1.72 billion TV households exist worldwide, and on average, each viewer spends around three hours per day watching TV. In recent years, innovations in technology have redefined the ecosystem, with new technologies broadening user interactions with the devices. One such transformative innovation is the Hybrid Broadcast Broadband TV (HbbTV) protocol – which is now under scrutiny.

HbbTV was introduced in 2009 and combines traditional TV broadcasts with dynamic digital content delivery. It facilitates a variety of Internet-based applications, where users gain access to on-demand programs, social networks, games, apps, and more. As of 2022, HbbTV has been adopted across European countries with Germany leading the way: over 90% of German Smart TVs support the HbbTV standard. In Austria, 1.4 million out of 3.6 million TV households have HbbTV-enabled devices, which is close to 40%.

However, recent studies suggest that HbbTV poses significant risks to users’ privacy. Combined with tracking and data analytics, people’s viewing behavior registered through the HbbTV protocol provides sensitive insights into their daily lives, their beliefs, and knowledge. Carlotta Tagliaro and Martina Lindorfer from our Research Unit for Security and Privacy conducted an in-depth study on HbbTV’s insecurities including 36 TV channels in five European countries.

Tracking without consent, security loopholes

Out of all the channels analyzed, more than 70% start tracking and profiling the consumer before receiving their consent to the data treatment policy. In Austria, all channels contact track.tvping.com – a domain for collecting user data – every second, even before receiving consent. Some channels do not present any privacy policy at all. Both practices violate the GDPR.

Moreover, 20 of 36 channels deploy tracking pixels, a highly problematic technique for user profiling. Tracking pixels are embedded 1×1 pixel images, frequently used for websites. Invisible to the naked eye, they collect data about users, which can include details about your device, the specific pages you’ve visited, the length of your visit, and more.

But the problems go further: A German shopping channel still handles users’ personal information and credit card data in plaintext, allowing attackers to steal and misuse this highly sensitive data — even though this issue has been known since 2014.

Consumers unaware of TVs security risks

Users do not usually associate TVs with the notorious dangers of the web, thus making them an easy target for attacks. Carlotta Tagliaro and her team conducted a consumer awareness survey, showing that a mentality shift has yet to be seen: “The results of our survey showed a notable knowledge gap,” Tagliaro explains, “out of 132 participants, over two-thirds could not articulate any specific security risks related to Smart TV and HbbTV usage. In addition, the vast majority stated they never read privacy policies presented by digital services. This highlights the urgent need for increased consumer education and transparency from service providers regarding risks and available protections.”

The importance of corporate responsibility is apparent. Nonetheless, the industry goes even further with plans to exploit HbbTV for targeted advertising. “While representing a new possibility for monetization, this introduces security and privacy risk for consumers, such as profiling and targeting – privacy issues that users currently only experienced in the web and mobile apps,” Tagliaro points out. Given these privacy threats, the team is planning to delve into further studies ensuring transparency of HbbTV-based profiling.

Here you can find the original paper and an interview for Ö1 Digital.Leben (in German).

About the Researchers

Carlotta Tagliaro is a second-year Ph.D. student at TU Wien Informatics’ Research Unit for Security and Privacy. She has a great interest in Internet of Things security, especially in what concerns application-layer messaging protocols adopted by everyday users. IoT devices are well-known for their security and privacy issues – hence she tries to understand how such vulnerabilities impact users and what is the best way to secure them.

Martina Lindorfer is an Assistant Professor at TU Wien Informatics’ Research Unit for Security and Privacy. Her research focuses on applied systems security and privacy, with a special interest in automated static and dynamic analysis techniques for the large-scale analysis of applications for malicious behavior, security vulnerabilities, and privacy leaks. Building on her background in malware analysis, she currently focuses on the analysis of mobile apps to enable transparency and accountability in the way they process and share private information. The resulting tools help uncover new and unexpected ways in which apps are violating users’ privacy expectations.

Curious about our other news? Subscribe to our news feed, calendar, or newsletter, or follow us on social media.