Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices

The number of Internet-connected TV devices has grown significantly in recent years, especially Over-the-Top ("OTT") streaming devices, such as Roku TV and Amazon Fire TV. OTT devices offer an alternative to multi-channel television subscription services, and are often monetized through behavioral advertising. To shed light on the privacy practices of such platforms, we developed a system that can automatically download OTT apps (also known as channels), and interact with them while intercepting the network traffic and performing best-effort TLS interception. We used this smart crawler to visit more than 2,000 channels on two popular OTT platforms, namely Roku and Amazon Fire TV. Our results show that tracking is pervasive on both OTT platforms, with traffic to known trackers present on 69% of Roku channels and 89% of Amazon Fire TV channels. We also discover widespread practice of collecting and transmitting unique identifiers, such as device IDs, serial numbers, WiFi MAC addresses and SSIDs, at times over unencrypted connections. Finally, we show that the countermeasures available on these devices, such as limiting ad tracking options and adblocking, are practically ineffective. Based on our findings, we make recommendations for researchers, regulators, policy makers, and platform/app developers.

[1]  Felix C. Freiling,et al.  Fingerprinting Mobile Devices Using Personalized Configurations , 2016, Proc. Priv. Enhancing Technol..

[2]  Arvind Narayanan,et al.  I never signed up for this! Privacy implications of email tracking , 2018, Proc. Priv. Enhancing Technol..

[3]  Nikita Borisov,et al.  Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components , 2014, CCS.

[4]  Wouter Joosen,et al.  You are what you include: large-scale evaluation of remote javascript inclusions , 2012, CCS.

[5]  Nick Feamster,et al.  Cleartext Data Transmissions in Consumer IoT Medical Devices , 2017, IoT S&P@CCS.

[6]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[7]  Nikita Borisov,et al.  Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses , 2016, NDSS.

[8]  Arnaud Legout,et al.  ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic , 2015, MobiSys.

[9]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .

[10]  Nick Feamster,et al.  Web-based Attacks to Discover and Control Local IoT Devices , 2018, IoT S&P@SIGCOMM.

[11]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[12]  Информатика Public Suffix List , 2010 .

[13]  Andrei Popov,et al.  Prohibiting RC4 Cipher Suites , 2015, RFC.

[14]  Narseo Vallina-Rodriguez,et al.  “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale , 2018, Proc. Priv. Enhancing Technol..

[15]  Serge Egelman,et al.  Fingerprinting Web Users Through Font Metrics , 2015, Financial Cryptography.

[16]  Timothy Libert,et al.  Exposing the Hidden Web: An Analysis of Third-Party HTTP Requests on 1 Million Websites , 2015, ArXiv.

[17]  Edward W. Felten,et al.  Cookies That Give You Away: The Surveillance Implications of Web Tracking , 2015, WWW.

[18]  Claude Castelluccia,et al.  The Leaking Battery - A Privacy Analysis of the HTML5 Battery Status API , 2015, DPM/QASA@ESORICS.

[19]  Markus Jakobsson,et al.  Drive-By Pharming , 2007, ICICS.

[20]  Vijay Sivaraman,et al.  Systematically Evaluating Security and Privacy for Consumer IoT Devices , 2017, IoT S&P@CCS.

[21]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[22]  Dan S. Wallach,et al.  Java security: from HotJava to Netscape and beyond , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[23]  Aleksandar Kuzmanovic,et al.  Mosaic: quantifying privacy leakage in mobile networks , 2013, SIGCOMM.

[24]  Earlence Fernandes,et al.  Security Analysis of Emerging Smart Home Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[25]  Narseo Vallina-Rodriguez,et al.  Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem , 2018, NDSS.

[26]  Serge Egelman,et al.  "What Can't Data Be Used For?": Privacy Expectations about Smart TVs in the U.S. , 2018 .

[27]  Balachander Krishnamurthy,et al.  WWW 2009 MADRID! Track: Security and Privacy / Session: Web Privacy Privacy Diffusion on the Web: A Longitudinal Perspective , 2022 .

[28]  Nikita Borisov,et al.  The Web's Sixth Sense: A Study of Scripts Accessing Smartphone Sensors , 2018, CCS.

[29]  David Cooper,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2008, RFC.

[30]  Chris Jay Hoofnagle,et al.  Flash Cookies and Privacy , 2009, AAAI Spring Symposium: Intelligent Information Privacy Management.

[31]  Nick Nikiforakis,et al.  Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions , 2017, WWW.

[32]  Triet Vo Huu,et al.  Inferring User Routes and Locations Using Zero-Permission Mobile Sensors , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[33]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[34]  David Wetherall,et al.  Detecting and Defending Against Third-Party Tracking on the Web , 2012, NSDI.

[35]  Claude Castelluccia,et al.  Near-Optimal Fingerprinting with Constraints , 2016, Proc. Priv. Enhancing Technol..

[36]  Tim Wright,et al.  Transport Layer Security (TLS) Extensions , 2003, RFC.

[37]  Nikita Borisov,et al.  Every Move You Make: Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures , 2018, Proc. Priv. Enhancing Technol..

[38]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[39]  Hovav Shacham,et al.  Fingerprinting Information in JavaScript Implementations , 2011 .

[40]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.