Source: Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices by Mohajeri Moghaddam et al. (CCS ’19)
Main Themes:
- Pervasive Tracking in OTT Streaming Devices: The study reveals widespread tracking practices within Over-the-Top (OTT) streaming devices like Roku and Amazon Fire TV. Trackers collect and transmit user data, often without explicit consent or effective countermeasures.
- Identifier and Information Leakage: OTT channels leak sensitive user information, including persistent identifiers like MAC addresses, serial numbers, and WiFi SSIDs, as well as video viewing preferences, to numerous tracking domains.
- Ineffectiveness of Privacy Controls: Built-in privacy controls like “Limit Ad Tracking” (Roku) and “Disable Interest-based Ads” (Amazon) are largely ineffective in preventing data collection and transmission to tracking domains.
- Security Vulnerabilities in Remote Control APIs: Vulnerabilities in local remote control APIs expose OTT devices to attacks by malicious web scripts, potentially allowing unauthorized access to device information and control over functionalities.
Key Findings:
- Prevalence of Trackers: Tracking domains were found in 69% of Roku channels and 89% of Amazon Fire TV channels studied. Google and Facebook tracking services are highly prevalent, mirroring similar findings on web and mobile platforms.
- Top Trackers: The most prevalent trackers included doubleclick.net (Google) and google-analytics.com on Roku, and amazon-adsystem.com and crashlytics.com on Amazon Fire TV.
- Leakage of Persistent Identifiers: A significant number of channels were found to leak persistent identifiers like AD IDs, MAC addresses, and serial numbers, undermining the effectiveness of resetting advertising IDs as a privacy measure. Quote: “Moreover, widespread collection of persistent device identifiers like MAC addresses and serial numbers disables one of the few defenses available to users: resetting their advertising IDs.”
- Video Title Leakage: Tracking domains were observed receiving information about the titles of videos being watched, revealing user viewing habits. Quote: “We found 9 channels on Roku and 14 channels on the Fire TV … that leaked the title of the video to a tracking domain.”
- Ineffective Privacy Settings: While “Limit Ad Tracking” on Roku eliminated AD ID leaks, it did not reduce the number of trackers contacted. Similarly, “Disable Interest-based Ads” on Amazon only reduced data collection by Amazon’s own advertising system. Quote: “Our data, however, reveals that even when the privacy option is enabled, there are a number of other identifiers that can be used to track users, bypassing the privacy protections built into these platforms”
- DNS Rebinding Vulnerability (Roku): Roku’s External Control API was found to be vulnerable to DNS rebinding attacks, allowing malicious web scripts to collect sensitive data, install/uninstall channels, and even geolocate users.
Recommendations:
- Implement stronger privacy controls, akin to “Incognito Mode” in web browsers, to limit data collection and prevent cross-profile tracking.
- Provide mechanisms for users to monitor their network traffic, enabling transparency and analysis of channel behavior.
- Enhance security of local APIs to mitigate risks of unauthorized access and control.
- Regulators should use the tools developed in this study to inspect channels and enforce privacy regulations in the OTT ecosystem.
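To make the identifier-leakage finding and the traffic-monitoring recommendation concrete, here is an added example (not from the paper or its tooling) that scans decrypted request records from one's own test device for persistent identifiers. The device identifiers, hostnames and the set of encodings checked (plain, base64, MD5, SHA-1, SHA-256) are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote

# Constructed identifiers for a test device (not from the paper or a real unit).
DEVICE_IDS = {
    "mac": "AA:BB:CC:11:22:33",
    "serial": "YX00AB123456",
    "ad_id": "1f0e9d8c-7b6a-4f5e-8d3c-2b1a0f9e8d7c",
}

def variants(value):
    """Map each wire form of an identifier to the encoding that produced it."""
    stripped = value.replace(":", "").replace("-", "")
    needles = {}
    for form in {value.lower(), value.upper(), stripped.lower(), stripped.upper()}:
        raw = form.encode()
        needles[form.lower()] = "plain"
        needles[base64.b64encode(raw).decode()] = "base64"
        for algo in ("md5", "sha1", "sha256"):
            needles[hashlib.new(algo, raw).hexdigest()] = algo
    return needles

def find_leaks(requests, device_ids):
    """Return sorted (host, identifier, encoding) for every identifier seen in a request."""
    findings = set()
    for req in requests:
        text = unquote(req["url"]) + "\n" + req.get("body", "")
        lowered = text.lower()
        for name, value in device_ids.items():
            for needle, enc in variants(value).items():
                # base64 is case-sensitive; plain text and hex digests are not
                if needle in (text if enc == "base64" else lowered):
                    findings.add((req["host"], name, enc))
    return sorted(findings)

# Constructed capture: decrypted requests from one channel session.
SAMPLE_REQUESTS = [
    {"host": "tracker.example",
     "url": "https://tracker.example/collect?mac=AA%3ABB%3ACC%3A11%3A22%3A33&ev=start"},
    {"host": "ads.example", "url": "https://ads.example/pixel",
     "body": "did=" + hashlib.sha1(b"YX00AB123456").hexdigest()},
    {"host": "metrics.example", "url": "https://metrics.example/v1/e",
     "body": '{"u":"' + base64.b64encode(DEVICE_IDS["ad_id"].encode()).decode() + '"}'},
    {"host": "cdn.example", "url": "https://cdn.example/video/seg1.ts"},
]

if __name__ == "__main__":
    for host, name, enc in find_leaks(SAMPLE_REQUESTS, DEVICE_IDS):
        print(f"{host}: {name} ({enc})")
```

Running the same scan with the platform's privacy setting on and off shows which identifiers still leave the device after the advertising ID is suppressed.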
Conclusion:
This research underscores the urgent need for improved privacy and security measures within the OTT streaming device ecosystem. Current practices expose users to extensive tracking and data leakage, often without their knowledge or consent. Stronger privacy controls, transparent data collection practices, and robust security measures are crucial to protect user privacy and build trust in these platforms.
