Originally published by Privacy Foundation


Chronology of Written Reports

Rough summary: TiVo's later privacy policies (including those available in 2001) no longer claim that "all of your personal viewing information remains on your [TiVo] in your home". This is important, because the report below shows how that statement was (and perhaps even still is) not true. But in no longer making that claim and instead promising not to misuse any personal viewing information that they might encounter -- as well as intentionally if not perfectly separating the viewing data from subscriber identity -- TiVo is doing just fine. In light of these changes, it seems appropriate that the FTC declined to undertake a full investigation in 2001. By the way, I love my TiVo.

David Martin



TiVo's Data Collection and Privacy Practices

By David Martin
Assistant Professor of Computer Science, University of Denver
March 26, 2001

Introduction
Vendor Response
TiVo Background and Business Model
Information Gathering by the TiVo Device
The Diagnostic Log File
The Viewing Information File
Viewing Information: Anonymous or Not?
Technical Details: Transferring the Information
TiVo's Privacy Disclosures
Legal Concerns
Recommendations to TiVo Inc.
Recommendations to TiVo Subscribers
Listening to TiVo's Transmissions
Acknowledgments
Related Links


Introduction

The TiVo personal television product gives home viewers the ability to pause live television, record TV shows by name rather than time and channel, and generally allows users to "time-shift" TV broadcasts into their own schedule. In exchange, TiVo collects both a subscription fee and information about the shows that home viewers record and watch. The Privacy Foundation and University of Denver Privacy Center have recently completed a 4-month independent investigation of the TiVo device.

According to our findings, TiVo:

- gathers enough information to track individual users' home viewing habits while apparently promising not to do so;

- could identify the personal viewing habits of subscribers at will;

- has a much more explicit privacy policy disclosure on its Web site than in the printed material that accompanies the purchase of the product.

The TiVo unit we investigated was sold as a Philips HDR312 at a local Circuit City store.


Vendor Response

A draft version of this privacy advisory was provided by the Privacy Foundation to TiVo on March 14, 2001. Senior officers of the company responded in a phone call on March 19, 2001 with the following points:

- TiVo turns off all logging at the incoming FTP servers to prevent the correlation of the anonymous viewing files with the diagnostic files that contain customer ID numbers. TiVo takes a number of other steps to prevent anonymous viewing files from being traced back to TiVo subscribers.

- TiVo claims that it is only interested in compiling customer data to assess aggregate viewing behavior, and has no plans to identify the viewing habits of individuals, nor to use such data for direct marketing purposes.

- The server-side practices of TiVo are beyond the scope of the advisory. TiVo also notes that data about customers is kept in secure servers that can only be accessed by authorized TiVo employees.

- Version 2.0 of the TiVo software will encrypt files that contain personal information, as described in the latest Privacy Promise.

- The latest version of the TiVo Privacy Promise, dated September 2000, addresses many of the issues which the Privacy Foundation advisory brings up. This Privacy Promise is available online at http://www.tivo.com/support/service_privacy_pvr.asp.

- TiVo acknowledges that its privacy practices and disclosures may not be up-to-date in manuals sold with TiVo units, but the company notes that it attempts to alert all customers about the availability of the new Privacy Promise via email and messages on the TiVo service.


TiVo Background and Business Model

Launched in 1999, the TiVo service allows viewers to easily record favorite TV programs, or types of programs, for later viewing through a set-top box that can record up to 30 hours or more of programming. The TiVo box can cost several hundred dollars at retail, plus a monthly subscription fee of $9.95; a yearly fee of $99.95; or a lifetime subscription fee of $199.

TiVo Inc., the publicly-traded parent company based in San Jose, Calif., has alliances with major media and technology companies, including its equipment vendors, Philips and Sony; General Electric/NBC; DirecTV; and a $200 million investment from AOL Time Warner. In August of 2000, Nielsen Media Research and TiVo announced a strategic agreement to enable opt-in audience measurement through the TiVo service.

As of Jan. 31, 2000, TiVo Inc. reported an installed subscriber base of 154,000. The net loss for the calendar year 2000 was $206.4 million, on revenues of $3.6 million.

Aggressive estimates by industry analysts claim that the market for "personal video recorders" from TiVo and other vendors could reach five-to-seven million units by year-end 2002. ReplayTV, a primary competitor to TiVo, was acquired in February by Sonicblue in a $123 million stock deal. In January, Microsoft announced the launch of its UltimateTV service, which integrates DirecTV programming, digital video recording, live TV controls, interactive television and Internet access.

Among the future business opportunities for TiVo is providing targeted advertising to viewers, according to the company's year-end 2000 report: "This is accomplished by a software program utilizing data stored on the personal video recorder. Individual viewing preferences will not be released to advertisers or other third parties."

TiVo is aware of privacy concerns. In the risks section of its 2000 Annual Report, TiVo writes: "Consumers may be concerned about the use of personal information gathered by the TiVo Service and personal video recorder. Under our current policy, we do not access this data or release it to third parties. Privacy concerns, however, could create uncertainty in the marketplace for personal television and our products and services. Changes in the privacy policy could reduce demand for the TiVo Service, increase the cost of doing business as a result of litigation costs or increased service delivery costs, or otherwise harm our reputation and business."

TiVo has received generally favorable press coverage, including a March 18 segment on "60 Minutes." An Aug. 13, 2000, New York Times Magazine story on TiVo made this observation about the promise of its technology: "While the viewer watched the television, the box would watch the viewer. It would record the owner's viewing habits in a way that TV viewing habits had never been recorded."


Information Gathering by the TiVo Device

During TiVo installation, the installer connects the TiVo unit to a cable TV feed or other video source, a television, and the home phone line. The home user then controls the television exclusively through the TiVo remote control.

During an automatic daily phone call, the TiVo device gets a new copy of the most recent TV schedule from computers at TiVo headquarters. But during the same phone call, the TiVo device also transmits information to TiVo headquarters. At least two different types of information are transmitted: a diagnostic log file and a viewing information file.




The Diagnostic Log File

The diagnostic log file (a "syslog") contains various debugging and system status reports, such as memory consumption, user interface response time, modem communication records, enclosure temperature, and enclosure fan speed. Here are some sample lines from the diagnostic log:
Jan 13 06:29:44 (none) fancontrol[54]: The current board temperature is 41
Jan 13 06:29:44 (none) fancontrol[54]: Setting the fan speed to 9
Jan 13 06:39:44 (none) fancontrol[54]: The current board temperature is 37
Jan 13 06:39:44 (none) fancontrol[54]: Setting the fan speed to 0
Jan 13 17:42:10 (none) LogTime[94]: WatchTV: change the channel: 0.015 sec
Jan 13 17:42:55 (none) LogTime[94]: Lineup: update the OSD: 0.949 sec
Jan 13 17:42:56 (none) LogTime[94]: Lineup: arrow up/down: 0.011 sec
Jan 13 17:42:57 (none) LogTime[94]: Lineup: arrow up/down: 0.009 sec

Even though the diagnostic log does not indicate which shows are being watched by the home viewer, entries like the last lines above do indicate that someone was manipulating the TiVo remote control at 5:42 pm on January 13.

The diagnostic log contains an enormous amount of information about the TiVo device's internal processes. On one day, for instance, we observed almost 100 pages of information being deposited in the diagnostic log. We are not aware of any other consumer device that routinely transmits so much operational information to corporate headquarters.

A sample diagnostic log file is available in the Related Links section of this advisory.


The Viewing Information File

The viewing information records transmitted to TiVo headquarters look like this in raw form:
980389559|WatchTV|recorded|KDVR|3134603|980127000

The two numbers beginning with 980 are timestamps that count the number of seconds that have elapsed since midnight on January 1, 1970, and the number 3134603 identifies a specific television program. This record can be interpreted as:

"On Wednesday, January 24 2001 at 7:26pm, the home viewer began watching an episode of King of the Hill that was originally recorded on Sunday, January 21 2001 at 6:30pm on the KDVR station."

We also observed TiVo transmitting viewing records such as these:
980389520|WatchTV|live|IFC|27666|980384400
980389546|MWEvent|tyTivo
980389550|MWEvent|tySurfDown
980389565|MWEvent|tyVolumeUp

The first line above reveals the home user tuning in the movie "My Own Private Idaho" on the Independent Film Channel (IFC), and the three lines below it correspond directly to pushing buttons on the TiVo remote control.
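A decoder for the two record shapes shown above, added here as an example; it is not TiVo's code. Field meanings follow the advisory's own interpretation, and the time zone is assumed to be Mountain Standard Time (UTC-7), since the records carry no zone and the unit was in Denver in January 2001.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the unit was in Denver, which was on Mountain Standard Time
# (UTC-7) in January 2001; the records themselves carry no zone.
MST = timezone(timedelta(hours=-7), "MST")

# Constructed sample input: the five records quoted in the advisory.
SAMPLE_RECORDS = """\
980389559|WatchTV|recorded|KDVR|3134603|980127000
980389520|WatchTV|live|IFC|27666|980384400
980389546|MWEvent|tyTivo
980389550|MWEvent|tySurfDown
980389565|MWEvent|tyVolumeUp
"""


def local_time(epoch_seconds):
    """Seconds since 1970-01-01 00:00 UTC -> aware datetime in MST."""
    return datetime.fromtimestamp(int(epoch_seconds), MST)


def parse_record(line):
    """Decode one pipe-delimited record into a dict; reject unknown shapes."""
    fields = line.strip().split("|")
    if len(fields) < 2:
        raise ValueError("record needs a timestamp and a type: %r" % line)
    when, kind = local_time(fields[0]), fields[1]
    if kind == "WatchTV" and len(fields) == 6:
        # time|WatchTV|recorded-or-live|station|program id|program start time
        return {"kind": kind, "time": when, "source": fields[2],
                "station": fields[3], "program_id": int(fields[4]),
                "program_time": local_time(fields[5])}
    if kind == "MWEvent" and len(fields) == 3:
        # time|MWEvent|name of the remote-control button pressed
        return {"kind": kind, "time": when, "button": fields[2]}
    raise ValueError("unrecognised record shape: %r" % line)


def parse_file(text):
    """Parse every non-blank line of a viewing information file."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def stamp(d):
    """'Wednesday, January 24 2001 at 7:25pm', the way the advisory writes dates."""
    hour12 = d.hour % 12 or 12
    return "%s %d %d at %d:%02d%s" % (d.strftime("%A, %B"), d.day, d.year,
                                      hour12, d.minute,
                                      "pm" if d.hour >= 12 else "am")


def describe(rec):
    """Render a parsed record as a plain-English sentence."""
    if rec["kind"] == "WatchTV":
        return ("On %s the viewer began watching %s program %d on %s "
                "(program time %s)." % (stamp(rec["time"]), rec["source"],
                                        rec["program_id"], rec["station"],
                                        stamp(rec["program_time"])))
    return "On %s the viewer pressed %s." % (stamp(rec["time"]), rec["button"])


def activity_window(records):
    """Earliest and latest timestamps: the span during which someone was
    demonstrably in front of the set, whether or not the file names anyone."""
    times = [r["time"] for r in records]
    return min(times), max(times)


if __name__ == "__main__":
    parsed = parse_file(SAMPLE_RECORDS)
    for r in parsed:
        print(describe(r))
    first, last = activity_window(parsed)
    print("activity between %s and %s" % (stamp(first), stamp(last)))
```

Program titles are not in the file; the advisory matched the program ids against the TV schedule, which this decoder does not model.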


Viewing Information: Anonymous or Not?

When the viewing information file is transmitted to TiVo headquarters, it is deposited into a common area for gathering subscriber data. The TiVo unit does not explicitly attach the viewer's identification number to the file in this step, and this is partially why TiVo considers the information "anonymous".

TiVo describes this practice as a "very sophisticated mechanism" to ensure that the subscriber information cannot be linked with the "anonymous" viewing information. However, the viewing information file is nonetheless transmitted during a session identified by the home viewer's TiVo serial number. In fact, this serial number is transmitted multiple times during the single phone call. TiVo receives all of the information necessary to attribute the viewing information to a particular subscriber during this phone call but gives no indication of this fact in any of its documentation. Therefore, the home viewing information can only be truly anonymous when TiVo headquarters intentionally treats it as such. TiVo’s current "anonymization" procedure does not change that fact.


Technical Details: Transferring the Information

TiVo’s actual file transfer mechanism works as follows. During the daily phone call, TiVo headquarters chooses a name for the receiver’s viewing information file and a name for the diagnostic log and transmits both to the TiVo unit. If one of these file names includes the word "RANDOMIZE", then the TiVo unit replaces that word with a large randomly chosen number. This allows TiVo headquarters to decide whether a file’s name will include identifying information or not. The TiVo unit then begins transferring the two data files to the TiVo headquarters computer, saving them under the chosen names.

Under normal operation, TiVo headquarters includes the word "RANDOMIZE" in the viewing information file name and the TiVo unit serial number in the diagnostic log file name. This means that the viewing information file name will not immediately identify a subscriber, but the diagnostic log file name will.

For example, we first saw TiVo headquarters choose and transmit the names
/TivoData/bprv/20010124/000000.RANDOMIZE.80208.bz2
/TivoData/bpub/20010124/184023.00840336485942.log.bz2

and then we observed our TiVo unit depositing files onto the TiVo server computer with the names
/TivoData/bprv/20010124/000000.C41CF33D1DC7F401.80208.gz
/TivoData/bpub/20010124/184023.00840336485942.log.gz

The first file, which contains the viewing information, is sent to the "private" (bprv) directory and stored under a name that only identifies the subscriber's zip code. But the diagnostic log file goes to the "public" (bpub) directory, and is stored under a name that contains a TiVo unit's serial number – in this case 00840336485942. Both files clearly show the date of the transfer, 2001/01/24, in their path.

Since both files are transferred to the same computer during the same phone call, this computer can easily reattach the subscriber ID to the viewing information file. In addition, it is standard computer security practice to keep a record of every FTP file that is transferred. These FTP records normally indicate both the name of the file transferred and the IP address of the computer (or TiVo unit) that initiated the transfer. Just by consulting this log file – even months or years after the fact – TiVo could easily reconstruct the subscriber ID that deposited a viewing information file. (We have no direct way to tell if FTP logging is on or off, but TiVo representatives indicated that FTP logging is disabled.)
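A small model of the naming step and of the linkage argument above, added as an example; it is not TiVo's code. It assumes the RANDOMIZE replacement is 16 hex digits (the width of the observed value), that the .bz2 to .gz change seen in the deposited names is unconditional, and that unit serials are 14 decimal digits as in the name shown.

```python
import re
import secrets

# Assumption: unit serials are 14 decimal digits, as in the name the advisory
# shows (00840336485942). Hex neighbours are excluded so a random hex token
# is never mistaken for a serial.
SERIAL_RE = re.compile(r"(?<![0-9A-Fa-f])\d{14}(?![0-9A-Fa-f])")


def deposited_name(server_template, random_hex=lambda: secrets.token_hex(8).upper()):
    """Turn the name TiVo headquarters sent into the name the unit uploads under.

    The advisory says RANDOMIZE becomes a large random number; the observed value
    was 16 hex digits, so that width is assumed. The observed .bz2 -> .gz change
    is reproduced as an unconditional rewrite (assumption).
    """
    name = server_template.replace("RANDOMIZE", random_hex())
    return re.sub(r"\.bz2$", ".gz", name)


def audit_session(deposited_names, session_serial=None, ftp_logging=True):
    """List, per uploaded file, every way it could be tied back to the unit.

    session_serial: the serial the phone call identified itself with, or None
                    for a hypothetical call that carries no identifier.
    'name:<serial>' - the serial is embedded in the file name itself
    'session'       - the upload happened in a call identified by the serial,
                      so the receiving host can pair them on arrival
    'ftp_log'       - a transfer log (name, client address, time) keeps that
                      pairing recoverable after the call, if logging is on
    """
    report = {}
    for name in deposited_names:
        links = ["name:" + s for s in SERIAL_RE.findall(name)]
        if session_serial is not None:
            links.append("session")
            if ftp_logging:
                links.append("ftp_log")
        report[name] = links
    return report


def unlinkable_files(report):
    """Files with no linkage path at all. Renaming with RANDOMIZE only removes
    the 'name' path; the set is empty while the call itself is identified."""
    return sorted(n for n, links in report.items() if not links)


if __name__ == "__main__":
    # Constructed input: the two server-chosen names quoted in the advisory.
    templates = ["/TivoData/bprv/20010124/000000.RANDOMIZE.80208.bz2",
                 "/TivoData/bpub/20010124/184023.00840336485942.log.bz2"]
    names = [deposited_name(t) for t in templates]
    report = audit_session(names, session_serial="00840336485942", ftp_logging=False)
    for name, links in report.items():
        print(name, "->", ", ".join(links) or "(unlinkable)")
    print("unlinkable:", unlinkable_files(report))
```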


TiVo's Privacy Disclosures

We found three privacy statements that concern our Philips TVR312. Two of them are in the manual that accompanied the Philips TiVo unit, and the third is on the TiVo Web site.

First disclosure. The first mention of privacy appears about halfway through the manual on page 56 as an answer to a frequently asked question:
Will the TiVo Service collect information about my viewing habits?
There has been quite a bit of misplaced hype about TiVo collecting viewing information. At TiVo, we absolutely respect and guard your right to privacy. We have a privacy policy that maintains complete viewer confidentiality. Unlike the Internet, all of your personal viewing information remains on your PTV receiver in your home. TiVo has created a very sophisticated system with both protection and customization for our viewers in mind. It is TiVo's promise to you that you will always maintain control over your own personal information. For more information see the TiVo Privacy Promise, pages 133-134.


This first disclosure is the most accessible to users because it occurs in the main text of the user manual. Users reading it are likely to understand that TiVo is offended at the notion ("misplaced hype") that TiVo might even be suspected of "collecting viewing information." Then, by stating that "all of your personal viewing information remains on your [TiVo] receiver in your home", TiVo sends a signal that any such suspicion is totally unfounded because viewing information never leaves the TiVo device.

It is important to observe that TiVo does not include its unusual definition of "personal viewing information" at this point. Therefore, a reader might rationally conclude that absolutely no information about TV viewing ever leaves the TiVo device, under the reasonable assumption that all information about the shows viewed at home is "personal" – i.e., due to personal action. For these subscribers, the first disclosure has the effect of limiting interest in the second and third disclosures.

Second disclosure. This disclosure begins with a preamble on page 132:
Privacy

Your Philips PTV Receiver is powered by the TiVo Service. Philips and TiVo are committed to protecting the privacy of your personal information. TiVo has established a strict privacy policy for the TiVo Service, which is published on TiVo’s website, www.tivo.com. We have reprinted it here as well for your convenience.


The privacy disclosure following this statement in the manual may be a reprinting of a policy that was posted on TiVo’s Web site at one time, but when we purchased the TiVo unit in late 2000, the TiVo manual policy and the Web site policy were no longer the same. The Web site privacy policy was already much more detailed and explicit than anything printed in the TiVo manual.

TiVo presents the main text of this second privacy disclosure on page 133:
TiVo's Privacy Promise to You

Please read this policy document carefully [...]
1. Personal Viewing Information. Your Personal Television (PTV) Receiver keeps track of viewing information – the programs you ask it to record and any time buttons on the PTV Remote Control, such as "Thumbs Up" or "Thumbs Down," are pressed. Your PTV Receiver uses it to tune, schedule, record, and recommend programs for you. Personal viewing information which identifies you or your household's TV viewing practices belong to you, and no one outside your home, not even the TiVo staff or any of TiVo's computer systems, will have access to it without your prior consent.
2. Anonymous Viewing Information. Anonymous viewing information is viewing information that does not identify you as an individual or your household. This means it is not linked to you or your household in any way. We may use anonymous viewing information to benefit TiVo and strengthen our efforts to encourage the television industry to better serve the interests of TiVo subscribers. If you don't want anonymous viewing information used in any way, simply tell us by calling our toll-free telephone number and it will not be.
[...]
Please note: Our privacy policy may change over time. In addition to posting any changes on our web site, www.tivo.com, we will provide or send a notice to each TiVo customer before any changes are implemented. You have our commitment that, regardless of any changes that might be made in the future, you will remain in complete control of your personal viewing information. Use of your PTV Receiver or TiVo Service will signify your acceptance of these privacy policies.

The statement in point 1 that "[none] of TiVo’s computer systems will have access to [your personal information] without your prior consent" appears to be incorrect. As previously described, the TiVo headquarters computer receives viewing information and the subscriber identity during the same phone call.

TiVo introduces "personal" and "anonymous" viewing information for the first time in this second disclosure. Only now can subscribers who also read the first disclosure suspect that all of its 5 sentences of reassurance must have concerned only "personal" information, since apparently an opt-out action is required to limit the use of "anonymous" information, while the first disclosure did not mention any required user action.

The text in point 2 above is the complete description of "anonymous" viewing information in the TiVo manual, and it offers an extremely vague statement of the intended use of the information. In particular, it does not disclose that this "anonymous" information is transmitted routinely to TiVo headquarters. The only possible indication that "anonymous" information might be transmitted comes from the juxtaposition between point 1 declaring that "personal" information is not transmitted, and the lack of a similar statement in point 2.

The phrase "Personal viewing information which identifies you or your household's TV viewing practices belong to you" is TiVo’s clearest attempt to define "personal viewing information" in the TiVo manual. But equating "personal information" with the industry-standard term "personally identifiable information" is incorrect and likely to mislead readers. According to standard dictionaries, "personal" means "pertaining to or concerning a particular person", not "explicitly labeled with a subscriber identity".

Neither the first nor the second disclosure even mentions the existence of the diagnostic log.

Third disclosure. The second disclosure refers its users to the TiVo Web site for the third privacy statement. Forcing the user to hunt through a Web site for a more current statement is an unfair practice: TiVo is not itself a Web browser, nor does it otherwise require the use of the Web. Users without Web access have no practical means to obtain this third disclosure.

Those who do have Web access must start at www.tivo.com and pick the correct choice from the more than ten links visible on this page. Only some customers will choose "Customer Support" in order to continue their search for the third disclosure, because no instructions are given anywhere that this is the correct way to proceed. Users can then select "Privacy Promise" and then "Personal Video Recorder With TiVo Service Privacy Promise" in order to begin viewing the third statement. The third statement itself is split over four Web pages. Only determined customers will have the patience to click through these seven pages total in order to read the third disclosure.

The third disclosure is more extensive and much longer than the first two. It is consistent with the paper-based policy where they overlap, but is more carefully written and volunteers much more information about TiVo's privacy and business practices. For example, the Web-based policy states clearly that the "anonymous" viewing log and the diagnostic log are indeed transmitted from the TiVo device to TiVo headquarters.

Although the third disclosure includes more information, it also introduces some new problems. Section 9.4 reads in part:
This Privacy Promise constitutes the entire agreement, and replaces and supersedes all prior agreements, between you and TiVo concerning the subject matter discussed in this Privacy Promise. Use of your Recorder with TiVo will signify your acceptance of this Privacy Promise.

It is hard to believe that users without Web access truly signify their acceptance of this disclosure, which they have not read, simply by using the device under the assumption that the privacy policy included in its manual was complete. In addition,

- Section 5.1 claims that the diagnostic log contains "no Contact Information whatsoever", even though we observed that the diagnostic log is deposited under a name that includes the TiVo device's serial number – and this links directly to a customer's account.

- Even the third disclosure does not state that the diagnostic log indicates the times when the TiVo remote control was in use.

- Section 8 states that TiVo uses "industry-standard methods such as encryption to secure the communication of Subscriber Information from your Receiver to TiVo". However, we observed no encryption protecting the viewing information or the diagnostic log.

- Section 9.1 declares that modifications to the stated privacy policy will be announced and described via the TiVo messaging system – i.e., TiVo subscribers will be alerted by their television that a new privacy policy has been issued. However, we never received notice of the Web-based third disclosure after installing our TiVo unit. Since this third privacy statement is substantially different than the first two, we should have been alerted to its presence.

- Not even the third disclosure mentions that TiVo modifies its receivers' software from time to time. In other words, TiVo Inc. changes the behavior of the purchased device without obtaining the consent of the purchaser. This has security, reliability, ownership, and privacy implications.

In summary, the first disclosure appears to say that no viewing information is transmitted and directs users to the second disclosure. The second disclosure indicates that anonymous viewing information exists, but says nothing useful about how it is used in practice, and directs users to the third disclosure if they have Web access. The third disclosure is explicit and well written but introduces some new errors.


Legal Concerns

Given these conflicts between the stated privacy policies and their actual practices, as well as potential practices, TiVo would be wise to consider its potential legal exposure for breach of contract, deceptive trade practices, invasion of privacy, and other legal theories, according to an analysis by Privacy Foundation legal experts. In addition, the information in the diagnostic log named with a TiVo serial number may be subject to disclosure in response to a subpoena issued by a prosecutor in a criminal proceeding or by a litigant in a civil proceeding.


Recommendations to TiVo Inc.

- TiVo should resolve the discrepancies between its stated policies and its actual practices as documented in this advisory. Until it adopts a long-term solution, TiVo can and should immediately stop collecting diagnostic logs and viewing information from all of its subscribers.

- If TiVo wants to collect viewing information, it should ask for subscriber permission. New TiVo owners must already go through a lengthy "guided setup" that asks many questions about their audio, video, and telephone equipment in order to properly configure the TiVo unit. TiVo could easily ask for user permission to gather viewing information during this phase. The current practice of assuming that the subscriber, simply by turning on the TiVo box, has consented to the Web-based privacy policy – while TiVo complains of "misplaced hype" – is confusing, at best.

- Users should be able to change their privacy preferences at any time through the TiVo user interface. Some subscribers may, in fact, want their viewing information captured in order to communicate the popularity of a program – or to participate in an opt-in research study with Nielsen, a TiVo partner.

- TiVo should tell customers what happens in straightforward language. "At night, we get a list of the shows you recorded and watched" is much clearer than "We may use anonymous viewing information to benefit TiVo and strengthen our efforts to encourage the television industry to better serve the interests of TiVo subscribers."

- TiVo should not claim that personal viewing information "remains on your receiver," because this suggests that the viewing information is never transmitted elsewhere. In fact, all of the constituent pieces of the personal viewing information are transmitted to TiVo's computers.

- TiVo should disclose that their customer-identified diagnostic log can indicate when the TiVo remote control was in use.

- TiVo should obtain subscriber consent before updating the software in their subscribers' TiVo units.


Recommendations to TiVo Subscribers

TiVo permits its subscribers to disable the collection of viewing information and diagnostic logs by calling TiVo toll-free at 1-877-367-8486 (1-877-FOR-TIVO).


Listening to TiVo's Transmissions

In order to prepare this report, we simply monitored calls made on our own phone line. We never even opened the TiVo case.

Roughly speaking, we constructed a modem sniffing station consisting of two phone jacks connected to modems on a standard laptop computer. We then connected the TiVo device’s telephone jack to the station’s incoming telephone jack, and we connected the station’s outgoing jack to the real phone system. When the TiVo device made a telephone call, our system passed through the contents of the phone call undisturbed while saving a copy of everything transmitted over the line. We then analyzed the captured data, which led to the findings in this advisory.

We plan to describe our modem sniffing platform more fully in a future report.




Acknowledgments

Julie Rech, Phil Gordon, Stephen Keating, Richard M. Smith, and Prof. John Soma contributed to this report. Matt Blaze of AT&T Research originally suggested the modem sniffing approach.


Related Links

A Sample TiVo Diagnostic Log File
We captured this diagnostic log on January 13, 2000. It contains almost 100 pages of text (6543 lines, 455KB), all concerning the TiVo unit's operation on that day. We have used asterisks (*****) to replace some possibly sensitive information in the log.

The Official TiVo Web Site

The TiVo Area Within the AVS Forum

The TiVo Hacking Web Site

Boom Box, The New York Times Magazine, 8/13/00

The Spy Interactive Web Site

New Bill Targets TV Privacy, Wired News, 2/23/00

Is Your TV Set Watching You?, Richard's Tipsheet, 1/16/01