The TV That Watches You:
Privacy Concerns Involving TiVo
Kevin D. Williams
M.A., University of Georgia
B.A., University of Georgia
Address: Grady College of Journalism and Mass Communication
University of Georgia
Athens, GA 30602
Phone: 706-769-4822
Email: [log in to unmask]
The TV That Watches You
The TV That Watches You: Privacy Concerns Involving TiVo
With the advent of TiVo, television watchers are promised that their prior
way of viewing television is about to change. TiVo prophesizes that the
days of the blinking "12:00" on everyone's VCR are long gone, replaced by
TiVo's ease of use. Another marketable quality of TiVo is that the machine
can make guesses as to what programs you may want to record based on prior
use and will record these shows without the user ever touching a
button. In short, while you are watching television, TiVo is watching you
and collecting data as to your viewing preferences. Not only does TiVo
keep a log of your viewing preferences, but it also sends that information
back to TiVo's computing headquarters. This often forgotten-about fact has
resulted in many complaining that TiVo violates a viewer's privacy. The
current analysis focuses on 1) what is TiVo, what information does TiVo
collect, and why does TiVo collect it, 2) what privacy issues are raised
and argued because of this data collection, 3) what legislation might
similarly address privacy concerns regarding TiVo, and 4) the author's
opinion on how to legislate privacy concerns regarding TiVo.
1A. What is TiVo?
Hitting the market in mid 1999, TiVo emerged as one of the first digital
video recorders (DVR), also known as personal video recorders (PVR). The
concept of TiVo is similar to that of a VCR except that the program is
recorded to a hard drive instead of a cassette. TiVo connects to a
viewer's current television setup, be it cable, satellite, or broadcast,
and can digitally record several hours of programming. The fact that the
machine is hard-drive-based gives the machine added functionality: the
device downloads
The TV That Watches You
current television schedules which the user can browse and select future
shows they wish to record. A user can also perform a search operation
which will look for programs based on certain genres (sci-fi), actors (Tom
Hanks), program titles ("Friends"), director (Steven Spielberg), or
favorite team (Maple Leafs). This ability is expanded in the fact that the
user can enter one of these categories and the machine will continuously
look for these shows in the future and record them without the user having
to select individual shows. In other words, telling the wish list to
search for a Maple Leafs game will allow the machine to record any future
games played as they air.
Since the machine is computer based, it can keep a log of what programs
you watch and record. One of TiVo's main selling points is that this log
is utilized to make guesses regarding what type of shows one would like to
watch. For example, TiVo recognizes that in viewing Maple Leafs games the
viewer may also like other Toronto sports teams and will record any Blue
Jays games. Upon looking at the recorded shows list, a viewer can either
give the show a "thumbs-up" or "thumbs-down." This action tells TiVo that
either it made the right guess or wrong guess. Over time TiVo "learns" the
viewing preferences of its user.
One can already imagine the delights or the nightmares created by this
ability to guess and log programs. If one enjoys most sci-fi movies and
typically forgets to set the TiVo to record shows, then the ability is
highly advantageous. On the other hand, imagine watching a program that
may have a controversial subject (child abuse or homosexuality) and having
the TiVo log that as a preference. This, of course, would mean that in the
future TiVo would record programs that had some tie-in to child abuse or
homosexuality. If the viewer forgot to give the "thumbs-up" or
"thumbs-down" decision, the hard drive could literally fill up with shows
focused on homosexuality or child abuse. This in fact has been noted to
happen in the case of homosexuality. 1 Since TiVo's algorithms are not
perfect, it is safe to say that the machine could record programming that
an owner does not want taped and in fact be totally contrary to the owner's
preferences.
1B. What Data Does TiVo Collect?
Keeping track of such sensitive data as gay programming has many TiVo
users and those in the privacy area concerned. The information on programs
watched and recorded is not only logged by the device but is also sent to
TiVo's computing headquarters. The implications behind finding out such
sensitive information could be life-altering. Imagine a log becoming
public showing the titles of pornographic movies viewed by a
priest. Imagine discovering that a politician who espouses family values
has a long list of gay-themed shows on their TiVo. Discovering one's
personal viewing habits may seem far-fetched, but in fact the issue has
come up before. During Robert Bork's confirmation hearings for Supreme
Court Justice, a list of Bork's history of video rentals from a store he
and his family frequently visited was later published in the papers for
everyone to see.2 Bork's appointment was not confirmed (not because of his
rental history), but in the wake of this event the Video Privacy Protection
Act of 1988 was passed. With activists arguing that TiVo's collection of
viewing data violates privacy interests, it is important to understand how
and why TiVo collects the data and specifically what data it collects.
Upon the installation of TiVo, contact information pertaining to the user
is entered through the setup menu. This information contains such items as
name, address, telephone number, credit card information, and email
address. Once setup is complete, this information is sent to TiVo's
computing headquarters through a phone line that is connected to the back
of the box. The device also uses this phone line to dial up TiVo's
headquarters every night in order to obtain a program schedule particular
to that user's zip code. Along with downloading the current program
schedule, the device also uploads certain requested files. The files that
are uploaded are one of two types. The servers back at TiVo's headquarters
collect both diagnostic files and personal viewing information files.
