection issues with smart TVs. Now, I’m a layman, so I probably haven’t described that properly. Can you talk about that for a moment because there are potential privacy issues there?
Jonathan Handel: Well, that’s right. This was intriguing. The copyright law as updated for the technological era, in addition to saying you can’t copy things that are copyrighted, and distribute other people’s copyrighted material and all that kind of thing also prohibits circumventing copy protection mechanisms. If someone has copy protection on DVDs and Blu Rays, copy protection on software, you’re not normally allowed to circumvent that and make copies, say of the software. It’s a double protection, so you can’t make the copies because it’s copyrighted software, but you also can’t even break the protection, but recently the Copyright Office did give some people the right to break protection in smart TVs and the reason for that was that the people, these were people who wanted to investigate the vulnerability of the TVs, in particular with webcams, and so the Copyright Office said, “Okay, that is a justification for you having the ability to circumvent the protection and examine the software,” not for the purpose of competing with the manufacturer or using their software, but rather for the purpose of examining the software for vulnerabilities.
By the same token, there also was a Samsung privacy policy at one point that advised TV owners, with regard to smart TVs, “Be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a 3rd party.” When some of us were kids, long before this era, and read George Orwell’s “1984,” one of the funny aspects about it and seemingly silly aspects was that when people would watch TVs in the world that Orwell constructed, he wrote the book in 1948, which is why he transposed it and called it “1984,” was that the TVs were watching the people who were watching the TVs, and we thought, “Isn’t that crazy?”
Cirina Catania: Yes.
Jonathan Handel: In fact, that world is technologically, is right now. What Hennessy from the former NSA, now Brookings Institute E xpert said was even though these scenarios are possible but potentially far faxed … Far fetched, rather, that anyone in a sensitive position, she particularly said the intelligence community, but I think it applies to anyone whether it military, corporate, executive and so forth, does need to be concerned and practice what she called “High levels of operational security with regard to network devices in the home.” She also pointed out that there is a committee, an inner agency committee based in the Treasury Department, and with representatives from the Department of Defense, and Commerce, and Homeland Security, and FBI, I think, or Justice, and on and on, that examines transactions where a foreign company is going to buy a US company, and it’s confidential so we don’t know whether they’re going to examine this transaction or not, the acquisition of Vizio, and if they are, whether they’re going to put conditions on it, or even potentially block it.
It seems unlikely they’d go that far, I guess, but she did say, Hennessy did say there are legitimate reasons for that committee and for, by extension, anyone concerned with privacy, to be worried about the Internet of Things, about network devices in the home, whether it’s a thermostat or an internet connected refrigerator that companies have been trying to sell without much success for a while, or in this case, television sets. By transforming the home and also the office, we have all built huge threat surfaces that have enormous vulnerabilities, and to put this in a larger context, people talk about software engineering. The word “software engineering” which is the rigorous discipline of writing software, and trying to make sure that it doesn’t have bugs and that it’s not vulnerable, that word is only 50 years old and the rigorous practice of writing softwares is even more recent than that, really.
By contrast, the practice of civil engineering say, building bridges, the oldest bridge now I think is something like 3000 years old. Bridges don’t usually collapse in and of themselves, as long as they’re maintained. Every now and then there’s a counter example, but it generally doesn’t happen because we’ve learned a lot in 3000 years about how to build bridges, but in 30 years, basically 1% of that time, we haven’t learned nearly as much about how to write software, and our reliance on technology, on computer technology in particular, has really outrun our ability to implement that technology in a reliable, bug free, secure and private way. That’s the vulnerability that you’re seeing here.
Cirina Catania: I’m recalling a school and I can’t remember which one it was, that gave either iPads or laptops to their students, and then watched them through the webcam and there was a lawsuit about that. The parents were really upset about that, because the kids had no idea that they were being monitored. I’m also thinking about Spokeo v. Robins that you mentioned.
Jonathan Handel: I was just going to, if I can jump in on the laptops. The other thing that’s often happened when schools have given kids laptops is the schools will put software on them to keep the kids from going to websites that are sexually explicit or whatever, and the kids are uniformly able to break that software within a week and that just shows, again, how little we really know about computer security. You can’t even secure a machine from a 14 year old.
Cirina Catania: You talked about Spokeo v. Robins making the injury harder to prove, doesn’t it?
