TiVo Users Beware?

Last week, TiVo found itself the focus flurry of unwanted media attention as a new report was released by the Privacy Foundation detailing at length how the TiVo system collects personal data. The report also reveals what the Privacy Foundation found while comparing a TiVo PVR's actual behavior under test with the company's stated privacy policy. The Foundation says that it and University of Denver Privacy Center have recently completed a fourth independent investigation of the TiVo device.

According to the report, the TiVo PVR (in this case a Philips HDR312 purchased at a Denver Circuit City store) collects information about the shows that home viewers record and watch. The Foundation report states that TiVo gathers enough information to track individual users' home viewing habits while apparently promising not to do so; could identify the personal viewing habits of subscribers at will; has a much more explicit privacy policy disclosure on its website than in the printed material that accompanies the purchase of the product."

To prepare its report, the Foundation says that it simply monitored calls made on its own phone line and never had to open the TiVo case: "Roughly speaking, we constructed a modem sniffing station consisting of two phone jacks connected to modems on a standard laptop computer. We then connected the TiVo device's telephone jack to the station's incoming telephone jack, and we connected the station's outgoing jack to the real phone system. When the TiVo device made a telephone call, our system passed through the contents of the phone call undisturbed while saving a copy of everything transmitted over the line. We then analyzed the captured data, which led to the findings in this advisory."

TiVo immediately filed a response on its web site emphasizing that the company "has never collected personal information about its viewers without their express consent." The company adds that "although TiVo may share viewing information with certain groups in the TV industry, it is only in the form of aggregate, anonymous data—that is, a collection of data that covers the viewing habits of groups of people but is not linked or associated with any individual. For instance, a report may show data on how many people recorded a specific episode of a popular program. TiVo does not provide information that can identify a particular viewer or household, without express consent of that individual viewer."

Regardless of the TiVo position, the Foundations says that "given the conflicts between the stated privacy policies and their actual practices, as well as potential practices, TiVo would be wise to consider its potential legal exposure for breach of contract, deceptive trade practices, invasion of privacy, and other legal theories, according to an analysis by Privacy Foundation legal experts. In addition, the information in the diagnostic log named with a TiVo serial number may be subject to disclosure in response to a subpoena issued by a prosecutor in a criminal proceeding or by a litigant in a civil proceeding."

The Foundation concludes with a list of recommendations to TiVo, suggesting that the company should "resolve the discrepancies between its stated policies and its actual practices as documented in this advisory." The Foundation recommendations include:

"Until it adopts a long-term solution, TiVo can and should immediately stop collecting diagnostic logs and viewing information from all of its subscribers.
"If TiVo wants to collect viewing information, it should ask for subscriber permission. New TiVo owners must already go through a lengthy "guided setup" that asks many questions about their audio, video, and telephone equipment in order to properly configure the TiVo unit. TiVo could easily ask for user permission to gather viewing information during this phase. The current practice of assuming that the subscriber, simply by turning on the TiVo box, has consented to the web-based privacy policy—while TiVo complains of 'misplaced hype'—is confusing, at best.
"Users should be able to change their privacy preferences at any time through the TiVo user interface. Some subscribers may, in fact, want their viewing information captured in order to communicate the popularity of a program—or to participate in an opt-in research study with Nielsen, a TiVo partner.
"TiVo should tell customers what happens in straightforward language. 'At night, we get a list of the shows you recorded and watched' is much clearer than 'We may use anonymous viewing information to benefit TiVo and strengthen our efforts to encourage the television industry to better serve the interests of TiVo subscribers.'
"TiVo should not claim that personal viewing information 'remains on your receiver,' because this suggests that the viewing information is never transmitted elsewhere. In fact, all of the constituent pieces of the personal viewing information are transmitted to TiVo's computers.
"TiVo should disclose that their customer-identified diagnostic log can indicate when the TiVo remote control was in use.
"TiVo should obtain subscriber consent before updating the software in their subscribers' TiVo units."