12:08pm PT by Eriq Gardner , Jonathan Handel
Chinese Company's $2 Billion Deal Adds Intrigue to Vizio Smart TV Privacy Lawsuit
It might sound like William Gibson meets Edward Snowden, but is there anything really stopping the Chinese from potentially using smart TVs to peek into American households?
In July, Beijing-based LeEco committed $2 billion to acquire Irvine, Calif.-based Vizio, the biggest U.S. maker of TVs. The move will give the Chinese tech conglomerate, with operations that span consumer electronics, content, cellphones, electric cars and more, a gigantic foothold in the U.S. and integrate LeEco’s internet and streaming platforms into Vizio TVs, but there could be privacy and even espionage ramifications as well.
In part that’s because in Vizio, LeEco is buying a company that’s been the subject of about 15 privacy lawsuits, recently consolidated via the multidistrict litigation process. On Monday, the plaintiffs filed an amended complaint in California federal court.
“If you own a VIZIO Smart TV, Friday night movie night in the privacy of your home is a surprisingly public affair,” opens the complaint. “This is because VIZIO Smart TVs watch what you’re watching while you’re watching it.”
The lawsuit asserts claims under the Video Privacy Protection Act, the Wiretap Act and various consumer statutes passed by legislators in California, Florida, New York, Massachusetts and Washington. For now, the litigation focuses on bulk data collection, and in particular, consumers’ viewing histories, but the lawsuit frames all this as highly sensitive fodder.
According to the complaint, “The movies or television consumers watch may reveal sensitive information suggestive of their politics, religious views or sexuality — in other words, their most personal and intimate details.”
Vizio told The Hollywood Reporter that their TV sets’ Video Automated Content Recognition feature “collects only anonymous data (no personal information) and matches it with publicly available broadcast programming to provide, for example, summary reports which may be helpful to media content providers.”
Vizio says its TVs don’t have cameras. But that could change, particularly since at least some LeEco models do.
In addition, since Vizio TVs are networked even now, they have to connect to home or office LANs via Ethernet cables or else the user has to enter a Wi-Fi password during setup. In either case, the contents of home PCs and cellphones may then become accessible. Indeed, the Avast study found that the vulnerabilities (subsequently corrected) in Vizio TVs would enable attacks on a user’s network.
All of this raises issues beyond the privacy lawsuit. In light of the close eye that Chinese officials keep on the country’s tech and content industries, could the Chinese government use these features — content logging, LAN access, microphones and cameras — to spy on specific targets of interest, such as a CIA operative at home in Virginia, a White House staffer watching CNN in the West Wing or soldiers on a base almost anywhere?
At least one expert, the Brookings Institute’s Susan Hennessey, thinks this sort of thing is possible but perhaps unlikely. “Supply chain security and data privacy have long been national security concerns,” she said. “So I don’t think the basic questions are fantasy, however the specific scenarios may be far fetched.”
She added, “Anyone in the [intelligence community] should be practicing high levels of operational security with regards to networked devices in the home. Unless there is specific intelligence regarding a particular company, the mere fact it is foreign-owned or even Chinese-owned is not necessarily a reason to avoid the product. The more probable threat would result from insufficient security making them vulnerable to a wide variety of sophisticated actors and not a supply chain compromise. … So corporate ownership is not the exclusive consideration.”
Both companies insisted at their joint press conference in July that all customer data would be kept in the U.S. Said Hennessey, formerly an NSA attorney, “If data is in fact stored in the United States and not elsewhere, then it is protected by U.S. law and could not be handed over to the Chinese government.”
The companies pointed out at the press conference that LeEco is a private company, not an arm of the government. But that boundary is scarcely impregnable in China. In fact, the country’s media regulator, the State Administration of Press, Publication, Radio, Film and Television, is reportedly proposing that streaming video companies grant board seats and sell equity stakes to the government. LeEco’s streaming video service would presumably be affected by the proposal.
“Our customers mean everything to us,” was Vizio’s answer to THR’s specific questions about the above issues. “We respect our customers' privacy and adhere to fair data collection practices.” The company didn’t otherwise address potential espionage vulnerability. For its part, LeEco was reviewing THR’s queries but wasn’t able to respond in time for the initial publication of this article. We’ll supplement with any responses received later.
Is anyone in the U.S. government paying attention? Possibly. “The transaction is likely within the regulatory authority of CFIUS,” said Hennessey, referring to the inter-agency Committee on Foreign Investment in the United States. However, she noted, that “does not mean they will actually exercise” their authority. The Committee, based at the Treasury Department, also includes representatives from numerous other U.S. agencies and cabinet departments.
Several of those members’ spokespeople failed or refused to comment or referred questions to the Treasury, whose spokesperson also declined to comment, citing legally mandated confidentiality. But Hennessey said that CFIUS has focused on Chinese investments in the past, adding, “I can’t speak to the merits of the decision to investigate or not in this particular case, but there are reasons why CFIUS should be taking a particular interest in investments related to the Internet of Things.”
Whether these issues will come into play in the pending lawsuit is uncertain, and plaintiffs’ counsel Andre Mura refused to comment on that. But there are a number of more mundane matters that will keep the parties busy.
One is whether the VPPA applies at all. Past lawsuits asserting violations of the VPPA — a statute passed in 1988 after Supreme Court justice nominee Robert Bork’s video rental history was leaked to a newspaper — explored the meaning of “personally identifiable information.” Courts have been skeptical that something like Roku device serial numbers amount to identification, though an appeals court recently allowed a lawsuit to proceed against Gannett because of the disclosure of GPS coordinates.
For this reason — and one that could spark fears over how Vizio’s overlord could target specific TV viewers — the plaintiffs in the privacy lawsuit address what other sorts of information are available for disclosure.
“Such information includes, but is not limited to, the online services a consumer visited and the presence of a consumer’s other Internet-connected devices,” states the complaint. “VIZIO also disclosed consumers’ Internet Protocol (IP) addresses, media access control (MAC) addresses, and zip codes. This personally identifiable information can be used to pinpoint a consumer’s physical location.”
At the pleading stage, the plaintiffs may be asked to address a recent Supreme Court ruling, Spokeo v. Robins, that held that privacy plaintiffs under another statute, the Fair Credit Reporting Act, must show an injury that is both “concrete and particularized.” The high court justices largely left it to lower court judges to figure out what harm is sufficient to survive dismissal of a claimed privacy breach.
Patrick Brzeski contributed to this story.