Chinese Company's $2 Billion Deal Adds Intrigue to Vizio Smart TV Privacy Lawsuit

YTJia_William Wang_LeEco_VIZIO - Publicity - H 2016
Jeff Lewis/AP/Courtesy of LeEco

YTJia_William Wang_LeEco_VIZIO - Publicity - H 2016

It might sound like William Gibson meets Edward Snowden, but is there anything really stopping the Chinese from potentially using smart TVs to peek into American households?

In July, Beijing-based LeEco committed $2 billion to acquire Irvine, Calif.-based Vizio, the biggest U.S. maker of TVs. The move will give the Chinese tech conglomerate, with operations that span consumer electronics, content, cellphones, electric cars and more, a gigantic foothold in the U.S. and integrate LeEco’s internet and streaming platforms into Vizio TVs, but there could be privacy and even espionage ramifications as well.

In part that’s because in VizioLeEco is buying a company that’s been the subject of about 15 privacy lawsuits, recently consolidated via the multidistrict litigation process. On Monday, the plaintiffs filed an amended complaint in California federal court.

“If you own a VIZIO Smart TV, Friday night movie night in the privacy of your home is a surprisingly public affair,” opens the complaint. “This is because VIZIO Smart TVs watch what you’re watching while you’re watching it.”

The logging software is on by default. It can be turned off, according to the Vizio privacy policy, but a study by the security company Avast, cited in the lawsuit, found vulnerabilities (since corrected by Vizio) that rendered the opt-out function ineffective. And all this is before any future integration of what LeEco refers to as an ecosystem consisting of internet, cloud and streaming platforms, among others, which would seem to open up even broader data collection vistas.

The lawsuit asserts claims under the Video Privacy Protection Act, the Wiretap Act and various consumer statutes passed by legislators in California, Florida, New York, Massachusetts and Washington. For now, the litigation focuses on bulk data collection, and in particular, consumers’ viewing histories, but the lawsuit frames all this as highly sensitive fodder.

According to the complaint, “The movies or television consumers watch may reveal sensitive information suggestive of their politics, religious views or sexuality — in other words, their most personal and intimate details.”

Vizio told The Hollywood Reporter that their TV sets’ Video Automated Content Recognition feature “collects only anonymous data (no personal information) and matches it with publicly available broadcast programming to provide, for example, summary reports which may be helpful to media content providers.”

But Vizio also collects personally identifiable information, according to the company’s privacy policy, such as in connection with purchases of equipment and services. That scenario is likely to become more common with the integration of LeEco’s streaming services and other offerings.

And it’s not just about content. Just ask those who recently gained permission from the U.S. Copyright Office to circumvent protection measures in smart televisions. One of the reasons that the permission was necessary, wrote proponents, was to expose what malicious hackers might accomplish by using the built-in microphones and cameras in such devices. Worries of illicit remote access to smart TVs were sparked by a portion of Samsung's privacy policy that once advised owners to "be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

Vizio says its TVs don’t have cameras. But that could change, particularly since at least some LeEco models do.

In addition, since Vizio TVs are networked even now, they have to connect to home or office LANs via Ethernet cables or else the user has to enter a Wi-Fi password during setup. In either case, the contents of home PCs and cellphones may then become accessible. Indeed, the Avast study found that the vulnerabilities (subsequently corrected) in Vizio TVs would enable attacks on a user’s network.

All of this raises issues beyond the privacy lawsuit. In light of the close eye that Chinese officials keep on the country’s tech and content industries, could the Chinese government use these features — content logging, LAN access, microphones and cameras — to spy on specific targets of interest, such as a CIA operative at home in Virginia, a White House staffer watching CNN in the West Wing or soldiers on a base almost anywhere?

At least one expert, the Brookings Institute’s Susan Hennessey, thinks this sort of thing is possible but perhaps unlikely. “Supply chain security and data privacy have long been national security concerns,” she said. “So I don’t think the basic questions are fantasy, however the specific scenarios may be far fetched.”

She added, “Anyone in the [intelligence community] should be practicing high levels of operational security with regards to networked devices in the home. Unless there is specific intelligence regarding a particular company, the mere fact it is foreign-owned or even Chinese-owned is not necessarily a reason to avoid the product. The more probable threat would result from insufficient security making them vulnerable to a wide variety of sophisticated actors and not a supply chain compromise. … So corporate ownership is not the exclusive consideration.”

