Each year, when Tivo reminds people that it gathers anonymized viewing data on Tivo usage by reporting Super Bowl stats, a debate arises. A common view is that it's OK because they go to a lot of work (which indeed they do) to strip the data of the identity of the user.
As noted, I've read Tivo's reports and talked to Tivo's programmers, and they did work hard to try to keep the data secure and anonymized.
So why worry? A number of principles are at stake. Privacy is an
unusual issue. You only care about privacy invasions _after_ your
privacy is violated. To avoid invasions some people have to be a
little paranoid, and justifiably argue against building the infrastructure
of a massive surveillance system, even if the people who build it
have good intentions. They might not always run it.
This is not simply an Orwellian fear of the TV watching you (though that
does play a part). Recently, studios sued SonicBlue over the Replay TV,
a competitor to Tivo. To gather data, they sought a court order for
Replay to modify their code to monitor their users to gather data for
the court. Replay doesn't do even the anonymous monitoring Tivo does.
There was great outcry, and the order was reversed. Sadly, that's a
lesson that will cause the next such order to be done in secret.
And unfortunately, Tivo has done 90% of the work needed to make such
an order easy. Yes, they anonymize the data, but they do it
by choice, not natural law. They can undo that choice, either because
they change their minds, or because a court or police agency changes their minds.
How paranoid is it to be worried about something that is not just
hypothetical, but has already taken place at least once?

Or they need do nothing. Should a court order, or a thief, seek to seize
your Tivo from your home, its record of every click on your remote
control in the day since it last phoned home is there on the disk.
Your husband's divorce lawyer says, "You claim you were alone watching TV
that afternoon, but your Tivo logged otherwise..."
What you watch and when you watch it is private data, like what you
read. Feeling private while you read and watch is essential to the
exercise of free speech, which is why we protect it so hard. It's
why there was outrage and new legislation when Justice Bork's video
rental records were scrounged to find information against him.
Congress cared enough to pass a law to make that illegal.
We do have to ask ourselves if we want to build the infrastructure
for a surveillance state. Perhaps we fear the risk of such a
draconian system is slight. Even if it's 1%, that still multiplies
out to a lot of evil.
Last of all, there is no need for this. For decades, survey organizations
have gotten useful data through opt-in procedures. Nielsen randomly
selects families, then pays them to have special set-top boxes to
record their every TV viewing habit, and a 100 billion dollar
advertising industry is based on these numbers. There are a variety
of techniques to avoid self-selection in the sample set. It is
a little harder to do, costs a little more, but it is what Tivo should
In bold face in Tivo's white paper on their privacy system, they write:
"Except where the subscriber opts in, viewing information is kept
separate from, and Tivo cannot link it to these other categories
of information [personal ID]" (top of page 13).
It is the use of the word "cannot" here which is contentious. In
the white paper, they describe the detailed steps they have taken
to disassociate the viewing record from the personal identity.
It's good that they do that, but the key is that they have to do
such a disassociation. All these steps are taken only by choice, and
that choice can be undone. Even though it is reported that the
Tivo sends the ID related streams to one server and the viewing-log
(without ID) to another server, I have not been informed of anything --
other than the good will of Tivo staff or those with legitimate or
illegitimate access to their machines -- that would prevent the system
from being modified to retain associations, to note that data came from
specific IP addresses at different times and to correlate it.
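The paragraph above makes a concrete design point: splitting the ID stream and the viewing log across two servers is only a policy separation if both logs still carry the same join keys (source IP address and a precise timestamp). The following is an added illustration, not Tivo's code or data; the two log formats, the sample records and the subscriber IDs are constructed. It shows that a simple join re-links the "separated" logs, that dropping the IP alone is not enough when the timestamps stay precise, and that minimizing the viewing log at ingest (no source IP, timestamps truncated to the hour) leaves no usable join key.

```python
"""
Constructed demonstration of why a two-server split is a 'will not', not a
'cannot', unless the viewing log is minimized at ingest.  Not Tivo's code.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdRecord:
    """What the identity server sees when a box phones home (constructed)."""
    subscriber_id: str
    src_ip: str
    ts: datetime


@dataclass(frozen=True)
class ViewRecord:
    """What the viewing-log server sees (constructed). src_ip is None once minimized."""
    src_ip: Optional[str]
    ts: datetime
    event: str


# Constructed sample logs: two households phoning home on the same night.
ID_LOG = [
    IdRecord("sub-0001", "203.0.113.10", datetime(2003, 2, 3, 3, 0, 12)),
    IdRecord("sub-0002", "203.0.113.57", datetime(2003, 2, 3, 3, 4, 40)),
]
VIEW_LOG = [
    ViewRecord("203.0.113.10", datetime(2003, 2, 3, 3, 0, 14), "ch=4 play"),
    ViewRecord("203.0.113.57", datetime(2003, 2, 3, 3, 4, 41), "ch=9 skip"),
    ViewRecord("203.0.113.57", datetime(2003, 2, 3, 3, 4, 43), "ch=9 stop"),
]


def relink(id_log: List[IdRecord], view_log: List[ViewRecord],
           window_seconds: int = 30) -> List[Tuple[str, str]]:
    """Join the two logs on source IP within a time window.

    Returns the (subscriber_id, event) pairs recoverable by anyone who can
    read both logs.  An empty result means the IP join key is gone.
    """
    pairs = []
    for v in view_log:
        if v.src_ip is None:
            continue  # minimized record: no IP to join on
        for i in id_log:
            if i.src_ip == v.src_ip and abs((i.ts - v.ts).total_seconds()) <= window_seconds:
                pairs.append((i.subscriber_id, v.event))
                break
    return pairs


def relink_by_time(id_log: List[IdRecord], view_log: List[ViewRecord],
                   window_seconds: int) -> List[Tuple[str, str]]:
    """Join on timestamp alone, keeping only unambiguous matches.

    Shows that dropping the IP is not enough: a precise phone-home time is
    itself a quasi-identifier when only one subscriber reported in that window.
    """
    pairs = []
    for v in view_log:
        candidates = [i for i in id_log
                      if abs((i.ts - v.ts).total_seconds()) <= window_seconds]
        if len(candidates) == 1:  # exactly one subscriber fits: linkable
            pairs.append((candidates[0].subscriber_id, v.event))
    return pairs


def minimize(view_log: List[ViewRecord], drop_ip: bool = True,
             coarsen: bool = True) -> List[ViewRecord]:
    """Data minimization at ingest on the viewing-log side.

    drop_ip removes the source address; coarsen truncates the timestamp to
    the hour so many subscribers share each bucket and time-only joins become
    ambiguous.  The viewing event itself is kept, which is all the stats need.
    """
    out = []
    for v in view_log:
        ip = None if drop_ip else v.src_ip
        ts = v.ts.replace(minute=0, second=0, microsecond=0) if coarsen else v.ts
        out.append(ViewRecord(ip, ts, v.event))
    return out


if __name__ == "__main__":
    print("split only, IP+time join:", relink(ID_LOG, VIEW_LOG))
    print("IP dropped, precise time:",
          relink_by_time(ID_LOG, minimize(VIEW_LOG, coarsen=False), 30))
    print("IP dropped, hour buckets:",
          relink_by_time(ID_LOG, minimize(VIEW_LOG), 3600))
```

Run as a script it prints three results: the raw split is fully re-linkable, dropping the IP but keeping precise times still links every event, and only the minimized log (no IP, hour-granularity time) yields nothing. The point for a defender is that unlinkability has to be enforced by what the collecting server never records, not by which server happens to receive it.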
Furthermore, the Tivo is an "automatic upgrade" machine. At any time
those Tivo staff in possession of the appropriate signing keys and
access can download new software into your machine which can change
anything about its behaviour, including removal of all these anonymization
steps. Unlike most (but not all) PC software packages, the Tivo will
download and upgrade the software without asking for the consent of the
user. (It is Tivo's practice to announce the upgrades and a skilled
person can see them happen, but I don't believe this announcement is
It is possible for an agent with a warrant and gag order to force Tivo to
download new software to a particular user's machine, turning it into
a surveillance device. (LE agents today are known to install spyware
onto suspects' PCs by sneaking into their homes. Automatic update allows
this without the physical access.)
Tivo's people are well-meaning; they would probably fight such an order
within their means to do so, but that does not alter.
Tivo should not promise that they "cannot" associate the data. They can
only say that they will not and currently do not, and that data collected
in the past, once the association has been removed, cannot be associated.
As noted, not only warrants or a change of mind by Tivo can alter this.
It's very hard to find a company with perfect computer security, so hard
that I would be skeptical of such a claim at any highly networked company.
My own personal low security hygiene makes this worse. My Tivo is present on
my home network, inside the firewall. Tivo's agents could do more than
alter my Tivo; they could alter it so that it then gave them inside-the-firewall
access to all my other machines.