Netflix Fails Privacy Test
- August 31, 2021
- Clayton Rice, Q.C.
Streaming is the method of viewing video or listening to audio content on an internet-connected device without downloading the media file. It is the continuous transmission of a video or audio file from a server to a subscriber. Anyone with an internet connection can watch movies or make a video call over the internet. Streaming is attractive to many consumers because it functions in real time and is more efficient than downloading. If a video is streamed, rather than downloaded, the browser can play it without copying and saving it. The recipient does not have to wait for the entire file to download before accessing it. Streaming, then, refers to the method of delivering content, not the content itself. But, like everything else on the internet, the user leaves digital footprints that implicate the right to privacy.
1. Streaming Media
The distinction between delivery method and media content is specifically applicable to telecommunications networks. Most traditional delivery systems are inherently streaming or inherently non-streaming. Radio and television are examples of the former, and videotape and compact discs are examples of the latter. It is also important to clarify the term livestreaming. Livestreaming is generally understood to mean online streaming media that is simultaneously recorded and broadcast in real time. It is often simply referred to as streaming which can be misleading because the term streaming may refer to any media that is delivered and played simultaneously without downloading. Various non-live media may be technically streamed but are not live-streamed such as YouTube and vlogs.
Streaming television, which is the main topic of this post, may be described as the digital distribution of television content over the internet as contrasted with over-the-air aerial systems such as cable television and satellite systems. Streaming is most prevalent in video on demand platforms and streaming television services such as Netflix, HBO Max and Amazon Prime Video. Several factors have been identified by analysts that make live streams risky, particularly for children who may be exposed to age inappropriate content when viewing other people’s live streams. (here) There can be thousands of people viewing a live stream at any given time which heightens the need to protect young people from potential exploitation and manipulation.
2. Common Sense Media Report
Since 2003, Common Sense Media has been a source of entertainment and technology advice for families and educational institutions. “With more and more of life happening online, what catches kids’ attention isn’t always what’s best for them, and what companies do with their personal information isn’t always clear,” the organization states on its website. (here) In a report published this month titled Privacy of Streaming Apps and Devices: Watching TV That Watches Us, researchers found that most of the popular streaming services and television streaming services failed to meet the organization’s minimum requirements for privacy and security practices. (here) The report evaluated the privacy policies of the top ten streaming apps: Apple TV+, YouTube TV, Disney+, Paramount+, HBO Max, Peacock, Amazon Prime Video, Discovery+, Hulu and Netflix. Due to the limited number of electronic devices in many households, children may use an adult’s device that results in the collection of “behavioral information about their viewing habits and interactions with content that could lead to privacy risks”. Here are four extracts from the report’s key findings:
- […] YouTube TV received our highest overall score, but Apple TV+ was the only product to earn a “pass” rating for better privacy practices that protect everyone. Netflix received the lowest overall score with a “warning” rating. Specifically, Apple did better than Netflix in every category. YouTube TV received the highest overall score, even with a “warning” rating, because YouTube TV had the most comprehensive policy, despite engaging in some worse privacy practices which earned them a “warning” rating. How did this split occur? We give points for transparency.
- YouTube TV’s comparatively higher score, in other words, speaks to their transparency in telling us that they use our data and share it for advertising. Apple is less comprehensive and transparent in its policies (and could raise their score if they addressed more issues in their policies), but the fact that Apple’s policy says that they do not share or use personal data for any advertising, marketing, or tracking earns them our highest “pass” rating.
- […] Hulu and Netflix did not have better practices than most other streaming apps in the category of Data Rights, which includes the user’s ability to access, edit, delete, and export data. However, Apple TV+, YouTube TV, Amazon Prime Video, and Netflix were the only streaming apps that say they don’t sell users’ data.
- YouTube TV and Disney+ also have the best practices in the category of Data Safety that includes interactions and privacy controls, but Apple has the best practices in the category of Ads and Tracking than all of the other streaming apps. Also, most streaming apps including Peacock and Discover+ have either fair or average data collection and security practices.
