VIZIO and big data abuse

The FTC has charged VIZIO under the FTC Act and New Jersey consumer protection laws for collecting data on 11 million VIZIO TVs without consent. VIZIO has agreed to settle out of court for $2.2 million USD.

The settlement has implications for your data and IoT — an internet-connected TV is certainly an IoT device. The scale of what was allegedly collected is staggering, to the tune of pixel matching down to the second. If you are wondering whether data collection, analysis, and inference at this scale is possible, the answer is yes, thanks to big data. Check out my explainer on big data — in this case, this is not a big data application, but a big data abuse: snooping on your viewing habits. Since it is possible to collect data at that scale from an IoT TV, it is possible to collect a similar picture from other IoT devices, which typically have less data to transmit.

Unfortunately, a concurrent statement released by the chairman of the FTC telegraphs that they will back off on consumer privacy concerns. The chairman supplies a weak argument claiming it is unclear if anything “unfair” is going on (emphasis mine):

[The case] alleges that granular (household or individual) television viewing activity is sensitive information. And it states that sharing this viewing information without consent causes or is likely to cause a “substantial injury” under Section 5(n) of the FTC Act.…[U]nder our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.

The data collection in question is hard to avoid when the practice is hidden from customers. What’s also hidden here is the question of the effect of correlated data. Let’s give VIZIO the benefit of the doubt and assume they scrubbed all personally identifying information (PII) from the collected data. Bruce Schneier explains why correlated data is just as sensitive as PII in Data Versus Goliath:

[B]eing identified by a unique number often doesn’t provide much protection. The data can still be collected and correlated and used, and eventually we do something to attach our name to that ‘anonymous’ data record.

In addition to being a practice hostile to consumers — one would assume that's what led to the charge in question — it is unfair to the competition; by collecting data and generating a customer database without consent, VIZIO is able to sell that database to advertisers, providing VIZIO with revenue unfairly earned at the expense of consumers. This could have been avoided with an opt-in.

I’ve warned before about the risk of providing your data to a second party without knowing its final resting place — when taken without your consent, that risk becomes unimaginable. So hurry and get your very own telescreen while supplies last.