Each year when Tivo reminds people they gather anonymized viewing data on Tivo usage by reporting superbowl stats, a debate arises. A common view is that it's OK because they go to a lot of work (which indeed they do) to strip the data of the identity of the user.

As noted, I've read Tivo's reports and talked to Tivo's programmers, and they did work hard to try to keep the data secure and anonymised.

So why worry? A number of principles are at stake. Privacy is an
unusual issue. You only care about privacy invasions _after_ your
privacy is violated. To avoid invasions some people have to be a
little paranoid, and justifiably argue against building the infrastructure
of a massive surveillance system, even if the people who build it
have good intentions. They might not always run it.

This is not simply an Orwellian fear of the TV watching you (though that
does play a part.) Recently, Studios sued SonicBlue over the Replay TV,
a competitor to Tivo. To gather data, they sought a court order for
Replay to modify their code to monitor their users to gather data for
the court. Replay doesn't do even the anonymous monitoring Tivo does.
There was great outcry, and the order was reversed. Sadly, that's a
lesson that will cause the next such order to be done in secret.

And unfortunately, Tivo has done 90% of the work needed to allow such
an order to be easy. Yes, they anonymize the data, but they do it
by choice, not natural law. They can undo that choice, either because
they change their minds, or a court or police agency changes their minds
for them.

How paranoid is it to be worried about something that is not just
hypothetical, but has already taken place at least once?  read more »