Diagnostic files contain information regarding the hardware operation of
the actual TiVo device. This file includes the device's serial
number. Although the diagnostic file does not contain any personally
identifiable information (contact information), the information could be
linked with the device's serial number if TiVo so chose. This information
was already obtained when the subscriber set up the device. Information
contained in the diagnostic file informs TiVo of the device's memory
consumption, user interface response time, disk space, motherboard
temperature, fan speed, and system status reports. The diagnostic file is
not always requested when the TiVo service is dialed every night. TiVo's
computers randomly select subscribers and obtain their diagnostic
files. Every night around 3% of all machines actually send a diagnostic
file to TiVo headquarters.
An example of a diagnostic file would include the following lines of code3:
Jan 13 06:29:44 (none) fancontrol[54]: The current board temperature is 41
Jan 13 06:29:44 (none) fancontrol[54]: Setting the fan speed to 9
Jan 13 06:39:44 (none) fancontrol[54]: The current board temperature is 37
Jan 13 06:39:44 (none) fancontrol[54]: Setting the fan speed to 0
Jan 13 17:42:10 (none) LogTime[94]: WatchTV: change the channel: 0.015 sec
Jan 13 17:42:55 (none) LogTime[94]: Lineup: update the OSD: 0.949 sec
Jan 13 17:42:56 (none) LogTime[94]: Lineup: arrow up/down: 0.011 sec
Jan 13 17:42:57 (none) LogTime[94]: Lineup: arrow up/down: 0.009 sec
As one can see in the last few lines, the information also contains actions
caused by the user such as pressing buttons on the remote control; however,
this file does not contain any specific information regarding programs viewed.
The personal viewing information file does include such information as
programs viewed. A personal viewing file is broken down into two
categories: personally identifiable viewing information (PIVI) and
anonymous viewing information (AVI).4 In most cases these files are AVI
since by default TiVo subscribers are counted as anonymous viewers. Some
subscribers are asked through random surveys if they would like to
volunteer to take part in research which would link their viewing
preferences to their serial number; therefore, all PIVI files have been
consented to and are considered an opt-in decision. The extraction of
these files requires some explaining.
When the actual device is connected at night to TiVo's headquarters the
central server knows whether the subscriber has opted-in or not in regards
to PIVI. If a subscriber has opted-in, the file is sent straight to
headquarters without any renaming. The serial number of the device is
apparent in this file. If the subscriber has not opted-in then the
computer sends the command "Randomize" to the device. In this case a
random number is generated and replaces the actual serial code of the device.
The filenames requested by the central server look like the following: 5
/TiVoData/bprv/20010124/000000.RANDOMIZE.80208.bz2
/TiVoData/bpub/20010124/184023.00840336485942.log.bz2
The first file labeled "bprv" is the viewing information file. In this
case the subscriber has not opted-in and therefore the command reads
"Randomize." The file labeled "bpub" is the diagnostic file which clearly
indicates the device's serial number (in this case 0080336485942).
When the files are sent back to the main computer, they are deposited into
two different directories: the public ("bpub") and the private
("bprv"). The deposited files look like the following: 6
/TiVoData/bprv/20010124/000000.C41CF33D1DC7F401.80208.gz
/TiVoData/bpub/20010124/184023.00840336485942.log.gz
In this case the TiVo device has altered the "bprv" file, replacing the
text "Randomize" with the numbers "C41CF33D1DC7F401." Also, this file does
contain the zip code of the device, "80208," which is at the end of the
name. The date of the file generation is also noted with the number
"20010124," which stands for January 24th, 2001.
Of course, the content of the bprv file is the prize jewel to
TiVo. Within the file, lines of code describe what the viewer actually
watched and when. A sample line of code may look like the following: 7
980389559|WatchTV|recorded|KDVR|3134603|980127000
The numbers at the beginning of this string (the number starting in "980")
is a timestamp indicating when the viewer began watching a show. The
numbers at the end of the string (also starting "980") tell when the show
was originally recorded. These numbers represent how many second have
passed since January 1, 1970. KDVR is the station where the show
originally aired. The number "3134603" is a number given to a particular
program (in this case King of the Hill). This is why a zip code is
included in viewing information. Programming may vary over an area; thus,
tracking the zip code informs a reader as to what television schedule
should be referenced. After receiving the anonymous viewing information
the file is placed onto one of 10 different directories, essentially
scattering the AVI files. Every 30 seconds these files are re-scattered
and placed randomly in different directories. Every three hours, the
servers erase all time stamp information associated with the files and
deposits the files contained in the 10 directories into one single file and
sends the file to a restricted access server.
1C. Why Does TiVo Collect This Data?
From this description of what data is collected, the next question of why
the data is collected emerges. Matthew Zinn, Vice President, General
Counsel, and Chief Privacy Officer for TiVo states the following:
1) Anonymous viewing information is collected to determine what programming
subscribers like to watch, skip, or record. This information helps TiVo
make inferences on what future programs a viewer might enjoy. Anonymous
viewing information can be shared with third parties as long as it remains
anonymous.8
2) Diagnostic information is collected to evaluate technical problems with
the devices. This information is only shared with manufacturers attempting
to remedy the malfunctions.9
3) Personally identifiable information is collected to help TiVo conduct
audience surveys and measurements.10
4) Account Information is collected to help facilitate the providing of
services. TiVo does have contracts with other billing agencies and
manufacturers and shares this information with those groups in order to
provide the TiVo service.11
It is important to note that there are other service providers, such as
DIRECTV, that offer their own collaborative TiVo system (in other words, a
combination device that acts as both a satellite receiver and TiVo PVR).
