The number of Internet Connected TV (CTV) devices has grown significantly in recent years. However, CTV platforms and the application ecosystem they offer are operating with limited transparency and therefore introduce privacy risks. In this work, we present methods and tools to study the ecosystem of CTVs and shed light on the privacy practices of developers on these platforms.
First, we study the data collection and sharing practices on CTVs by platforms, applications, and trackers. To this end, we developed a system to automatically download CTV apps (also known as channels), and interact with them while intercepting the network traffic and performing best-effort TLS interception. We used this smart crawler to visit more than 2,000 channels on two popular CTV platforms, namely Roku and Amazon Fire TV. Our results show that tracking is pervasive on both platforms, with traffic to known trackers present on 69% of Roku channels and 89% of Amazon Fire TV channels. We also discover a widespread practice of collecting and transmitting unique identifiers, at times over unencrypted connections. We also show that the countermeasures available on these devices, such as limiting ad-tracking options and adblocking, are inadequate.
Second, we design a series of experiments to show how apps, third-party trackers, and advertisers use the information they collect about users on CTV devices for behavioral targeting. To this end, we developed an end-to-end measurement system that uses controlled experiments to generate various user profiles, runs concurrent crawls using these profiles, and measures and compares the video commercials delivered to them. We also present a crowdsourcing system to assign labels to the commercials observed during each experiment. The results of our preliminary analysis of behavioral targeting suggest that certain channels may be targeting users based on past activity, and that one channel is potentially violating the privacy settings on the device.
We believe our tool and results will help CTV developers, users, and regulators better understand how users' data is used for targeting, whether privacy options are effective on these platforms, and whether different parties comply with the privacy requirements.
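The identifier measurement described above (unique identifiers sent to third parties, at times over unencrypted connections) can be sketched as a scan over intercepted flows. This is an added example, not the authors' crawler: the flow record layout, the identifier values, the `.example` hosts, and the set of encodings checked are all assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

# Constructed identifiers: values a test device would be known to hold.
DEVICE_IDS = {"ad_id": "a1b2c3d4-0000-4111-8222-333344445555",
              "serial": "YH00AB123456"}

def encodings(value):
    """Forms in which one identifier may appear on the wire (assumed set)."""
    raw = value.encode()
    return {"plain": value,
            "base64": base64.b64encode(raw).decode(),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest()}

def find_leaks(flows, device_ids=DEVICE_IDS):
    """Return one record per (flow, identifier, encoding) match."""
    leaks = []
    for flow in flows:
        parts = urlsplit(flow["url"])
        # Search the percent-decoded URL and the request body together.
        text = unquote(flow["url"]) + "\n" + flow.get("body", "")
        for name, value in device_ids.items():
            for enc, needle in encodings(value).items():
                # base64 is case-sensitive; plain and hex forms are not.
                hit = (needle in text if enc == "base64"
                       else needle.lower() in text.lower())
                if hit:
                    leaks.append({"host": parts.hostname, "id": name,
                                  "encoding": enc,
                                  "cleartext": parts.scheme == "http"})
    return leaks

# Constructed flows standing in for intercepted traffic; hosts are placeholders.
SAMPLE_FLOWS = [
    {"url": "http://tracker.example/pixel?aid=" + DEVICE_IDS["ad_id"].upper()},
    {"url": "https://ads.example/v1/event",
     "body": '{"did": "%s"}' % encodings(DEVICE_IDS["serial"])["md5"]},
    {"url": "https://cdn.example/show/master.m3u8"},
    {"url": "http://metrics.example/c?d="
            + encodings(DEVICE_IDS["serial"])["base64"]},
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FLOWS):
        print(leak)
```

Checking hashed and encoded forms alongside the plain value matters because an identifier that is only hashed before transmission still works as a stable tracking key.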
- Zoom link: https://princeton.zoom.us/j/96685890686