EPIC Complaint to FTC Claims Samsung TVs Violate Privacy Provision in Cable Act

EPIC asked the FTC to look into Samsung’s alleged voice recording and transmission practices, to halt the interception and recording of private communications within the home, to cease transmitting recorded communications to third parties, to investigate Samsung’s violation of the Electronic Communications Privacy Act, to investigate other CE companies engaged in similar practices and to provide “necessary and appropriate” relief.

In the three-count complaint, EPIC charges Samsung with failing to disclose that the company records and transmits private conversations through its smart TVs; unfair disclaimer of liability for third-party privacy and security practices; and violation of the Children’s Online Privacy Protection Act.

The complaint alleges Samsung “routinely intercepts and records the private communications of consumers in their homes.” Consumers who have learned of the practices consider it “unfair” and “deceptive,” the complaint said, and Samsung’s attempts to disclaim its surveillance activities by means of a “privacy notice” don't diminish the harm done to American consumers. The complaint asks the FTC to take action and enjoin Samsung “and other companies that engage in similar practices from such unlawful activities.”

EPIC said Congress anticipated privacy threats with interactive TV as far back as the early 1980s when it became apparent that interactive TVs would enable functions such as “home banking, instant voting, storage of personal information, home shopping, instant-response study courses, automatic regulation of utility use, a selection from almost 1,000 data bases of specialized information, and security services which can monitor for fire, home intrusion and medical emergency.” The first deployment of interactive TV came via cable TV set-top boxes that transmitted user data to service providers, and after warnings by privacy experts and policy makers, safeguards against data collection were put in place by the Cable Communications Policy Act (CCPA), the complaint said.

The CCPA ensures that cable operators collect only the user data needed to operate the service, keep the data secure while it's in use, and delete the data once it has served its purpose, the complaint says. It also cites the Senate Commerce Committee, which said “the development of new and diversified services over interactive two-way cable systems should not impact adversely upon the privacy of the individual.”

The complaint cites the arrival in 2012 of TVs capable of monitoring and recording voice communications and refers to a Samsung announcement at CES 2012 (referred to as the Consumer Electronic Expo) of a “Smart Touch” remote control with a built-in microphone for voice recording. Other Samsung models included a camera and additional microphones to record voice and hand gestures, the complaint said. It also refers to Samsung’s recent purchase of mobile payment processing company LoopPay.

When the Samsung voice recognition feature is enabled, “everything a user says in front of the Samsung SmartTV is recorded and transmitted over the internet to a third party regardless of whether it is related to the provision of the service,” EPIC charges, citing a Wall Street Journal article. The complaint refers to a disclaimer from a Samsung privacy policy page detailing what information is sent to third-parties when consumers use the voice recognition feature of the TVs: “Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

According to the complaint, Samsung has represented that it encrypts the voice communications it transmits to text-to-speech software company Nuance “to secure consumers’ personal information and prevent unauthorized collection or use.” EPIC charges that Samsung doesn’t encrypt all the conversations it records and transmits to Nuance, citing a blog post, “Is Your Samsung TV Listening to You?” by security and testing company Pen Test Partners. The complaint also said Samsung later conceded it doesn’t encrypt all the voice recordings it transmits, citing a BBC report.

The complaint includes a laundry list of consumer comments from user forums and Twitter about Samsung and other companies’ recording practices as awareness of privacy issues with smart TVs has grown. The complaint alleges many users didn’t realize Samsung’s voice recognition feature involved recording and transmission of data. It quotes a user who asked “why is this info sent to third party at all it should just stop at the smart tv processor.” Many consumers believe the recording practices are illegal, said the complaint, which quotes consumers equating the practices with “phone tapping,” “voyeurism,” “invasion of privacy” and “cyberstalking.” Numerous consumers hoped that lawsuits would result from the exposed practices.

EPIC alleges Samsung is violating the Subscriber Privacy Provision in the Cable Communications Policy Act, which prohibits the collection of “personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned.” The complaint also cites a clause of the CCPA saying “a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.” It says Samsung doesn’t obtain such consent to record private conversations of people in their homes or prevent unauthorized access to customers’ information.

The complaint also said Samsung practices violate the Electronic Communications Privacy Act, which prohibits the “interception and disclosure of wire, oral, or electronic communications.” And it invokes the FTC’s authority on possible violation of the Children’s Online Privacy Protection Act (COPPA), enforced by the FTC, which regulates the collection of children's personal information by operators of online services. The Rule applies to operators of online services, websites, and apps directed to children under 13 as well as to a general audience and must provide notice of what information it collects from children and how it is to be used. To comply with COPPA, operators must obtain parental consent before collecting children’s personal information and data, the complaint states.

In a statement, Samsung said “the claims made by EPIC are not correct and do not reflect the actual features of our Smart TV. Samsung takes consumer privacy very seriously and our products are designed with privacy in mind.”

Consumers’ privacy concerns extend beyond Samsung to connected TVs in general, the complaint shows. A user said: “My Sony TV would be neutered if I didn't agree to a laundry list of data harvesting. As far as I can tell, ALL of my media surfing is sent back to the mothership. Any pausing, muting, viewing cable, viewing any of the 300 media content apps the TV provides access to, any music, any devices connected to the TV, any games played on the tv. There is NO way to know what is ‘shared’ or who has access to it. Pile on to that the fact of the huge Sony hack and loss of data. Any Agencies who buy this data could compile a dossier of my habits better than I think I know myself.”

Sony didn’t immediately respond to a request for comment. But CEA President Gary Shapiro, in a statement that used a play on words, called the complaint "an epic overreaction." EPIC "mischaracterizes Samsung’s voice-recognition technology as an attempt at pervasive surveillance of the home, but doesn’t acknowledge that it’s a very useful feature designed to serve consumers’ needs -- and a game-changing accessibility innovation for people with disabilities," Shapiro said. “We shouldn’t confuse voice-recognition applications with ‘spying.’ Increasingly, voice recognition powers the features behind some of our most innovative consumer products such as smartphones, gaming systems and car navigation systems. Companies use cloud-based infrastructure to provide these services because it’s powerful, efficient, lowers costs and saves energy. Transferring data from a user’s device to the cloud and back is a necessary part of providing these innovative services."

According to Shapiro, consumers need to know "exactly what kind of data their devices are collecting, and how that data is being used. To that end, technology companies are bending over backward to earn consumers’ trust." Users who remain unconvinced "have the option to disable voice command features," he said. "That said, it’s important that manufacturers help consumers understand how connected systems work and how their information is collected and used, since more and more everyday objects will soon be ‘smart devices’ -- joining the Internet of Things. Innovation and strong consumer privacy can and do co-exist.”