Zinn is basically restating that AVI cannot be linked to any personally
identifiable information, and PIVI has to be consented to and
opted-in. What Zinn also states regarding anonymous viewing information is
that TiVo shares "top line" (we are not given a definition for "top line")
anonymous viewing information with third parties such as advertisers and
cable networks. This viewing by third parties, be it advertisers, cable
networks, or TiVo employees, is what has spurred privacy concerns over
TiVo's collection of data.
2. Privacy Arguments
In March of 2001, two years after the initial launch of TiVo, The Privacy
Foundation and the University of Denver Privacy Center published the
results of a 4-month independent investigation concerning the privacy
issues regarding TiVo. Among the initial findings were the following: 1)
TiVo gathers enough information to track individual users' home viewing
habits while apparently promising not to do so, 2) TiVo could identify the
personal viewing habits of subscribers at will, and 3) TiVo has a much more
explicit privacy policy disclosure on its website than in the printed
material that accompanies the purchase of the product.12
These three arguments are the basis for the concerns over privacy
regarding TiVo. This publication led Congressional members to write to the
Federal Trade Commission (FTC) and ask for an investigation into TiVo's
privacy policy.13 This letter to the FTC combined with the Privacy
Foundation's investigation caused TiVo to write a response14 to the FTC
addressing the issues brought up by the Foundation's report; thus, the
battle between the two groups began.
The Privacy Foundation argues that even though the viewing information
file may be called anonymous there is a way to re-identify the
information. If the subscriber's receiver is picked to include a
diagnostic file, the two files will be sent simultaneously back to TiVo
headquarters. While one of the files may not include the serial number of
the receiver, the diagnostic file will include that
information. Therefore, if anyone were to intercept this transmission of
data, they could link the viewing data with the serial number through the
diagnostic file. The foundation also argues that logging when the files
arrive (a.k.a. ftp logging) could lead to a time stamp that could used to
match files together.15 This activity constitutes the Foundation's first
two claims that TiVo gathers enough information to link viewing habits with
a specific person and could do so at will.
The third argument the Foundation poses is that there is no consistency
between privacy policies published by TiVo. The Foundation states that the
privacy policy on TiVo's website is more detailed than in the printed
manual that accompanies the actual receiver and that the privacy policy
overall misrepresents what data TiVo actually collects and how it collects
that information. The manual that the Foundation had acquired stated that,
"Personal viewing information which identifies you or your household's TV
viewing practices belong to you, and no one outside your home, not even the
TiVo staff or any of TiVo's computer systems, will have access to it
without your prior consent."16 When defining anonymous viewing information
the manual states, "(Anonymous viewing information) is not linked to you or
your household in any way."17
The Privacy Foundation argues that this statement misrepresents how TiVo's
file transfers actually occur. The Foundation argues that TiVo could at
any time use time stamping to correlate diagnostic and viewing information
files to determine who watched what and when. In this regard, the
Foundation argues that employees and computer systems do have access to
viewers' watching habits and that AVI can be linked to individual households.
The final policy argument by the Foundation regards the discrepancy
between the manual policy and the policy as stated on TiVo's website. The
Foundation claims, and rightly so, that the policy on the web is more
detailed than that of the manual. The website policy gives full
definitions of terms such as PIVI, AVI, contact information, and account
information. The manual obtained by the Foundation stated that, "Our
privacy policy may change over time. In addition to posting any changes on
our website, www.TiVo.com, we will provide or send a notice to each TiVo
customer before any changes are implemented."18 The Foundation argues that
it is unfair to expect a user to browse the Internet in order to be
informed of the latest privacy policy changes. In the closing of the
website privacy policy and in the manual privacy policy it is stated, "Use
of your Recorder with TiVo will signify your acceptance of the Privacy
Promise."19 This is another bone of contention with the Privacy Foundation
who claims, "It is hard to believe that users without Web access truly
signify their acceptance of this disclosure, which they have not read,
simply by using the device under the assumption that the privacy policy
included in its manual was complete."20
Of course, TiVo has a response to all of these claims and most are stated
in Zinn's response to the FTC.21 Zinn right off the bat mentions that the
Privacy Foundation's study was conducted with an older version of the
device, an "inescapable byproduct of retail distribution," and therefore
has long been outdated. Zinn goes on to say that the current manual
includes the same definitions and descriptions as the website and that TiVo
owners are told to regularly visit the website for any amendments to the
privacy policy.22
The Privacy Foundation contends that it is unfair for TiVo to expect users
to log on to the website to check for amendments to the privacy policy,
especially since not all users may have web access. Zinn points out that
not only does TiVo print its policy changes on the website and in current
manuals, but it also emails users new changes (Mr. Zinn seems to neglect
the fact that those without web access may not have email addresses) and
sends notices of changes in policy through messages via the TiVo system
itself. All TiVo systems have a message center where messages from TiVo
appear and can be viewed at any time. Zinn notes that the policy change in
September of 2000 (which caused the discrepancy between manual and
website), was broadcast on every user's message center.
