Privacy Analysis of Smart TV Communication

A case study of privacy threats in Smart TVs

Abdulaziz Abdugani

Thesis submitted for the degree of Master in Informatics: Programming and System Architecture 60 credits

Department of Informatics Faculty of mathematics and natural sciences

UNIVERSITY OF OSLO

Autumn 2020

© 2020 Abdulaziz Abdugani

http://www.duo.uio.no/

Printed: Reprosentralen, University of Oslo

Abstract

The increasing popularity of Internet–connected TVs promises new conveniences, possibly introducing new privacy concerns. Smart TV vendors have the power to gather many types of information from consumers that use a Smart TV. Unlike traditional TVs, many modern Smart TVs have cameras, microphones and other types of sensors that constantly monitor details of consumer usage. There is a need to study how Smart TV vendors gather data about their consumers and how this information is transmitted through the Internet. In this paper, five Smart TVs were put to the test to see if vendors follow their own policies. A single case study was conducted, where each Smart TV was monitored to see how it communicates with its vendor and other third parties. This was tested in two states: in one state the privacy policy was accepted, while in the other state the privacy policy was declined. The data was collected by intercepting and capturing the traffic from the TVs on a local network. The collected network traffic was further filtered, sorted and fed into an analysis process. The analysis process consists of a PII (Personally Identifiable Information) evaluation of the network endpoints which can have a direct relation to the privacy of the user. This is done by using available data sources such as VirusTotal, McAfee and OpenDNS, in addition to sources from relevant research publications. The results for each TV are presented in tables with the relevant network endpoints and a PII classification. This study also gives an insight into privacy and GDPR, by introducing privacy concepts and their relation to the data protection rules. Privacy policies for each Smart TV vendor were examined and each data type is presented with a PII classification. The findings of this thesis show that Smart TVs communicate with PII related domains under a declined privacy policy. This is seen in the analysis chapter, where an evaluation of each network endpoint is conducted. Another finding, which also confirms the current research about the use of personal data and advertisement, shows many advertisement related domains on each Smart TV. This thesis ends with a discussion about the findings and a short section on working countermeasures.

Acknowledgments

The following thesis marks the end of my master’s degree in Programming and System Architecture at the University of Oslo. First, I would like to thank my supervisor Nils Gruschka, who has provided great feedback and guidance throughout this thesis. I would also like to thank my family and friends for supporting me, especially my close friend Hamza Muftic for helping me and keeping me motivated throughout the project. Finding Smart TVs to test has been challenging because of the Covid restrictions, and I would like to thank my friends and neighbours for letting me test their Smart TVs.

Contents

List of Figures
List of Tables

1 Introduction
1.1 Motivation
1.2 Problem statement & Objective
1.3 Structure

2 Background
2.1 Privacy
2.1.1 Definition of Privacy
2.2 GDPR
2.2.1 Processing of sensitive data
2.2.2 Privacy policy
2.2.3 Privacy shield
2.3 Personally Identifiable Information (PII)
2.4 Privacy classification for IoT
2.5 Network communication of Smart TVs
2.5.1 HTTP
2.5.2 DNS
2.5.3 TLS
2.6 Privacy in network traffic
2.7 Smart TV
2.7.1 Smart TV OS
2.7.2 Android TV
2.7.3 Tizen OS
2.7.4 WebOS
2.8 Smart TV security threats
2.9 Smart TVs privacy issues
2.9.1 Microphone and gesture sensor
2.9.2 Web browser and cookies
2.9.3 Automatic content recognition

3 Data collection
3.1 Research methodology
3.2 The data collection method
3.3 Sniffing TLS communication
3.4 Data gathering method
3.5 Building data gathering method
3.6 Data collection method setup
3.7 Executing the data collection

4 Analysis and results
4.1 Analysis method
4.2 Comparison of vendor’s privacy policies
4.2.1 Data types collected by vendors
4.2.2 User’s privacy policy
4.3 PII classification
4.4 Captured traffic and analysis
4.5 Sony TV Bravia 4K
4.5.1 Idle mode
4.5.2 Interacting with the TV
4.5.3 PA and PD domain relation
4.6 Samsung Q60
4.6.1 Idle mode
4.6.2 Interacting with the TV
4.6.3 PA and PD domain relation
4.7 Samsung Q65
4.7.1 Idle mode
4.7.2 Interacting with the TV
4.7.3 PA and PD domain relation
4.8 LG webOS TV SK7900PLA
4.8.1 Idle mode
4.8.2 Interacting with the TV
4.8.3 PA and PD domain relation
4.9 Philips 55PUT6101/12
4.9.1 Idle mode
4.9.2 Interacting with the TV
4.9.3 PA and PD domain relation
4.10 Vendor vs ATS traffic
4.11 Additional testing
4.11.1 Third–party ad–domains

5 Discussion
5.1 Analysis results
5.2 Limitations
5.3 Countermeasure

6 Conclusion
6.1 Summary
6.2 Future work

Bibliography

A All of the captured domains
A.1 Sony Smart TV
A.2 Samsung A Smart TV
A.3 Samsung B Smart TV
A.4 LG Smart TV
A.5 Philips Smart TV

List of Figures

2.1 TLS 1.2 handshake
2.2 Smart TV OS 2018 marketshare (Source: Statista [30])
3.1 Rooting attempt
3.2 Simple overview of mitmproxy in the network
3.3 ADB tool
3.4 Permission denied
3.5 Overview of the network setup
3.6 Network flow after ARP–spoof
3.7 Wireshark with filters
3.8 Flow of the data gathering
4.1 Analysis flow
4.2 LG Privacy policies
4.3 HTTP response from events.samsungads.com
4.4 Advertisement on the main menu
4.5 Cookies sent to cache.zeasn.tv under PD idle state
4.6 GET requests to cache.zeasn.tv under PD idle state
4.7 Total relation of packet size between vendor and ATS domains

List of Tables

2.1 Smart TV OS list
3.1 Smart TV model list
4.1 Data types provided by Smart TVs to vendors
4.2 Data types provided by a user to vendors
4.3 Privacy principles and concepts
4.4 Smart TV PII classification concept
4.5 Sony TV – Domains in idle mode PA state
4.6 Sony TV – Domains in idle mode PD state
4.7 Sony TV – Domains while using applications in PA state
4.8 Sony TV – Domains while using applications in PD state
4.9 Sony Smart TV PII related domains seen in both PA and PD states
4.10 Sony Smart TV PII related domains only seen in PA state for both modes
4.11 Samsung A – Domains in idle mode PA state
4.12 Samsung A – Domains in idle mode PD state
4.13 Samsung A – Domains while using applications in PA state
4.14 Samsung A – Domains while using applications in PD state
4.15 Samsung Smart TV Q60 PII related domains occur in both PA and PD states
4.16 Vendor PII related domains only seen in PD state
4.17 Samsung B – Domains in idle mode PA state
4.18 Samsung B – idle domains in PD state
4.19 Samsung B – Domains while using applications in PA state
4.20 Samsung B – Domains while using applications in PD state
4.21 Samsung Smart TV B PII related domains occur in both PA and PD states
4.22 Vendor PII related domains only seen in PD state
4.23 LG TV – Domains in idle mode PA state
4.24 LG TV – Domains in idle mode PD state
4.25 LG TV – Domains while using applications in PA state
4.26 LG Smart TV PII related domains occur in both PA and PD states
4.27 Philips A – idle domains in PA state
4.28 Philips A – idle domains in PD state
4.29 Philips A – Domains while using applications in PA state
4.30 Philips A – Domains while using applications in PD state
4.31 Philips Smart TV PII related domains occur in both PA and PD states
4.32 Philips Smart TV PII related domains occur only in PA states
4.33 Samsung Voice – domains
4.34 Google ad–domains
4.35 ad–domains

Listings

3.1 Code snippet for finding unique DNS lookups
3.2 Code snippet for finding total amount of transferred bytes
3.3 Wireshark filters
4.1 JavaScript code snippet from Zeasn ad sdk file
4.2 JavaScript code snippet from Zeasn ad sdk file

Chapter 1

Introduction

1.1 Motivation

Modern Smart TVs offer many comfortable features like voice control, access to online services, electronic program guide, social media integration etc. However, many of these features come with a threat to the privacy of the user, because the Smart TV transmits a lot of information to the manufacturer, tracking services or other providers, revealing the user’s behaviour, interests and desires. It is increasingly hard to find a TV on the market without any smart functions. Even though the TV was mainly made for national advertisement and for displaying media, modern TVs are capable of delivering much more direct advertisement with new smart features, features that can compromise users’ privacy by sending metadata to vendors. There are many ways of implementing new ”Smart” features, and users today typically don’t use all of the features available. Unused apps that run in the background and consistently broadcast data to the internet might lead to security and privacy related consequences. LG’s early Smart TVs were collecting information from consumers [24]. Mainly, they collected the device ID, viewing information and the names of files stored on the consumer’s external USB hard drive. A consumer’s privacy is therefore directly affected when sensitive information such as filenames is unnecessarily collected. A Smart TV that does not respect the consumer’s privacy can further lead to privacy related consequences. There are also many different security threats a Smart TV is exposed to. A smart home ecosystem is in itself an asset that needs to be carefully protected; unauthorized access to built–in cameras and microphones could be used to compromise privacy in a smart home ecosystem.

1.2 Problem statement & Objective

The objective of this thesis is to try and find privacy related threats in modern Smart TVs. Privacy policies play a central role between the end–user and the vendor. Therefore, the Smart TV is assumed to work differently based on the state of the privacy policy. An average user is often not very concerned with what kind of data is sent to vendors and third–party companies. Various studies [11] and market observations have shown that, on the one hand, consumers attach great importance to keeping their personal data private. On the other hand, they mostly do not act in a data protection–conscious manner in everyday situations. This phenomenon, known as the privacy paradox, can be largely explained by the fact that the consumer does not receive essential information about data protection in relevant decision–making situations. This thesis will therefore test different Smart TVs under accepted and declined privacy policies, and classify the outgoing data relative to the user’s privacy. Smart TVs and “Over the top” (OTT) platforms are the latest IoT devices found “spying” on users and leaking sensitive data to companies such as , Amazon, Google and Netflix [75]. Therefore, it is important to take a look at what kind of information about the consumer TVs send to their vendors and to other third parties. This helps us to understand what impact it has on the privacy of the user. It is also necessary to research how a Smart TV operates in different modes and in idle mode under privacy policies. With the introduction of GDPR and with consumers being more privacy aware, it is also important to look at how TV manufacturers respect and follow their own privacy policies. Therefore, this study will try to address the following research questions:

RQ 1: What threats to a user’s privacy do Smart TVs pose?

RQ 2: Does declining the privacy policy have any impact on the user’s privacy?

1.3 Structure

The next chapter will introduce and define privacy concepts and present the current state of the art research, explaining some of the software and hardware of Smart TVs. Common specifications of modern Smart TVs are given and an insight into security and privacy relations of the Smart TV OS is presented. Leading Smart TV manufacturers and the privacy policies of each vendor will be discussed. Further, some important terminologies will be introduced and explained. Smart TV OSes will be presented for each TV with a short introduction to each OS. A chapter presenting an introduction to the data collection method is provided. The Data collection chapter focuses on the research method and how data from each TV will be collected. Further, the Analysis and Results chapter presents the gathered data with an evaluation for each network endpoint. The Analysis chapter consists of two parts: first, a definition of a PII (Personally Identifiable Information) classification that suits the data gathered from TVs is given, then the network data is evaluated using classification concepts along with other analysis tools. The thesis will end with a conclusion trying to answer the proposed research questions. An appendix is given at the very end with relevant data that was used in the analysis process.

Chapter 2

Background

This chapter presents an introduction to privacy and GDPR, followed by the current IoT privacy related research. An introduction to Smart TV OS along with common integrated technologies in a modern Smart TV is given, followed by a presentation of current Smart TV security threats and privacy issues.

2.1 Privacy

The goal is to have a clear understanding of how PII (Personally Identifiable Information) is related to the data used in the analysis chapter, where a simple PII classification concept is created based on theories presented in this chapter. Therefore, an introduction is given to privacy, the relation between privacy and IoTs (Internet of Things), and how privacy is further used in this thesis.

2.1.1 Definition of Privacy

Privacy is a complicated concept; the definition of privacy is very well described by author Levente Buttyán [13]. Privacy is described as the ability to control when, where and how information about oneself is used, and by whom. The concept of privacy is often addressed with a combination of technical and legal means. Privacy is not about hiding the individual’s personal information from everyone, since authorized parties under well defined circumstances need access to personal information [13]. For instance, medical doctors need to look at a patient’s personal information and medical record. However, it is clear that not everyone should have access to one’s personal information and medical record. The problem of privacy occurs once personal information has fallen into the wrong hands. Hiding personal information from unauthorized parties is therefore an important act to make sure that privacy is controlled and maintained correctly. The current understanding of privacy is often linked to freedom, democracy, and what an individual defines as sensitive or unique to them. An unauthorized intrusion therefore violates privacy and causes a great need for protection of these concepts. It is however far from trivial to ensure proper privacy protection for users because of how chaotic the concept of privacy may be. People are often not able to give a precise definition of the term privacy, but many countries have now adopted laws related to the right of privacy. Article 12 of the 1948 Universal Declaration of Human Rights declares the following:

”No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” [84]

One of the most common definitions of privacy, from Alan Westin’s 1967 book [27], states that ”privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others”. In most countries, privacy is now considered a basic human right that guarantees personal autonomy and human dignity. In Germany (German Constitutional Court, 1983), privacy has been defined as a right to Informational Self Determination [33], a right of individuals to make their own decisions as regards the disclosure and use of their personal data. This means that if individuals are monitored and profiled without limitations, then their privacy rights are breached and violated. From the year 2000, the Charter of the Fundamental Right of the European Union, article 7 (Respect for private and family life) and article 8 (Protection of personal data), brings together the fundamental rights to privacy for Europe [7]. The concept of privacy has different dimensions [17]:

• Informational privacy, where the individual controls how the data can be gathered, stored and processed.

• Privacy of communications, which covers the security and privacy of mail, telephones and other forms of communications.

• Spatial privacy, which is protecting the user’s personal space against hacking or other types of intrusion.

• Territorial privacy, which concerns the protection of the environment around the individual or the close physical area surrounding the person, such as a work or public place.

• Bodily privacy, which is related to protection of data about an individual’s physical body and health status.

Information privacy and Privacy of communications are the ones that are mostly related to data protection rules. Data protection rules ensure the security of individuals’ personal data and regulate the collection, usage, transfer, and disclosure of the personal data. Vendors that are located in the EU or that collect, store or transmit personal data of people situated in the EU must comply with GDPR.

2.2 GDPR

The General Data Protection Regulation (GDPR) is a set of European regulations for the handling of consumer data [20]. The regulations were enforced by The European Union and its Member States where each country is required to apply for an independent public Data Protection Authority (DPA). GDPR restricts private businesses and state administrations from processing, collecting or sharing personal data without consent. GDPR comes from the concept of the right to privacy. GDPR also regulates that data has to be stored and processed securely with use of cryptographic encryption. If a company does not comply with or operate by the GDPR regulations, then fines will be issued by the DPA. In such cases, the DPA often collects relevant evidence and launches an investigation, which takes a significant amount of time; if approved, a fine or a penalty will be imposed ranging from a few thousand to several million euros depending on the severity of the case [16]. The fine framework can be up to 20 million euros or up to 4 percent of the company’s total global turnover of the preceding year [25]. By proposing the GDPR [20], the Commission aims to increase the trust in use of information by EU users, while also protecting the fundamental rights. In other words, GDPR is trying to ensure the trust between the consumer and the company; the regulation also provides some economic advantages to companies. The EU GDPR was set in motion on May 25th 2018 and replaced the EU Directive 95/46/EC, which also had relative data protection regulations, but GDPR is now more focused towards protection and is directly applied in each Member State. There are some exceptions where GDPR does not apply: these are the cases of public security and of criminal law enforcement (EU Police Data Protection Directive 2016/680). Another exception is for individuals where data processing is carried out privately or for household activities.
Private personal data in GDPR is directly linked with any information relating to an identifiable natural person; this could be names and addresses, IP–addresses, Web cookies, location data etc. A "Controller" in GDPR is a legal person or a public authority which determines the purposes and means of the processing of personal data. In many cases, a cloud server is seen as a "Data Processor" which collects and processes personal data on behalf of the Controller. Overall, the GDPR regulation focuses on the lawfulness, fairness and transparency of processing personal information. Data should always be adequate, accurate and relevant to what it is necessary for. The data storage minimisation or limitation needs to be presented and applied. The data also needs to be processed in a manner that ensures appropriate security to protect its integrity and confidentiality, and the Data Controller is responsible for demonstrating compliance. There are also some important requirements for lawfulness and consent in GDPR. Processing personal data always requires a legal ground, either in the form of consent or because the law already addresses the requirements.

2.2.1 Processing of sensitive data

The sensitivity of personal data is mainly influenced by how the data will be further used and by its purpose. According to the principle of proportionality [91, 52], data collection and sharing should be minimized in relation to how adequate and relevant the processed data is. This also means that data should be deleted if it is not needed any longer, and the data storage should also be minimized. Another important aspect of the privacy principle is the principle of purpose specification [52], which means that data should only be collected and later used for specified purposes. According to the OECD [52], there is no data that can be called non–sensitive. Depending on the purpose and the context of use, all types of data may be listed as sensitive. Therefore, even public information such as an address or a name can become highly sensitive information. This also means that data, if collected, needs to be clearly addressed for its collecting purposes, and the use of data for any other purpose is therefore illegal.

2.2.2 Privacy policy

It is a widespread phenomenon that companies use uniform data protection regulations for all possible applications [12]. For example, Samsung writes in its data protection policy [63] that the Privacy Policy applies to all Samsung devices and services, from cell phones and tablets to TVs, home appliances, online services and more. This type of approach is understandable where online services that can be accessed via several types of devices are concerned. However, if the consumer only uses one device and other services are not of interest, then the relevant set of policy rules becomes more confusing. Anyone who uses Android TV, for instance, does not necessarily have to use services such as Google Maps, Gmail or Google Photos. In the case of cross–device and cross–service data protection regulations, it is difficult to describe exactly what data is actually processed in the context of use. This can also be seen in Google’s privacy policy:

”The data we collect includes unique identifiers, the type and settings of the browser, the type and settings of the device, the , information about the cellular network such as the name of the cellular provider and telephone number, and the version number of the app. We also collect data about the interaction of your apps, browsers and devices with our services. These include the IP-address, crash reports, system activities and the date, time and referral URL of your request...”

From the consumer’s point of view, this formulation is questionable in several respects. On the one hand the list of examples contains data that is not collected for devices other than smartphones. On the other hand, the list is particularly important for more sensitive data categories [12]. In addition, the list is obviously incompletely formulated; the information is therefore presented to the consumer as a non–transparent "black box". The GDPR requires the use of "understandable language" for the consumer in Article 12.

2.2.3 Privacy shield

In 2015–2016, the U.S.–EU Safe Harbor Framework was updated with new laws and regulations and was called Privacy Shield [64]. Privacy Shield provides a privacy framework for companies to transfer personal data from the EU to the United States under laws consistent and compatible with those of the EU. However, on July 16 2020, the Court of Justice of the European Union (CJEU) invalidated the EU–U.S. Privacy Shield [83]. The Court (CJEU) ruled that the Privacy Shield did not include sufficient limitations to ensure the protection of EU personal data from access and use by U.S. public authorities. This is why the Court immediately invalidated the Privacy Shield, which can no longer be used for EU–US data transfers. The reason behind this decision is the overall challenges to U.S. privacy practices where the protection of personal data is a fundamental right in the EU, similar to the constitutional right in the U.S. The General Data Protection Regulation (GDPR) enshrined these fundamental rights and established uniform data protection standards across the EU designed to protect the personal data of EU–based individuals [65].

2.3 Personally Identifiable Information (PII)

In this thesis, the term PII will be used instead of Personal Information/Data; the term will be used in the analysis chapter where PII related network endpoints are identified. The term PII is mainly used within the U.S. while Personal Data is considered to be the equivalent of PII in Europe [56]. NIST defines Personally Identifiable Information (PII) with the following description [44]:

... any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Article 4 of GDPR has the following definition of Personal Data [5]:

... ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person...

The PII and personal data terms are different, as seen in the definition of each term. Personal data in GDPR covers a wider range of information than PII defined by NIST [56, 82]. For instance, location and GPS data is considered personal information in GDPR, while this type of information is not directly mentioned in the PII definition by NIST. GDPR also states that cookies can be considered personal information [68]. NIST has listed some examples of data that may contain PII [44]:

• Name, such as full name, maiden name, mother’s maiden name, or alias

• Address information, such as street address or email address

• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host–specific persistent static identifier that consistently links to a particular person or small, well defined group of people

• Telephone numbers, including mobile, business, and personal numbers

• Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x–rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)

• Information identifying personally owned property, such as vehicle registration number or title number and related information

• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Both PII descriptions by NIST and GDPR will be used as a merged definition of PII for this thesis. This is further described in the analysis chapter where the PII classification is created. PII can further be separated into different sections such as linked information, linkable information [56] and sensitive PII [82]. Linked and linkable data differ: linkable data is information that on its own may not identify a person, but when combined with another piece of information could identify, trace, or locate a person [82], while linked data is information that is directly connected to an individual. Sensitive PII is data whose loss, compromise, or disclosure without authorization could result in harm, embarrassment, inconvenience, or unfairness to an individual [44, 82]. This type of data is often linked to medical, educational, financial, and employment information. Similarly, GDPR has its own classification for sensitive data in Art. 9 Processing of special categories of personal data [6, 82]. The following is an example list of special data categories defined by GDPR Art. 9:

• Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade–union membership

• Genetic data, biometric data processed solely to identify a human being

• Health–related data

• Data concerning a person’s sex life or sensitive data

One among many companies that collect data is Google [32]. Google specifies what data they collect [31], and many of these data types can be considered PII. Everything a consumer watches and searches, which ads are clicked on and the location data are all information Google collects when Google services are used. There is also information that the user provides, which is the following:

• Name, birthday and gender

• Password and phone number

• Emails sent and received

• Photos and saved

• Comments posted on Youtube

• Contacts addressed

• Calendar activities

Also, companies need to get consent from a consumer to collect PII and personal data; they would need to get this consent before a consumer viewed a page containing ads, which is impractical. Companies that collect PII or personal data from consumers need to decide whether they are a data controller or a data processor, especially if they operate in countries bound by the European data–protection law (GDPR).

2.4 Privacy classification for IoT

Since a Smart TV is connected to the internet, it is commonly regarded as part of the IoT. Research from Gartner [29] states that by the year 2020 there will be around 20 billion IoT units, mostly in regions such as Western Europe, North America and China. IoT devices are used for a variety of reasons that most likely make our day–to–day life easier. Researchers from Princeton University [96] found that many medical IoT devices leak personal information in clear text. The analysis was done using an open–source tool called Princeton IoT Inspector [59], which is able to scan for and detect IoT devices in the local network.

One way to classify the general privacy of IoT into levels is proposed by researchers from Hong Kong University of Science and Technology and Beijing University of Posts and Telecommunications in a research paper [40]. The classification was based on big data of queries from the "Baidu knows" search engine. In this paper, each level describes the severity of the security consequences. Level 1 privacy, for instance, includes public information such as an address or a phone number. Level 2 consists of personal data such as age, height, weight and current location, as well as legal and social identity information, which could be social security numbers, passport or driving license information. Level 2 also includes financial information such as bank accounts, credit card numbers and personal property data. Last but not least is level 3 privacy, which is mainly composed of information directly corresponding to a person’s biometric data such as the fingerprint and face–ID, as well as identification card or number and the internet protocol (IP) address. If level 3 privacy information is compromised or leaked, the consequences might include serious identity theft. The sensitivity of privacy is closely related to the understanding of the consequences of any leaked private information. There is a degree of privacy sensitivity [40], and it is different for each individual. Consumers usually trust companies to keep their data safe, even though not everyone is able to check whether an IoT product leaks sensitive data.

Privacy vulnerabilities of encrypted IoT traffic were examined in a Princeton University research paper [4]. Network traffic was collected from the following smart home IoT devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a Belkin WeMo switch, and an Amazon Echo. The analysis was based on how the devices operate in the network with or without user interaction. The researchers found that the network traffic rates of all IoT devices revealed user activities, making it apparent that encryption alone does not provide adequate privacy protection for smart homes. The research specifies that TLS inspection is not used; rather, the analysis relies on metadata such as IP packet headers, TCP packet headers, and send/receive rates. This type of metadata is also collected by ISPs (Internet Service Providers) for traffic analysis.

2.5 Network communication of Smart TVs

The analysis will be executed on the outgoing Smart TV network communication. Smart TVs use standard network protocols; for instance, DNS and HTTP are used in the application layer, and TLS in the presentation layer. Therefore, this section gives a short description of how TLS 1.2 works and of what DNS and HTTP are.

2.5.1 HTTP

The Hypertext Transfer Protocol (HTTP) is an application–level protocol for distributed, collaborative, hypermedia information systems [37]. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access. It is designed to permit intermediate network elements to improve or enable communications between clients and servers.

2.5.2 DNS

The Internet relies on DNS. DNS stands for Domain Name System and is used on the Internet to map between IP–addresses and readable names [98]. A more detailed description of DNS can be found in RFC2929. DNS privacy issues have been examined in RFC7626. Currently, most DNS queries are not encrypted and are sent in clear text over UDP.

2.5.3 TLS

The usage of TLS (Transport Layer Security) has increased in Smart TVs. TLS provides communication security over a network and has many strong cryptographic algorithms specifically designed for this purpose [22]. The goal is to provide both privacy and data integrity between two or more communicating parties. The TLS protocol provides three main components: Encryption, Authentication, and Integrity [93].

• Encryption: hides the data being transferred from third parties

• Authentication: ensures that the parties exchanging information are who they claim to be

• Integrity: verifies that the data has not been forged or tampered with

Encryption is done by using one of many supported cryptographic algorithms. Authentication is achieved by using certificates. A TLS certificate is issued by a certificate authority (CA) to the person or business that owns a domain. The certificate contains important information about who owns the domain, along with the server’s public key, both of which are important for validating the server’s identity. TLS makes Man–In–The–Middle attacks difficult because of the authentication phase with a signed certificate. Once data is encrypted and authenticated, it is then signed with a message authentication code (MAC). The recipient can then verify the MAC to ensure the integrity of the data [93]. There is also another problem that TLS solves, with an extension called Server Name Indication (SNI). If a server hosts multiple websites, each with its own TLS certificate, the server does not know which certificate to present to the client that is trying to connect to a website. SNI solves this problem by specifying the hostname or domain name during the TLS handshake [92]. Figure 2.1 shows an overview of the TLS 1.2 handshake.

Figure 2.1: TLS 1.2 handshake

As of August 2018, TLS 1.3 was released [34]. There are many important improvements in TLS 1.3, but the most significant is that it is more secure by providing perfect forward secrecy. TLS 1.3 uses the Ephemeral Diffie–Hellman key exchange protocol by default, which generates a one–time key that is used only for the current network session. The key is discarded at the end of the session. The handshake process is also shortened, which means that this version is slightly faster than the previous 1.2 version: TLS 1.2 required two round–trips (RTT) to complete the handshake, while TLS 1.3 only needs one RTT. Round–trip time (RTT) is measured in milliseconds and is the time it takes from a client’s request to the response received from the server. Another difference is that in TLS 1.2 the certificate is sent in plain text, while in TLS 1.3 it is encrypted. It is important to note that TLS traffic is difficult to decrypt without installing certificates on client hosts, which is why the researchers in [50] used best-effort TLS interception, rooting an Amazon Fire TV, manually installing the root certificate and decrypting all of the encrypted traffic. This showed that many of the apps send personally identifiable information (PII) to third parties and platform domains. On Roku TV, only HTTP traffic was analysed, since there were no methods to get access to the system [50, 85].

2.6 Privacy in network traffic

Privacy in communication networks is about controlling personal identifiable information (PII) in the network. The analysis of network traffic can be categorized into encrypted and non–encrypted communication. Encryption is used to prevent unauthorised parties from having access to PII. This ensures that only authorized parties are able to decrypt the data. However, there are cases where, even if the data is encrypted, it is still possible to observe who the receiver and the sender are by inspecting metadata. The header information is used in network communication to route the message to its destination address, and this type of metadata is not encrypted by default. Personal data and interests can be revealed by looking at unencrypted metadata such as the name of the destination server, the size/length of each packet, as well as the rate of occurrences and the duration of the communication session [13].

Design guidelines for preserving the privacy of IoT were issued by [58]. The guidelines can be used to govern privacy concerns of smart homes, healthcare, public safety and supply management. The research provides an insight into the privacy requirements that need to be integrated in the development of privacy frameworks, which can partially be used in this thesis’ privacy measurement context.

An analysis of privacy disclosure in DNS queries has been done by researchers of Kyushu University [98]. The analysis results show that DNS queries can potentially leak sensitive information about the user. This type of information shows what and where a user/client wants to connect to, which reveals the consumer’s interests. The unpleasant side effect of DNS queries, as stated in the research [98], is that there are third parties that collect this type of public information. As stated in RFC7626 [9], DNS requests received by a server can be triggered for different reasons:

• Primary Request: This is the main domain name in the URL

• Secondary Requests: These requests are additional requests performed by the user agent without any direct involvement or knowledge of the user

• Tertiary Requests: additional requests performed by the DNS server itself

The data in a DNS request consists of different fields. Two of these fields are important when it comes to privacy issues: the IP-address and the DNS query name. The DNS query name is the full name sent by the user and reveals information about what the user does [9]. This type of information can be considered user log data, which is collected by Smart TV vendors and third parties. The IP-address in itself is not directly tied to PII, but combined with other types of data it can reveal the user’s behaviour; this is further discussed in the analysis chapter. The lack of privacy in DNS has an impact on security, and standards have therefore been developed to ensure privacy: DNS over TLS (DoT) and DNS over HTTPS (DoH) [23]. The main difference between these two standards is the usage of different ports: DoT uses port 853, while DoH uses port 443, which is standard HTTPS traffic.

As seen in the previous section, TLS assures encryption of data and it is difficult to extract this information without decrypting the data. However, a study [86] shows that it is still possible to analyse and classify the encrypted traffic. The study starts by introducing different encryption protocols and presents how one could extract information. Two types of information that can be extracted are common to most protocols. The first type covers the connection itself and its properties exchanged in the initial handshake. The second type covers the communicating peers’ identifiers, which are exchanged in the authentication phase [86]. Information extraction from encrypted traffic can provide valuable information, such as the Server Name Indication, which can be used by a home router’s firewall to filter traffic. This method will be utilized in the analysis chapter.
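The metadata exposure described in this section, as an added example that is not part of the thesis or its tooling: a passive observer on the local network recovers the destination name from a plaintext DNS query and from the SNI extension of a TLS 1.2 ClientHello without decrypting anything. The host names and packets are constructed samples, and all function names are hypothetical.

```python
import struct

def build_dns_query(name):
    """Constructed sample: a minimal DNS A query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def build_client_hello(hostname):
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying SNI."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    ext_points = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"   # ec_point_formats
    extensions = ext_points + ext_sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                # cipher suites, compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def dns_query_name(payload):
    """Return the query name (QNAME) of the first question in a DNS message."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None                      # compression pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None                              # no terminating root label

def tls_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                          # not a handshake record / ClientHello
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                         # skip client_version and random
        pos += 1 + body[pos]                 # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                 # skip compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0x0000:           # server_name extension
                name_len = struct.unpack("!H", data[3:5])[0]
                if data[2] != 0 or len(data) < 5 + name_len:
                    return None
                return data[5:5 + name_len].decode("ascii", "replace")
            pos += 4 + ext_len
    except (IndexError, struct.error):
        return None                          # truncated or malformed ClientHello
    return None

def observe(proto, dst_port, payload):
    """Label one first-flight packet and return the name it exposes in clear text."""
    if proto == "udp" and dst_port == 53:
        return ("plain DNS", dns_query_name(payload))
    if proto == "tcp" and dst_port == 853:
        # Queries are encrypted; only the resolver's own name is visible.
        return ("DNS over TLS", tls_sni(payload))
    if proto == "tcp" and dst_port == 443:
        # By port alone, DoH cannot be told apart from other HTTPS traffic.
        return ("HTTPS or DNS over HTTPS", tls_sni(payload))
    return ("other", None)

# Constructed traffic from a hypothetical Smart TV on the local network.
SAMPLES = [
    ("udp", 53, build_dns_query("acr.tv-vendor.example")),
    ("tcp", 443, build_client_hello("ads.tracker.example")),
    ("tcp", 853, build_client_hello("dns.resolver.example")),
]

if __name__ == "__main__":
    for proto, port, payload in SAMPLES:
        kind, name = observe(proto, port, payload)
        print(f"{proto}/{port:<4} {kind:<24} exposes: {name}")
```

With DoT or DoH the individual query names disappear from the capture, but the SNI of each later TLS connection still names the endpoint the TV contacts.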

2.7 Smart TV

An IoT device is considered "Smart" if the device has computing hardware that is able to run an operating system (OS), handle data from various sensors and access the internet. Smart TVs are often closed systems, some of which run an application called "exeDSP" on top of the kernel. The exeDSP application is responsible for handling and controlling all of the smart functions that a Smart TV needs. A Smart TV, or an Over–the–top (OTT) television device, is defined as an internet connected TV that offers regular traditional TV with additional features such as installation of applications, the possibility of accessing the internet with a web browser, and many other integrated functions. A Smart TV also allows the connection of other OTT devices, Blu–ray players, game consoles and other network–connected interactive devices that utilize television–type display outputs. Modern Smart TVs come with Wi–Fi and ethernet ports to easily connect the TV to the internet, but some TVs also leverage traditional systems such as cable and satellite to receive television content. The main difference between an external Smart TV box/stick (OTT television) and a regular Smart TV is that the OTT device is more portable and is able to connect to any type of monitor. Smart TVs also support installation of apps; an app can be installed from a USB drive, from app stores or even from a user–provided web server [47].

A Smart TV is considered to be a part of the Internet of Things (IoT) in research publications [69, 71]. This definition will be used further in this thesis by presenting privacy and security aspects of the Smart TV as an IoT device. The number of IoT devices has grown rapidly over the years; almost all of the electronic devices we use daily are directly connected to the internet, without any filtering of possibly sensitive information that is sent over the line. The use of microprocessors in internet connected devices has become ubiquitous. Modern IoT devices may collect and send information [4] to the vendors and other third parties, as the devices are heavily equipped with smart sensors such as motion sensors, built–in microphones, cameras and other types of sensors. The information from these sensors has major privacy implications, especially when this type of data is sent to third parties that collect and track information about consumers. Since there are no regulations on what a Smart TV (or an IoT device) can collect and send over the internet, it is assumed that consumers generally value functionality over privacy. IoT devices are made to be simple and easy to use so that the task is executed or completed without any concerns about security. Privacy is an important aspect of information security. Ensuring privacy is becoming more difficult after such fast growth of the IoT market.

2.7.1 Smart TV OS

In this section, a short introduction to current operating systems (OS) of Smart TVs is given. It is important to have an understanding of the types of Smart TV operating systems that exist and to see if there are any differences between the popular OSes [2]. Figure 2.2 shows the most popular Smart TV OSes worldwide in 2018 [30], where Android OS is the most popular Smart TV OS used.

Figure 2.2: Smart TV OS 2018 market share (Source: Statista [30])

Since the internet is the main source from which Smart TVs get content, these devices are dependent on internet access. The most popular tech companies that make Smart TVs are Samsung, LG, Sony, Philips, and Panasonic. The technology used for manufacturing these Smart TVs often differs in both hardware and software. One thing is common to all types of Smart TVs: the possibility of installing and using different applications, where the installation file often comes from an integrated vendor App store. Android TV, for instance, which is an OS used by Sony and Philips TVs, gives users the ability to install apps through Store. It is the operating system (OS) that controls the installation from an App store. Smart TV vendors use different operating systems; Samsung’s Tizen OS and LG’s WebOS use Linux as a base kernel.

Table 2.1 shows the operating system for each Smart TV vendor.

Vendor      OS
Samsung     Tizen OS
LG          webOS TV
Sony        Android TV
Philips     (modified) Android TV, WhaleOS
Amazon      Fire TV
Panasonic   Firefox OS

Table 2.1: Smart TV OS list

2.7.2 Android TV

Different types of Android OS, with detailed background and technical information, are described in paper [14]. Android TV was launched by Google in 2014 as a newly configured version of its successful Android mobile OS. There are many Smart TV vendors that choose Android TV as the main OS for the TV. Android TV appears as a restricted version of Android for mobile phones, where the interface seems to be specially designed for use with a remote control and the settings are very similar to Android mobile settings.

2.7.3 Tizen OS

Early Samsung Smart TVs were running a Linux application called exeDSP [46]. Tizen OS [42] is open–source software developed by Samsung Electronics for different media platforms such as wearable Samsung smart watches, cameras and TVs. Tizen OS for Smart TVs was released in 2015 and has been updated over the years.

2.7.4 WebOS

WebOS is different from other Smart TV systems, mainly because the OS uses web–based applications, meaning that most of the applications are developed in HTML, JavaScript and CSS. This means that WebOS, as the name suggests, needs an internet connection to be fully functional.

2.8 Smart TV security threats

In this section, a small introduction to current security threats will be given along with the common hardware of Smart TVs. Security vulnerabilities lead to privacy exposures and vice versa. As seen in the previous privacy section, GDPR and other privacy laws require companies to keep data safe through security. If a company collects, processes and stores personal data, then privacy relies heavily on security–related measures. To keep the privacy of the user safe, Smart TVs need to be secured against unauthorized parties or actors.

Early Smart TVs had slow hardware and apps that greatly lacked usability [46], which led to low usage of these integrated apps by users. Current models of Smart TVs are catching up to the complexity of a modern smart phone. A lot of gesture sensors are now included in addition to cameras and microphones. A typical mid–range priced Smart TV often has an ARM processor, with around 500MB of RAM and 1 to 2GB of flash memory. Smart TV vendors focus more on usability than on the security of the devices. Currently, there have not been many cases where a Smart TV is compromised and an attacker gains remote network access. The security of a Samsung Smart TV was tested and attacked for research purposes to show how feasible the attack could be [48]. Legacy Smart TVs are known to have different software vulnerabilities [48]: an attacker is able to gain full control over the Smart TV by injecting a malicious media file which exploits a vulnerability in the FFmpeg library. FFmpeg is an open–source software library and has a lot of tools for handling and processing of audio and data. Vendors like Samsung and LG make use of FFmpeg libraries; unfortunately, there are over 300 CVEs for FFmpeg [19]. Any Smart TV that uses the FFmpeg project’s libraries is therefore exposed to a variety of attacks, depending on the version of FFmpeg [48]. Even though there are different vulnerabilities, it is not common for hackers to attack Smart TVs. However, early Smart TVs are guaranteed to have vulnerabilities found in the present year [73]. Therefore, privacy concerns are increased with older Smart TVs.

Important differences between legacy TV systems and modern Smart TVs are presented in [2]. The research shows how a Smart TV is more capable of capturing private data, analysing Smart TVs from both hardware and software perspectives. Moreover, the paper also presents a study of issues and challenges faced by Smart TV viewers, which includes issues related to interactivity, content overloading, privacy, and security. Smart TV vendors always limit the users’ experience by eliminating access to the system, meaning the user can only interact with what is given and there is no full system access. However, there is a risk of "bricking" the Smart TV if the user has root privileges. Rooting a Smart TV OS is possible, just like rooting an Android OS or jailbreaking Apple iOS. By rooting a device, the user gains full access to the system and its recovery mode, which will in most cases void the warranty. There are different community forums that offer rooting tools specially designed for Smart TVs; one of the popular forums is the SamyGO forum, which offers a variety of tools including a modified version of exeDSP [73].

Researchers from Noroff University [80] analysed the security of two LG Smart TVs, model 42LS570T–ZB and model 55LA740V. The analysis process proposed for the LG Smart TV [79] suggests 10 steps for acquiring potential information and outlining the functionality by highlighting some of the problems, including some security issues. There is also an article from Consumer Reports [70], where they analysed different Smart TV models and concluded that disagreeing with vendors’ privacy policies will cause the TV to lose basic functionality. The security analysis of Samsung and brands that use the Roku TV platform (2018 Smart TV models) showed that these were vulnerable to web–based attacks. According to the analysis, devices that use Roku TV are poorly secured because of remote control that is enabled by default. Consumer Reports also conducted a survey [70] of subscribers who owned a Smart TV; 38000 Smart TV owners completed the survey. Around 51% were worried about the privacy implications and 62% were concerned about the overall security of a Smart TV.

It is possible that a Smart TV might have serious security vulnerabilities that a hacker might use and exploit. One of the most dangerous cyberattacks could be when an unsecured TV is hacked and used as a spying tool, since the TV is perfectly equipped with the right tools such as a microphone, a camera and more. Even the FBI [54] has issued a warning about the possibility of Smart TV cyberattacks and addressed some steps on how one could prevent such attacks. Smart TVs are often placed in sensitive areas such as bedrooms or living rooms. According to WikiLeaks [21], CIA agents used a malware called Weeping Angel that was able to run in the background as a "legitimate" Smart TV app. The malware was designed for a Smart TV from the Samsung F8000 series. An article from Forbes [10] clarifies that the malware infiltrates the TV physically via USB, but there is also a possibility that the CIA has remote infection techniques. Weeping Angel is able to record audio from the built–in microphone both when the TV is in a "powered on" and in a "powered off" state. The malware never turns off the TV, but rather fakes it by dimming the screen and making the LED–indicator mimic a powered off state. The recorded audio is stored as files, and the TV will only send these files to a nearby "CIA Wi–Fi" hotspot. It is also important to note that if the TV uses Wi–Fi as its internet source, then Weeping Angel will also extract the Wi–Fi credentials.

2.9 Smart TVs privacy issues

In an article published by The Washington Post, four of the most popular Smart TVs were tested to see how these TVs record everything a user watches [15]. The research was done on Smart TVs from Samsung, TCL Roku TV, Vizio and LG. Each TV was given data policy permission and the IoT Inspector tool was used to capture the data transmitted to vendors and other third parties. The conclusion was that some TVs send data every second and others once per specified period of time. The data is often a fingerprint or a screenshot of what the user is watching on the TV. The main motivation for vendors to collect user data is to deliver more targeted advertisement. This type of consumer data is valuable, as the data is shared and further sold to other third–party companies. VIZIO Inc, one of the largest manufacturers and sellers of Smart TVs, collected data from 11 million TVs without consumers’ consent from 2014 to 2016 [87]. In 2017, since VIZIO failed to inform consumers about the "smart" setting that collects viewing data, they had to pay 2.2 million dollars to settle charges with the Federal Trade Commission (FTC).

A recent study [85] shows how advertisement services and Smart TV applications operate. The analysis of 57 different Smart TVs showed that apps communicate with many different advertising and tracking services. Some of these advertising organizations only appear on certain platforms. The research also addresses PII exposures in Smart TVs. The researchers identify PII values (such as advertising ID and serial number) for Amazon Fire TV and Roku TV. Both TVs showed PII exposures where the advertising ID, alongside the serial number and device ID, was sent to third parties and to the platform–specific party (Amazon). The research then evaluated DNS–based blocklists such as Pi-hole, Firebog, MoaAB and StopAd Smart TV (SATV) to see how effective these were. The results showed that some of the advertisement services were missed (false negatives), and more aggressive blocklists suffered from false positives where the app functions would simply fail. The leakage of PII values from Amazon Fire TV seen in a conference paper [50] was confirmed. Both research publications [50, 85] had automated scripts that simulated a user using the application, which would in some cases speed up the research process. The analysis of domains was done using VirusTotal, McAfee and OpenDNS [85].

Another research study [69] examined IoT devices, Smart TVs included, and addressed research questions such as "What is the destination of network traffic?", "What data is sent in plain text and what content is sent using encryption?" and "Does a device expose information unexpectedly?". The research findings show that 72 of 82 IoT devices, including the Smart TVs, have at least one destination that is not a first party. 56% of the US devices and 83.8% of the UK devices contact destinations outside their region, all devices expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behaviour from the traffic (encrypted or otherwise) of 30/81 devices [69].

Smart TVs appear mainly in two different forms: a regular Smart TV and an external (box/stick) Smart TV, also called an Over-the-Top (OTT) streaming device, which offers an alternative television with subscription. Roku TV and Amazon Fire TV are well known OTT streaming devices that offer special streaming content compared to a usual Smart TV. In a research paper [50], the network traffic from these devices was tested and examined by performing TLS interception. The results showed that both Roku TV and Amazon Fire TV devices were tracking and collecting user identifying information as well as user viewing behaviour. All IoT devices that extensively use the internet are able to introduce privacy related risks. In addition to collecting information directly related to user behaviour, Smart TVs have been found to collect other pieces of identifying information such as device IDs, serial numbers, Wi–Fi SSIDs and MAC–addresses.

2.9.1 Microphone and gesture sensor

One of the "smart" features of modern TVs is the ability to control the TV with voice commands. Some TVs implement this feature by integrating a microphone into the TV or (as in most cases) into the remote controller. A Smart TV with an integrated microphone and camera increases the privacy threats. Therefore, it is important that vendors specify in their privacy policies how and why the microphone and other sensors are used, especially in countries that follow GDPR. Modern Samsung Smart TVs include voice control through the voice assistant Bixby. Bixby is a popular voice assistant created by Samsung and is integrated in all of the Samsung smartphones. Some devices even have a dedicated Bixby button. A voice assistant makes it easier for a user to search for and find content. Android TVs and LG’s WebOS, for instance, use Google Assistant. The voice control is made up of predefined commands that are checked against the user input, but it will also render what the user says in order to provide better search results for content both locally and on the internet. To indicate that voice control is in use, a microphone icon is displayed on the Samsung Smart TV. 2012 Samsung models (mainly E-series) [46] were the early versions with a built-in microphone. These TVs were configured to continuously record surrounding sounds, even when the user had disabled the voice control feature. An article from Cnet [43] discusses how Samsung’s Smart TVs not only record what a user is saying for voice control, but also share this data with third parties. This means that a consumer should be careful when using voice control and not include any personal information, as it might end up in the database of third parties. Samsung flagship Smart TV models have built-in cameras. This allows users to use video communication apps such as Skype directly on the TV [46]. These Smart TVs are high end models that also have gesture sensors, meaning a user can interact with the Smart TV right in front of it without the controller.

2.9.2 Web browser and cookies

Most IoT devices with a display and some means of input have a simple integrated web browser. Although entering input like text is still a struggle on Smart TVs, most TVs allow users to connect a USB–keyboard, or a Bluetooth keyboard on TVs that have Bluetooth available. The web browser in itself is not very powerful and does not respond nearly as fast as a web browser on a computer, but it does allow users to search for content and browse web sites. There are two main reasons that make web browsers slow. Firstly, web sites that rely heavily on JavaScript and have a lot of content to load require more processing of data. Secondly, web sites are often created in a way that is more suitable for web browsers on computers or mobile phones. Not all TVs have a built-in web browser; on Smart TVs that use Android as an OS, a web browser has to be downloaded and installed through the Google App Store.

A cookie is a piece of data stored in text files that websites place on a visitor’s device. This allows websites to identify visitors by storing specific information. Cookies are essential for many websites and web–applications. But there is also another side to cookies: they can be used to track the pages users visit from site to site, which allows advertisers to track users’ interests and behaviours. These are called targeting and advertising cookies [89]. Targeting and advertising cookies are designed to gather information from the user’s device to display advertisements based on relevant topics of interest. Advertisers will place these cookies on websites with the permission of the website’s operator. With the GDPR in place, websites now have to ask for permission and inform about which cookies are used.

2.9.3 Automatic content recognition

Since 2012, Smart TVs have had the ability to gather information about what a user is viewing on the screen; this technology is called Automatic Content Recognition (ACR). ACR technology works by identifying video and audio fingerprints, which enables vendors to distinguish one video from another [38]. With ACR, it is possible to determine which shows or movies are trending and popular. ACR works because Smart TVs (with permission) capture a few pixels (fingerprints) from the content the viewer is currently watching on the TV and share that data with the TV manufacturer’s ACR tracking software [95]. The software takes these pixels and matches them to a database that keeps track of local broadcasts in the region the viewer is watching in. The ACR data also includes the length of commercial breaks and which commercials are being watched. With this technology, ACR providers know the following things:

• Is the viewer watching linear, OTT, DVR or VOD?

• What shows and commercials they are watching on a second–by–second basis

• What the viewer’s IP-address is, which will then allow them to know their physical address and which websites and apps they visit.

This data is all anonymized, i.e., there is no actual PII attached [95]; this is further discussed in the analysis chapter, where the PII values used in this thesis are introduced. ACR typically collects both audio and video, making it easier to identify which show or series is being watched, including the episode number as well as the viewing time. Since the audio is collected, some ACR systems are also able to detect the language of the content [88]. This happens in the background and a consumer will not notice the process. All of the information is stored in the ACR cloud application and is then handled by an "Event System" [76]. The Event System generates the data to deliver directly to the TV client. With ACR, advertisers are able to craft targeted ads and determine users’ interests or desires. ACR is built to gather screen information from consumers. Samsung’s and LG’s Smart TVs allow the user to disable ACR [24], but it is still enabled by default. This means that if the user turns off the ACR function, a factory reset will change ACR back to its default state. ACR companies such as SambaTV also use web beacons to identify each user [62]; this information is then combined with video and audio fingerprints as well as a device-ID and the user’s IP-address. Smart TV vendors partner with advertising firms that make use of the combined data from consumers.

Another interesting fact, mentioned in a Forbes article by Alan Wolk and in a Washington Post article by Geoffrey A. Fowler [95, 15], is that SambaTV targets mobile phones based on ACR data from Smart TVs. This is done by analysing IP–addresses and finding smartphones that are in the same network as the Smart TV. The value of ACR data, according to Forbes [95], is estimated to grow and become a $5 billion industry by 2021. Advertisers use ACR data to help determine who is watching what across a wide variety of formats and options. The technology persists regardless of which application is used: ACR will still collect viewing content. SambaTV has its own privacy policy, which is shown in Philips Smart TVs alongside Philips’ policy. SambaTV specifies what kind of data is collected and why [62]. The collected data is mainly Content Viewing Information, Log Information and Device Information. The following is a snippet from the privacy policy:

Where the law permits, we may also obtain information from other sources and combine that with information we collect through our Services. For example, we might obtain information from data providers and advertising exchange services, including assumed demographics and interests, and data about your engagement with certain ads.

It is also mentioned that Samba TV is a participant in the EU-US Privacy Shield and Swiss-US Privacy Shield programs, but as mentioned in the background chapter, the EU-US Privacy Shield is no longer valid. SambaTV also states that the gathered ACR data is not sold on to any third parties [41]. Instead, advertisers pay SambaTV to direct ads to other gadgets in a home after their TV commercials play. Early versions of ACR data collection were seen in 2013: a blog post [24] shows that LG’s Smart TV collects viewing information as well as connected device names and even file names. There was an option in the system settings called "Collection of watching info" that was set to ON by default; network interception analysis showed that viewing information appears to be collected regardless of whether this option is set to ON or OFF. The data was transmitted to LG over HTTP and included the unique device ID, viewing data and the names of files stored on the consumer’s external USB hard drive.

Chapter 3

Data collection

This chapter focuses on the data gathering methods and shows how the collection will be executed. The goal is to gather as much network traffic as possible in different modes for each policy state. During data collection, the TVs will be in idle mode, in turned-off mode, and in a mode where the TV is controlled and interacted with. The voice and microphone function will also be tested for the TVs that include a microphone. Each test is executed under the accepted and declined privacy policy states.

3.1 Research methodology

For this thesis, a single case study was done to research PII exposures in Smart TVs under different privacy policy states. A case study is a research method that focuses on understanding the dynamics of single settings [51], meaning that the research provides a deeper understanding of specific instances of a phenomenon. Each Smart TV is tested with the policies accepted and with the policies declined. A controlled experiment was conducted on five Smart TVs; Table 3.1 lists each TV that data was collected from. Since the collected data may contain PII of an end–user, the project was reported to the Norwegian Centre for Research Data (NSD).

Samsung QE65Q7FNA
LG webOS TV SK7900PLA
Sony TV BRAVIA 4k
Samsung Q60
Philips 55PUT6101/12

Table 3.1: Smart TV model list

3.2 The data collection method

The data collection method needs to be systematic and portable in order to achieve an easy setup and to provide consistent and precise results that can further be used to extrapolate data. One way to approach this is to create a simple checklist with the requirements and setups listed in chronological order. This allows the data collection method to make efficient use of the limited time. Smart TVs will mainly be in two different states for each test. The first state will be executed with the privacy policies accepted and the second state with all of the privacy policies rejected. This gives a perspective on how a Smart TV from each brand operates in the network under each policy state. To make the later analysis more systematic and easy to read, aliases will be used: "PA" (Policy Accepted) indicates that the privacy policy is accepted and "PD" (Policy Declined) that the privacy policy is declined. The network traffic from the TVs will be monitored while each TV is in idle mode and while the preinstalled apps are used; this will be executed for each state. The applications are used to see if the TV will trigger any network endpoints related to the Smart TV vendor. This shows how the Smart TV operates while other applications are used and while the TV is interacted with. It is also interesting to see if the TV is active in the network while it is turned off or in a "sleep" state. When the On/Off button is pressed on the remote controller, depending on the vendor, the TV should either enter a sleep mode or be completely shut down. In this thesis, each TV’s network traffic will be monitored while the TV is turned off. Voice functionality, for Smart TVs that have this function available, will also be monitored to see if the policies are followed by vendors.

3.3 Sniffing TLS communication

To successfully decrypt TLS 1.2 packets, a custom certificate needs to be installed on the client. At this point in time, there are no ways to configure or install certificates on Smart TVs. Even Android TV does not allow users to write to system files; however, it is achievable if the Android TV is rooted. In this thesis, two unsuccessful attempts to root the Sony TV showed that common tools for rooting Android, such as oneclickroot and kingoroot, do not work on Android TVs. Figure 3.1 shows the failed rooting attempt on the Sony TV. Executing the kingoroot tool on Sony’s Android TV will brick the TV’s boot loader, resulting in an endless loop in the booting stage without access to the OS. To solve this problem, a forced factory reset had to be performed on the TV using its physical buttons. A guide for the hard factory reset can be found in Sony’s official support article [77].

Figure 3.1: Rooting attempt

In the background chapter, the IoT Inspector tool was introduced. IoT Inspector collects IoT network data and is able to do this at a larger scale. The tool uses the ARP spoofing technique to intercept traffic in the network [35]. The main reason this tool was not used is that IoT Inspector sends the gathered data to Princeton University, where the data might be further shared with non–Princeton researchers. There are different methods one could use to intercept traffic coming from Smart TVs. Tcpdump was used in the research paper [69] with a server that provides network connectivity and data gathering. There is a traffic analysing proxy called mitmproxy [49], which is free and open–source. Mitmproxy is a powerful tool that is able to decrypt encrypted packets, perform replay attacks and generate SSL/TLS certificates for interception on the fly. The tool has a Python API, and it is possible to develop and add addons. In this thesis, an active MITM (man in the middle) attack was attempted using mitmproxy [49]. The intention was specifically to extract data from encrypted packets.

Figure 3.2: Simple overview of mitmproxy in the network

If changing the root certificate of a TV was possible, it would enable us to use mitmproxy to intercept and gather data while saving SSL keys, which can later be imported into Wireshark for a more detailed and decrypted overview of transmitted data. The Sony TV runs on Android 7. There is a command–line tool called ADB (Android Debug Bridge) [3] which is able to connect to and communicate with an Android device. With ADB it is possible to install and debug apps, and it provides access to a Unix shell that allows a variety of commands to be run on the device. After experimenting with ADB connected to the Sony TV, an attempt to install a custom TLS certificate into the system files was unsuccessful; this shows that ADB does not come with full privileges to the system files.

Figure 3.3: ADB tool

Figure 3.4: Permission denied

Both mitmproxy and ADB were unsuccessful in decrypting TLS packets. A custom certificate was provided to the TV, and the attempt was unsuccessful: the TV did not accept invalid certificates. Since there are no ways to inject or install certificates on Smart TVs, we have to use other tools to gather as much information as possible. This means that the content of each transmitted TLS packet will not be accessible to read and evaluate later in the analysis, but it is still possible to intercept the network communication from the TVs. Another data gathering approach is to connect the PC/MacBook directly to the ethernet port of the Smart TV, providing internet access and monitoring the ethernet interface at the same time. However, in most cases this requires physically moving the Smart TV, since the ethernet ports are often located at the back of the TV. The data gathering approach in this thesis needs to be wireless and portable for practical reasons.

3.4 Data gathering method

In this thesis, an eavesdropping attack was performed using the network analysis tool Wireshark and the security framework Bettercap [94, 8]. Wireshark is one of the most common tools used for network analysis; it allows closer inspection of each packet together with a lot of metadata. Bettercap is considered to be the Swiss Army knife for network reconnaissance and MITM attacks. Bettercap will be used to ARP–spoof the network. ARP–spoofing is an attack technique where the goal is to associate the attacker’s MAC–address with the IP-address of the default gateway. It is important to note that ARP–spoofing is used to route all outgoing traffic from the TV to the MacBook, where Wireshark is running on the current network interface. Without ARP–spoofing, the communication from the TV would go directly through the hotspot. After ARP–spoofing, all of the traffic from the TV goes by default through the MacBook, which is used as the main device for the data analysis. Therefore, the chosen data gathering method requires tools that are able to ARP–spoof and capture network traffic. The only requirement on the client TV is that it is in the same network where the data gathering tools operate.
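How the gateway re-binding described above looks from the monitoring side, as an added example (not code from the thesis): the sketch parses raw ARP payloads and reports when the gateway IP is announced with a MAC address that differs from the first one seen. All addresses and frames are constructed sample values, and treating the first binding as the trusted baseline is an assumption.

```python
import struct

ARP_FORMAT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP payload, 28 bytes (RFC 826)
ARP_SIZE = struct.calcsize(ARP_FORMAT)


def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_SIZE:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FORMAT, payload[:ARP_SIZE])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join("%02x" % b for b in sha)
    sender_ip = ".".join(str(b) for b in spa)
    return opcode, sender_mac, sender_ip


def find_binding_changes(payloads, watched_ips):
    """Flag watched IPs that are announced with more than one sender MAC.

    Assumption: the first MAC seen for an IP is the legitimate one, so the
    monitor has to start while the network is in a known-good state.
    """
    baseline = {}
    alerts = {}
    for index, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue                      # truncated or non-IPv4 ARP
        opcode, mac, ip = parsed
        if ip not in watched_ips:
            continue
        if ip not in baseline:
            baseline[ip] = mac
        elif mac != baseline[ip]:
            alert = alerts.setdefault((ip, mac), {
                "ip": ip, "baseline_mac": baseline[ip], "seen_mac": mac,
                "opcode": opcode, "first_index": index, "count": 0})
            alert["count"] += 1
    return list(alerts.values())


# Constructed sample (hex): hardware type, protocol type, lengths, then
# opcode, sender MAC, sender IP, target MAC, target IP.
HEADER = "0001" + "0800" + "06" + "04"
GATEWAY_IP = "172.20.10.1"          # constructed gateway address
SAMPLE_ARP = [bytes.fromhex(h) for h in (
    # request from the TV (172.20.10.12): who has 172.20.10.1?
    HEADER + "0001" + "020000000012" + "ac140a0c" + "000000000000" + "ac140a01",
    # reply from the gateway itself
    HEADER + "0002" + "020000000001" + "ac140a01" + "020000000012" + "ac140a0c",
    # two replies in which another host claims the gateway IP
    HEADER + "0002" + "0200000000aa" + "ac140a01" + "020000000012" + "ac140a0c",
    HEADER + "0002" + "0200000000aa" + "ac140a01" + "020000000012" + "ac140a0c",
    # truncated payload, ignored by the parser
    "00010800",
)]

if __name__ == "__main__":
    for alert in find_binding_changes(SAMPLE_ARP, {GATEWAY_IP}):
        print(alert)
```

On a network where the gateway legitimately changes hardware, the baseline has to be reset; otherwise every later packet from the new device is reported.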

3.5 Building data gathering method

Since each Smart TV has its own unique idle mode, in this thesis a TV is considered to be in idle mode when it is turned on but no instructions are given. Idle mode for each TV will be described in the analysis section. Idle mode and turned-off mode for each TV will be monitored for exactly 10 minutes. The 10–minute time period was chosen for practical reasons, to make the data collection process shorter; it is also assumed that a longer time period would not show major differences for idle and turned-off modes. To make the later analysis easier, a very simple Python script was created to count the total number of unique domains. The script goes through each packet’s DNS section, counts all unique DNS queries and writes the results to a file which will be used in the analysis.

```python
import pyshark

pcapFile = pyshark.FileCapture('SAMSUNG_12_IDLE_PA.pcapng')

udns = {}  # domain name -> number of DNS packets seen for it


def get_unike():
    for packet in pcapFile:
        # print(packet)
        if "DNS" in packet:
            domain = packet.dns.qry_name

            if domain in udns:
                tmp_counter = udns[domain]
                udns.update({domain: tmp_counter + 1})
            else:
                udns.update({domain: 1})

    # write to file, one "domain<TAB>count" line per unique domain
    with open("utest.txt", "w+") as file1:
        for i, k in udns.items():
            file1.write(i + "\t" + str(k) + "\n")


get_unike()
pcapFile.close()
# ...
```

Listing 3.1: Code snippet for finding unique DNS lookups

To find unique DNS lookups, a Wireshark wrapper for Python was used, which makes it easy to analyse Wireshark files with Python. Each .pcap and .pcapng file was generated according to the PA and PD states, and the file name is carefully formatted according to the state of the TV. For instance, the .pcapng file name in the Python code is SAMSUNG_12_IDLE_PA, which makes it easy to see that the TV is a Samsung with IP address 172.20.10.12 in idle mode with privacy policies accepted (PA). Labelling the files this way makes it easier to separate data of TVs from the same vendor. For each known unique domain, the total number of bytes needs to be calculated. This shows how much data is sent to a domain, possibly revealing patterns where the bytes are consistent per packet for each domain. A simple Python script can find and calculate this type of data. Both Python scripts help us to do the analysis in an efficient way.

```python
import csv

data = {}           # domain -> total number of bytes
uniqueDomains = {}  # domain -> number of packets

with open('Book1_philips2.csv', mode='r') as csv_file:
    csv_reader = csv.reader(csv_file, delimiter=';')

    for row in csv_reader:
        # Skip a header line or incomplete rows whose length column is not a number
        if len(row) < 7 or not row[5].strip().isdigit():
            continue
        name = row[6]         # server name column
        Cbytes = int(row[5])  # packet length in bytes

        # COUNT BYTES PER DOMAIN
        data[name] = data.get(name, 0) + Cbytes
        # COUNT AMOUNT OF UNIQUE DOMAINS
        uniqueDomains[name] = uniqueDomains.get(name, 0) + 1

with open("done.txt", "w+") as file1:
    for i, k in data.items():
        # file1.write(i + "\t" + str(k) + "\n")
        print(i, k)
    print("______")
    for i, k in uniqueDomains.items():
        print(i, k)
```

Listing 3.2: Code snippet for finding total amount of transferred bytes

The traffic from the pcap and pcapng files will be dumped to a csv file where further analysis and presentation can be performed. The Python script that counts the total number of bytes per domain uses the csv library to work with csv files with a specific delimiter. It will also count the unique server names from HTTP and TLS packets; this is done by extracting hostnames from HTTP packets and counting them together with TLS SNIs.

3.6 Data collection method setup

This section shows how the data gathering setup is configured for each TV. The main reason for this type of data gathering approach is to make the tests as systematic as possible. The TV needs to be in the same network where the data gathering tools operate; a mobile hotspot from an iPhone was used, to which both the MacBook and the TV were connected. The local IP-address is then noted for each TV.

Now that both devices are in the same network, we first execute Bettercap’s ARP–spoof and activate the Wireshark sniffing tool. Because of the ARP–spoof, the MacBook will act as a "router" for the TV and, at the same time, Wireshark will be running and gathering all of the TV’s outgoing data in the network. Figure 3.5 illustrates how the network looks before our data collection method is executed.

Figure 3.5: Overview of the network setup

When the Smart TV is in the same network, the data collection method is ready to be executed. Figure 3.6 shows the network after the ARP–spoof; the blue line between the Smart TV and the MacBook is the communication line that will be intercepted and recorded.

Figure 3.6: Network flow after ARP–spoof

Wireshark will collect traffic from the TV and store appropriate files.

3.7 Executing the data collection

The data collection method was executed for each policy state, the Accepted and the Declined state. Each of the TVs tested in this thesis had the option to find the privacy policy in the settings menu, where the user can read it and decide whether to accept or decline the policy. For each TV, around five to six .pcap and .pcapng files were generated based on the available functions of the TV, such as voice recognition. These files are unfiltered and contain hosts and protocols that are not needed. Data packets to and from the mobile gateway are not very interesting, along with protocols such as ICMP, SSDP and OCSP, since it is assumed that these do not include privacy relevant information. This is why the Wireshark capture needs to be filtered appropriately.

```
1: ip.src && ip.dst != 172.20.10.6
2: (ssl.handshake.type == 1 && ip.src == TV_IP) || http || dns
```

Listing 3.3: Wireshark filters

The first line filters out our mobile hotspot gateway, which has an IP-address of 172.20.10.6. The Python script collects all of the accessed domains in DNS packets; the second filter will display only TLS, DNS and HTTP packets of the TV. Figure 3.7 below shows the captured data in Wireshark. The data is already filtered so that only HTTP, DNS and TLS packets are displayed. As seen in Figure 3.7, Wireshark’s column display has been configured so that the TLS SNI is shown in the server name column.

Figure 3.7: Wireshark with filters

Figure 3.8: Flow of the data gathering

Figure 3.8 shows the stages before the data is fed to the main analysis. After the data gathering has been executed for the idle mode and during use of applications, the last mode to test is while the TV is turned off. The time range for this test is 10 minutes, as in idle mode. To summarize which files were generated for the PA (Policy Accepted) and PD (Policy Declined) states, a list is given below:

• Idle mode PA state

• Idle mode PD state

• Interacting with the TV’s applications in PA state

• Interacting with the TV’s applications in PD state

• Turned off state

• Using microphone & voice recognition function

It is important to test the Smart TV in different modes for each policy state. This shows how the TV operates in idle mode, where no user inputs are given, and in a mode where the TV is interacted with by using the installed applications. The traffic from each TV needs to be examined while the TV is turned off; this will be done on all TVs. The microphone function is only tested with the Samsung Smart TV Q65, since the voice function is not available on other TVs such as Sony, LG and Philips.

Chapter 4

Analysis and results

Before the analysis is presented, it is important to have an understanding about the common data types vendors usually collect. Therefore, a short comparison of privacy policies from different Smart TV vendors will be presented. Further, a simple PII classification concept is introduced before the TV’s collected data and analysis results are presented. The PII classification will be used in the analysis of a network endpoint to define if it collects or operates with PII related data from consumers.

4.1 Analysis method

As seen in the data gathering chapter, TLS makes it difficult to look into the contents of network packets; therefore the network analysis is done without TLS inspection of network packets. The analysis is instead based on the DNS lookup query names, HTTP hostnames and TLS Server Name Indications (SNIs). Each TV will be presented in more detail regarding the chosen idle mode and how the TV behaved during the data gathering stage. For each TV, results from data gathering will be presented in PA (Policy Accepted) and PD (Policy Declined) states, followed by a short analysis of relevant domains. Additional analysis and classification will be discussed in the last section. The evaluation for each domain in this thesis will be slightly different based on the available information about the domain on the following services: VirusTotal.com, AlienVault.com, Cookiepedia.co.uk, Dnsdumpster.com and Trustedsource.org by McAfee. These tools are open–source services and they are a part of OSINT (Open–Source Intelligence [28]). By using these open–source services and looking further into the domains, it is possible to sort the domains into three main categories: vendor/ACR based domains, advertisement and tracking services (ATS), and domains linked to third–party apps and services. Many queries can easily be mapped to a specific device, manufacturer or advertisement related service just by looking at the domain name itself. Since VirusTotal will automatically output Google search results for the inputted domain, some results and decisions will be based on the information from these searches. An HTTP GET request will be performed on each domain to see how the domain responds. The goal is to identify vendor domains that receive or operate with data related to PII under each privacy policy state. This will be done by using the analysis tools seen in Figure 4.1 along with the privacy classification concept presented in the PII classification (section 4.3). Figure 4.1 shows the analysis flow, where the information for each domain is sorted into specific domain classes: vendor/ACR, advertisement/tracking services and application/third–party domains.

Figure 4.1: Analysis flow

ACR companies will be categorized together with Smart TV vendors even though ACR vendors have their own policies. The reason behind this decision is that all of the Smart TVs come with ACR software pre-installed and not all Smart TV vendors inform about ACR. Therefore, all ACR vendors have to comply with the policies of the Smart TV vendors. Before the privacy classification is created, there is a need to analyse and present the vendors’ policies to get a better understanding of the exact data types vendors tend to collect.

4.2 Comparison of vendor’s privacy policies

All Smart TVs require that the user reads the vendor’s privacy policies. It is common for the TVs to present this at the very start of the first boot and give the user the ability to change the policy decision in the settings of the OS. It is essential for vendors to provide the policy information to the user, specifically, sufficiently clear and transparent information for consumers about the data processing, the time of this information, and the legality of data. A vendor’s privacy policy also has to comply with GDPR if the TVs are sold and used in Europe. The newest versions of Samsung’s Tizen OS have a built-in app called Privacy Choices where the user can access and read all of the privacy related information and accept or decline each of the policies. Samsung’s Privacy Choices app is split into three different privacy policy categories: Information Display services, Privacy policy for interest–based advertising services and Privacy policy for voice recognition services. The user will get a window with all of the legal privacy policy information and check boxes to approve the agreement. Declining one or more of these policies will result in loss of functionality; for instance, declining voice recognition will disable the voice control feature of the TV. Samsung states that the TV does not actually record or store data from the microphone, but merely processes the requested command into data in order to obey the command or search for content [18]. Samsung also states that voice data is not sold to a third party.

4.2.1 Data types collected by vendors

The examination of each policy was done by looking into each vendor’s main policy sites [61, 63, 60, 66]. Specifically, the extraction was done on the privacy policy section where it is specified what data vendors collect and how the data is further used. The results showed that vendors gather the same data in similar ways. The privacy policies found on the websites of Sony, Philips and Samsung are not aimed directly at Smart TVs but cover all of the vendor’s products. It can therefore be confusing for the end–user to read an overall privacy policy that is not directly related to the TV itself; for instance, Samsung’s policy [63] states that the GPS signal and information about Wi–Fi access points as well as cell towers will be collected. However, Smart TVs currently do not have a GPS tracker integrated. It is common for vendors to inform what data is gathered, but none of the vendors actually inform exactly what type of data is gathered if the privacy policy is declined. Samsung’s privacy policy also informs that the user has the option not to provide certain types of information, which in some cases may limit the ability to use some products and services.

Assume a consumer accepts all of the policies from the vendor, which is the PA state in this thesis. It is then possible to classify the data sent to vendors into five different types of information: ACR / Viewing content, Log data, Device info, Location data and Voice commands. ACR or viewing content data is collected by all vendors, where each vendor has its own unique third–party partner. Samsung does not publicly disclose the third parties but informs the user in the privacy policy that ACR technology is used. Samsung clearly specifies that they collect what the consumer is watching, including what applications are used. LG specifies that the viewing information goes to LGE (LG Electronics) [60], and Sony along with Philips use Samba TV, which also has its own privacy policies [62]. Viewing data is information a consumer views on the TV; this could be everything from browsed web sites to channels and services, and one important piece of metadata here is the amount of time spent viewing each service. Log data is information such as software errors, usage time for each application, diagnostic and technical information of services and even search queries. Location data contains information about which country the Smart TV is located in, and some vendors also get the zip code. Each vendor also specifies that advertisement is not based on the viewing content on the TV but can rather be based on information such as product location, search history and in some cases also the voice information. Only LG’s privacy policy has a dedicated Smart TV policy section [60], where they also specify that the end–user can disable the collection of viewing data.

You may prevent the collection and use of your Viewing Information in connection with some of the enhanced services by clicking the appropriate on-screen button in the Settings menu or by agreeing or disagreeing with the User Agreement related to that service.

To summarize the exact data types each vendor collects, Table 4.1 lists the types of information that are considered device information and collected by vendors.

Hardware model
Current software version
Serial number
MAC–address
Screen Fingerprint/ACR
IP-address
Device ID and cookie
Country/Location
Language of the TV
User log data

Table 4.1: Data types provided by Smart TVs to vendors

4.2.2 User’s privacy policy

There are mainly two sources vendors get information from: information provided by the user and information sent from the TV by default. Vendors like Samsung, Philips, Sony and LG give users the possibility to create an account which can be used with different products. During the first setup of a brand–new Smart TV or any smart device, the TV or the device that is connected to the internet might request the consumer to register the product with personal information such as name, address, phone number and device ID or model name [39]. All of the vendors specify that if an account is created, it will be used for marketing purposes and for delivering news to the consumer. By creating an account, a user directly provides account information to vendors, as seen in Table 4.2.

E-mail address
Username
Password
Date of birth
Selected language
Location
Phone number

Table 4.2: Data types provided by a user to vendors

Smart TVs offer a wide range of technical options that allow companies to understand the behavior of the user. For instance, ACR technology shows the viewing content the user is interested in, and the Smart TV vendor is also able to monitor application usage and clicking behaviour. PII metadata the TV sends is often merged with the data a consumer might provide, as seen in Table 4.2 [11]. Looking into the differences between what data the TV provides and what data a user provides to vendors, Tables 4.1 and 4.2 show that location and language data is provided regardless. Figure 4.2 shows what most of the privacy policies look like: the privacy policy is often divided into three categories if the TV has a microphone on the remote controller. Sony and Philips TVs had only one privacy policy section that a user could read and accept or decline. Privacy policies also inform about the usage of third–party applications. A consumer that uses third–party applications such as Youtube or Netflix will provide PII related data to these services. A snippet of Sony’s privacy policy displayed at the first boot informs the following:

If you have refused consent for Sony to review data, you may still have provided consent to other third–party application (such as Youtube). Although Sony will only use your IP-address for this TV to access the Internet, it may be collected and stored by third–party application or websites you visit.

This is also valid for other Smart TV vendors, since all Smart TVs allow the usage of third–party applications such as Youtube, Netflix, Facebook, Spotify etc. Samsung TVs have an app dedicated to privacy policy. The application allows users to read the policies and choose between three main policy categories: information display services, interest–based ad service privacy statement and privacy statement for speech recognition service. If, for instance, the policy regarding speech recognition service is declined, the user will not be able to use voice features. This is valid for all Smart TVs that have a privacy policy for voice and speech recognition.

Figure 4.2: LG Privacy policies

The information provided by a user to vendors is PII related data, as seen in Table 4.2. The next section introduces the PII classification, which will be applied to the data types that the TVs send out, as seen in Table 4.1.

4.3 PII classification

The goal is to create a simple and usable privacy classification concept to define the use of PII in network traffic without decrypting and looking at the contents of each network packet. It is possible to determine PII exposure in both encrypted and non–encrypted network packets. This is utilized in this section by creating a simple PII table, Table 4.4, to classify the TV’s outgoing traffic. The information collected from the TV’s network traffic, such as packet contents, patterns and metadata, can all reveal PII of a user and the user’s online activity. In this thesis, the PII exposure classification is based on the concepts summarized in Table 4.3. Table 4.4 shows an example where the privacy policy data extracted from each vendor’s policy (Table 4.1) is classified using the definitions and concepts from the research publications listed in Table 4.3. The PII classification, along with the concepts regarding the analysis of network traffic from the research publications in Table 4.3, is utilized in this thesis.

Year | Publication | Concepts adopted for this thesis
2010 | NIST National Institute of Standards and Technology: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) [44] | PII definition and PII Confidentiality Safeguards
2016 | GDPR General Data Protection Regulation: Art. 4 GDPR – Definitions [5] | Personal data definition and privacy policy requirement
2017 | Princeton University: A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic [4] | Metadata analysis of TLS/SSL and DNS Queries
2014 | Hong Kong University of Science and Technology: Privacy Information Security Classification Study in Internet of Things [40] | Classify the security level of the privacy information
2020 | University of : The TV is Smart and Full of Trackers [85] | Differentiating PII exposures in Smart TVs by searching for PII values in the HTTP header fields and URI path
2015 | Masaryk University: A Survey of Methods for Encrypted Traffic Classification and Analysis [86] | Information extraction of encrypted traffic, Server Name Indication (SNI)
2007 | Kyushu University: Analysis of Privacy Disclosure in DNS Query [98] | Privacy disclosure analysis of DNS

Table 4.3: Privacy principles and concepts

| Data type | PII |
|---|---|
| TV Hardware model |  |
| Current software version |  |
| Serial number |  |
| Country/Location |  |
| MAC–address |  |
| User Log data |  |
| Screen Fingerprint/ACR |  |
| Device ID and cookie |  |
| IP-address |  |
| Language of the TV |  |

Table 4.4: Smart TV PII classification concept

IP-address is considered as PII by NIST, while GDPR clarifies that IP-addresses might be PII related in certain circumstances. However, an IP-address combined with other types of data such as user log data or query patterns does make it PII related. In this thesis, IP-address will be overlooked. This makes the PII evaluation of network endpoints more meaningful simply because it is interesting to see PII relations on other types of data in the network traffic.

After the domains are analysed using the tools seen in Figure 4.1, three categories of domains will be created for further analysis. These are specific domain classes such as vendor/ACR, advertisement/tracking services and the application/third–party domains. In cases where it is clear that the vendor domain operates with ACR data, the domain will be classified as ACR rather than vendor.

Roku and Fire TV apps send the advertising ID alongside a static identifier (serial number) to third parties such as advertising and tracking services (ATS) [85]. This allows ATS to have a linkable user profile with an associated advertisement ID. Therefore, the serial number, user log data and screen fingerprint/ACR information are considered as PII. This type of data is sent to and processed by third parties and advertisement services. Location and GPS data by itself is not a direct PII but can be crucial if combined with any other type of data, which is why it is considered as PII in this thesis. Data types that are not considered to be PII are metadata information related to TV model, software version and the configured language of the TV.

Further in the analysis of domains, all of the ATS and ACR related network endpoints will be considered as PII related domains. ATS companies are able to collect PII and it is also possible that the advertisements are not directly based on PII, but since the contents of packets are not readable, the advertisement services will be marked as PII included domains. By looking at the sub–domain, it is possible to get an indication of what the domain might contain.
For the domains that are qualified as vendor or third–party application domains, further PII evaluation will be done where the same tools such as VirusTotal are used along with Google search results. Domains that are classified as "web analytics" by VirusTotal gather and analyse data related to web traffic and usage patterns. When these types of data are combined with an IP-address, this will qualify as consumer’s PII as discussed in the GDPR section.

4.4 Captured traffic and analysis

A table containing the domain name, the accessed frequency and the total number of bytes sent from the TV to a specified domain will be presented. The rate of occurrences f1 represents the number of DNS lookups, while f2 is the total number of domain names combined from HTTP hostnames and TLS Server Name Indications (SNIs). From DNS lookups it is only interesting to count the number of lookups without taking the packet size into consideration. The total amount of transmitted bytes for a domain is extracted only from HTTP and TLS packets. For each domain, a checkmark will be noted if the analysis end results point towards PII transmission. Since there are a lot of domains accessed when using applications, only relevant domains that are interesting to analyse will be presented. Some of the servers that deliver static content and OCSP (Online Certificate Status Protocol) servers will be excluded from the table. Since some of the third–party applications will generate domains related to advertisement, these will be presented separately later in this chapter. A full list of the domains will be available as an appendix for this thesis.

Each TV tested in this thesis has a main menu a user can interact with and choose different applications. The idle mode for all of the TVs will be the main menu of the TV’s OS. The main menu can be accessed by pressing the "Home" button on the remote controller. This button is present on all of the TVs tested in this thesis. The third–party domains contacted in idle mode will not be filtered out as it is interesting to see which applications are constantly running in the background. All of the domains in the idle mode for each TV will be included. These domains can give an indication of what applications are running in the background. Therefore, all of the idle domains will be presented, while the domains accessed during the use of applications will be filtered accordingly, presenting only relevant vendor domains.

4.5 Sony TV Bravia 4K

At the very first boot, the Sony policies are presented followed by a policy from Google which cannot be declined. Sony TV uses Android 7 kernel version 3.10.79, the TV comes with preinstalled apps from Google such as Youtube, Google Play Music, Google Play Movies & TV, Google Play Games and Google Play Store. There are also stock apps from Sony such as Album, Video, Programme Guide and Music. All of the mentioned apps were tested in both PA (Privacy Accepted) and PD (Privacy Declined) states. The main menu page of Android TV was used as idle mode, there is also a recommended section where the suggested videos from Youtube are listed.

4.5.1 Idle mode

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| connectivitycheck.gstatic.com | 3 | 32 | 11889 |  | Third Party |
| bdcore-apr-lb.bda.ndmdhs.com | 3 | 3 | 799 |  | Vendor |
| mtalk.google.com | 3 | 3 | 1749 |  | Third Party |
| clients3.google.com | 1 | 1 | 643 |  | Third Party |
| cdn.meta.ndmdhs.com | 1 | 3 | 923 |  | Vendor |
| www.sony.net | 1 | 4 | 908 |  | Vendor |
| cert-cdn.meta.ndmdhs.com | 1 | 2 | 571 |  | Vendor |
| clients4.google.com | 1 | 2 | 571 |  | Third Party |

Table 4.5: Sony TV – Domains in idle mode PA state

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| connectivitycheck.gstatic.com | 3 | 37 | 13789 |  | Third Party |
| www.sony.net | 3 | 10 | 2270 |  | Vendor |
| mtalk.google.com | 2 | 3 | 1797 |  | Third Party |
| clients3.google.com | 1 | 2 | 1142 |  | Third Party |
| reg.biv.sony.tv | 1 | 1 | 923 |  | Vendor |
| ssm3.internet.sony.tv | 1 | 1 | 571 |  | Vendor |
| bdcore-apr-lb.bda.ndmdhs.com | 1 | 1 | 571 |  | Vendor |
| sa.sde.sony.com | 1 | 1 | 232 |  | Vendor |
| www.googleapis.com | 1 | 2 | 809 |  | Third Party |

Table 4.6: Sony TV – Domains in idle mode PD state

As seen in Table 4.5 and 4.6, four of the server names are owned by Google, these are mtalk.google.com, clients4.google.com, clients3.google.com and connectivitycheck.gstatic.com. There are many content delivery servers from Google, one of these is the clients3.google.com domain. The mtalk.google.com domain is classified as media messaging and online chat by VirusTotal, the domain is used to receive push notifications and will not be defined as a PII related domain. It was noticeable that the Sony TV sends HTTP v1.1 keep–alive checks to connectivitycheck.gstatic.com and to sony.net almost every fifth second. The domain connectivitycheck.gstatic.com only uses HTTP for sending data of the user–agent. The accessed frequency of this domain shows that both Sony and Google track whether the TV is connected to the internet. Sony.net gets the following user–agent data:

• Dalvik/2.1.0 (Linux; U; Android 7.0; BRAVIA 4K GB ATV3 Build/NRD91N.S140)

while connectivitycheck.gstatic.com gets a different user–agent data:

• Mozilla/5.0 (Linux; Android 7.0; Build/NRD91N.S140) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.54 Safari/537.36 CrKey/1.47.216070

From these HTTP packets it is clear that both Google and Sony get information about the OS of the TV regardless of the privacy state. In idle mode, vendor domains such as sa.sde.sony.com, reg.biv.sony.tv and ssm3.internet.sony.tv were contacted only in PD state. This behaviour could be a result of applications running in the background, it also might be an indication that vendors are interested in consumers’ data in PD state. McAfee lists ssm3.internet.sony.tv as "Entertainment", reg.biv.sony.tv as "" by VirusTotal, and sa.sde.sony.com is categorized as "Business". Since there is no clear indication why these domains were accessed in PD idle mode, Sony (.tv and .com) domains will be categorized as PII included domains.
Domains where the top level ends with ndmdhs.com and sony.net are owned by the Japanese PSI (Public Services International) and are categorized as "Games" by both VirusTotal and McAfee. Domains such as cdn.meta.ndmdhs.com and bdcore-apr-lb.bda.ndmdhs.com can be found in a Reddit discussion forum where users believe that their Sony headphones collect information about consumers [78]. The bdcore-apr-lb.bda.ndmdhs.com domain is only seen once in both modes in the PD state. This domain is accessed more frequently in the PA state.

4.5.2 Interacting with the TV

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| connectivitycheck.gstatic.com | 29 | 45 | 14473 |  | Third Party |
| www.sony.net | 8 | 17 | 3859 |  | Vendor |
| bdcore-apr-lb.bda.ndmdhs.com | 5 | 5 | 1321 |  | Vendor |
| cdn.meta.ndmdhs.com | 4 | 12 | 3809 |  | Vendor |
| ssm3.internet.sony.tv | 2 | 3 | 1713 |  | Vendor |
| update.biv.sony.tv | 2 | 3 | 1713 |  | Vendor |
| service.biv.sony.tv | 2 | 3 | 1713 |  | Vendor |
| reg.biv.sony.tv | 2 | 3 | 1713 |  | Vendor |
| sa.sde.sony.com | 1 | 1 | 232 |  | Vendor |
| log.core.cloud.vewd.com | 1 | 1 | 238 |  | Third Party |

Table 4.7: Sony TV – Domains while using applications in PA state

The Sony TV sends HTTP packets to connectivitycheck.gstatic.com and sony.net regardless of the policy state and usage modes. The PII classification in Table 4.4 shows that OS version data is not PII related, and there is no other indication of PII in the HTTP packets to the connectivitycheck.gstatic.com and sony.net domains; these will therefore not be classified as PII related domains. The interesting domain that was accessed only once in PD state without a DNS lookup is the flingo.tv domain seen in Table 4.8, this domain belongs to the ACR vendor SambaTV. For the Sony TV, the data gathering method was executed multiple times to see when exactly the flingo.tv domain is contacted, unfortunately this domain did not occur very often. Flingo.tv is the only directly identifiable ACR domain for the Sony TV. The flingo.tv domain interestingly did not occur in PA state while using the applications, Table 4.7. Since it is an ACR vendor, the classification of this domain is therefore marked as PII included.

Vendor domains such as update.biv.sony.tv and service.biv.sony.tv occur only in PA state, meaning that these domains may contain PII of the consumer. The sa.sde.sony.com domain, in contrast, is looked up and accessed once in each idle mode regardless of the policy state, which could indicate that this domain does not handle PII. Another interesting domain is log.core.cloud.vewd.com, which only occurs for this TV. Vewd is a company that provides OTT software solutions for Sony, Samsung, Philips and Verizon. Vewd was formerly known as Opera TV, and Vewd Core, formerly known as the Opera TV SDK, has become the most deployed HTML5 SDK in the industry [53]. There are no privacy policies to find and read on their main site vewd.com. From the domain name, the log term is seen indicating some form of log data, therefore this domain is marked as PII.

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| connectivitycheck.gstatic.com | 30 | 34 | 10291 |  | Third Party |
| www.sony.net | 3 | 7 | 1589 |  | Vendor |
| bdcore-apr-lb.bda.ndmdhs.com | 1 | 1 | 277 |  | Vendor |
| cdn.meta.ndmdhs.com | 2 | 8 | 2051 |  | Vendor |
| sa.sde.sony.com | 1 | 1 | 232 |  | Vendor |
| log.core.cloud.vewd.com | 3 | 5 | 1134 |  | Third Party |
| flingo.tv | 0 | 1 | 226 |  | ACR |

Table 4.8: Sony TV – Domains while using applications in PD state

4.5.3 PA and PD domain relation

The Sony Smart TV communicates with PII related vendor domains in both privacy states, as seen in Table 4.9.

bdcore-apr-lb.bda.ndmdhs.com
reg.biv.sony.tv
ssm3.internet.sony.tv
sa.sde.sony.com
log.core.cloud.vewd.com

Table 4.9: Sony Smart TV PII related domains seen in both PA and PD states

Table 4.10 shows domains that only appeared in PA states. The only domain that is PII related and seen in PD state is the flingo.tv ACR domain. This indicates that declining the privacy policy will result in two vendor domains that will not occur as seen in Table 4.10, but ACR domain flingo.tv seems to ignore the declined privacy policy.

service.biv.sony.tv
update.biv.sony.tv

Table 4.10: Sony Smart TV PII related domains only seen in PA state for both modes

There is also a need to look into how the TV operates while turned off. The recorded traffic for the Sony TV in the turned-off state showed that the TV still sends HTTP packets to connectivitycheck.gstatic.com with the same user–agent data seen above. Another domain that was contacted is play.googleapis.com, using TLS. Both of these domains were contacted immediately after the power on/off button was pressed; after a short time the TV seemed to be completely turned off and did not have any network activity.
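The counting scheme of section 4.4 (f1, f2, bytes) and the PA/PD comparison of section 4.5.3 can be reproduced from a per-packet field export of each capture. The following is an added example, not code from the thesis: the export format, the sample rows and the function names are assumptions, and bytes are taken as the frame length of the packets that carry an HTTP Host header or a TLS SNI.

```python
"""Added example: per-domain f1 / f2 / bytes and the PA vs PD comparison."""
import csv
import io
from collections import defaultdict

# Assumed export format (not stated in the thesis), one packet per row:
#   tshark -r state.pcap -T fields -E separator=, -e frame.len \
#     -e dns.flags.response -e dns.qry.name -e http.host \
#     -e tls.handshake.extensions_server_name
FIELDS = ["frame_len", "dns_response", "dns_name", "http_host", "tls_sni"]
QUERY_FLAGS = {"0", "False"}  # tshark prints either form depending on version

# Constructed sample captures; packet sizes and counts are illustrative only.
PA_CAPTURE = """\
74,0,connectivitycheck.gstatic.com,,
90,1,connectivitycheck.gstatic.com,,
371,,,connectivitycheck.gstatic.com,
371,,,connectivitycheck.gstatic.com,
80,0,service.biv.sony.tv,,
571,,,,service.biv.sony.tv
85,0,bdcore-apr-lb.bda.ndmdhs.com,,
277,,,,bdcore-apr-lb.bda.ndmdhs.com
78,0,customerevents.netflix.com,,
"""
PD_CAPTURE = """\
74,0,connectivitycheck.gstatic.com,,
371,,,connectivitycheck.gstatic.com,
85,0,BDCORE-APR-LB.bda.ndmdhs.com.,,
277,,,,bdcore-apr-lb.bda.ndmdhs.com
226,,,,flingo.tv
"""


def _norm(name):
    """Lower-case a host name and drop a trailing root dot."""
    return (name or "").strip().lower().rstrip(".")


def domain_stats(export_text):
    """Return {domain: {"f1", "f2", "bytes"}} for one capture export."""
    stats = defaultdict(lambda: {"f1": 0, "f2": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(export_text), fieldnames=FIELDS):
        dns_name = _norm(row["dns_name"])
        # An HTTP Host header may carry a port; the SNI never does.
        host = _norm((row["http_host"] or "").partition(":")[0]) or _norm(row["tls_sni"])
        if dns_name:
            # f1 counts lookups only: responses repeat the query name and
            # would double the count. DNS packet sizes are ignored.
            if row["dns_response"] in QUERY_FLAGS:
                stats[dns_name]["f1"] += 1
        elif host:
            # f2 counts HTTP hostnames and TLS SNIs together; bytes are
            # summed over exactly these packets (assumption, see lead-in).
            stats[host]["f2"] += 1
            stats[host]["bytes"] += int(row["frame_len"])
    return dict(stats)


def pa_pd_relation(pa_stats, pd_stats, pii_domains):
    """Split the analyst's PII related domains by the states they occur in.

    A domain counts as occurring even if only a DNS lookup was seen.
    """
    pa = set(pa_stats) & set(pii_domains)
    pd = set(pd_stats) & set(pii_domains)
    return {
        "both": sorted(pa & pd),
        "pa_only": sorted(pa - pd),
        "pd_only": sorted(pd - pa),
    }


if __name__ == "__main__":
    # Manual PII classification is an input here, as it is in the thesis.
    pii = {"service.biv.sony.tv", "bdcore-apr-lb.bda.ndmdhs.com", "flingo.tv"}
    pa, pd = domain_stats(PA_CAPTURE), domain_stats(PD_CAPTURE)
    for label, stats in (("PA", pa), ("PD", pd)):
        print(f"{label}: domain, f1, f2, bytes")
        for domain, s in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
            print(f"  {domain}, {s['f1']}, {s['f2']}, {s['bytes']}")
    print(pa_pd_relation(pa, pd, pii))
```

A domain reached without a preceding lookup in the capture (f1 = 0, f2 = 1) and a domain that is only looked up (f2 = 0, 0 bytes) both remain visible in the result, which matches how such rows appear in the tables of this chapter.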

4.6 Samsung Q60

4.6.1 Idle mode

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| .eu-west-1.aiv-delivery.net | 52 | 0 | 0 |  | Third Party |
| cdn.samsungcloudsolution.com | 6 | 3 | 574 |  | Vendor |
| tvx.adgrx.com | 6 | 3 | 846 |  | ATS |
| ichnaea.netflix.com | 3 | 0 | 0 |  | Third Party |
| lcprd1.samsungcloudsolution.net | 4 | 2 | 1142 |  | Vendor |
| osb.samsungqbe.com | 1 | 2 | 574 |  | Vendor |
| device-metrics-us-2.amazon.com | 4 | 0 | 0 |  | Third Party |

Table 4.11: Samsung A – Domains in idle mode PA state

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| cdn.samsungcloudsolution.com | 2 | 1 | 151 |  | Vendor |
| tvx.adgrx.com | 2 | 1 | 282 |  | ATS |
| osb-auth-eusvc.samsungqbe.com | 12 | 6 | 2418 |  | Vendor |
| osb.samsungqbe.com | 1 | 1 | 256 |  | Vendor |
| vdterms.samsungcloudsolution.com | 6 | 3 | 903 |  | Vendor |
| api.samsungcloud.com | 2 | 1 | 394 |  | Vendor |
| ichnaea.netflix.com | 8 | 2 | 532 |  | Third Party |
| eu-auth2.samsungosp.com | 2 | 1 | 292 |  | Vendor |
| osbstg-apps.samsungqbe.com | 1 | 1 | 264 |  | Vendor |
| lcprd1.samsungcloudsolution.net | 2 | 0 | 0 |  | Vendor |

Table 4.12: Samsung A – Domains in idle mode PD state

The PII domains in idle mode PA state, Table 4.11, are the ATS tvx.adgrx.com domain, the vendor domain osb.samsungqbe.com and device-metrics-us-2.amazon.com. There are blog posts online [45] where users tried to block ads by blacklisting vendor domains, one of these domains is osb.samsungqbe.com. Since there have been reports about this domain processing ads [74], it will be marked as PII included further in this thesis.

The TV made a lot of DNS lookups for api.eu-west-1.aiv-delivery.net in idle mode PA state, this domain is a content delivery server owned by Amazon. In PD state idle mode however, this domain was not looked up by the TV. The only application that seemed to have a connection to Amazon is the Amazon Prime app which was launched without signing in with an account, this was done while testing the TV in application mode. However, it is interesting since in PA idle mode there are domains related to Amazon, api.eu-west-1.aiv-delivery.net and device-metrics-us-2.amazon.com. The api.eu-west-1.aiv-delivery.net domain is classified as "Video hosting" by VirusTotal but there seems to be no HTTP or TLS traffic to this host. There is no information about this domain that can be tied to PII usage, therefore it will be marked as a non–PII domain. The device-metrics-us-2.amazon.com domain is classified as web analytics by VirusTotal, which is why it will be marked as a PII related domain. This domain occurred only on the Samsung Smart TV Q60.

The domain cdn.samsungcloudsolution.com, as seen in the name itself, is a (cdn) which occurs in all modes regardless of policy states. The only interesting part of this domain is that it is not clear what kind of content is delivered by this domain. If blocking this domain results in fewer ads then it is natural to list it as a PII domain, but since this domain occurs in both policy states and there is no clear indication of PII usage, it will not be classified as a PII related domain.

Since the Netflix app was running in the background in the idle PD state, there are several Netflix content domains that were looked up and accessed. Only the ichnaea..com domain collects client information, as explained on a FireBounty site [26]. The FireBounty site [26] classifies several Netflix domains based on their usage. The ichnaea.netflix.com domain is a logging endpoint used to collect client information. Since this domain gets user login information, the domain will be included in the table and classified as a PII related domain.

The tvx.adgrx.com domain is directly related to advertisement and is the only ad–domain that is present in all policy states and modes for both Samsung TVs that were tested. The adgrx.com domain redirects to adgear.com, which is an ATS company owned by Samsung Electronics. Adgear also has its own privacy policy [1] where it is specified that PII is collected under Networking Advertising Initiative (NAI) rules.

The lcprd1.samsungcloudsolution.net domain occurs in both idle modes and policy states, this domain however is not seen while testing the applications for this TV. VirusTotal lists this domain as "Media sharing and Information Technology" while McAfee categorizes it as "Internet services". Since there are no indications of the exact purpose of this Samsung domain, it will not be marked as PII included. The vdterms.samsungcloudsolution.com domain, Table 4.12, is marked as PII, this domain only occurs in PD states for both Samsung TVs. Further explanation about vdterms.samsungcloudsolution.com is found in the next section with the Samsung Q65 TV.

4.6.2 Interacting with the TV

Samsung domains that have "auth" in the name can directly be related to authentication, these domains are eu-auth2.samsungosp.com and osb-auth-eusvc.samsungqbe.com. Both of these domains only occurred in the idle PD state. Since there must be some form of authentication which requires information from the TV and possibly from the consumer, these domains will be classified as PII related domains.

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| cdn.samsungcloudsolution.com | 14 | 7 | 1065 |  | Vendor |
| tvx.adgrx.com | 14 | 7 | 1982 |  | ATS |
| eu.api.amazonvideo.com | 4 | 0 | 0 |  | Third Party |
| device-metrics-us-2.amazon.com | 12 | 0 | 0 |  | Third Party |
| ichnaea.netflix.com | 13 | 6 | 1628 |  | Third Party |
| api.eu-west-1.aiv-delivery.net | 24 | 0 | 0 |  | Third Party |

Table 4.13: Samsung A – Domains while using applications in PA state

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| cdn.samsungcloudsolution.com | 18 | 9 | 1367 |  | Vendor |
| tvx.adgrx.com | 16 | 9 | 2538 |  | ATS |
| api.eu-west-1.aiv-delivery.net | 8 | 5 | 1433 |  | Third Party |
| events.samsungads.com | 4 | 2 | 580 |  | Vendor |
| ichnaea.netflix.com | 6 | 7 | 1974 |  | Third Party |
| osb.samsungqbe.com | 2 | 1 | 287 |  | Vendor |

Table 4.14: Samsung A – Domains while using applications in PD state

While using the applications in different policy states, Tables 4.13 and 4.14 show that only the events.samsungads.com and osb.samsungqbe.com domains occur in PD state. The data transmitted to osb.samsungqbe.com seems to be the same length for each packet: in the PA idle state (Table 4.11) f2 amounts to 574 bytes in two TLS packets, indicating that the length of one packet is 287 bytes, as seen in Table 4.14. An interesting vendor domain related to advertisement that occurs in PD state is the events.samsungads.com domain in Table 4.14. Figure 4.3 shows the message returned when doing an HTTP GET request on the events.samsungads.com domain.

Figure 4.3: HTTP response from events.samsungads.com

4.6.3 PA and PD domain relation

Table 4.15 shows two domains that appear regardless of policy states and usage modes. For this Samsung Smart TV only one domain appeared in PA state and was not seen in PD states: device-metrics-us-2.amazon.com, which is qualified as a PII related domain as seen in the analysis section.

tvx.adgrx.com
osb.samsungqbe.com

Table 4.15: Samsung Smart TV Q60 PII related domains occur in both PA and PD states

events.samsungads.com
eu-auth2.samsungosp.com
vdterms.samsungcloudsolution.com

Table 4.16: Vendor PII related domains only seen in PD state

Table 4.16 shows PII related vendor domains that only occurred in PD states. Declining the privacy policy for this TV will therefore result in the device-metrics-us-2.amazon.com domain not appearing, regardless of usage mode. Furthermore, the TV under a declined policy does communicate with PII related domains as seen in previous sections and in Table 4.16.

4.7 Samsung Q65

4.7.1 Idle mode

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| ichnaea.netflix.com | 8 | 1 | 282 |  | Third Party |
| cdn.samsungcloudsolution.com | 8 | 4 | 604 |  | Vendor |
| tvx.adgrx.com | 8 | 4 | 2284 |  | ATS |
| api-global.netflix.com | 7 | 1 | 285 |  | Third Party |
| osb.samsungqbe.com | 7 | 4 | 2005 |  | Vendor |
| cdn-0.nflximg.com | 2 | 0 | 0 |  | Third Party |
| fc.samsungcloud.tv | 4 | 2 | 1142 |  | Vendor |
| customerevents.netflix.com | 2 | 0 | 0 |  | Third Party |
| lcprd1.samsungcloudsolution.net | 2 | 1 | 571 |  | Vendor |

Table 4.17: Samsung B – Domains in idle mode PA state

The Samsung Q65 also runs Tizen OS, as does the previous Samsung Smart TV Q60, but there are some differences regarding the menu layout and pre–installed apps. Applications in Tizen OS can run in the background, which is why there are third–party application domains seen in both idle modes, Table 4.17 and 4.18. The tvx.adgrx.com domain still occurs in all states, from this TV it is clear that the tvx.adgrx.com domain will be contacted more when the TV has applications running in the background. These applications are Netflix and Youtube. The cdn-0.nflximg.com domain is classified as video hosting for Netflix and entertainment service. One interesting Netflix domain is customerevents.netflix.com: according to the FireBounty site [26], this domain together with nmtracking.netflix.com and presentationtracking.netflix.com are all aliases of beacon.netflix.com. The customerevents.netflix.com domain appears only in DNS lookups and no actual traffic is seen, VirusTotal classifies it as "Video hosting" and there is no PII relation found. The fc.samsungcloud.tv domain only appears for this Samsung TV in PA idle state. Accessing fc.samsungcloud.tv through a web browser results in an error message "message":"Missing Authentication Token". Since this domain only appears in PA state, the domain must operate with PII.

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| d1oxlq5h9kq8q5.cloudfront.net | 56 | 28 | 5416 |  | Third Party |
| osb-apps.samsungqbe.com | 20 | 12 | 6852 |  | Vendor |
| osb-auth-eusvc.samsungqbe.com | 16 | 12 | 4568 |  | Vendor |
| tvx.adgrx.com | 16 | 12 | 4568 |  | ATS |
| cdn.samsungcloudsolution.com | 12 | 6 | 906 |  | Vendor |
| osb.samsungqbe.com | 11 | 8 | 4257 |  | Vendor |
| uimetadata.samsungiotcloud.com | 8 | 6 | 2284 |  | Vendor |
| config.samsungads.com | 8 | 4 | 2284 |  | Vendor |
| vdterms.samsungcloudsolution.com | 6 | 3 | 1713 |  | Vendor |
| api.samsungcloud.com | 7 | 2 | 1713 |  | Vendor |
| customerevents.netflix.com | 3 | 0 | 0 |  | Third Party |
| www.msn.com | 1 | 0 | 0 |  | Third Party |
| lcprd1.samsungcloudsolution.net | 2 | 1 | 571 |  | Vendor |
| www.yahoo.com | 1 | 0 | 0 |  | Third Party |
| samsungtifa.com | 1 | 0 | 0 |  | Vendor |
| www.amazon.com | 1 | 0 | 0 |  | Third Party |
| www.imdb.com | 1 | 0 | 0 |  | Third Party |
| www.facebook.com | 1 | 0 | 0 |  | Third Party |
| invitation.samsungiotcloud.com | 2 | 1 | 571 |  | Vendor |
| noticecdn.samsungcloudsolution.com | 2 | 1 | 571 |  | Vendor |
| acr0.samsungcloudsolution.com | 2 | 1 | 571 |  | ACR |
| notice.samsungcloudsolution.com | 0 | 1 | 571 |  | Vendor |
| eu-auth2.samsungosp.com | 2 | 1 | 571 |  | Vendor |
| gld.push.samsungosp.com | 2 | 2 | 1166 |  | Vendor |
| config.sbixby.com | 2 | 1 | 571 |  | Vendor |
| oempprd.samsungcloudsolution.com | 2 | 1 | 571 |  | Vendor |

Table 4.18: Samsung B – idle domains in PD state

In the idle mode PD state, this TV contacts many different vendor domains as well as third parties. The TV does DNS lookups for Facebook, IMDB, Amazon, Yahoo and MSN services. The uimetadata.samsungiotcloud.com domain is classified as content server by McAfee, and the domain only occurs in PD idle state. The domain will be marked as non–PII since there is not enough evidence about this domain to classify it otherwise. Table 4.18 shows the domains that appeared in idle PD state.

The config.samsungads.com domain is an ad–domain from Samsung, this domain is only seen on this TV. Samsungads.com is a marketing page for Samsung Ads, stating that they have the industry’s largest ACR data set and nearly 60% of the U.S. ACR footprint. The config.samsungads.com domain was not seen on the previous Samsung TV. This Samsung TV showed that Samsung has its own ACR system. The domain acr0.samsungcloudsolution.com is an ACR domain, as seen in the name. The Samsung ACR domain acr0.samsungcloudsolution.com however is not seen while using applications on the TV. This means that the viewing content is only sent in some periods of time. The domain name in itself also indicates that there are multiple ACR servers from Samsung. Table 4.18, containing idle domains in PD state, alarmingly shows Samsung domains that operate with ACR, vendor advertisement and user PII.

Even though all of the policies were declined, including the voice recognition policy, there is still a domain related to voice recognition, the config.sbixby.com domain. All of Samsung’s high–end smart phones and some smart TVs come with the Bixby function. The term config in the domain name indicates that this domain processes some voice related configuration data. Another domain related to voice and speech recognition is the svoice-vd-op.samsung-svoice.com domain, with only one DNS lookup in PA state seen in Table 4.19.

There is also a DNS lookup for the samsungtifa.com domain in idle PD state, seen in Table 4.18. Looking further into the samsungtifa.com domain shows that the domain is used for advertisement purposes. Samsung sets an ID for each TV and uses this as an ad–id, it is also noted that the website is intended for consumers with 2016–2019 Samsung Smart TVs. TIFA (Tizen Identifier for Advertising), which was also mentioned in the privacy choices app, is a unique, randomized, and user-resettable identifier generated by Samsung to increase user’s privacy as a Smart TV user. On the samsungtifa.com website it is specified that TIFA identifies the user’s Smart TV and is not connected to any PII. However, this domain only occurs in PD states and it is clear that there is no traffic but only DNS lookups. Even though it is said that Samsungtifa does not collect PII, it is not exactly mentioned what information they define as PII. Therefore, since this domain operates with advertisement by collecting user log data combined with an IP-address, it will be marked as PII included. The TV also by default will look up the samsungtifa.com domain if the TV model is from year 2016 to 2019.

Other vendor domains that only appeared in idle PD state are the following: gld.push.samsungosp.com, notice.samsungcloudsolution.com, oempprd.samsungcloudsolution.com, invitation.samsungiotcloud.com and vdterms.samsungcloudsolution.com. Further research into these domains shows a Samsung blog [72] where users had issues with the setup and registration; to solve this problem, users have to whitelist the vdterms.samsungcloudsolution.com and gld.push.samsungosp.com domains. This means that these two domains have to operate with user registration data, therefore these domains will be marked as PII. For the rest of the vendor domains in idle PD state, there is not enough evidence to point towards PII usage.

4.7.2 Interacting with the TV

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| cdn.samsungcloudsolution.com | 34 | 26 | 2424 |  | Vendor |
| tvx.adgrx.com | 28 | 14 | 7994 |  | ATS |
| api.samsungcloud.com | 18 | 10 | 5139 |  | Vendor |
| svpvodps-vh.akamaized.net | 12 | 6 | 3486 |  | Third Party |
| ichnaea.netflix.com | 10 | 6 | 1692 |  | Third Party |
| osb-apps.samsungqbe.com | 2 | 1 | 571 |  | Vendor |
| lcprd1.samsungcloudsolution.net | 2 | 1 | 571 |  | Vendor |
| api.raygun.io | 1 | 2 | 526 |  | Third Party |
| osb-eusvc.samsungqbe.com | 2 | 1 | 571 |  | Vendor |
| svoice-vd-op.samsung-svoice.com | 1 | 0 | 0 |  | Vendor |
| osb.samsungqbe.com | 1 | 1 | 292 |  | Vendor |

Table 4.19: Samsung B – Domains while using applications in PA state

The api.raygun.io domain is accessed only in PA state, showing that an API from raygun.io is used; VirusTotal classifies the domain as "Media sharing". Raygun.io redirects to raygun.com [67], which is a platform that delivers application monitoring and user tracking. Similar to an ACR system where video and audio is collected, Raygun shows vendors how consumers use software applications. Raygun offers these services to known companies such as Samsung and Microsoft. The api.raygun.io domain appeared when opening the HBO application, but will be included in the table since it is not clear whether the TV or the HBO application made the initial request. Since there is tracking of user behaviour linked to a specific application for each device ID, api.raygun.io is classified as a PII related domain.

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| d1oxlq5h9kq8q5.cloudfront.net | 72 | 72 | 13920 |  | Third Party |
| tvx.adgrx.com | 38 | 20 | 10849 |  | ATS |
| cdn.samsungcloudsolution.com | 32 | 12 | 2424 |  | Vendor |
| apps-pub.samsungcloudcdn.com | 24 | 24 | 4328 |  | Vendor |
| samsungtifa.com | 1 | 0 | 0 |  | Vendor |
| ichnaea.netflix.com | 13 | 6 | 1692 |  | Third Party |
| osbstg-apps.samsungqbe.com | 2 | 2 | 2236 |  | Vendor |
| osb.samsungqbe.com | 2 | 2 | 520 |  | Vendor |

Table 4.20: Samsung B – Domains while using applications in PD state

By looking further into the pcap files, it is clear that the tvx.adgrx.com domain appears regardless of the policy state. In idle PD state (Table 4.18) for both Samsung TVs, the tvx.adgrx.com domain was contacted fewer times than in idle PA state. However, using the applications and interacting with the TV will result in more DNS lookups and TLS communication with the tvx.adgrx.com domain. This means the communication with this domain increases while the user is interacting with the TV; in the previous section, traffic to tvx.adgrx.com in idle state is seen fewer times than while using the applications. Cookiepedia found 31 cookies set by the adgrx.com domain, these cookies have been found on 1566 different websites. The osbstg-apps.samsungqbe.com domain only appears in PD states for both TVs, VirusTotal shows Google results such as forum and Github pages blacklisting this domain. McAfee classifies this domain as content server, therefore this domain alongside cdn.samsungcloudsolution.com and apps-pub.samsungcloudcdn.com will be viewed as content delivery servers.

4.7.3 PA and PD domain relation

The summarized Table 4.21 contains PII related domains in both policy states.

tvx.adgrx.com
osb.samsungqbe.com

Table 4.21: Samsung Smart TV B PII related domains occur in both PA and PD states

There is only one PII related domain that appears in PA state and is not seen in PD states: the fc.samsungcloud.tv domain, as seen in the idle mode section in Table 4.17.

samsungtifa.com
vdterms.samsungcloudsolution.com
acr0.samsungcloudsolution.com
eu-auth2.samsungosp.com
gld.push.samsungosp.com
config.sbixby.com
config.samsungads.com
osb-auth-eusvc.samsungqbe.com

Table 4.22: Vendor PII related domains only seen in PD state

Declining the privacy policy for this TV shows new domains that appear only in PD states, as seen in Table 4.22. The TV under a declined policy will not contact the fc.samsungcloud.tv domain, but it looks like new PII related domains will occur along with the ACR acr0.samsungcloudsolution.com domain. The domains related to voice recognition seem to be contacted in PD states, therefore a declined policy does not affect Bixby domains.

4.8 LG webOS TV SK7900PLA

The LG TV did not allow applications to be used if the privacy policies were declined, therefore there are only three pcap files for this TV, where the file for using applications in PD state is not included.

4.8.1 Idle mode

In idle mode PA state, Table 4.23, four of the domains can directly be identified as vendor domains. Two of these domains seem to operate and deliver advertisements, these are the domains where the top level is lgsmartad.com; from the names of these domains it is clear that LG has location specific servers. A Kaspersky blogpost [36] lists the domains from LG that track the consumer and deliver advertisements, one of these domains has lgtvsdp.com as top level domain. This domain will therefore be marked as PII included.

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| no.lgtvsdp.com | 4 | 2 | 1142 |  | Vendor |
| no.ad.lgsmartad.com | 2 | 1 | 571 |  | Vendor |
| no.info.lgsmartad.com | 2 | 1 | 571 |  | Vendor |
| ngfts.lge.com | 0 | 30 | 10430 |  | Vendor |
| www.google-analytics.com | 1 | 1 | 291 |  | Third Party |
| www.googletagmanager.com | 1 | 1 | 291 |  | Third Party |
| customerevents.netflix.com | 1 | 0 | 0 |  | Third Party |
| www.google.com | 1 | 0 | 0 |  | Third Party |

Table 4.23: LG TV - Domains in idle mode PA state

The main menu of the LG TV has an ad on the side of the screen as seen in Figure 4.4, showing relevant advertisement for a specific time period. These advertisements are coming from the ngfts.lge.com domain, the TV contacts this domain with an HTTP request almost every second. While using the TV, the number of HTTP packets to this domain increases, as seen in Table 4.25. In the PD idle state, the TV still communicates with ngfts.lge.com, but the domain is contacted less than in PA state. Since this domain operates with advertisements, it will be marked as a PII included domain.

Figure 4.4: Advertisement on the main menu

The LG TV is the only TV tested in this thesis where Google domains are looked up and accessed in idle mode. From these Google domains, it is clear that the www.google-analytics.com domain operates with consumer data to deliver analysed user data to vendors. This domain along with www.googletagmanager.com is seen on several TVs while using the TV’s applications. The www.googletagmanager.com domain is used by many vendors to manage and deploy marketing tags on websites or apps. Tags are defined as snippets of code or tracking pixels from third–party tools, these tags are fed into Google Tag Manager (GTM). Google Tag Manager is a completely different tool used only for storing and managing third–party code. There are no reports of data analysis in GTM [90]. Since the LG TV OS is a web based OS, there are two safebrowsing.google.com domains which only occur on this TV. The safebrowsing.google.com service delivers notifications to website owners if the security of their website has been compromised by malicious actors. In this context, this domain is used to look up whether a domain that a user visits is malicious or not according to Google. There are no indications of PII usage found for the safebrowsing.google.com domain.

| Domain name | f1 | f2 | Bytes | PII | Type |
|---|---|---|---|---|---|
| no.lgtvsdp.com | 6 | 2 | 1142 |  | Vendor |
| alt2-safebrowsing.google.com | 3 | 2 | 862 |  | Third Party |
| no.info.lgsmartad.com | 2 | 1 | 571 |  | Vendor |
| safebrowsing.google.com | 1 | 2 | 857 |  | Third Party |
| ssl.gstatic.com | 1 | 1 | 278 |  | Third Party |
| www.googletagmanager.com | 1 | 1 | 291 |  | Third Party |
| www.google-analytics.com | 1 | 1 | 291 |  | Third Party |
| www.google.com | 1 | 0 | 0 |  | Third Party |
| ngfts.lge.com | 0 | 10 | 3480 |  | Vendor |

Table 4.24: LG TV – Domains in idle mode PD state

From Table 4.24 it is clear that the no.lgtvsdp.com and no.info.lgsmartad.com domains occur regardless of the policy state. The no.ad.lgsmartad.com sub–domain of lgsmartad.com appeared only in the PA state, which indicates that the domain must operate with PII.

4.8.2 Interacting with the TV

Domain name                                        f1   f2   Bytes  PII  Type
ngfts.lge.com                                       4   66   27840       Vendor
occ-0-2706-2705.1.nflxso.net                       40    8    2328       Third Party
ichnaea.netflix.com                                28    7    1692       Third Party
no.ad.lgsmartad.com                                 8    4    2284       Vendor
no.info.lgsmartad.com                               4    2    1142       Vendor
no.rdx2.lgtvsdp.com                                 2    1     571       Vendor
no.lgtvsdp.com                                      2    1     571       Vendor
customerevents.netflix.com                          1    0       0       Third Party
no.lgrecommends.lgappstv.com                        1    6    3150       Vendor
no.tvsdp.lgeapi.com                                 1    3     910       Vendor
api.one.accedo.tv                                   1    2     851       Third Party

Table 4.25: LG TV – Domains while using applications in PA state

The api.one.accedo.tv domain in Table 4.25 is a content server; Accedo manages and provides a SaaS platform for building and growing video services. The common domains for all TVs will be presented later in this chapter, including Google ad–domains and other third–party domains.

4.8.3 PA and PD domain relation

This TV only has one mode with a PD state, namely idle mode. The summarized Table 4.26 contains PII related domains in both policy states.

no.lgtvsdp.com
no.info.lgsmartad.com
ngfts.lge.com
no.rdx2.lgtvsdp.com
no.lgrecommends.lgappstv.com
no.tvsdp.lgeapi.com

Table 4.26: LG Smart TV PII related domains occur in both PA and PD states

Only the no.ad.lgsmartad.com domain occurs solely in PA states. Another difference is the reduced traffic to the ngfts.lge.com domain in the PD state. This means that the TV under a declined privacy policy state will contact the advertisement content server fewer times than in the PA state, and the no.ad.lgsmartad.com domain will not be contacted at all.

4.9 Philips 55PUT6101/12

4.9.1 Idle mode

In idle mode for both policy states, Netflix domains are present. Most of the Netflix domains in idle mode are content delivery networks, as classified by VirusTotal. These are the following domains: occ-0-2706-2705.1.nflxso.net, codex.nflxext.com and uiboot.netflix.com, seen in Tables 4.27 and 4.28. There is also a sdklog.tvstore.opera.com domain, which seems to have the same function as log.core.cloud.vewd.com. Since Opera TV is now called Vewd, sdklog.tvstore.opera.com is the older version of Vewd Core and will be classified the same way as the log.core.cloud.vewd.com domain previously seen in the Sony TV.

Domain name                                        f1   f2   Bytes  PII  Type
customerevents.netflix.com                          2    0       0       Third Party
occ-0-2706-2705.1.nflxso.net                       38   20   21903       Third Party
uiboot.netflix.com                                 16    1     571       Third Party
codex.nflxext.com                                  12    1     571       Third Party
sdklog.tvstore.opera.com                            5    8    2190       Third Party
deviceportal.nettvservices.com                      3    3    1343       Third Party
authorize.nettvservices.com                         2    2     766       Third Party
meteo.dotscreen.com                                 2    2    1052       Third Party
epg.corio.com                                       2    2     797       Third Party
smarttv.zeasn.tv                                    2    4    1942       Third Party
ad.sxp.smartclip.net                                2    3    2241       ATS
des.smartclip.net                                   2    3    1644       ATS
wuakimarketing.s3-eu-west-1.amazonaws.com           2    2     508       Third Party
optimized-by.rubiconproject.com                     2    2     488       Third Party
ssp.zeasn.tv                                        2    4    1592       Third Party
www.google.com                                      1    0       0       Third Party
pubads.g.doubleclick.net                            1    1     237       Third Party
ping.zeasn.tv                                       1    1     226       Third Party
cache.zeasn.tv                                      1   96   94266       Third Party
imasdk.googleapis.com                               1    1     234       Third Party
deviceportal.zeasn.tv                               1    1     571       Third Party

Table 4.27: Philips A – idle domains in PA state

The Google ad-domain pubads.g.doubleclick.net appears in idle PA state with one DNS request and a TLS packet.

Domain name                                        f1   f2   Bytes  PII  Type
appboot.netflix.com                                 1    0       0       Third Party
occ-0-2706-2705.1.nflxso.net                       37   23   25792       Third Party
ichnaea-nrdp-future-dradis.prod.ftl.netflix.com    30    4    2284       Third Party
sdklog.tvstore.opera.com                            4    9    2357       Third Party
deviceportal.nettvservices.com                      3    3    1015       Third Party
authorize.nettvservices.com                         2    2     766       Third Party
epg.corio.com                                       2    2     797       Third Party
smarttv.zeasn.tv                                    2    2     800       Third Party
wuakimarketing.s3-eu-west-1.amazonaws.com           1    1     254       Third Party
ssp.zeasn.tv                                        2    4    1592       Third Party
ping.zeasn.tv                                       2    2     797       Third Party
cache.zeasn.tv                                      2  102   95756       Third Party
imasdk.googleapis.com                               1    1     234       Third Party
deviceportal.zeasn.tv                               1    1     571       Third Party
media.sfanytime.com                                 1    1     232       Third Party
img.l.zeasn.tv                                      1    2    1943       Third Party
tou.zeasn.tv                                        1    1     225       Third Party

Table 4.28: Philips A – idle domains in PD state

The Smart TV services on the Philips TVs use the zeasn.tv and nettvservices.com domains, which is why these domains are present in both modes regardless of the policy state (Tables 4.27 and 4.28). A Google search result shows a Github page [57] informing that if deviceportal.nettvservices.com and epg.corio.com are blacklisted, the application will not work. These domains appear in all tested modes except while testing apps in the PD (Policy Declined) state, indicating that one or both of these domains might be a content delivery server. The top level domain corio.com redirects to www.ibm.com/services and VirusTotal shows that the last DNS record the sub–domain epg.corio.com and epg.nettvservices.com. The term “epg” might stand for “Electronic Program Guide”, which means that epg domains deliver TV program guides; therefore epg domains will be seen as content delivery domains.

Looking further into the zeasn.tv domain shows that it belongs to a Chinese company delivering OTT and Smart TV solutions. Zeasn has its own privacy policy, which was not mentioned in the privacy policy of Philips. The privacy policy of Zeasn [97] is where they specify that personal information is collected:

“... We collect your Personal Information for the primary purpose of providing our services to you, providing information to our clients, and marketing. We may also use your Personal Information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure...”

There are several Zeasn sub–domains where each seems to have its own purpose. These are the following domains: ssp.zeasn.tv, cache.zeasn.tv, ping.zeasn.tv, smarttv.zeasn.tv and deviceportal.zeasn.tv, which appear in the idle PA state. In the idle PD state, there are two more sub–domains which are classified as content servers by McAfee: the tou.zeasn.tv and img.l.zeasn.tv domains. Out of all Zeasn sub–domains, most traffic is seen for the cache.zeasn.tv domain, with around 100 HTTP packets. Alarmingly, the cache.zeasn.tv domain receives information about the TV, location, serial number and MAC–address, which are sent in the PD state. This information is sent as cookie content in the HTTP packets. Looking up the MAC–address 1C:5A:6B:BD:D9:A0 online shows the vendor Philips Electronics Nederland BV owning the MAC range 1C:5A:6B:00:00:00 – 1C:5A:6B:FF:FF:FF. Figure 4.5 shows some of the cookie contents of an HTTP packet for the cache.zeasn.tv domain. Additionally, there are four TLS packets related to the cache.zeasn.tv domain seen in the PD idle state.

Figure 4.5: Cookies sent to cache.zeasn.tv under PD idle state

The user-agent data that is sent to cache.zeasn.tv is the following:

• Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36, TV5596L/012.003.039.001 (Philips, 55PUT610112, wireless) CE-HTML/1.0 NETTV/4.5.0 SignOn/2.0 SmartTvA/4.0.0 en

It is clear that the cache.zeasn.tv domain has the most traffic; the TV uses HTTP to get CSS files, PNG images and JavaScript files from this domain. The PNG images are mostly background pictures, buttons and interface design for the main menu; for instance, the GET request for the search button is GET /webstatic/homepage_web/images/btn_search_icon_def.png. Looking further into each HTTP packet gives us the following JavaScript files:

• GET /webstatic/homepage_web/js/loadData.js

• GET /webstatic/homepage_web/js/index.js

• GET /webstatic/homepage_web/js/jquery-3.1.1.min.js

• GET /webstatic/homepage_web/ad/zeasn_ad_sdk.js

Some of the cookie data seen in Figure 4.5 is underlined to show that these are the crucial elements that break the privacy policy which was declined. Interestingly, there is a cookie called privaccepted which is set to equal true, indicating that the privacy policy is accepted.
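The check described above can be automated over captured plain-HTTP requests. The following Python code is an added example, not part of the thesis or of Zeasn's code: it parses a request head and flags cookies carrying a MAC address, the advertising-ID cookies named in Listing 4.2, and a privaccepted=true value sent while the policy was declined. The sample request, the cookie names mac, serialNumber, countryCode and uiTheme, and the name-fragment heuristic are constructed assumptions; only privaccepted, the ID cookie names, the host, the path and the OUI come from the text.

```python
"""Flag device identifiers in the Cookie header of a captured HTTP request."""
import re
from urllib.parse import unquote

# OUI prefix and owner as quoted in the thesis text for the tested TV.
KNOWN_OUIS = {"1C:5A:6B": "Philips Electronics Nederland BV"}

# Advertising-ID cookie names taken from Listing 4.2 of the thesis.
AD_ID_COOKIES = {"adsessionid", "addeviceid", "whaleadid"}

# Assumed name fragments for device/location cookies (hypothetical heuristic;
# the real cookie names in Figure 4.5 are not reproduced in the text).
NAME_HINTS = {
    "serial": "serial-number",
    "country": "location",
    "city": "location",
    "geo": "location",
}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample request; the MAC is a made-up address inside the OUI range.
SAMPLE_REQUEST = (
    "GET /webstatic/homepage_web/js/loadData.js HTTP/1.1\r\n"
    "Host: cache.zeasn.tv\r\n"
    "Cookie: privaccepted=true; mac=1C%3A5A%3A6B%3A00%3A00%3A01; "
    "serialNumber=EXAMPLE-SN-0001; countryCode=NO; "
    "AdDeviceID=00000000-example; uiTheme=dark\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (host, cookies) from a raw HTTP/1.x request head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    host, cookies = "", {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            for pair in value.split(";"):
                key, sep, val = pair.strip().partition("=")
                if sep:
                    # The SDK writes values with escape(); undo percent-encoding.
                    cookies[key] = unquote(val)
    return host, cookies


def scan_request(raw, policy_declined):
    """Return (host, findings); each finding is (kind, cookie, detail)."""
    host, cookies = parse_request(raw)
    findings = []
    for key, val in cookies.items():
        low = key.lower()
        if MAC_RE.match(val):
            oui = val.upper().replace("-", ":")[:8]
            findings.append(("mac-address", key, KNOWN_OUIS.get(oui, "unknown OUI")))
        elif low in AD_ID_COOKIES:
            findings.append(("advertising-id", key, val))
        elif low == "privaccepted":
            # A consent flag of "true" contradicts a declined policy state.
            if policy_declined and val.lower() == "true":
                findings.append(("consent-mismatch", key, "cookie says accepted"))
        else:
            for hint, kind in NAME_HINTS.items():
                if hint in low:
                    findings.append((kind, key, val))
                    break
    return host, findings


if __name__ == "__main__":
    host, findings = scan_request(SAMPLE_REQUEST, policy_declined=True)
    for kind, cookie, detail in findings:
        print(f"{host}: {kind} in cookie {cookie!r} ({detail})")
```

Because the requests to cache.zeasn.tv are plain HTTP, the same check works on any capture of that traffic without TLS interception.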

Since McAfee classified most of the Zeasn domains as content servers, for the cache.zeasn.tv domain, the TV does send GET requests as seen in Figure 4.6. The first GET request gets a JavaScript file from /webstatic/homepage_web/ad/zeasn_ad_sdk.js.

Figure 4.6: GET requests to cache.zeasn.tv under PD idle state

Looking further into the cache.zeasn.tv/webstatic/homepage_web/ad/zeasn_ad_sdk.js page, JavaScript code that uses the TV’s device information to display advertisements in different formats is downloaded. By analysing the JavaScript code, we get a better understanding of how ads are provided and in which format; further, we see how Zeasn generates different IDs for each user. The code snippet given below shows PII related variables such as AdDeviceId, AdSessionId and WhaleADID. In the code snippet, we also see the ping.zeasn.tv and ssp.zeasn.tv domains.

    ...
    var commonjsGlobal = "undefined" != typeof globalThis ? globalThis : "undefined" != typeof window ? window :
        "undefined" != typeof global ? global : "undefined" != typeof self ? self : {},
        _this = window,
        _ad$ad = {
            "ad": {
                "AndroidPermissionsAPI": "https://sas.nettvservices.com/api/permissions/",
                "ZeasnUrls": {
                    "ping": "https://ping.zeasn.tv/ping?t=nv",
                    "start": "https://ssp.zeasn.tv/djt"
                }
            }
        }.ad,
        ZeasnUrls = _ad$ad.ZeasnUrls,
        AndroidPermissionsAPI = _ad$ad.AndroidPermissionsAPI,
        UA = window.navigator.userAgent,
        AdSessionId = getAdDeviceSessionID(),
        AdDeviceId = getAdDeviceID(),
        WhaleADID = getWhaleADID(),
        ZeasnADVersion = "0.3.2.25",
    ...

Listing 4.1: JavaScript code snippet from Zeasn ad sdk file

A snippet from the JavaScript code zeasn_ad_sdk.js shows how Zeasn services set unique advertisement IDs for each device ID based on the cookies they receive from the TV, as seen in Figure 4.5. Here is how Zeasn creates session and device IDs, along with the use of cookies and the collection of location data:

    ...
    function getCookie(e) {
        var t, n = new RegExp("(^|)" + e + "=([^;]*)(;|$)");
        return (t = (document.cookie || window.localStorage && window.localStorage.cookie || "").match(n)) ? unescape(t[2]) : ""
    }
    function getLocationOrigin() {
        return location.origin || location.protocol + "//" + (location.host || location.hostname) + location.port
    }
    function getAdSessionID() {
        var e;
        return getCookie("AdSessionID") ? e = getCookie("AdSessionID") : setCookie("AdSessionID", e = createUniqueId()), e
    }
    function getAdDeviceID() {
        var e;
        return getCookie("AdDeviceID") ? e = getCookie("AdDeviceID") : setCookie("AdDeviceID", e = createUniqueId(), new Date((new Date).getTime() + 48384e5)), e
    }
    function setCookie(e, t, n, o, i, a) {
        var r = e + "=" + escape(t) + (n ? ";expires=" + n.toGMTString() : "") + (o ? ";path=" + o : "") + (i ? ";domain=" + i : "") + (a ? ";secure" : "");
        document.cookie = r
    }
    function getWhaleADID() {
        var e = getCookie("WhaleADID");
        return null != e && "" != e && e != undefined || setCookie("WhaleADID", e = createGuid()), e
    }
    function getAdDeviceSessionID() {
        var e = getAdSessionID();
        return getAdDeviceID() + "_" + e
    }
    ...

Listing 4.2: JavaScript code snippet from Zeasn ad sdk file

When a consumer declines the privacy policy, the Philips TV and Zeasn services seem to violate the consumer’s decision. The reason might either be a misconfiguration of Zeasn services or misinformation provided by Philips’ policies. Therefore, all of the Zeasn domains will be classified as PII related domains.

The wuakimarketing.s3-eu-west-1.amazonaws.com domain appears in both idle policy states. This domain will be marked as a PII related domain since the term marketing is used in the domain name, meaning that the wuakimarketing.s3-eu-west-1.amazonaws.com domain delivers some form of advertisement. In the idle PD state, there are HTTP packets to the img.l.zeasn.tv domain with cookie information similar to that seen in HTTP packets to the cache.zeasn.tv domain. The media.sfanytime.com domain serves media content from sfanytime.com, which is a streaming service. The ad.sxp.smartclip.net and des.smartclip.net domains occur only in PA states; smartclip.net is classified as advertisements by VirusTotal, and these will be marked as PII related domains. The meteo.dotscreen.com domain occurs only in PA states; this domain delivers weather information using the location data. Dotscreen is a company that creates and designs applications for any Internet-connected mass-market devices such as smartphones, smart TVs, OTT/hybrid boxes etc. The meteo.dotscreen.com domain gets location data and the IP-address, which combined are classified as PII.

4.9.2 Interacting with the TV

Domain name                                        f1   f2   Bytes  PII  Type
occ-0-2706-2705.1.nflxso.net                       26   95  111851       Third Party
nrdp-future-aws-dradis.prod.ftl.netflix.com        20    1     571       Third Party
ichnaea-nrdp-future-dradis.prod.ftl.netflix.com    18    2    1142       Third Party
uiboot.netflix.com                                  8    1     571       Third Party
assets.nflxext.com                                  6    2    1656       Third Party
smarttv.zeasn.tv                                    2    5    2855       Third Party
des.smartclip.net                                   2    2    1096       ATS
ping.zeasn.tv                                       2    2    1142       Third Party
ad.sxp.smartclip.net                                2    2    1502       ATS
deviceportal.zeasn.tv                               1    1     234       Third Party
optimized-by.rubiconproject.com                     0    2     488       Third Party
tou.zeasn.tv                                        1    1     225       Third Party
cache.zeasn.tv                                      1    6    1362       Third Party
epg.corio.com                                       1    1     571       Third Party
crossroads.geo.netflix.com                          6    0       0       Third Party
deviceportal.nettvservices.com                      1    3    1385       Third Party
ssp.zeasn.tv                                        1    2    1142       Third Party
media.sfanytime.com                                 1    1     232       Third Party
meteo.dotscreen.com                                 1    2    1114       Third Party
customerevents.netflix.com                         12    0       0       Third Party

Table 4.29: Philips A - Domains while using applications in PA state

The optimized-by.rubiconproject.com domain is classified as advertisements by VirusTotal, and the domain only appears in the PA state while using the TV. This domain does not seem to be triggered by opening applications; it is seen at the start and at the end of testing the TV. While using the TV and applications in the PD state (Table 4.30), only one domain from Zeasn is seen, which is the smarttv.zeasn.tv domain with one DNS lookup and a TLS packet. The customerevents.netflix.com domain is only looked up once in the PD state, while in the PA state there are 12 lookups. Another Netflix domain that seems to get the accessed location is the crossroads.geo.netflix.com domain.

Domain name                                        f1   f2   Bytes  PII  Type
occ-0-2706-2705.1.nflxso.net                       10  151  172176       Third Party
nrdp-future-aws-dradis.prod.ftl.netflix.com         8    3    1713       Third Party
ichnaea-nrdp-future-dradis.prod.ftl.netflix.com    10    2    1142       Third Party
cfptkzszlr5jwdu52l4fi-euw1.r.nflxso.net             8    2    1142       Third Party
assets.nflxext.com                                  4    1     905       Third Party
crossroads.eu-west-1.prodaa.netflix.com             2   42    1142       Third Party
aga.test.netflix.net                                2    2    1142       Third Party
customerevents.netflix.com                          1    0       0       Third Party
smarttv.zeasn.tv                                    1    1     571       Third Party
crossroads.geo.netflix.com                          2    2    1142       Third Party
sdklog.tvstore.opera.com                            1    1     571       Third Party

Table 4.30: Philips A - Domains while using applications in PD state

The difference between Table 4.29 and Table 4.30 shows us that Zeasn domains are decreased in the PD state while using the TV; for instance, the cache.zeasn.tv domain is not present. However, the cache.zeasn.tv domain still appears in PD state idle mode, as seen in Table 4.28. There was only one TLS packet to the smarttv.zeasn.tv domain and no HTTP packets to Zeasn are seen, Table 4.28. However, HTTP traffic to Zeasn domains appears in the idle PD state. Since these domains occurred in the idle PD state and not while using the applications in the PD state, it indicates that these domains are triggered when the user is on the main menu of the TV.

The ACR related domains are not directly seen or identified for the Philips TV. However, while testing the Philips TV, there was a SambaTV privacy policy the end–user could accept or decline. For this TV, PA states are where both the vendor and the SambaTV policies are accepted, while the PD state is where both the vendor and SambaTV policies are declined.

4.9.3 PA and PD domain relation

To summarize the domains that appear in both PA and PD states, Table 4.31 is given. The Philips Smart TV seems to minimize the advertisement domains while the TV is in the PD state. By declining the privacy policy, the PII related domains in Table 4.32 will not occur.

smarttv.zeasn.tv
ssp.zeasn.tv
ping.zeasn.tv
cache.zeasn.tv
deviceportal.zeasn.tv
img.l.zeasn.tv
tou.zeasn.tv

Table 4.31: Philips Smart TV PII related domains occur in both PA and PD states

des.smartclip.net
ad.sxp.smartclip.net

Table 4.32: Philips Smart TV PII related domains occur only in PA states

4.10 Vendor vs ATS traffic

This section presents the relation between vendor and ATS (Advertisement and Tracking Services) domains. The relation is based on the total amount of bytes transmitted to each domain.

Figure 4.7: Total relation of packet size between vendor and ATS domains

Note that third–party advertisement domains were not seen for the Sony Smart TV; therefore, only vendor domains with top level sony.net and sony.tv are included. For the Samsung Smart TVs, there are many vendor domains; since the osb.samsungqbe.com vendor domain appears regardless of policy states and usage modes, we chose to compare this domain with the ATS Adgear domains (tvx.adgrx.com). Total bytes transmitted to ATS domains are compared with total bytes transmitted to vendor domains, as seen in Figure 4.7, where the orange–coloured bar represents Advertisement and Tracking Services (ATS) and the blue bar is the main vendor domain for each TV.

The Samsung Smart TV Q65 has a lot more traffic to the ATS vendor Adgear (tvx.adgrx.com) than the Samsung Smart TV Q60. The main reason for this phenomenon is that the Samsung Smart TV Q65 had more applications which were accessed and interacted with. From the analysis it is clear that the Adgear domain is contacted much more while the user is interacting with the TV and its applications. LG’s Smart TV had no third–party applications related to advertisement and tracking services. For LG’s Smart TV, Figure 4.7 shows the relation between the advertisement domain lgsmartad.com and the lgtvsdp.com domains. The lgtvsdp.com domain appears regardless of the policy state and therefore the domain is assumed to be the “main” vendor endpoint for this TV. For the Philips Smart TV, Figure 4.7 shows the relation between the ATS related domain smartclip.net and the smarttv.zeasn.tv domains. Zeasn domains were considered as vendor domains in Figure 4.7 since there are no Philips endpoints that are seen.

4.11 Additional testing

To enable the microphone, only the policy regarding voice recognition was accepted while the other policies were declined. This test was only done on the Samsung TV Q65; holding the microphone button on the remote controller shows the domains in Table 4.33:

cdn.samsungcloudsolution.com
prd-euw1-user.aibixby.com
bixby-developer-assets.aibixby.com
device-metrics-us-2.amazon.com
tvx.adgrx.com

Table 4.33: Samsung Voice - domains

Only the cdn.samsungcloudsolution.com domain is the content delivery server from Samsung, which previously was defined as not PII related. Interestingly, there is also the device-metrics-us-2.amazon.com domain, which was also seen for the Samsung Smart TV Q60. The bixby-developer-assets.aibixby.com and prd-euw1-user.aibixby.com domains, which are related to Bixby and indicate the processing of voice data, were seen on both Samsung TVs.

When the Samsung TV is turned off, there are two domains that occur regardless of the policy states: tvx.adgrx.com and osb.samsungqbe.com, for both of the Samsung TVs. These domains occur instantly when the power button is pressed, and there is no traffic seen while the Samsung TVs are turned off. There is also no traffic for the LG and Philips TVs when these were turned off.

4.11.1 Third–party ad–domains

In this section, PII related third–party domains are presented for each TV. All of the TVs tested have the Youtube application, which, if opened, will contact Google ad–domains. The main Google ad–domains are seen in Table 4.34.

securepubads.g.doubleclick.net
static.doubleclick.net
tpc.googlesyndication.com
pagead2.googlesyndication.com
googleads.g.doubleclick.net
ade.googlesyndication.com
ad.doubleclick.net
www.google-analytics.com
adservice.google.no
www.googleadservices.com

Table 4.34: Google ad–domains

The Sony TV has a main menu where recommended videos are shown; these were tested in both policy states. It seems that advertisement related domains are contacted each time a video is played; these domains are pagead2.googlesyndication.com, tpc.googlesyndication.com and static.doubleclick.net. The Google ad–domains were seen when using the Youtube app; the content delivery servers are yt3.ggpht.com, s.ytimg.com, s.youtube.com and lh5.googleusercontent.com. The advertisement related domains are mostly from Google; the static.doubleclick.net and doubleclick.net domains redirect to the marketingplatform.google.com site. The ade.googlesyndication.com and googleads.g.doubleclick.net domains were only accessed in PD states for the Sony TV while using the applications.

Some of the TVs have the Rakuten app installed; testing this application shows the following advertisement and PII related domains for each TV:

a.zxcvads.com
a-fds.youborafds01.com
infinity-c8.youboranqs01.com
yb.rakuten.tv

Table 4.35: Rakuten ad–domains

The a.zxcvads.com domain is categorized as “Content delivery server” by both VirusTotal and McAfee. This domain seems to appear when Rakuten is launched or is running in the background. It also seems that the “zxcv” characters are typed in order on a keyboard layout, similarly to the “qwerty” pattern, which shows that the name does not hold any special meaning.

However, it is clear that the “ads” term comes after “zxcv”, which might indicate that the domain is related to advertisement. The fact that there is an “ads” term in the name, together with the classification of this domain as a content server, points towards a possible advertisement delivery server.

Chapter 5

Discussion

5.1 Analysis results

For the Sony TV, PII related domains occurred in the PD (Privacy Declined) state. For both policy states, there are consistent vendor domains from Sony and only one domain related to a third–party ACR vendor, SambaTV, with the domain flingo.tv. However, SambaTV was not mentioned in the privacy policy of Sony. There are no other third–party advertisement domains besides Google, which only appear when using Google applications such as Youtube and Google Music. While the TV is in the PD state, only the update.biv.sony.tv and service.biv.sony.tv domains were missing, which indicates that declining the policy for this TV does affect the privacy of the user by minimizing the contact to PII related domains. In this thesis, these domains were not seen in PD states regardless of usage modes.

Both Samsung Smart TVs showed that the advertisement related domain tvx.adgrx.com is contacted regardless of policy states and usage modes. However, while interacting with the Samsung TVs, there was an increase in traffic to tvx.adgrx.com. Another domain that also occurs regardless of policy states and usage modes is the vendor domain osb.samsungqbe.com, which was also classified as a PII related domain in the analysis chapter. These PII related domains increase privacy concerns for the user, since the tvx.adgrx.com domain operates with PII of the consumer to craft targeted advertisements, and the vendor domain osb.samsungqbe.com also seems to deliver advertisements while collecting device information along with consumer log data. The Samsung Smart TV Q65 had several applications running in the background, as seen in the idle mode with privacy policy declined in Table 4.18. Samsung’s Tizen OS allows applications to run in the background even while another application is currently used; this has been observed in the analysis chapter. Tizen OS seems to be the only system that enables an application to run in the background without giving the user the option to close the program/application.
This type of OS behaviour does increase the privacy concern for the user, since the applications that run in the background do send data about the user’s TV usage, whether these are third–party or Samsung’s native applications. Even when the Samsung Smart TV Q65 was turned off, there was traffic to the Samsung domain osb.samsungqbe.com and the Adgear domain tvx.adgrx.com. This shows how Tizen OS was designed to track the user’s interaction with the TV. Therefore, these two domains play a big role for the privacy of the user, since these domains ignored policy states for both Samsung Smart TVs, as seen in Table 4.21 and Table 4.15. As seen in the first part of the analysis chapter, Samsung’s privacy choices app had three main policies a consumer could read, deciding to accept or decline each policy type. When the examination of privacy policies was done on Samsung Smart TVs, it specified that ACR data is collected and the consumer had an option to “uncheck” this policy section, indicating that the ACR data will not be collected. However, there was an ACR related domain that occurred under a privacy declined state; the domain is acr0.samsungcloudsolution.com, as seen in the summary Table 4.22 and in Table 4.18. This indicates that the privacy policy regarding ACR data collection is not followed by the Samsung Smart TV Q65, which violates the consumer’s decision on the privacy policy.

LG’s privacy policy stated that the user is able to disable the gathering of viewing data in the settings where the privacy policies are located. However, disabling the privacy policy of the LG Smart TV instantly limits the usage of online applications and other basic functions. All LG Smart TVs use webOS; since webOS requires an online connection to deliver basic functionalities, the end–user is forced to accept the policies of LG Electronics. The webOS under the policy accepted state will provide targeted ads and collect PII metadata. This shows how LG treats the privacy of the consumer by eliminating the ability to use the TV in a privacy policy declined state. LG’s Smart TV showed constant vendor domains that appeared in the idle mode privacy declined state.
This shows that if a user declines the privacy policy, the TV will continuously send data to LG and get advertisements placed on the right corner of the main menu of webOS; this is seen in the analysis chapter in Figure 4.4, where the domain ngfts.lge.com is responsible for delivering ads. Even though the Smart features of LG’s Smart TV become useless if the privacy policies are declined, idle mode in the PD state shows domains that are associated with the vendor’s advertisement services, seen in Table 4.24. The LG Smart TV was in a PD state only for the idle mode, which showed two differences. In the idle mode section, where the tables are nearly identical with vendor related domains, the first difference is observed for the no.ad.lgsmartad.com domain, which is missing in the PD state. The second difference is the amount of advertisement traffic from the ngfts.lge.com domain, which is drastically decreased.

The Philips TV tested in this thesis operates in similar ways to LG’s webOS, as seen in the analysis chapter, where Philips’ WhaleOS uses a Web–application. Another similarity between the Philips Smart TV and older versions of LG’s Smart TVs [24] is that they send data to vendors using HTTP. Newer versions of LG’s Smart TVs use TLS 1.2 for the majority of the time, while plain HTTP is only used to get pictures relevant to advertisement for display on the main menu. As seen in the analysis chapter, Philips’ OS vendor Zeasn sets an advertisement–ID for each device–ID using cookie data, seen in Figure 4.6. The Samsung Smart TV Q65, with the samsungtifa.com domain, also seems to create an advertisement–ID for each user, as seen in the analysis chapter.

GDPR requires TV vendors to specify what data is collected, how it is used and whether the data is further sent to third parties. Based on the analysis results, the Philips Smart TV fails to inform the consumers about what Zeasn services are and what data is sent to this vendor. The Philips TV showed unusual behaviour in a PD state, which goes against the GDPR. The TV does not give any information in the privacy policy about the PII relevant cookie data sent to a Chinese vendor, Zeasn. There were no domains that could directly be associated with Philips. The TV operated mostly with Zeasn services, as seen in the tables presented in the analysis chapter, where the cache.zeasn.tv domain seems to have most of the Smart TV content, such as pictures for background, menu and search icons. The privacy issue for this TV lies mainly in how the TV sends PII cookies to Zeasn domains in PD states, especially to the cache.zeasn.tv domain; this is seen in the analysis chapter in Figure 4.5. The TV frequently does GET requests to cache.zeasn.tv including a lot of cookie information that is directly related to the device, location of the user, and user log information, as seen in Figure 4.5.

The recent study mentioned in the background chapter [85] showed that PII data was leaked to third parties and platform–specific vendors; the tested Smart TVs were Roku TV and Amazon Fire TV. The analysis results of this thesis showed similar findings, but for the Philips Smart TV, Samsung Smart TVs and LG’s Smart TV. Furthermore, we showed the exact PII related domains contacted by each TV under privacy policy declined and accepted states.

5.2 Limitations

The limitations of this thesis were mainly three factors. Firstly, the time period for data gathering for each TV was under an hour. Testing the TV for a much longer period might reveal additional endpoints related to PII. It might also reveal exact ACR domains, since this thesis, within a short period, was able to capture only Sony’s flingo.tv and Samsung’s acr0.samsungcloudsolution.com ACR related domains. The second limitation was that none of the TVs were tested after a fresh factory reset; all of the Smart TVs in this thesis were privately used. The third limitation was the inaccessible contents of TLS packets, since none of the TVs had the ability to install and accept third–party certificates, which is why we give PII assumptions for the domains based on the analysis results.

The limitations described do not change the answer to the proposed research questions for this study. Idle mode can be tested over a longer period, where the number of DNS lookups and the amount of HTTP and TLS traffic is naturally increased, but the contacted server name remains the same. A factory reset does not play a central role when looking into how users actually use the TV and how the privacy of the user is taken into consideration. The TVs tested in this thesis were not brand–new TVs and were used privately.

5.3 Countermeasure

The current method consumers use to block PII related domains is the DNS–based blocklist. As mentioned in the background chapter, different DNS–blocklists have been tested in the research paper [85]; this was done for Roku TV and Amazon Fire TV. The paper also addresses which of the DNS–based blocklist solutions block the relevant ads without breaking the Smart TV functionality. One of the most popular DNS–based blocklist solutions is Pi–hole. Pi–hole [81] is a Linux network–level advertisement and Internet tracker blocking application which acts as a DNS sinkhole, intended for use on a private network. A blocklist, also referred to as a blacklist, is a list of domains that will be blocked in the network. A DNS–blacklist for Smart TVs is available on a GitHub page [55], where some of the domains found in this thesis are also listed. It is essential not to break any functionality of the Smart TV while having a DNS–blocklist; therefore, Pi–hole lets the user easily move domains that break the TV’s functionality into a whitelist.

The findings of this thesis can be used in a DNS–based blocklist solution. All of the research on Smart TVs was conducted in Norway, meaning that there are domains that need to be properly edited before they are listed in a blacklist. For instance, for most of the Smart TVs from LG there is a “no” label at the start of the domain name (as in the no.lgtvsdp.com domain), indicating the country location of the user.
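The editing step described above can be automated. The following Python example is added here for illustration and is not code from the thesis or from Pi–hole: it turns captured server names into exact blocklist entries and into regular-expression rules that generalize a leading country label, while honouring a whitelist. The country-code subset, the whitelist entry and all function names are assumptions made for the example.

```python
import re

# Assumption: a small constructed subset of two-letter country codes; extend as needed.
COUNTRY_CODES = {"no", "se", "dk", "fi", "de", "gb", "us"}

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case a captured server name and drop a trailing root dot.

    Returns None when the string is not a plausible multi-label domain name.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return name


def to_rule(domain):
    """Map a normalized domain to ('regex', pattern) or ('exact', domain).

    A name whose first label is a known country code (and that has at least
    three labels) becomes a regex matching any two-letter first label, so a
    capture made in Norway also covers the same service in other countries.
    """
    labels = domain.split(".")
    if len(labels) >= 3 and labels[0] in COUNTRY_CODES:
        # Labels only contain [a-z0-9-], so escaping the dots is sufficient.
        rest = r"\.".join(labels[1:])
        return ("regex", r"^[a-z]{2}\." + rest + "$")
    return ("exact", domain)


def build_blocklist(observed, allowlist=()):
    """Return (exact_entries, regex_rules), sorted, deduplicated, whitelist removed."""
    allowed = {normalize(a) for a in allowlist}
    exact, regexes = set(), set()
    for raw in observed:
        domain = normalize(raw)
        if domain is None or domain in allowed:
            continue  # skip malformed capture lines and whitelisted domains
        kind, rule = to_rule(domain)
        (regexes if kind == "regex" else exact).add(rule)
    return sorted(exact), sorted(regexes)


def is_blocked(query, exact, regexes, allowlist=()):
    """Decide whether a DNS query name would be sinkholed by the generated rules."""
    name = normalize(query)
    if name is None or name in {normalize(a) for a in allowlist}:
        return False
    return name in exact or any(re.search(pattern, name) for pattern in regexes)


# Constructed input: PII related domains named in this thesis, plus noise that a
# real capture export may contain (case differences, trailing dot, junk line).
OBSERVED = [
    "no.lgtvsdp.com",
    "osb.samsungqbe.com",
    "tvx.adgrx.com",
    "TVX.adgrx.com",
    "cache.zeasn.tv.",
    "cdn.samsungcloudsolution.com",
    "not a domain",
]

# Hypothetical whitelist entry: which domains actually break the TV when blocked
# has to be established by testing each one.
ALLOWLIST = ["cdn.samsungcloudsolution.com"]

EXACT, REGEXES = build_blocklist(OBSERVED, ALLOWLIST)

if __name__ == "__main__":
    print("\n".join(EXACT))
    print("\n".join(REGEXES))
```

The exact entries can be used as a plain domain list, and the patterns as regex deny rules in a DNS sinkhole that supports them.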

Chapter 6

Conclusion

6.1 Summary

The purpose of this study was to gain an overall understanding of how Smart TVs operate while the privacy policy is accepted or declined. The current research, the vendors’ privacy policies and the analysis conducted on each Smart TV show that a user who declines the privacy policy and also has a DNS–based blocklist will suffer a loss of Smart TV functionality. Both factors affect how the Smart TV operates in the network. A Smart TV vendor who constantly monitors a consumer’s behaviour is able to collect a large quantity of metadata related to a specific person. As seen previously in the privacy section, metadata combined with an IP address reveals not only the location of the consumer but also interests and desires. Based on the analysed data for each Smart TV, many advertisement endpoints were seen, with indications that TVs exfiltrate PII to third parties and platform–specific parties, mostly for advertising and tracking purposes. A consumer who disagrees with a Smart TV’s privacy policies naturally assumes that no PII will be collected. However, not only will the consumer lose Smart functionality, but the PII metadata is still collected and sent to the vendors. This research shows how Smart TV manufacturers are not necessarily aligned with their own policies. This thesis started with the following research questions:

RQ 1: What threats to a user’s privacy do Smart TVs pose?

In order to answer the first research question, we have to look at the types of PII related metadata collected by vendors. By examining the communication in each policy state, in different usage modes, it is clear that Smart TVs do pose a threat to the privacy of the user. As we can see from the analysis chapter, most manufacturers send PII related metadata such as the location of the device, serial number, IP and MAC–addresses, user log information, ACR data and consumer IDs. These types of data can be used to track the user’s interests and have the implication of delivering targeted advertisements. Each Smart TV vendor collects a lot of information about the consumer; these types of personal metadata, collected over a long period of time, might reveal crucial PII data of the consumer. Some vendors do clarify how the data is used and when the data is deleted, but even if the data is deleted, there is a good chance that third parties still hold on to all of the consumer data. For instance, ACR vendors actively collect and make use of consumers’ viewing habits, which ultimately leads to gaining information about end–users’ interests and desires.

RQ 2: Does declining the privacy policy have any impact on the user’s privacy?

To answer this research question, we need to look at how the Smart TVs operate under a PD (Policy Declined) state and show what types of PII related metadata are sent to ATS (Advertisement and Tracking Services) or vendors. At the end of each TV’s section in the analysis chapter, we showed what it means for the user’s privacy when the TV is under a PD state where PII related domains occurred. From the relation between PA and PD states we could see two main differences. Firstly, there were domains that did not appear under the PD state. Secondly, there was decreased traffic to advertisement domains under PD states. This was seen in the Philips Smart TV and LG’s Smart TV. All of the tested Smart TVs showed PII related traffic to vendors, and some TVs also sent PII data to third–party advertisement services; this is seen with both Samsung TVs, where the osb.samsungqbe.com and tvx.adgrx.com domains consistently occur in PD states. In addition to these domains, the Samsung Smart TV Q65 contacted the ACR related domain under the PD state. This shows that Samsung TVs under a declined policy send PII related metadata to Samsung. There is also a big concern about the Philips Smart TV using the WhaleOS. The WhaleOS, under a declined policy, sends a lot of personal information to the Zeasn company, which, over time, leads to a PII data cluster related to each user. The Philips Smart TV, under a declined privacy policy, does not eliminate the user’s ability to opt out of personalized advertisements by resetting the advertising ID, since the ATS can simply link an old advertising ID to its new value by using the provided serial number. Policy makers and manufacturers need to respect the privacy of consumers in a much greater way and should recognize the importance of protecting metadata. The network analysis results showed PII related endpoints under policy declined states; this is seen in all of the TVs tested in this thesis.

6.2 Future work

The main analysis of this study was done purely on the network traffic of the TVs. It is known that if the privacy policy is declined, some of the smart features will be lost. This can be further tested by examining each domain using a DNS–based blocklist to see what functions are lost by blacklisting a specific domain. At the beginning of this thesis, ACR technology was introduced. After testing the TVs, only the Sony and Samsung TVs had domains which can directly be associated with ACR, while LG and Philips did not show such domains. However, based on the privacy policies, we know that Philips and Sony do use SambaTV ACR technology. The data gathering from the TVs in this thesis was done in a short period of time; therefore, further research might include a much longer data gathering period. This might reveal additional PII related domains and ACR domains. In the data gathering stage, we attempted to root the Sony TV running an Android TV OS. Further research might show how the TV can be rooted to gain system access; there is very little information on the web regarding a successful rooting attempt on an Android TV. This would give users the ability to have full system privileges on their Android TV.

Bibliography

[1] Adgear. Terms and Conditions. en-US. https://adgear.com/en/termsandconditions/.
[2] Iftikhar Alam, Shah Khusro and Muhammad Naeem. ‘A Review of Smart TV: Past, Present, and Future’. In: 2017 International Conference on Open Source Systems Technologies (ICOSST). Dec. 2017, pp. 35–41. DOI: 10.1109/ICOSST.2017.8279002.
[3] Android Debug Bridge (Adb). en. https://developer.android.com/studio/command-line/adb.
[4] Noah Apthorpe, Dillon Reisman and Nick Feamster. ‘A Smart Home Is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic’. In: arXiv:1705.06805 [cs] (May 2017). arXiv: 1705.06805 [cs].
[5] Art. 4 GDPR – Definitions. en-US. https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[6] Art. 9 GDPR – Processing of Special Categories of Personal Data. en-US. https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[7] Article 7 - Respect for Private and Family Life. en. https://fra.europa.eu/en/eu-charter/article/7-respect-private-and-family-life. Apr. 2015.
[8] Bettercap :: Usage. https://www.bettercap.org/usage/.
[9] Stephane Bortzmeyer. DNS Privacy Considerations. en. https://tools.ietf.org/html/rfc7626.
[10] Thomas Brewster. Here’s How The CIA Allegedly Hacked Samsung Smart TVs – And How To Protect Yourself. en. https://www.forbes.com/sites/thomasbrewster/2017/03/07/cia-wikileaks-samsung-smart-tv-hack-security/.
[11] Bundeskartellamt. Bundeskartellamt - Homepage - Smart TV Sector Investigation - Final Report. https://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Sektoruntersuchungen/Sektoruntersuchung_SmartTVs_Bericht.html.
[12] Bundeskartellamt - Homepage - Smart TV Sector Inquiry - Final Report. https://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Sektoruntersuchungen/Sektoruntersuchung_SmartTVs_Bericht.html.

[13] Levente Buttyán and Jean-Pierre Hubaux. Security and Cooperation in Wireless Networks: Thwarting Malicious and Selfish Behavior in the Age of Ubiquitous Computing. en. Cambridge University Press, Nov. 2007. ISBN: 978-1-139-46660-8.
[14] K. Chinetha, J. Daphney Joann and A. Shalini. ‘An Evolution of Android Operating System and Its Version’. en. In: International Journal of Engineering and Applied Sciences 2.2 (Feb. 2015), p. 257997. ISSN: 2394-3661.
[15] Geoffrey A. Fowler. Perspective | You Watch TV. Your TV Watches Back. en. https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/.
[16] Communication-from-the-Commission-to-the-European-Parliament-and-the-Council. en. DOI: 10.1163/2210-7975_HRD-4679-0058.
[17] Concept of Privacy: Introduction to Privacy and the GDPR (Open). https://kau.instructure.com/courses/5331/pages/concept-of-privacy?module_item_id=55857.
[18] Customer Service FAQ for Smart TV Voice Recognition Concern. en-419. https://www.samsung.com/latin_en/support/newsalert/60765/.
[19] CVE - Search Results. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg.
[20] Data Protection in the EU. en. https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en. Text.
[21] Detailed Notes Regarding Samsung F8000 Smart TV Networking. https://wikileaks.org/ciav7p1/cms/page_13205592.html.
[22] Tim Dierks. The Transport Layer Security (TLS) Protocol Version 1.2. en. https://tools.ietf.org/html/rfc5246.
[23] DNS over TLS vs. DNS over HTTPS | Secure DNS. en-us. https://www.cloudflare.com/learning/dns/dns-over-tls/.
[24] Doctorbeet. DoctorBeet’s Blog: LG Smart TVs Logging USB Filenames and Viewing Info to LG Servers. Nov. 2013.
[25] Fines / Penalties. en-US.
[26] FireBounty Netflix Vulnerability Disclosure Program. https://firebounty.com/104-netflix/.
[27] Margalit Fox. ‘Alan F. Westin, Who Transformed Privacy Debate Before the Web Era, Dies at 83’. en-US. In: The New York Times (Feb. 2013). ISSN: 0362-4331.
[28] John Breeden II and Josh Fruhlinger. What Is OSINT? 8 Top Open Source Intelligence Tools. en. https://www.csoonline.com/article/3445357/what-is-osint-top-open-source-intelligence-tools.html. Sept. 2020.

[29] Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016. en. https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016.
[30] Global Smart TV Operating System Share 2018. en. https://www.statista.com/statistics/882062/worldwide-smart-tv-operating-system-share/.
[31] Google. Åpenhet Om Data | Google Sikkerhetssenter. https://safety.google/privacy/data/.
[32] Google. Understanding PII in Google’s Contracts and Policies - Analytics Help. https://support.google.com/analytics/answer/7686480?hl=en.
[33] Gerrit Hornung and Christoph Schnabel. ‘Data Protection in Germany I: The Population Census Decision and the Right to Informational Self-Determination’. en. In: Computer Law & Security Review 25.1 (Jan. 2009), pp. 84–88. ISSN: 0267-3649. DOI: 10.1016/j.clsr.2008.11.002.
[34] IESG. TLS.1.3. https://mailarchive.ietf.org/arch/msg/ietf-announce/IhM9JJHVs_ZeK-_1eaVZrqxbnL8/.
[35] iotinspector. Frequently Asked Questions. https://iotinspector.org/blog/post/faq/.
[36] Kaspersky Blog. The Smart TV That Watches You! en-US. https://www.kaspersky.com/blog/the-smart-tv-that-watches-you/3295/.
[37] Paul J. Leach et al. Hypertext Transfer Protocol – HTTP/1.1. en. https://tools.ietf.org/html/rfc2616.
[38] Sunil Lee and Chang D. Yoo. ‘Robust Video Fingerprinting for Content-Based Video Identification’. In: IEEE Transactions on Circuits and Systems for Video Technology 18.7 (July 2008), pp. 983–988. ISSN: 1558-2205. DOI: 10.1109/TCSVT.2008.920739.
[39] LG Product Registration | Register Your Product. en. https://www.lg.com/us/mylg/product-registration.
[40] Xiaofeng Lu et al. ‘Privacy Information Security Classification Study in Internet of Things’. In: 2014 International Conference on Identification, Information and Knowledge in the Internet of Things. Oct. 2014, pp. 162–165. DOI: 10.1109/IIKI.2014.40.
[41] Sapna Maheshwari. ‘How Smart TVs in Millions of U.S. Homes Track More Than What’s On Tonight (Published 2018)’. en-US. In: The New York Times (July 2018). ISSN: 0362-4331.
[42] Joemar Matulac. Case Study of Tizen Operating System. Jan. 2016. DOI: 10.13140/RG.2.1.1805.1606.
[43] Chris Matyszczyk. Samsung’s Warning: Our Smart TVs Record Your Living Room Chatter. en. https://www.cnet.com/news/samsungs-warning-our-smart-tvs-record-your-living-room-chatter/.
[44] E McCallister, T Grance and K A Scarfone. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). en. Tech. rep. NIST SP 800-122. Gaithersburg, MD: National Institute of Standards and Technology, 2010, NIST SP 800-122. DOI: 10.6028/NIST.SP.800-122.

[45] Rudy Mens. How to Block Ads on Your Samsung, LG, Sony, or Roku Smart TV. en-US. https://lazyadmin.nl/home-network/how-to-block-ads-on-your-smart-tv/. Oct. 2020.
[46] Benjamin Michéle. ‘Security & Privacy Implications’. en. In: Smart TV Security: Media Playback and Digital Video Broadcast. Ed. by Benjamin Michéle. SpringerBriefs in Computer Science. Cham: Springer International Publishing, 2015, pp. 81–92. ISBN: 978-3-319-20994-4. DOI: 10.1007/978-3-319-20994-4_4.
[47] Benjamin Michéle. Smart TV Security: Media Playback and Digital Video Broadcast. en. SpringerBriefs in Computer Science. Cham: Springer International Publishing, 2015. ISBN: 978-3-319-20993-7 978-3-319-20994-4. DOI: 10.1007/978-3-319-20994-4.
[48] Benjamin Michele and Andrew Karpow. ‘Watch and Be Watched: Compromising All Smart TV Generations’. en. In: 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC). Las Vegas, NV: IEEE, Jan. 2014, pp. 351–356. ISBN: 978-1-4799-2355-7. DOI: 10.1109/CCNC.2014.6866594.
[49] Mitmproxy - an Interactive HTTPS Proxy. https://mitmproxy.org/.
[50] Hooman Mohajeri Moghaddam et al. ‘Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices’. en. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. London United Kingdom: ACM, Nov. 2019, pp. 131–147. ISBN: 978-1-4503-6747-9. DOI: 10.1145/3319535.3354198.
[51] ‘Multiple Case Study’. In: The SAGE Encyclopedia of Social Science Research Methods. 2455 Teller Road, Thousand Oaks California 91320 United States of America: Sage Publications, Inc., 2004. ISBN: 978-0-7619-2363-3 978-1-4129-5058-9. DOI: 10.4135/9781412950589.n596.
[52] OECD Privacy Principles. http://www.oecdprivacy.org/.
[53] Opera TV Is Now Vewd. en-US.
[54] Oregon FBI Tech Tuesday: Securing Smart TVs — FBI. en-us. https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/tech-tuesdaysmart-tvs. Press Release.
[55] Perflyst. Perflyst/PiHoleBlocklist. Oct. 2020.
[56] Personally Identifiable Information: What Is PII, Non-PII & Personal Data? en-US. https://piwik.pro/blog/what-is-pii-personal-data/. Jan. 2018.
[57] Philips TV - Deviceportal.Nettvservices.Com, Epg.Corio.Com, Ad.Nettvservices.Com · Issue #31 · Perflyst/PiHoleBlocklist. en. https://github.com/Perflyst/PiHoleBlocklist/issues/31.
[58] Pawani Porambage et al. ‘The Quest for Privacy in the Internet of Things’. In: IEEE Cloud Computing 3.2 (Mar. 2016), pp. 36–45. ISSN: 2325-6095. DOI: 10.1109/MCC.2016.28.
[59] Princeton IoT Inspector. en. https://iot-inspector.lpages.co/iot-inspector-project-at-princeton/.

[60] Privacy LG. https://gb.lgappstv.com/main/terms.
[61] Privacy Philips. no-no. https://www.philips.no/a-w/merknad-om-personvern.html.
[62] Privacy SambaTV. en-US. https://samba.tv/users/privacy-policy/.
[63] Privacy Samsung. en-SG. https://www.samsung.com/sg/info/privacy/.
[64] Privacy Shield. en. https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield.
[65] Privacy Shield Invalidated: EU Data Transfers to the U.S. under Siege (Again...) en-US. https://www.retailconsumerproductslaw.com/2020/07/privacy-shield-invalidated-eu-data-transfers-to-the-u-s-under-siege-again/. July 2020.
[66] Privacy Sony. https://www.sony.no/eu/pages/privacy/no_NO/privacy_policy.html.
[67] Raygun - Application Monitoring For Web & Mobile Apps. en. https://raygun.com.
[68] Recital 30 - Online Identifiers for Profiling and Identification. en-US.
[69] Jingjing Ren et al. ‘Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach’. en. In: Proceedings of the Internet Measurement Conference. Amsterdam Netherlands: ACM, Oct. 2019, pp. 267–279. ISBN: 978-1-4503-6948-0. DOI: 10.1145/3355369.3355577.
[70] Consumer Reports. Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds. en-US. https://www.consumerreports.org/ /samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/.
[71] Richard L. Rutledge, Aaron K. Massey and Annie I. Anton. ‘Privacy Impacts of IoT Devices: A SmartTV Case Study’. en. In: 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW). Beijing, China: IEEE, Sept. 2016, pp. 261–270. ISBN: 978-1-5090-3694-3. DOI: 10.1109/REW.2016.050.
[72] SamsungBlog. Server under Maintenance. en. https://us.community.samsung.com/t5/4k-8k-and-Other-TVs/Server-under-maintenance/m-p/1320254#M24117. July 2020.
[73] SamyGO - Index Page. http://forum.samygo.tv/.
[74] Selectively Blocking Samsung TVs’ Network Access. en-GB. Mar. 2017.
[75] Smart TVs, Subscription Services Leak Data to Facebook, Google. en. https://threatpost.com/smart-tvs-leak-data/148482/.
[76] Some Smart TVs Watch What You Watch - Consumer Reports. en-US. https://www.consumerreports.org/cro/news/2015/02/samsung-lg-vizio-smart-tvs-watch-everything-you-watch/index.htm.
[77] Sony. Reset an Android TV | Sony USA. en. https://www.sony.com/electronics/support/articles/00159487.

[78] Sony 1000XM3 Headphones Spying on Their Customers? en-US. https://www.reddit.com/r/headphones/comments/c1fttr/sony_1000xm3_headphones_spying_on_their_customers/.
[79] Iain Sutherland, Huw Read and Konstantinos Xynos. ‘Forensic Analysis of Smart TV: A Current Issue and Call to Arms’. en. In: Digital Investigation. Special Issue: Embedded Forensics 11.3 (Sept. 2014), pp. 175–178. ISSN: 1742-2876. DOI: 10.1016/j.diin.2014.05.019.
[80] Iain Sutherland et al. ‘A Forensic Overview of the LG Smart TV’. In: Australian Digital Forensics Conference (Jan. 2014). DOI: 10.4225/75/57b3e69dfb881.
[81] telekrmor. Pi-Hole. en-US. https://pi-hole.net/.
[82] The Difference between PII and Personal Data - Blog. en. https://techgdpr.com/blog/difference-between-pii-and-personal-data/. June 2019.
[83] Bill Tolson. Privacy Shield Has Been Invalidated, and SCCs Are Next... Now What? en-us. https://www.archive360.com/blog/privacy-shield-has-been-invalidated-and-sccs-are-next-now-what.
[84] Universal Declaration of Human Rights. en. https://www.un.org/en/universal-declaration-human-rights/index.html. Oct. 2015.
[85] Janus Varmarken et al. ‘The TV Is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking’. en. In: Proceedings on Privacy Enhancing Technologies 2020.2 (Apr. 2020), pp. 129–154. DOI: 10.2478/popets-2020-0021.
[86] Petr Velan et al. ‘A Survey of Methods for Encrypted Traffic Classification and Analysis’. en. In: International Journal of Network Management 25.5 (2015), pp. 355–374. ISSN: 1099-1190. DOI: 10.1002/nem.1901.
[87] VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent. en. https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it. Feb. 2017.
[88] Sarah Sluis. The Marketer’s Guide To ACR Tech In Smart TVs. en-US. https://www.adexchanger.com/ad-exchange-news/the-marketers-guide-to-acr-tech-in-smart-tvs/. June 2019.
[89] What Are Advertising Cookies and Targeting Cookies? en-US. https://www.cookiepro.com/knowledge/what-are-targeting-advertising-cookies/.
[90] What Is Google Tag Manager and Why Use It? The Truth about Google Tag Manager. en-US. Mar. 2017.
[91] What Is Proportionality? en. https://privacyproficient.com/what-is-proportionality/. June 2019.
[92] What Is SNI? How TLS Server Name Indication Works. en-us. https://www.cloudflare.com/learning/ssl/what-is-sni/.

[93] What Is Transport Layer Security? | TLS Protocol. en-us. https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/.
[94] Wireshark · Go Deep. https://www.wireshark.org/.
[95] Alan Wolk. Why ACR Data Is Poised To Become The Future Of TV Measurement. en. https://www.forbes.com/sites/alanwolk/2018/02/19/why-acr-data-is-poised-to-become-the-future-of-tv-measurement/.
[96] Daniel Wood, Noah Apthorpe and Nick Feamster. ‘Cleartext Data Transmissions in Consumer IoT Medical Devices’. In: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy - IoTS&P ’17 (2017), pp. 7–12. DOI: 10.1145/3139937.3139939. arXiv: 1803.10147.
[97] zeasn. Privacy Policy. https://www.zeasn.com/about?id=29.
[98] Fangming Zhao, Yoshiaki Hori and Kouichi Sakurai. ‘Analysis of Privacy Disclosure in DNS Query’. In: 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE’07). Seoul, Korea: IEEE, 2007, pp. 952–957. ISBN: 978-0-7695-2777-2. DOI: 10.1109/MUE.2007.84.

Appendix A

All of the captured domains

A.1 Sony Smart TV


A.2 Samsung A Smart TV

92 Samsung_2 idle PA HTTP || TLS nrdp.nccp.netflix.com osb.samsungqbe.com 2 customerevents.netflix.com tvx.adgrx.com 3 secure.netflix.com cdn.samsungcloudsolution.com 3 uiboot.netflix.com lcprd1.samsungcloudsolution.net 2 api-global.netflix.com cdn-0.nflximg.com nrdp51-appboot.netflix.com ichnaea.netflix.com osb.samsungqbe.com lcprd1.samsungcloudsolution.net device-metrics-us-2.amazon.com tvx.adgrx.com cdn.samsungcloudsolution.com unagi-na.amazon.com unagi-eu.amazon.com ocfconnect-shard-eu02-euwest1.samsungiotcloud.com api.eu-west-1.aiv-delivery.net

Samsung_2 idle pd osbstg-apps.samsungqbe.com osb.samsungqbe.com 1 osb.samsungqbe.com osbstg-apps.samsungqbe.com 1 status.thawte.com ocsp.digicert.com 5 ocsp.digicert.com mediaservices.cdn-apple.com 7 eu-auth2.samsungosp.com eu-auth2.samsungosp.com 1 api.samsungcloud.com api.samsungcloud.com 1 tvx.adgrx.com osb-auth-eusvc.samsungqbe.com 6 cdn.samsungcloudsolution.com vdterms.samsungcloudsolution.com 3 nrdp.prod.ftl.netflix.com api-global.netflix.com 2 lcprd1.samsungcloudsolution.net occ-0-2706-2705.1.nflxso.net 18 mediaservices.cdn-apple.com cdn.samsungcloudsolution.com 1 secure.netflix.com tvx.adgrx.com 1 codex.nflxext.com secure.netflix.com 2 vdterms.samsungcloudsolution.com nrdp51-appboot.netflix.com 13 nrdp.nccp.netflix.com nrdp.prod.ftl.netflix.com 4 customerevents.netflix.com codex.nflxext.com 1 api-global.netflix.com push.prod.netflix.com 1 nrdp51-appboot.netflix.com ichnaea.netflix.com 2 uiboot.netflix.com ichnaea.netflix.com push.prod.netflix.com osb-auth-eusvc.samsungqbe.com cdn-0.nflximg.com ocfconnect-shard-eu02-euwest1.samsungiotcloud.com occ-0-2706-2705.1.nflxso.net

Samsung_2 services pa

Samsung_2 services pd

A.3 Samsung B Smart TV

Samsung 12 idle pa (columns: Domain, HTTP || TLS)

Samsung idle pd

Samsung services pa

Samsung services pd

A.4 LG Smart TV

LG idle pa (columns: Domain, HTTP || TLS)

LG idle pd

LG services pa

A.5 Philips Smart TV

philips 2 idle pa (columns: Domain, HTTP || TLS)

philips idle_PD

philips services_PA

philips services_PD

menu button pa