Both companies insisted at their joint press conference in July that all customer data would be kept in the U.S. Said Hennessey, formerly an NSA attorney, “If data is in fact stored in the United States and not elsewhere, then it is protected by U.S. law and could not be handed over to the Chinese government.”

However, Vizio’s current privacy policy doesn’t actually appear to say that data is stored only in the U.S. or that it is not transferred to other countries. In addition, Vizio, like most companies, reserves the right to change its privacy policy at will. And, the corporate transaction will also include spinning off Vizio’s Inscape Data Services data analysis and marketing unit as a subsidiary to be jointly owned by LeEco and Vizio’s founder. That could bring LeEco even closer to the data, and the contours and effectiveness of Inscape’s future privacy policy are unknown.

The companies pointed out at the press conference that LeEco is a private company, not an arm of the government. But that boundary is scarcely impregnable in China. In fact, the country’s media regulator, the State Administration of Press, Publication, Radio, Film and Television, is reportedly proposing that streaming video companies grant board seats and sell equity stakes to the government. LeEco’s streaming video service would presumably be affected by the proposal.

In addition, Vizio’s privacy policy says it “will disclose Personal Information as required by law, or if … in our judgment it is necessary to respond to lawful governmental requests.” What if those are Chinese laws or requests?

“Our customers mean everything to us,” was Vizio’s answer to THR’s specific questions about the above issues. “We respect our customers' privacy and adhere to fair data collection practices.” The company didn’t otherwise address potential espionage vulnerability. For its part, LeEco was reviewing THR’s queries but wasn’t able to respond in time for the initial publication of this article. We’ll supplement with any responses received later.

Is anyone in the U.S. government paying attention? Possibly. “The transaction is likely within the regulatory authority of CFIUS,” said Hennessey, referring to the inter-agency Committee on Foreign Investment in the United States. However, she noted, that “does not mean they will actually exercise” their authority. The Committee, based at the Treasury Department, also includes representatives from numerous other U.S. agencies and cabinet departments.

Several of those members’ spokespeople failed or refused to comment or referred questions to the Treasury, whose spokesperson also declined to comment, citing legally mandated confidentiality. But Hennessey said that CFIUS has focused on Chinese investments in the past, adding, “I can’t speak to the merits of the decision to investigate or not in this particular case, but there are reasons why CFIUS should be taking a particular interest in investments related to the Internet of Things.”

Whether these issues will come into play in the pending lawsuit is uncertain, and plaintiffs’ counsel Andre Mura refused to comment on that. But there are a number of more mundane matters that will keep the parties busy.

One is whether the VPPA applies at all. Past lawsuits asserting violations of the VPPA — a statute passed in 1988 after Supreme Court justice nominee Robert Bork’s video rental history was leaked to a newspaper — explored the meaning of “personally identifiable information.” Courts have been skeptical that something like Roku device serial numbers amount to identification, though an appeals court recently allowed a lawsuit to proceed against Gannett because of the disclosure of GPS coordinates.

For this reason — and one that could spark fears over how Vizio’s overlord could target specific TV viewers — the plaintiffs in the privacy lawsuit address what other sorts of information are available for disclosure. 

“Such information includes, but is not limited to, the online services a consumer visited and the presence of a consumer’s other Internet-connected devices,” states the complaint. “VIZIO also disclosed consumers’ Internet Protocol (IP) addresses, media access control (MAC) addresses, and zip codes. This personally identifiable information can be used to pinpoint a consumer’s physical location.”

At the pleading stage, the plaintiffs may be asked to address a recent Supreme Court ruling, Spokeo v. Robins, that held that privacy plaintiffs under another statute, the Fair Credit Reporting Act, must show an injury that is both “concrete and particularized.” The high court justices largely left it to lower court judges to figure out what harm is sufficient to survive dismissal of a claimed privacy breach.

In an interesting twist, Vizio’s current privacy policy says that they do not collect viewing data from televisions located outside the U.S. That may be because some countries — particularly those in the EU — have stronger privacy protections than the U.S., but it’s certainly ironic that a U.S. company’s products offer more privacy to non-U.S. customers. And once Vizio becomes Chinese-owned, the plaintiffs and others may wonder whether their domestic privacy concerns have acquired an international dimension as well.

Patrick Brzeski contributed to this story.