Connected Devices: Smart TVs & IoT

The screen on your wall and the gadgets in your home are watching, listening, and quietly working for someone else

The Always-On Home

The average household now contains dozens of internet-connected devices: televisions, streaming boxes, voice assistants, doorbells, thermostats, and appliances. Two distinct but overlapping business models extract value from them. The first treats the device as a sensor: the smart TV that fingerprints every frame you watch, the speaker that records your voice, the doorbell that catalogs your street. The second treats the device as infrastructure, quietly reselling your bandwidth and your home IP address as a “residential proxy” that lets a paying customer (or a criminal) route their traffic through your house so it looks like it came from you.

Both models share a defining trait: the data flows whether you understand the bargain or not. ACR tracking is switched on by default; bandwidth-harvesting is buried in the terms of a free app or, increasingly, pre-installed on a cheap device before you ever open the box. This section maps the companies that watch what your devices see and the companies that turn your devices into someone else’s exit node.

Smart TV Surveillance: Automatic Content Recognition (ACR)

Nearly every smart TV sold since roughly 2015 ships with Automatic Content Recognition active by default. ACR captures snapshots of whatever is on the screen every few seconds (broadcast TV, streaming, a game console, even a USB slideshow), converts each into a digital fingerprint, and matches it against a reference database to identify exactly what you are watching. The result is a second-by-second log of household viewing, linked to your IP address and sold for cross-device ad targeting and measurement. Manufacturers brand the feature euphemistically: Samsung calls it “Viewing Information Services,” LG “Live Plus,” and Vizio simply “Viewing Data.”
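The capture, fingerprint, match loop described above, as an added example that is not any vendor's code: a simplified difference hash stands in for the proprietary fingerprint, and the frames, titles, and match tolerance are constructed assumptions.

```python
"""Simplified ACR pipeline: frame -> 64-bit fingerprint -> nearest reference.
Added illustration only; vendors' real fingerprinting algorithms are proprietary."""

ROWS, COLS = 8, 9  # a frame downscaled to 8x9 grayscale yields 8*8 = 64 bits


def dhash(frame):
    """Difference hash: one bit per horizontally adjacent pixel pair.

    Only the order of neighbouring brightness values is kept, so a uniform
    brightness change leaves the fingerprint untouched.
    """
    bits = 0
    for row in frame:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def identify(frame, reference_db, max_distance=10):
    """Return (title, distance) for the closest reference fingerprint, or
    (None, None) if nothing is within max_distance (an assumed tolerance)."""
    if not reference_db:
        return (None, None)
    fp = dhash(frame)
    title, dist = min(
        ((t, hamming(fp, ref)) for t, ref in reference_db.items()),
        key=lambda match: match[1],
    )
    return (title, dist) if dist <= max_distance else (None, None)


def synth_frame(pixel):
    """Build a constructed grayscale frame from a pixel(r, c) function."""
    return [[pixel(r, c) for c in range(COLS)] for r in range(ROWS)]


# Constructed reference frames with hypothetical titles.
REFERENCE_FRAMES = {
    "news_broadcast": synth_frame(lambda r, c: 2 * (r * COLS + c)),
    "football_match": synth_frame(lambda r, c: 200 - 2 * (r * COLS + c)),
    "cartoon": synth_frame(lambda r, c: 100 + 50 * ((r + c) % 2)),
}
REFERENCE_DB = {title: dhash(f) for title, f in REFERENCE_FRAMES.items()}


def captured_from_hdmi():
    """The news frame as seen via another input: brighter, with 3 noisy pixels."""
    frame = [[p + 30 for p in row] for row in REFERENCE_FRAMES["news_broadcast"]]
    frame[0][4], frame[3][0], frame[7][8] = 255, 255, 0
    return frame


def unknown_frame():
    """A constructed frame that is not in the reference database."""
    return synth_frame(lambda r, c: 2 * c if r < 4 else 200 - 2 * c)


if __name__ == "__main__":
    print(identify(captured_from_hdmi(), REFERENCE_DB))
    print(identify(unknown_frame(), REFERENCE_DB))
```

In this sketch each snapshot is reduced to 8 bytes, and the match does not depend on which input produced the picture.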

Samba TV

What they are: The dominant independent ACR data broker. Rather than build its own televisions, Samba TV embeds its fingerprinting software at the chipset level in roughly two dozen smart TV brands sold in more than 100 countries, then licenses the resulting viewership data to advertisers and measurement firms.[2]

Scale: Samba TV reports an addressable footprint of approximately 48 million smart TV devices supplying first-party viewing data, a projected reach of 111 million households, and stable identifiers for over 1 billion users derived from TV and connected-device interactions. It serves more than 1,000 customers across 50-plus countries.[3]

2025–2026 expansion: Samba TV has moved aggressively to fuse its viewing data with the broader ad ecosystem, partnering in October 2025 with Aquila (an ANA subsidiary) to join its streaming viewership data to ad-exposure data from Google, Meta, Amazon, and TikTok for cross-media attribution, and in December 2025 with Index Exchange to launch a curated programmatic marketplace built on Samba’s behavioral and contextual TV data.[3]

Vizio (Inscape)

What they are: A budget TV maker whose real business is data. Through its Inscape ACR unit, Vizio built the case that defined the entire category. Its SmartCast platform now anchors a fast-growing advertising and data-licensing operation.

The landmark FTC case: In February 2017, Vizio agreed to pay $2.2 million ($1.5 million to the FTC, $1 million to New Jersey) to settle charges that it collected viewing histories from 11 million televisions without consumers’ knowledge or consent. The complaint described ACR software capturing up to 100 billion data points each day from more than 10 million sets, stored indefinitely, with Vizio appending demographic details (sex, age, income, marital status, household size, education, home ownership, and home value) before selling the data to third parties. The settlement required affirmative express consent, deletion of pre-March 2016 data, and 20 years of biennial third-party privacy assessments.[1]

Walmart acquisition: In December 2024, Walmart completed its $2.3 billion acquisition of Vizio, gaining the SmartCast operating system and its 18-plus million active accounts as the engine of its retail-media business (see Retail & Loyalty). The deal placed one of the largest ACR viewing-data troves under the same roof as one of the largest purchase-history datasets in the country.

The Manufacturers: Samsung, LG, Sony, Hisense, TCL, Roku

What they are: Every major TV brand runs its own ACR program and sells or monetizes the resulting viewing data through in-house ad platforms (Samsung Ads, LG Ad Solutions, Roku’s ad business). For these companies the operating system and its data have become more profitable than the hardware.

Texas enforcement (2025–2026): Texas Attorney General Ken Paxton sued five manufacturers (Sony, Samsung, LG, Hisense, and TCL) under the Texas Deceptive Trade Practices Act, alleging they secretly recorded what Texans watched and monetized it through ACR without meaningful consent.[4] On February 26, 2026, Samsung became the first to settle, agreeing to halt ACR collection without express consent and to deploy clear disclosure and consent screens via software update.[5] LG followed with its own settlement, agreeing to stop using Live Plus ACR without informed consent and to push a pop-up disclosure with a simple opt-out.[6][7] The cases against Sony, Hisense, and TCL remain ongoing.[4]

Residential Proxy Networks: Your Bandwidth for Sale

A residential proxy routes a paying customer’s web traffic through an ordinary consumer’s home internet connection, so the request appears to originate from a real household rather than a data center. This makes it invaluable for large-scale web scraping, ad verification, price monitoring, and sneaker/ticket botting, and equally useful for fraud and abuse, because the traffic is nearly impossible to distinguish from a genuine resident. The IP addresses come from millions of consumer devices whose owners have “opted in” through a free app or SDK, often without grasping that their connection is being leased to strangers.

Bright Data (formerly Luminati Networks)

What they are: The largest player in the industry, operating a network of more than 150 million residential proxy IPs and processing over 2 billion web requests daily for 20,000-plus enterprise customers. Its detailed scraping-litigation history (Meta and X both lost suits against it) is covered in Social Media Aggregators & Web Scrapers.[8]

The device angle: Bright Data’s original IP pool came from Hola VPN, a free service that quietly enrolled its users’ devices into the Luminati commercial proxy network, the template the whole industry copied. Bright Data also operates EarnApp, which pays users to share idle bandwidth, feeding the same pool. The arrangement turns a free download into a perpetual revenue stream extracted from the user’s connection.[8]

The Bandwidth-Sharing Ecosystem

What they are: A cluster of “passive income” apps and the proxy firms they feed. Honeygain and IPRoyal’s Pawns app pay users a few dollars a month to resell their bandwidth; larger proxy vendors then buy or aggregate those pools. Industry research describes Oxylabs (a network of roughly 175 million residential IPs) as sourcing heavily from Honeygain, and IPRoyal as building its pool directly through Pawns.[9]

The consent problem: The same monetization SDKs are routinely bundled into unrelated free software (games, utilities, VPNs), so users become proxy exit nodes without ever installing a “passive income” app on purpose. This category, often called proxyware, sits on a spectrum that runs from disclosed-but-buried consent at one end to outright malware at the other, where the line between a paid bandwidth-sharing network and a criminal botnet effectively disappears.[9]

When Your Devices Are Conscripted: Proxyware Botnets

At the criminal end of the spectrum, the same residential-proxy economics are run without any consent at all. Cheap, off-brand smart TVs, streaming boxes, and IoT gadgets (the largest growth area) are infected before or shortly after purchase and silently sold as proxy capacity.

BADBOX 2.0

What it is: A botnet built primarily from Chinese-made Android smart TVs, streaming boxes, projectors, and tablets shipped with backdoor malware pre-installed, or infected during setup through malicious apps. Once online, the devices connect to command-and-control servers and are rented out as residential proxies, used for ad fraud, and harnessed for credential-stuffing attacks.

Scale and response: On June 5, 2025, the FBI warned that BADBOX 2.0 had compromised more than 1 million home devices; researchers at HUMAN Security estimated the full footprint at around 10 million devices across 222 countries, concentrated in Brazil (37.6%), the United States (18.2%), and Mexico.[10][11] In July 2025, Google sued the botnet’s operators in federal court, and a coordinated takedown led by HUMAN’s Satori team with Google, Trend Micro, and the Shadowserver Foundation cut more than 500,000 infected devices off from their controllers.[10]

911 S5

What it was: Described by the U.S. Department of Justice as “likely the world’s largest botnet ever,” 911 S5 was a residential proxy service assembled from 19 million infected Windows devices across more than 190 countries, including over 613,000 IP addresses in the United States. Victims were infected through free, malware-laced VPN programs (MaskVPN, DewVPN) and pirated software bundles, then resold as proxies that paying subscribers used to mask cybercrime, including billions of dollars in pandemic-relief fraud.[12]

The takedown: In May 2024, a multinational operation dismantled the service and arrested administrator YunHe Wang in Singapore; prosecutors alleged he earned roughly $99 million leasing the compromised IPs. The Treasury Department’s OFAC sanctioned Wang and two associates along with three companies they controlled.[13] The case is the clearest illustration of the pipeline that connects a “free” consumer download to a global criminal infrastructure built from ordinary people’s devices.

The Smart Home: Speakers, Doorbells & Sensors

Voice assistants, video doorbells, and connected sensors collect some of the most intimate data in the home: recordings of family conversations, footage of who comes and goes, and continuous logs of when a household is awake, asleep, or away. The dominant vendor, Amazon, has already paid for mishandling it.

Amazon (Alexa & Ring)

Alexa ($25 million, 2023): The FTC and DOJ charged that Amazon kept children’s Alexa voice recordings and geolocation data indefinitely, used them to train its algorithms, and ignored parents’ deletion requests, in violation of COPPA. Until September 2019, Alexa’s default was to store recordings and transcripts forever. Amazon paid a $25 million civil penalty and was ordered to delete the data and overhaul its retention practices.[14]

Ring ($5.8 million, 2023): In a parallel action, the FTC charged that Ring gave employees and contractors unrestricted access to customers’ private videos. One employee viewed thousands of recordings from at least 81 female users over several months, including cameras placed in bedrooms and bathrooms, while lax security let outside hackers hijack two-way streams to harass and threaten families. Amazon paid $5.8 million in consumer refunds and was ordered to delete improperly obtained videos and face data.[15]

Why it matters: The combined $30.8 million in penalties did not end the underlying business model. Smart-home devices remain a rich data source, and Ring’s expanding partnerships with law enforcement (covered under Surveillance & Government Contractors) show how household sensor data flows outward to government as well as to advertisers.

Beyond the Screen: Appliances, Vacuums, Bulbs, Cameras & Toys

The same logic extends to nearly every product now sold as “smart.” Independent testing repeatedly finds connected devices collecting far more than they need to function, shipping it to overseas servers and ad networks, and then exposing it through weak security. The device categories below are not data brokers themselves, but they are the raw feedstock, the sensors and breaches that fill broker databases and, increasingly, AI training sets.

Everyday Appliances

What was found: In November 2024, the UK consumer organisation Which? (the British equivalent of Consumer Reports) tested smart home devices and found air fryers from Xiaomi, Cosori, and Aigostar demanding the user’s precise location and permission to record audio through the paired phone. Xiaomi and Aigostar transmitted user data to servers in China, and Xiaomi’s companion app carried ad trackers from Facebook, TikTok’s Pangle network, and Tencent. Which? reported the same over-collection across smart TVs, speakers, and watches. Manufacturers, it concluded, gather data “with seemingly reckless abandon” and little transparency.[16]

Robot Vacuums (iRobot Roomba, Ecovacs)

What they collect: Robot vacuums build a detailed floor plan of your home, and newer models add cameras and microphones. In December 2022, MIT Technology Review obtained 15 images captured by development-model Roombas (including a woman seated on a toilet) that iRobot had sent to data-labeling contractor Scale AI, where gig workers in Venezuela posted them to private Facebook and Discord groups.[17]

Who wanted that map: In August 2022 Amazon agreed to buy iRobot for about $1.7 billion (later trimmed to roughly $1.4 billion), a deal that would have placed the company that maps the interiors of tens of millions of homes inside the same empire as Amazon’s retail and advertising business. The European Commission signaled it would veto the merger on competition grounds (citing Amazon’s dual role as marketplace and participant) and on January 29, 2024 the two companies abandoned it. Amazon paid a $94 million termination fee, and iRobot laid off about 31% of its staff as its CEO departed.[27][28]

Hijacking: In 2024, security researchers showed that Ecovacs Deebot vacuums could be taken over to reach the camera and microphone with no indicator light; some owners reported their vacuums commandeered to roam the house shouting slurs and chasing pets, and the company was found to be collecting user photos, video, and audio to train its AI models.[18]

WiFi Light Bulbs (LIFX, Tuya, Xiaomi)

The flaw: A WiFi bulb must store your network password to work, and many store it carelessly. Security researchers found that LIFX bulbs kept the owner’s WiFi name and password in plaintext in onboard memory, alongside hardcoded encryption keys and an RSA private key, all extractable from a discarded or resold bulb in under an hour.[19] The same plaintext-credential weakness was documented in bulbs from Tuya and Xiaomi.[20] A bulb thrown in the trash can hand your home network keys to a stranger, and a compromised bulb is a foothold onto everything else on that network.

Security Cameras (Eufy/Anker, Wyze)

Privacy promises broken: Even cameras marketed on privacy have failed. In late 2022, researchers showed that Anker’s Eufy cameras, advertised as local-storage with “no cloud,” uploaded thumbnails and facial data to the cloud and could be streamed unencrypted through VLC with no authentication; Anker eventually admitted the cameras were not end-to-end encrypted.[22] In February 2024, roughly 13,000 Wyze customers were shown thumbnails from strangers’ cameras (and 1,504 tapped through to other people’s footage) when a caching bug surfaced as devices reconnected after an AWS outage.[23]

Connected Toys (VTech, CloudPets)

The most sensitive data of all: A 2015 breach of toymaker VTech exposed data on roughly 6.4 million children: names, genders, birthdates, photos, and recorded voice and chat messages between children and parents. VTech paid a $650,000 FTC settlement in January 2018, the agency’s first connected-toy case, and accepted 20 years of independent audits.[21] Separately, the CloudPets line of internet-connected plush toys left more than 2 million recorded messages between children and parents sitting on an unsecured database.[21]

Printers

Hidden tracking: Most color laser printers secretly stamp every page with a near-invisible grid of yellow dots, a Machine Identification Code that encodes the printer’s serial number and a date-and-time stamp. The EFF decoded the pattern and documented how it has been used to trace anonymous or leaked documents back to a specific machine and, in turn, to the person who printed them.[24]

Telemetry and subscriptions: Modern networked printers also report usage data back to the manufacturer. HP’s All-In Plan, launched in 2024, rents customers a printer for a monthly fee (tiers running up to roughly $36/month) and requires the printer to stay connected to the internet so HP can monitor ink levels and page counts.[25] HP’s own data-collection notice lists what it gathers from connected printers (device model and serial number, remote-monitoring metrics, telemetry, analytics, and cookie data), and HP states that, unless users opt out, it shares personal information with advertising partners for targeted advertising.[26]

How to Opt Out

Unlike most data brokers, connected devices put the controls partly in your hands. Most data collection here can be switched off at the device itself. The catch is that nearly all of it is on by default and buried in settings menus, so opting out means hunting down each toggle.

Turn Off Smart TV ACR (by brand)

The viewing-data setting is usually under Settings > Privacy, Settings > Terms & Policies, or Settings > System. Disable it by its brand name:

Samsung – turn off “Viewing Information Services” (Settings > Terms & Privacy / Privacy Choices)
LG – turn off “Live Plus” (Settings > General > About This TV > User Agreements; also disable Additional Ads)
Vizio – turn off “Viewing Data” (Admin & Privacy > Viewing Data)
Roku – enable “Limit ad tracking” and turn off “Use info from TV inputs / Smart TV Experience” (Settings > Privacy)
Sony / Hisense / TCL (Android/Google TV & Fire TV) – turn off ACR/“Use of viewing data” and reset/limit the advertising ID (Settings > Privacy / Ads)

Opt Out of Samba TV Directly

Because Samba TV is embedded across many brands, disabling your TV’s ACR toggle does not always stop Samba. Submit a separate opt-out and data-deletion request through its Privacy Center.

Samba TV opt-out / “do not sell” → samba.tv/users/notice-of-right-to-opt-out
Samba TV Privacy Center (access, delete, restrict) → samba.tv/users/privacy-center

Cut Off the Network (the nuclear option)

A television does not need its own internet connection to display an external streaming stick, console, or cable box. Declining the smart-platform terms during setup, or blocking the TV’s MAC address at your router, stops all ACR uploads at the source, with no toggle to quietly re-enable later.

Stop Selling Your Bandwidth

Uninstall “passive income” apps: Honeygain, IPRoyal Pawns, EarnApp, Pawns.app, and similar. The few dollars they pay come from leasing your connection (and home IP) to unknown third parties.
Audit free apps and VPNs for bundled proxyware SDKs before installing; prefer reputable, paid software over free tools that monetize your bandwidth invisibly.

Avoid (and Check for) Infected Devices

Buy streaming hardware only from established brands. Pre-loaded malware like BADBOX is concentrated in ultra-cheap, off-brand Android TV boxes and IoT gadgets sold through online marketplaces.
Never sideload apps from unofficial stores on a TV box, and be suspicious of any device that asks you to disable Google Play Protect.
Watch for warning signs the FBI flags: a generic/unknown brand, an unofficial app marketplace, or unexplained internet traffic. If in doubt, disconnect the device from your network.
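One way to look for the “unexplained internet traffic” warning sign, and for the exit-node behavior described under Residential Proxy Networks, is to profile per-device flow totals exported from your router. This is an added example, not code from any cited source; the CSV layout, device names, and thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one hour of per-flow totals from a home router.
# Device names are hypothetical; addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
device,dst_ip,bytes_up,bytes_down
living-room-tv,192.0.2.10,400000,900000000
living-room-tv,192.0.2.11,150000,300000000
laptop,198.51.100.1,200000,5000000
laptop,198.51.100.2,90000,2500000
laptop,198.51.100.3,40000,800000
laptop,198.51.100.4,60000,1200000
laptop,198.51.100.5,30000,700000
laptop,198.51.100.6,25000,650000
offbrand-tv-box,203.0.113.5,48000000,900000
offbrand-tv-box,203.0.113.20,300000,9000000
offbrand-tv-box,203.0.113.21,250000,8000000
offbrand-tv-box,203.0.113.22,400000,11000000
offbrand-tv-box,203.0.113.23,350000,10000000
offbrand-tv-box,203.0.113.24,200000,7000000
offbrand-tv-box,203.0.113.25,150000,4000000
"""

RELAY_MIN_BYTES = 1_000_000  # assumed floor for a "large upload" flow


def profile_devices(csv_text):
    """Aggregate upload/download totals and destinations per device.
    Rows with missing or non-numeric fields are skipped."""
    profiles = defaultdict(lambda: {"up": 0, "down": 0, "dsts": set(), "relay": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            device, dst = row["device"], row["dst_ip"]
            up, down = int(row["bytes_up"]), int(row["bytes_down"])
        except (KeyError, TypeError, ValueError):
            continue
        p = profiles[device]
        p["up"] += up
        p["down"] += down
        p["dsts"].add(dst)
        # A flow that mostly uploads looks like a relay tunnel: the device is
        # forwarding fetched content to a peer rather than consuming it.
        if up >= RELAY_MIN_BYTES and up > 10 * down:
            p["relay"].add(dst)
    return dict(profiles)


def flag_proxy_like(profiles, min_destinations=5, min_ratio=0.5):
    """Flag devices that fan out to many destinations AND upload about as
    much as they download. Both thresholds are assumptions sized for the
    small sample; tune them against a baseline of your own network."""
    findings = []
    for device, p in sorted(profiles.items()):
        ratio = p["up"] / max(p["down"], 1)  # guard against zero download
        if len(p["dsts"]) >= min_destinations and ratio >= min_ratio:
            findings.append({
                "device": device,
                "destinations": len(p["dsts"]),
                "up_down_ratio": round(ratio, 2),
                "relay_peers": sorted(p["relay"]),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_proxy_like(profile_devices(SAMPLE_FLOWS)):
        print(finding)
```

A streaming TV downloads far more than it uploads and talks to few hosts, and a laptop fans out but still mostly downloads; only the device that does both is flagged, and its relay peers are candidates to block at the router while you disconnect it.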

Smart Speakers & Doorbells

Amazon Alexa – set voice recordings to auto-delete and review history → amazon.com/alexaprivacysettings; request full data deletion → amazon.com/privacy/data-deletion
Amazon Ring – in Control Center, turn off data-sharing for ads, enable end-to-end encryption, and review/limit law-enforcement requests
General – disable indefinite voice-recording retention, turn off “help improve” / data-sharing options, and restrict camera and video sharing on every connected device

Other Connected Devices (appliances, vacuums, bulbs, cameras, toys)

Decline every app permission you can, especially precise location, microphone, and contacts for an appliance that has no need for them. Many devices work fully without their cloud account.
Prefer local-only and end-to-end encryption. For cameras, choose models with genuine on-device storage and E2E encryption enabled; do not assume “local” marketing claims are true.
Keep firmware updated and buy from established brands that issue security patches; abandoned no-name devices never get fixed.
Factory-reset before discarding or reselling any smart device. Bulbs, cameras, and hubs can retain your WiFi credentials in memory.
Segment your network. Put IoT gadgets on a separate guest WiFi or VLAN so a compromised device cannot reach your computers and phones.
For children’s toys, avoid internet-connected models that record audio or video; if used, delete stored recordings regularly and keep the companion account locked down.

For broader removal across the wider data broker ecosystem (and, for California residents, a single deletion request to all registered brokers via the DROP platform), see How to Fight Back on the directory home page.

Sources & References

[1] FTC: VIZIO to Pay $2.2 Million to Settle Charges It Collected Viewing Histories on 11 Million Smart TVs (February 2017) – ACR on 11M sets without consent; up to 100B data points/day; appended demographics; $1.5M FTC + $1M New Jersey; 20-year biennial assessments.
[2] Wikipedia: Samba TV – ACR embedded at chipset level in ~24 smart TV brands sold in 100+ countries; licenses viewership data to advertisers and measurement firms.
[3] Samba TV: TV Viewership Data – ~48M first-party smart TV devices; 111M-household projected reach; 1B+ stable identifiers; 1,000+ customers across 50+ countries; 2025–2026 Aquila/ANA and Index Exchange partnerships.
[4] Texas Attorney General: Paxton Sues Five Major TV Companies for Spying on Texans – Sony, Samsung, LG, Hisense, and TCL sued under the Texas Deceptive Trade Practices Act over ACR viewing-data collection.
[5] Texas Attorney General: Major Agreement with Samsung (February 26, 2026) – First settlement; Samsung must halt ACR collection without express consent and add clear disclosure/consent screens via update.
[6] Texas Attorney General: Major Agreement with LG – LG to stop using Live Plus ACR without informed consent; pop-up disclosure and simple opt-out required.
[7] National Law Review: Texas Obtains Smart TV Privacy Settlement With LG – Analysis of the LG settlement terms and consent/disclosure requirements.
[8] Wikipedia: Bright Data – 150M+ residential proxy IPs; 2B+ requests/day; originated from Hola VPN’s peer-to-peer device network; EarnApp bandwidth-sharing.
[9] Proxyway: Proxy Market Research 2025 – Oxylabs ~175M residential IPs sourced heavily from Honeygain; IPRoyal pool built via the Pawns app; proxyware/SDK bandwidth-sharing market overview.
[10] Krebs on Security: Is Your Android TV Streaming Box Part of a Botnet? (November 2025) – BADBOX 2.0 on Android TVs/streaming boxes/IoT; ~10M devices across 222 countries; Google’s July 2025 lawsuit; HUMAN/Google/Trend Micro/Shadowserver takedown.
[11] FBI IC3 Public Service Announcement (June 5, 2025) – Home internet-connected devices facilitating criminal activity; BADBOX 2.0 converting 1M+ consumer devices into residential proxies for ad fraud and credential stuffing.
[12] U.S. Department of Justice: 911 S5 Botnet Dismantled and Administrator Arrested (May 2024) – “Likely the world’s largest botnet”; 19M infected Windows devices; MaskVPN/DewVPN distribution; YunHe Wang arrested in Singapore; ~$99M in revenue.
[13] U.S. Treasury: Sanctions on the 911 S5 Cybercrime Network (May 2024) – OFAC designated YunHe Wang, Jingping Liu, and Yanni Zheng plus three entities tied to the residential-proxy botnet.
[14] FTC: Amazon Charged With Violating Children’s Privacy Law Over Alexa Recordings (May 2023) – $25M penalty; indefinite retention of children’s voice and geolocation data; deletion requests ignored; COPPA violations.
[15] NPR: Amazon to Pay Over $30 Million to Settle Ring and Alexa Privacy Claims (June 2023) – Ring $5.8M; employee viewed 81 female users’ cameras incl. bedrooms/bathrooms; hackers hijacked two-way streams; combined $30.8M with the Alexa penalty.
[16] The Register: Your Air Fryer Might Be Spying on You for China, Says Which? (November 2024) – Xiaomi/Cosori/Aigostar air fryers demanded precise location and phone audio-recording permission; Xiaomi and Aigostar sent data to servers in China; Xiaomi app carried Facebook/Pangle/Tencent trackers.
[17] MIT Technology Review: A Roomba Recorded a Woman on the Toilet (December 2022) – 15 development-Roomba images, incl. a woman on a toilet, sent by iRobot to Scale AI and posted to private Facebook/Discord groups by labelers in Venezuela.
[18] Techdirt: Ecovacs Robot Vacuum Remote-Access Flaw (October 2024) – Deebot vacuums hijacked to access camera/mic with no indicator light; some shouted slurs and chased pets; photos/video/audio collected to train Ecovacs AI models.
[19] Schneier on Security: Security Analysis of the LIFX Smart Light Bulb (January 2019) – LIFX bulbs stored WiFi SSID and password in plaintext, plus hardcoded encryption keys and RSA private key extractable from the bulb’s chip.
[20] AppleInsider: LIFX HomeKit Bulbs Storing WiFi Passwords Unencrypted (January 2019) – Confirms plaintext WiFi credential storage; same weakness documented in Tuya- and Xiaomi-made bulbs.
[21] FTC: Electronic Toy Maker VTech Settles Children’s Privacy Charges (January 2018) – 2015 breach exposed ~6.4M children’s names/genders/birthdates/photos and parent-child voice and chat messages; $650K penalty (first connected-toy case); 20-year audits.
[22] 9to5Google: Eufy Caught Sending “Local-Only” Footage to the Cloud (December 2022) – Anker Eufy cameras uploaded thumbnails/facial data to the cloud despite local-storage claims; streams accessible unencrypted via VLC; Anker admitted no native end-to-end encryption.
[23] Engadget: Wyze Security Issue Showed 13,000 Users Other Owners’ Homes (February 2024) – ~13,000 customers shown thumbnails from strangers’ cameras; 1,504 tapped through to others’ footage; caching bug during AWS-outage recovery.
[24] EFF: Printer Tracking (Machine Identification Code) – Color laser printers stamp near-invisible yellow dots encoding serial number and timestamp on every page; decoded by EFF; used to trace documents back to specific machines and identify leakers.
[25] Ars Technica: HP Wants You to Pay up to $36/Month to Rent a Printer That It Monitors (February 2024) – HP All-In Plan rental subscription requires the printer to stay internet-connected so HP can monitor ink levels and page counts.
[26] HP: Printer Data Collection Notice – Lists device model/serial, remote-monitoring metrics, telemetry, analytics, and cookie data collected from connected printers; personal data shared with advertising partners for targeted advertising unless the user opts out.
[27] iRobot: Amazon and iRobot Agree to Terminate Pending Acquisition (January 29, 2024) – Deal abandoned amid EU competition objections; Amazon paid a $94M termination fee; iRobot announced restructuring and CEO transition.
[28] Fortune: Amazon Scraps $1.7 Billion Deal to Buy Roomba Maker iRobot After EU Antitrust Resistance (January 2024) – ~$1.7B (later ~$1.4B) deal; European Commission found risk Amazon could foreclose iRobot rivals; iRobot laid off ~31% of staff.