Jonathan Handel: Well, it does. Spokeo v. Robins is a recent Supreme Court case. It involves a statute that’s not at issue here. It involves the Fair Credit Reporting Act, but it says to have standing to bring a class action lawsuit or to bring a lawsuit in any case, but these are typically class actions as this one against Vizio is, that the injury is concrete and particularized. Now, this is part of the agenda that the Supreme Court has had really since the Reagan administration appointments, since Rehnquist and people like that, to cut off access to the courts for consumers, for workers, for a variety of people that are not politically favored by republicans, frankly, and so there are both … When you think about the Supreme Court, most people think about the explicitly political and obvious things, “Is the Supreme Court going to rule this way or that way on abortion/gay marriage/gun rights?,” et cetera, et cetera.
Those are the substantive issues and the issues that are easy for people who look at political issues to understand. They make a headline, but the other part of the agenda and the fight between conservatives and liberals, with regards to the courts, has been the whole issue of access to the courts in the first place. The republican conservative agenda has been to try to make it harder to file class actions, make it harder to file lawsuits, make it easier for businesses to divert people from the court system into arbitration, which in the case of individuals is often an unfavorable venue and denies them the ability to have their day in court, and other things of this sort.
These technical sounding and procedural type issues that at the end of the day make the difference between a lawyer saying, “Yes, I’ll take your case and we have some potential here,” versus saying, “We’re going to find the doors locked in our face, regardless of whether you’re right on the merits.”
Cirina Catania: Right. If Vizio does become Chinese owned, which it obviously is going to, do you think that any Americans who feel like their rights have been violated have recourse against the Chinese government in the future?
Jonathan Handel: I doubt it. I mean, it’ll end up being hard to prove if something is going on. I think that there are also various legal doctrines that make it hard for individuals to sue foreign governments. Look at another example. The apparent Russian intrusion with the Democratic National Committee and attempt to manipulate the election through release of information regarding, emails regarding the DNC and favoring Clinton, and stuff like that. Do you get to sue the Russians? I mean, not really. How do you prove it’s them? How do you prove that you’ve got a particularized injury? How do you actually get them in court? How do you get passed the legal doctrines that basically say this is a political question and a foreign relations question that is reserved to the executive branch, not to the courts, not to individuals?
The question really, if in fact the Chinese do end up using these as vehicles to either to spy on particular people in the government or in industry, or to gather mass data on Americans, it becomes more a political question of what does an administration do? What we’ve seen with the Sony hack and with the DNC hack and others that have been attributed to foreign state actors is that it’s very hard politically to figure out how to react and retaliate without creating an escalation, because we have so much vulnerability, and do you want to escalate a situation to where it becomes the foreign power is motivated to attack our electrical grid or something of that sort? I mean, do you want to start a cyber war?
It’s a very difficult situation potentially. I mean, what Hennesey says is, the issue really isn’t so much whether something is foreign owned per se. I mean, Apple’s stuff is manufactured in China, so Apple’s not foreign owned, but the issue really is, are there security vulnerabilities in the supply chain, and in the chain of the product here? All of that said, I have to say, previously I had a very positive feeling about the brand, about Vizio. I mean, I think they brought high quality TVs to the mass market early, at a more aggressive price point than other manufacturers, and grew very quickly as a result.
There was a lot of commercial success as a result of it being good product, but the default monitoring and now the Chinese ownership, I mean, you hate to feel like you’re reacting knee jerk and saying, “Well, they’re owned by Chinese therefore I won’t go near it,” but it’s a hard one.
Cirina Catania: I think it’s a case of buyer beware. Just at least know what you’re getting into, and see if you can get to the default and turn it off. I don’t know if you can with the new ones. I know that even with my computer, I turn off the microphone when I’m not using it, and I have tape over my webcam on my desktop, on my iPad, and even on my iPhone. It was really interesting that there was a very high level executive at a tech company and they did an interview with him and his laptop was in the background, and he had tape over the webcam.
Jonathan Handel: Yeah. People do, but you know, even turning the mic off doesn’t guarantee that the mic is really off.
Cirina Catania: That’s true, because they can turn it back on remotely, which a lot of people don’t know. We’re going to have to talk in the near future about what’s happening in terms of government surveillance on other technology instruments, but that’s another subject, Jonathan. I really appreciate you writing this story. I think it’s timely, I think it’s important, and hopefully it will help people at least realize what their vulnerabilities are. Thank you so much.
Jonathan Handel: Well, thanks. It’s my pleasure. I’m glad to be with you.
Cirina Catania: That was attorney Jonathan Handel, speaking with us about privacy issues relative to the purchase of Vizio by the Chinese company LeEco. I’m Cirina Catania for US Times. Visit us on the web at USTimes.biz. Follow us on Twitter @USTimes_News or click over to our page on Facebook. Thank you for listening.