Samsung – in breach of its own privacy policy?

It turns out that it really is worth reading beyond the “agree to our Terms of Service” button that most people so blindly click. Samsung has recently been the subject of much media controversy over fears that its Privacy Policy and its smart TV can record personal conversations and transmit this information to third parties.

For some clarity, here is the clause:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

Whilst a Samsung spokesman has stressed that “our TV’s don’t passively record conversations. You must press the mic button on the remote to ask a question – just like on a smartphone”, the clause has nonetheless caused some panic worldwide.

In response to the media attention and consumer consternation, Samsung quickly amended its Privacy Policy on 10 February 2015 to, we suppose, quell the panic. The new clause reads as follows:

If you enable Voice Recognition, you can interact with your Smart TV using your voice.

To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you.

In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.

Samsung will collect your interactive voice commands only when you make a specific search request to the Smart TV by clicking the activation button either on the remote control or on your screen and speaking into the microphone on the remote control.

One thing is certain – there is an attempt to clarify what information Samsung collects, to whom the information is distributed, and the purpose for which the information is collected.

More pertinent, from a South African perspective, is whether this clause is compliant with the Protection of Personal Information Act 4 of 2013 (“the Act”). In a nutshell, section 18 of the Act requires, at the very least, in a context such as this, the following:

  1. What information is being collected
  2. The purpose for which the information is being collected
  3. The recipient of such information

The EZterms team is of the opinion that requirements 2 and 3 have been met, as Samsung has stated that it collects voice commands in order that they may 1) “provide you with Voice Recognition features and evaluate and improve the features” and 2) transmit the recorded voice commands to Nuance Communications, Inc. (“Nuance”).

Thus, both the purpose and recipient requirements have been met, assuming of course that this is the only entity to whom Samsung discloses the personal information.

Samsung has not defined exactly which voice commands may be collected, and hence, even the amended Privacy Policy may fall foul of section 18 of the Act.

Another point of concern lies in the fact that Samsung has now stipulated in its amended Privacy Policy that voice commands, potentially containing personal information, are shared with Nuance.

Samsung’s Privacy Policy states that it may disclose some of your information to its service providers, but that the service providers “are limited in their ability to use your information for purposes other than providing services for [Samsung]”.

Thus, Samsung provides Nuance with voice commands made through the Samsung smart TV, but alleges that Nuance’s use of your personal information is limited to providing voice command services to the user of the smart TV.

This clause appears to contradict the original Samsung Privacy Policy, in that voice commands may consist of “spoken words includ[ing] personal or other sensitive information, [which] will be among the data captured”.

There exists a clear conflict, in that personal or sensitive information which may have been recorded during a voice command may allow Nuance access to such personal information, for purposes beyond merely providing voice command services to smart TV users.

Samsung cannot warrant to users of its smart TV, on behalf of a third party service provider over which it has no control, that voice commands will only be used for the purposes of voice command services, with the result that Samsung may be in breach of its own Privacy Policy.

Even where the quality of the consent is sufficient and the disclosure is lawful (since Samsung discloses that voice commands are shared with Nuance) the fact remains that the third party service provider makes no such assurances as to the integrity of your personal information.

And this is where things start to get a bit concerning.

Why? Because, while Samsung has warranted that it only shares the voice commands with Nuance in a manner that has “limited their ability to use your information for purposes other than providing services for [Samsung]”, it is the Privacy Policy of Nuance that ought to be reviewed, to determine how they treat the information in their possession.

For example, Nuance explicitly states that “[b]y using… Nuance Products, you consent to the collection and use of your personal information by Nuance”.

By virtue of a Samsung smart TV using voice recognition software provided by Nuance, a user of the smart TV is by definition using a ‘Nuance product’, and is hence consenting to Nuance’s Privacy Policy, despite not having been presented with, or having seen, the policy, let alone being given the opportunity to consent to it.

We would suggest that this falls foul of the very objects of the Consumer Protection Act 68 of 2008, which has at its heart the goal of giving effect to the international law obligations of the Republic, including, to “improve access to, and the quality of information that is necessary so that consumers are able to make informed choices according to their individual wishes and needs; etc…”

By virtue of Nuance’s Privacy Policy not being made readily available to Samsung smart TV users, it cannot be said that Samsung has complied with the requirements of the Consumer Protection Act, and thus, cannot be regarded as having garnered the necessary consent from a Samsung smart TV user, within a South African legislative context.

That being said, the question to be asked at this juncture is: what does Nuance do with the voice commands that it has in its possession, which, even by Nuance’s own account, “may include personal information”?

Well, again, Nuance’s Privacy Policy states that your personal information may be further shared with its “Affiliates, Vendors and Suppliers… to the extent it is necessary for these groups to provide their products and services to us and provide products and services you have requested”.

The virtual information rabbit hole deepens as your personal information is shared with new third party service providers, via your Samsung smart TV.

A cursory examination of Spiderbook.com reveals that the list of suppliers, vendors and affiliates of Nuance with whom a user’s personal information may be shared is extensive… totaling at least 37. These include:

  1. Silver Peak
  2. OnStar
  3. Conexant
  4. IBM
  5. Oracle
  6. AutoNavi
  7. Juice Mobile
  8. Spansion
  9. Toyota
  10. Montage
  11. Vesta
  12. Diebold
  13. Varolii Interact
  14. ITA Software Inc
  15. SpeechTrans
  16. Apple Inc
  17. Swype
  18. Webmedx
  19. VoiceSignal Technologies
  20. Transcend
  21. Spinvox
  22. Dragon
  23. Svox
  24. Accentus
  25. Vesta
  26. Quantum
  27. Accelerad
  28. Vlingo
  29. Philips Speech
  30. Jata
  31. Viecore
  32. Commisure
  33. PerSay
  34. ShapeWriter
  35. MacSpeech
  36. Focus Infomatics
  37. SnapIn

The above vendors, suppliers and affiliates are not, however, independently verified by the EZterms Team.

It appears that Samsung may, inadvertently, and despite it having amended the provisions of its Privacy Policy on 10 February 2015, be sharing your personal information, through your voice recordings, with a multitude of third party service providers without the consent of the user.

Under the current legislative framework, the only conceivable, albeit undesirable and impractical, solution would be for Samsung’s Privacy Policy to include a provision calling for a warranty from a smart TV user.

The user would have to warrant that personal information may be shared with third party service providers (and their third party service providers), all of whom are listed by name, together with links to their individual privacy policies, thereby shifting the onus onto the user to ensure that there are no offending provisions in any of the privacy policies which may apply.

Practically speaking, this constitutes a call for legislative intervention to regulate the use of the personal information, the balancing of commercial interests and utility, and the need to safeguard sensitive personal information.

This article was written by EZterms