Regarding the re-identification of viewing information, Zinn attacks on
multiple points. Zinn points to the fact that the Privacy Foundation
arguments are based on what TiVo "could" do, not on what TiVo "actually"
does. Not every transfer contains both diagnostic and viewing information
files. Zinn argues that TiVo has gone to great lengths to design a system
that protects anonymity as closely as possible except where a subscriber
has opted-in to having their PIVI noted. He also brings up another point:
the privacy policy states that any user can call TiVo's toll free number
and opt-out of any data collection whatsoever. A TiVo subscriber can call
TiVo and ask that no information (including diagnostic, AVI, or PIVI files)
be collected. This, of course, excludes the initial contact information
needed to activate the system; but this option keeps all viewing
information on the hard drive and does not allow it to be collected by TiVo
headquarters.
Regarding the time stamp of ftp logging, Zinn's response is simple: the
time stamp is erased from the files every 3 hours. This becomes a sticky
situation because for 3 hours starting from the initial deposit the files
actually could be correlated if a deviant employee decided to do
so. Again, this is assuming that there is a corresponding diagnostic
file. TiVo states that it has always been and will always be committed to
the privacy of its users. For now, it seems that TiVo has resolved itself
not to share any identifying information beyond those third parties with
whom they have contracted. Zinn is quoted in USA Today as saying, "We
don't disclose personally identifiable information as a matter of policy,
and we won't as a matter of policy."23 The next quote in that article is
by Jim Barton, TiVo technology officer, who claims, "We could modify our
systems to do so, but we're not."24
Barton's statement seems to let the cat out of the bag. TiVo repeatedly
promises that it does not, and even cannot, access any personally
identifiable information without the user's consent. Barton's claim
refutes the "does not" promise in the prior statement and sheds light that
TiVo can, in fact, modify the system to do so. This future promise of
privacy has been made before by other companies, such as Amazon.com25 and
Toysmart,26 and not held its weight. These companies promised never to
divulge personal data to third parties without customer consent but later
re-defined "personal data" in such a way that they saw fit to sell that
information. If this is a routine path for companies who collect such
personal data, it seems unavoidable that TiVo will eventually attempt to
sell the data it has collected. Richard Smith, Privacy Foundation
technology officer, agrees, "Right off the bat, we have a trust problem
here. There's no laws around this to cover it; they're (TiVo) free to do
whatever they choose."27
3. Existing Relevant Legislation
While Mr. Smith is correct in saying that there are no laws which
specifically address TiVo, there are laws that could be considered relevant
to the current privacy concerns, most notably those that relate to cable
privacy and computer privacy. If one thinks about it, TiVo essentially is
just a channel (or device) through which already established programming
flows through and is also a computer in the fact that it has a hard drive
that stores information. Likewise most of the laws written for cable and
for computers are analogous to TiVo's operations. The main laws pertaining
to TiVo can be found in the Cable Privacy Act of 1984, the Stored Wire and
Electronic Communications and Transactional Records Access Section of the
Electronic Communications Privacy Act of 1986, and the Video Privacy
Protection Act of 1988.
The Cable Privacy Act of 198428 places protections on the privacy of cable
subscribers. It is important to note that TiVo's privacy policy reads very
closely to that of most cable operators.29 The Cable Privacy Act covers a
myriad of topics but specifically legislates the following:
• The privacy policy must tell the user of the nature of the personally
identifiable information collected and the nature of the use of such
information.
• The privacy policy must identify the types of third parties that may be
privileged to such information.
• The privacy policy must tell the user the time and place in which the
user may obtain access to the their own personal information.
• The disclosure of personally identifiable information such as viewing
habits must be consented to by the subscriber.
• A disclosure of personally identifiable information can be made without
consent if it is necessary to the operation of the subscription (in other
words, to repairmen, billing agents, and installers). In this case no
information regarding viewing can be disclosed.
• "Personally identifiable information" does not include any record of
aggregate data which does not identify individual persons.
• The cable operator must destroy all personally identifiable information
once the information is no longer needed to render a service (in other
words, once the subscriber has terminated their service).
As can be seen by comparing this statute and TiVo's privacy plan, it
appears that TiVo does not violate any laws regarding the Cable Privacy
Act. TiVo tells the user in its privacy policy what information is
collected, defines terms such as "personally identifiable information" and
"anonymous viewing information," tells why the information is being
collected, and tells the user that PIVI may be shared with third
parties. Furthermore, the policy states that viewers must consent and
opt-in in order to have their PIVI tracked. There is no violation caused
by the collecting of AVI because consent rules, like those regarding PIVI,
do not pertain to aggregate information that does not identify individual
persons. TiVo also says in its policy that a user "may make a request by
telephone, mail, or via the web (when available) to review your Account
Information and we will mail you a printout of your Account
Information."30 It appears that the fact that users can opt-out of any
data collection whatsoever is just icing on the cake.
