TiVo Users Beware?
To prepare its report, the Foundation says that it simply monitored calls made on its own phone line and never had to open the TiVo case: "Roughly speaking, we constructed a modem sniffing station consisting of two phone jacks connected to modems on a standard laptop computer. We then connected the TiVo device's telephone jack to the station's incoming telephone jack, and we connected the station's outgoing jack to the real phone system. When the TiVo device made a telephone call, our system passed through the contents of the phone call undisturbed while saving a copy of everything transmitted over the line. We then analyzed the captured data, which led to the findings in this advisory."
TiVo immediately filed a response on its web site emphasizing that the company "has never collected personal information about its viewers without their express consent." The company adds that "although TiVo may share viewing information with certain groups in the TV industry, it is only in the form of aggregate, anonymous data—that is, a collection of data that covers the viewing habits of groups of people but is not linked or associated with any individual. For instance, a report may show data on how many people recorded a specific episode of a popular program. TiVo does not provide information that can identify a particular viewer or household, without express consent of that individual viewer."
Regardless of the TiVo position, the Foundation says that "given the conflicts between the stated privacy policies and their actual practices, as well as potential practices, TiVo would be wise to consider its potential legal exposure for breach of contract, deceptive trade practices, invasion of privacy, and other legal theories, according to an analysis by Privacy Foundation legal experts. In addition, the information in the diagnostic log named with a TiVo serial number may be subject to disclosure in response to a subpoena issued by a prosecutor in a criminal proceeding or by a litigant in a civil proceeding."
The Foundation concludes with a list of recommendations to TiVo, suggesting that the company should "resolve the discrepancies between its stated policies and its actual practices as documented in this advisory." The Foundation recommendations include:
"Until it adopts a long-term solution, TiVo can and should immediately stop collecting diagnostic logs and viewing information from all of its subscribers.
"Users should be able to change their privacy preferences at any time through the TiVo user interface. Some subscribers may, in fact, want their viewing information captured in order to communicate the popularity of a program—or to participate in an opt-in research study with Nielsen, a TiVo partner.
"TiVo should tell customers what happens in straightforward language. 'At night, we get a list of the shows you recorded and watched' is much clearer than 'We may use anonymous viewing information to benefit TiVo and strengthen our efforts to encourage the television industry to better serve the interests of TiVo subscribers.'
"TiVo should not claim that personal viewing information 'remains on your receiver,' because this suggests that the viewing information is never transmitted elsewhere. In fact, all of the constituent pieces of the personal viewing information are transmitted to TiVo's computers.
"TiVo should disclose that their customer-identified diagnostic log can indicate when the TiVo remote control was in use.
"TiVo should obtain subscriber consent before updating the software in their subscribers' TiVo units."