In a tech newsletter titled A Thumbs Down for Streaming Privacy published in The New York Times edition of August 24, 2021, Shira Ovide emphasized that not all collection or uses of consumer data is necessarily harmful. Streaming companies, for example, will use personal information to help a user reset a forgotten password. “The problem that Common Sense Media highlighted,” Ms. Ovide wrote, “is that Americans, with limited exceptions, simply cannot know what companies do with all the information they gather about us. Mostly we have to rely on legal documents that offer an illusion of control and think through the hypothetical risks of what could go wrong with our personal information out in the wild.” (here) Common Sense Media made a similar observation in a post to its website that the findings of the report “serve as a reminder to parents to make smart choices around the apps they allow their kids to use and how to better protect their privacy while streaming.” (here)
3. Every Click You Make
It may not have surprised you that Netflix received the overall lowest score in the Common Sense Media report. The company has been previously caught in the cross hairs of critics. There is no way to opt out of the data collection if you are a Netflix user. (here) In a post to the Forbes blog titled What Your Netflix Data Reveals About You dated August 28, 2021, tech columnist Barry Collins described Netflix as “a data-driven business, analyzing every click you make on its service.” (here) Mr. Collins went on to describe how user data can be accessed and obtained from Netflix. Here is a sample of the personal data that Netflix maintains on its customers:
- There are several documents stored in a Netflix account relating to viewing tastes. This data can be downloaded from the Netflix site. In the CONTENT_INTERACTION folder, ViewingActivity.csv gives you a spreadsheet showing every title you’ve watched, which device you used to watch it, whose profile was used to view the show, the date and duration of the session, and how far you got through the show in each sitting.
- Every single click you’ve made in a Netflix app is captured and stored by the company. You’ll find this data in the CLICKSTREAM folder, which includes a spreadsheet logging every interaction you’ve had with the service on your phone, tablet, computer or television. It even includes the precise order in which you typed search terms.
- A deeper search history spreadsheet is available in the CONTENT_INTERACTION folder, where at least five years of your Netflix searches are logged. This document not only logs the search queries you and your family used, but the search results and what you did with them. The logs include the profile user, the device used, and the precise date and time. Children who were searching for something they shouldn’t maybe have the most to worry about here.
- Netflix comes into its own on business trips, train journeys or holidays. It keeps a careful eye on where users are streaming from. The IP_ADDRESSES folder includes three different documents, with IPAddressesStreaming.csv being the most interesting. Netflix’s cover sheet claims this “table contains information associated with the last time a particular device was used to stream from a particular IP address”. This sheet also includes a region code, which gives a rough location for the IP address.
A full data file that also includes social media interactions, billing history and parental control restrictions can be obtained by sending a request to Netflix. Go to Netflix.com, select the profile of the account holder, click on the icon in the top right corner of the screen and choose “Account”. Under the settings, click “Download” and press “Submit Request”. (here) Netflix will email the account owner when the file is ready for download. It may take thirty days for the request to be verified. If you are not the account owner, but share the account, you may also request a copy of your personal information.
The latest Common Sense Media report is not the only research that raises privacy concerns about streaming media – nor the first to address the data harvesting practices of popular services like Netflix. In a previous report titled Standard Privacy Report for Netflix dated March 9, 2021, Common Sense Media stated that the terms of Netflix “do not disclose whether any social interactions are available between users, or whether any personal information or content may be made publicly visible to others.” The information Netflix collects includes behavioural data and biometric or health data. It is unclear whether information categorized as “sensitive” is also collected. It was also unclear whether Netflix “collects personal information online from children under 13 years of age.” (here)
In addition to data collection, streaming represents another opportunity for third parties to access private information. “Encryption may hide content, but it does not hide traffic patterns, and traffic analysis can reveal important secrets without breaking encryption,” said Professor Vitaly Shmatikov of Cornell Tech in 2019. “As video systems become more adaptive and interactive, traffic analysis will reveal more information about users’ private choices.” (here) Professor Shmatikov’s comments foreshadowed the latest report by Common Sense Media that Ms. Ovide described as “cleverly comprehensive” in her tech newsletter. Not only did Common Sense Media examine the privacy policies of major online video services, but it “also set up computer systems to follow where the digital information leaving the streaming video apps or devices went.” Many of the streaming companies transitioned data to Amazon and Google – two of the most avaricious data harvesters in the digital universe.