Of course, the natural response to this argument would be that this statute
was intended for cable operators and is therefore not relatable to PVR's
such as TiVo. The history behind the statute strikes at the same concerns
that are being raised now by TiVo. In Scofield v. Telecable, Judge
Anderson notes:
The section (551) was included in the Act in response to Congress's
observation that: "Cable systems, particularly those with a two-way
capability, have an enormous capacity to collect and store personally
identifiable information about each cable subscriber."31
This argument would lead one to believe that Congress was not so much
concerned with what particular broadcast method (cable, satellite,
broadcast, or even TiVo-like set-top boxes) was collecting the data, but
rather was concerned about technological advances could affect privacy rights.
Scofield is also important in that it addresses the Privacy Foundation's
concerns that the first privacy policy of TiVo was not as extensive as
later versions. Judge Anderson found in the case that a policy does not
have to be perfect; it simply needs to be clear, conspicuous, and inform
the public as to what it is legally responsible for telling them.32
The Stored Wire and Electronic Communications and Transactional Records
Access section (a.k.a. the Stored Communications Act) of the Electronic
Communications Privacy Act of 198633 looks at TiVo in a very different
light: that of a computer instead of a cable provider. In this regard the
Act legislates transmitting the files over the telephone back to TiVo's
headquarters. Many privacy advocates argue that storing these files
containing personally sensitive information on the hard drive of the TiVo
violates personal privacy and the Stored Communications Act.
Much of the discussion treats TiVo like a computer in that the collection
of data by TiVo is similar to the concept of "cookies"34 on a
computer. This is the same concept behind tracking viewing behavior on
TiVo. TiVo is tracking what I watch so that it may suggest and record
similar programming for me. This information may also be distributed to
third-party advertisers if I consent to the distribution.
This tracking ability, either by a website or by TiVo, however does not
violate any laws regarding the Stored Communications Act. Many cases
involving cookies claim that such tracking violates the statute because
stored electronic information is gathered by an intercepting force. These
cases are rarely won in court and are frequently dismissed. The Stored
Communications Act basically states that:
1) whoever intentionally accesses without authorization a facility through
which an electronic communication service is provided; or
2) intentionally exceeds an authorization to access that facility; and
thereby obtains, alters, or prevents authorized access to a wire or
electronic communication while it is in electronic storage in such system
shall be punished.35
This is to say that privacy advocates believe cookies violate the Stored
Communications Act because a user has an agreement with their Service
Provider (such as BellSouth) to browse the Internet. These advocates argue
that a website tracking your activity acts as an interceptor in that it
accesses your stored surfing preferences from your computer. If this
argument seems obfuscated, then it is easy to understand why most of these
cases are dismissed.
A shining example of this argument is brought about by Judnick v.
Doubleclick, Inc.36 Doubleclick, a large Internet advertising service, is
affiliated with several websites (Alta Vista and Macromedia to name a few)
and has an agreement with those sites that information obtained through
those sites be gathered by Doubleclick. This information helps Doubleclick
tailor advertising to a user when they visit another affiliated
website. Judnick, on behalf of the General Public of the State of
California, contended that Doubleclick had no right to gather information
on her personal browsing habits. Judnick argued that Doubleclick acted as
an interceptor because she was having a communication with a particular
website (maybe a Macromedia site for example) and Doubleclick was a third
party collecting the data from that action. In this case the argument is
not that cookies acted as interceptors between a surfer and the service
provider but rather that Doubleclick's cookies acted as an interceptor
between a surfer and a specific website they were browsing. The court saw
differently.
Doubleclick argued that its behavior was exempt from the Electronic
Communications Privacy Act (ECPA) because it was authorized by its clients
(one of whom was the website that Judnick was visiting) to collect that
information. The court believed that Doubleclick's actions constituted an
interception of electronic communications between plaintiffs and
Doubleclick's clients (a website affiliated with
Doubleclick). Unfortunately for Ms. Judnick, the court, referencing the
ECPA, 37 noted that the website Ms. Judnick was viewing was a client of
Doubleclick which had consented to such interception. The judge eventually
dismissed the case on several grounds, one of which was that the suit
lacked merit because Doubleclick's actions did not violate the ECPA.
The relation of this case to TiVo is simple. Tracking websites is similar
to tracking programming. A privacy advocate could argue that a television
viewer is a participant in a communicative transaction between themselves
and their cable, satellite, or broadcast provider and that TiVo effectually
intercepts these transactions by tracking them, logging them, and storing
them on the hard drive. As seen in this case, however, this argument would
unlikely succeed in court since all TiVo users consent, upon using the
service, to have viewing information gathered either anonymously or as
personally identifiable. Again, the user also has the ability to opt-out
altogether of any data being collected. Doubleclick as well had an opt-out
option in which the cookie could be eliminated by visiting a website and
signing up for the opt-out. This point as well was brought up by the court.
