The TV is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking
Authors: Janus Varmarken† (University of California, Irvine), Hieu Le† (University of California, Irvine), Anastasia Shuba (Broadcom Inc. (The author was a student at the University of California, Irvine at the time the work was conducted)), Athina Markopoulou (University of California, Irvine), Zubair Shafiq (University of Iowa)
Volume: 2020
Issue: 2
Pages: 129–154
DOI: https://doi.org/10.2478/popets-2020-0021
Abstract: In this paper, we present a large-scale measurement study of the smart TV advertising and tracking ecosystem. First, we illuminate the network behavior of smart TVs as used in the wild by analyzing network traffic collected from residential gateways. We find that smart TVs connect to well-known and platformspecific advertising and tracking services (ATSes). Second, we design and implement software tools that systematically explore and collect traffic from the top-1000 apps on two popular smart TV platforms, Roku and Amazon Fire TV. We discover that a subset of apps communicate with a large number of ATSes, and that some ATS organizations only appear on certain platforms, showing a possible segmentation of the smart TV ATS ecosystem across platforms. Third, we evaluate the (in)effectiveness of DNS-based blocklists in preventing smart TVs from accessing ATSes. We highlight that even smart TV-specific blocklists suffer from missed ads and incur functionality breakage. Finally, we examine our Roku and Fire TV datasets for exposure of personally identifiable information (PII) and find that hundreds of apps exfiltrate PII to third parties and platform domains. We also find evidence that some apps send the advertising ID alongside static PII values, effectively eliminating the user’s ability to opt out of ad personalization.
Keywords: Smart TV; privacy; tracking; advertising; blocklists
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.