Smart TVs from major manufacturers like Samsung and LG use a Shazam-like tracking technology called Automatic Content Recognition (ACR) to monitor what you watch — and opting out can be a painful process for end users.

According to a new study from researchers at the University College London, University of California, Davis, and Universidad Carlos III de Madrid, the tracker operates even when Smart TVs are used as ‘dumb’ external displays via HDMI, potentially capturing content from gaming consoles or laptops.

The ACR technology, which has roots in the popular Shazam song-identification tool, is designed to profile viewing activity of users, periodically capturing the content displayed on a TV’s screen and matching it against a content library to detect what content is being displayed at any given point in time. 

This type of so-called “second party tracking” is directly integrated into the Smart TV’s operating system, the researchers explained, noting that a black-box audit of ACR network traffic between ACR clients on the smart TV and ACR servers found a major difference in how the technology works across the US and the UK.

In the US, the researchers found that ACR is active during free ad-supported streaming TV (FAST) viewing, while in the UK it is turned off. This suggests the default behavious is influenced by jurisdictional regulations and data privacy laws.

The research team found that opting out of tracking features does appear to stop ACR-related network traffic, suggesting privacy controls are effective but notes that user-login status on Smart TVs does not impact ACR tracking behavior.

Since its inception in 2011, the researchers note that ACR tracking has been adapted to identify other modalities of content with companies like DirecTV and Viggle integrating ACR into the TV ecosystem, while Samsung partnered with a content recognition tech company to integrate ACR into their smart TVs. LG, another major player in the Smart TV business, incorporated ACR in 2013 with a partnership with Cognitive Networks 

“ACR tracking has raised privacy concerns. Most notably, Vizio was sued by the FTC for selling customer data to third parties, who then used it for personalized ads. This lawsuit was settled in 2017 with Vizio agreeing to provide clearer disclosures and opt-out mechanisms,” the research team said. 

Even though opt-outs are available, the researchers warn that opting out is typically not straightforward, often requiring navigation through various settings in multiple subsections, with no universal off-switch. 

“It is also unknown whether these privacy controls actually work as intended,” the group said.

The team found different behaviors between Samsung and LG regarding their use of ACR domains. “When ACR is enabled on LG TVs, a single domain is contacted (eu-acrX.alphonso.tv, where X is an arbitrary number that changes periodically). This domain belongs to Alphonso, a technology company that manages LG Ad Solutions,” according to the research paper.

“On the other hand, Samsung contacts multiple ACR domains (acr-eu-prd.samsungcloud.tv, acr0.samsungcloudsolution. com, log-config.samsungacr.com, log-ingestion-eu.samsungacr.com).”

The researchers say they plan to explore more advanced man-in-the-middle (MITM) techniques to understand the payload of ACR network traffic and the link between ACR tracking and ad personalization in smart TVs. 

The researchers have released code and data on the black-box audit.  

Related: Massive Android Botnet Hits Smart TV Ad Ecosystem

Related: WikiLeaks Details Samsung Smart TV Hacking Tool

Related: Backdoors Infiltrate Android-powered Smart TVs

Related: Thousands of LG TVs Possibly Exposed to Remote Hacking