Tracking viewing preferences has also become a behavior which is
legislatively regulated. It seems that the major worry of the Privacy
Foundation is that the information containing an individual's viewing
habits would become public knowledge. This fear has already surfaced. As
mentioned before, Judge Robert Bork's list of video rentals was released to
the public when he was undergoing confirmation for the Supreme Court. This
release of information spurred the Video Privacy Protection Act (VPPA) of
1988.38 Among several of the limitations of the Act, the VPPA includes:
• A video tape service provider who knowingly discloses, to any person,
personally identifiable information concerning any consumer of such
provider shall be liable to the aggrieved person…;
• A video tape service provider may disclose personally identifiable
information concerning any consumer;
• To the consumer;
• To any person with the informed, written consent of the consumer given at
the time the disclosure is sought;
• A video tape service provider must destroy rental records no longer than
one year after the account is terminated
This statute has been presented in court before. In Camfield v. City of
Oklahoma City, 39 a resident of Oklahoma complained that the movie The Tin
Drum contained child pornography and violated Oklahoma law. A judge agreed
that it was child pornography and ordered the police, who did not have a
warrant, to collect from local video stores the names of people currently
renting the film. Police went to Mr. Camfield's house and seized the
video. The court later found that this action violated Mr. Camfield's
rights under the VPPA.
It could be argued that TiVo has nothing to do with this law in that it is
not a video service provider. The Act's definition of "video tape service
provider" could be construed, however, to include TiVo. As defined by the
statute, a video tape service provider "means any person, engaged in the
business, in or affecting interstate commerce, of rental, sale, or delivery
of prerecorded video cassette tapes or similar audio visual
materials…"40 The question then becomes: Is TiVo engaged in the business
of delivering prerecorded audio visual materials? This question has not
yet come before the courts.
One sticky point of the Act is that it allows video tape service providers
to disclose without consent, as long as the consumer has the option to
opt-out, genres or subject matter of audio visual materials to third
parties for the "exclusive use of marketing goods and services directly to
the consumer."41 The question here is whether or not TiVo as a video
service provider could legally tell marketers that a viewer likes to watch
pornography in order for a marketer to sell products to that user. The
question has already been answered, however, in TiVo's privacy
policy. Again, TiVo warns clients that it does collect personally
identifiable viewing information and discloses it to third-party marketers,
but the user has to consent or opt-in for the information to be
collected. In short, according to TiVo's policy even materials given to
third-party marketers must be consented to by the user.
Having looked at these three statutes (the Cable Privacy Act, the Stored
Communications Act, and the Video Privacy Protection Act), it is hard to
find evidence that TiVo violates any privacy laws currently enacted by the
U. S. Government. TiVo's privacy policy seems to meet all the standards
under these statutes much the same way that cable operators' privacy
policies appear to be legal as well; therefore Richard Smith's claims that
TiVo could do anything it wishes may not have merit.
4. The Future Path to Legislating Privacy Concerns Regarding TiVo.
While there may be similarities, TiVo is not a cable operator. It is
neither a conventional computer nor a video store such as
Blockbuster. TiVo is a new device that watches the viewer at the same time
that a viewer watches television. There are current statutes that regulate
devices and industries that are analogous to TiVo, but there is no single
statute that specifically is tailored to answer TiVo's privacy issues. As
devices like TiVo evolve, so to will privacy questions that have not been
previously considered in the courts. One thing is for certain: subscribers
to such devices as TiVo are gathering in numbers; 42 and, therefore, one
can only say that with such growth new questions will eventually be brought
forward.
The rise of these questions brings one to ponder how such legislation will
be constructed to deal with the privacy issues that a device like TiVo will
invite. Although the previously mentioned statutes address mediums,
devices, and industries similar to TiVo, there are no specific laws
regulating how TiVo must handle privacy concerns. In my opinion, a
specific law will have to be tailored to deal with TiVo's privacy
concerns. It would be ideal to think that a law could be constructed to
adequately address privacy issues for both TiVo and for whatever technology
evolves as an offshoot from TiVo; however, it is important to realize this
task will almost be impossible without the help of a crystal ball that will
tell us exactly what will develop from the technology. As Daniel Solove,
information privacy expert, notes, "In a world constantly being transformed
by technology, how can we erect a robust and effective law of privacy when
the ground is constantly shifting?"43 Solove argues that trying to
generalize and conceptualize privacy into overarching terms in order to
construct omnibus privacy laws is only self-defeating. Instead he argues,
as do I, that privacy concerns are best addressed in the specific contexts
in which they are raised.44 This is essentially the basis for my argument
that any law enacted to address TiVo's privacy concerns will have to be
specifically tailored to address TiVo's particular technology, that of
logging a person's video content. Such a law would have to be tailored to
discourage and punish those interested in obtaining a person's television
viewing habits.
This is not to say that we cannot take the statutes of the past and modify
them to fit the current situation. Indeed, laws such as the Video Privacy
Protection Act regulate a comparative situation that the Privacy Foundation
is chiefly worried about: someone obtaining personal information about
one's viewing habits. Also, I believe that it will take a violation
similar to that brought against Robert Bork to act as a catalyst in
creating any new law. It is not hard to imagine that some computer hacker
could illegally obtain a list of television shows watched by someone of
importance and then give the list to someone to publish. While the hacker
may be charged with violating the ECPA, a specifically tailored privacy
statute could punish someone who published information relating to a
person's television viewing habits.
Although there seems to be no legal improprieties taking place within
TiVo's privacy policy, I feel that there could arise situations outside of
the company's control that violate one's personal privacy (the
aforementioned hacker is one example). Being that this is a possibility,
it is unforeseeable to me how a statute protecting the privacy of one's
television viewing habits could harm the legal arena. It is hard to
predict the future but it is easier to recognize that the change in
technology will evoke new considerations in privacy laws. As Warren and
Brandeis state:
That the individual shall have full protection in person and in property is
a principle as old as the common law; but it has been found necessary from
time to time to define anew the exact nature and extent of such protection.
Political, social, and economic changes entail the recognition of new
rights, and the common law, in its eternal youth, grows to meet the demands
of society.45
The TV That Watches You
2
Endnotes
1. See Jeffrey Zaslow, If TiVo Thinks You Are Gay, Here's How to Set it
Straight, available at
<http://online.wsj.com/article_email/0,,SB1038261936872356908,00.html>
(last visited December 12, 2002). As reported in the Wall Street Journal,
actor Mike Binder (of the HBO show, The Mind of the Married Man) recorded a
movie he had starred in called The Sex Monster, which was about a man whose
wife decides to become bisexual. After the recording, TiVo decided to
start recording gay programming for Mr. Binder. The article goes on to
mention other wrongly-guessed users such as Lukas Karlsson who gave the
"thumbs-down" on religious programming and was thus bombarded with programs
focusing on serial killers and homicides.
2. See Electronic Privacy Information Center, EPIC Video Privacy Protection
Act Page, available at <http://www.epic.org/privacy/vppa/> (last visited
December 12, 2002).
3. See Privacy Foundation, TiVo's Data Collection and Privacy Practices,
available at
<http://www.privacyfoundation.org/privacywatch/report.asp?id=62&action=0>
(last visited December 3, 2002).
4. Id.
5. Id.
6. Id.
7. Id.
8. TiVo, Inc., White paper Submitted to the Federal Trade Commission,
available at <http://www.TiVo.com/pdfs/ ftc_letter.pdf > (last visited
December 03, 2002). at 16. "As described in its privacy policy, TiVo staff
members use Anonymous Viewing Information to analyze what programs,
advertisements, and types of programming subscribers watch, skip, or
time-shift for later viewing. For example, TiVo uses Anonymous Viewing
Information to develop inferences that people who watch show X are likely
to watch show Y. TiVo shares certain "top line" Anonymous Viewing
Information with advertisers, cable networks, and other third parties. This
information is not identified with any particular subscriber. TiVo has no
other plans for future uses of Anonymous Viewing Information. Whatever
such future uses may be, they will comport with TiVo's core promise:
viewing information will remain anonymous unless subscribers consent before
such information has left the Receiver."
9. Id. "TiVo uses Diagnostic Information to assess technical problems both
with the hardware on individual receivers and with the software, which may
affect large numbers of receivers. This detailed information is not shared
with third parties, except that the overall results may be shared with
manufacturers to determine the source of and corrective action needed for
specific hardware and/or software problems. Diagnostic Information log
files must include the receiver serial numbers in order for TiVo to
identify and correct faulty receivers."
10. Id. "Personally identifiable viewing information resides in the
receiver. Without a subscriber's prior consent, no "tag" is added to
viewing files transmitted from receivers to TiVo Broadcast Center's servers
that would enable TiVo to identify the receiver from which it came. For
those subscribers who have opted in to the collection of personally
identifiable viewing information, TiVo may use this information for surveys
of particular subscribers and audience measurement. TiVo has committed to
notify subscribers who have opted in if TiVo plans to change the current
uses of personally identifiable viewing information, and will give
subscribers an opportunity to opt in to any such new uses."
11. Id. at 16, 17. "Account Information is disclosed to the appropriate
service provider (e.g., DIRECTV), where operationally necessary to
facilitate the provision of service. TiVo also uses contractors and
third-party service providers (e.g., billing agents), who may have
temporary access to Account Information and other Subscriber Information
for specific purposes. TiVo's contracts bind these contractors and
third-party service providers (e.g., DIRECTV) to TiVo's privacy policies;
specifically, contractors and third parties may collect and use Account
Information only for the specific and limited purposes designated in those
contracts (e.g., bill collection)."
12. Privacy Foundation, supra.
13. U.S. House of Representatives, Letter to FTC Regarding Privacy
Policies, available at <http://www.house.gov/
commerce_democrats/press/107ltr30.htm> (last visited December 03, 2002).
at ¶2. "The simple fact is that most consumers are not comfortable with
having someone or something watch them while they watch
television. Privacy of the individual's viewing habits is an issue that
Congress has already addressed in the context of cable television and video
rentals. And, as in these cases, people clearly do not want their personal
viewing choices to be known to others or involved in a criminal
investigation or a civil proceeding."
14. See TiVo Inc., supra.
15. In other words a diagnostic file received on December 13th at 5:04:25pm
could be matched with a viewing file received at the same time. Matching
the serial number of the diagnostic file with the contact information that
TiVo has already stored would give someone a complete record of viewing
activity linked to a person's name.
16. Privacy Foundation, supra.
17. Id. at Second Disclosure Section.
18. Id.
19. TiVo, Inc., TiVo Digital Video Recorder-Privacy Policy, available at
<http://a423.g.akamai.net/7/423/1788/3c5a51df7e75f5/www.TiVo.com/pdfs/privacy_policy_9_2002.pdf
> (last visited December 12, 2002). at ¶2.
20. Privacy Foundation, supra.
21. TiVo, Inc., White paper Submitted to the Federal Trade Commission, supra.
22. Id. at 4. "outdated manuals are an inescapable byproduct of retail
distribution of a new technology that is undergoing revisions to improve
the service. Even (outdated) privacy policy in the user manual the Privacy
Foundation used for its analysis was consistent with the updated version of
the privacy policy on TiVo's website. Indeed, TiVo's privacy policy has
consistently stated that the privacy policy is subject to amendment, and
TiVo took steps to inform consumers of expansions of and clarifications to
its privacy policy."
23. Privacy Group Slams TiVo, available at
<http://www.usatoday.com/life/cyber/tech/2001-03-26-TiVo.htm> (last visited
December 11, 2002). at ¶6.
24. Id.
25. See Eric J. Sinrod, Amazon.com's Privacy Policy Comes Under Fire,
available at <http://www.usatoday.com/tech/
columnist/ericjsinrod/2002-10-24sinrod_x.htm> (last visited December 12,
2002). Amazon.com used the same procedure as TiVo in that it collected
information on particular users' preferences by taking note of what
information the user browsed for on their search tool and by taking note of
what items users purchased. Amazon had a privacy policy that said its
personally identifiable data would not be sold to a third-party without the
user's consent; however, Amazon later said that personal data may be
transferred to another company if those assets were acquired by other
business entities.
26. See D. Ian Hopper, Toysmart Database to be Destroyed: Dot-com Tried to
Sell Customer Information after Business Failed, available at
<http://abcnews.go.com/sections/scitech/DailyNews/toysmart010110.html>
(last visited December 12, 2002). This is another case in which the
company re-defined the personal information it collected as company
assets. Toysmart was an online toy retailer that had a similar agreement
with its user much like that of Amazon. When Toysmart went bankrupt it was
ordered to sell off all assets or pay off its creditors. Toysmart realized
that it could sell the personal data it had collected on its users and
avoid paying the $50,000 it owed to its creditors. A furor developed over
this issue and it as well was brought before the FTC. Eventually Disney,
which was the majority owner of Toysmart, paid the $50,000 owed to the
creditors and promised to destroy the personal data.
27. Privacy Group Slams TiVo, supra. at ¶16.
28. 47 U.S.C. §551 (2002).
29. See Charter Communications, Inc., Charter Cable Television and Internet
Service Privacy Statement (version 2.3), available at
<http://www.charter.com/site/rules.asp#privacy> (last visited December 4,
2002).
30. TiVo, Inc., TiVo Digital Video Recorder-Privacy Policy, supra. at 6.
31. Scofield v. Telecable of Overland Park, Inc., 751 F. Supp. 1499 (D.
Kan. 1990), rev'd 973 F.2d 874 (10th Cir. 1992). at 5.
32. Id. at 20. "A disclosure does not fail to be 'clear and conspicuous'
or 'meaningful' simply because a superior or more detailed statement could
have been provided; the question is whether the disclosure offered is
sufficiently clear.
33. 47 U.S.C. §2701-2711 (2002).
34. Cookies are used to track what websites an Internet surfer has
visited. These cookies are generally placed on a user's computer by
another website. The personal surfing behavior is stored on the computer
and later sent back to the original website in hopes that the information
will be used to tailor advertising to the user's preferences when that user
returns to an affiliated website. In other words, a website employs a
cookie on my machine which tracks my surfing and recognizes that I visit a
lot of automotive sites. When I return to an affiliated website,
advertising pertaining to cars may be displayed on that site.
35. 47 U.S.C. §2701-2711 (2002). at §2701.
36. Judnick v. Doubleclick, Inc., 154 F. Supp.2d 497 (S.D.N.Y., 2001).
37. In re Doubleclick Inc. Privacy Litigation, 00 Civ. 0641, 154 F. Supp.2d
497 (S.D.N.Y., 2001). at ¶8. The judge referenced the Electronic
Communications Privacy Act stating that it is a violation "to access
without authorization a facility through which an electronic information
service is provided…and thereby obtain… access to a wire or electronic
communication while it is in electronic storage in such system…; the
statute contains an express exception, however, exempting from its coverage
"conduct authorized…by a user of that service with respect to a
communication of or intended for that user."
38. 18 U.S.C. §2710 (2002).
39. Camfield v. City of Oklahoma City, 248 F.3d 1214 (10th Cir. 2001).
40. 18 U.S.C. §2710 (2002). at definitions, item 4.
41. Id. at Video Tape Rental and Sale Records, item 2, subsection D2.
42. There are currently over 460,000 TiVo Subscribers.
43. Daniel J. Solove, Conceptualizing Privacy, 90 Calif. L. Rev. 1087
(2002). at 1089-1090.
44. Id. at 1092. "My approach diverges from traditional accounts of
privacy that seek to conceptualize it in general terms as an overarching
category with necessary and sufficient conditions. In other words, I
suggest an approach to conceptualize privacy from the bottom up rather than
the top down, from particular contexts rather than in the abstract."
45. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L.
Rev. 193, 193 (1890).
|
