A study by Northeastern University and The Imperial College of London, to be presented at the ACM Internet Measurement Conference in Amsterdam in October, found that smart TVs (and IoT devices) from a variety of trusted vendors are pre-programmed to send private user information to the vendors and to partnered online video providers without the consumer's knowledge, sometimes as plaintext.
What it means
In an ideal world, any information collection process used by device makers should comply with local or regional regulation, such as GDPR. In addition, the vendors and their partners should ensure that the information is kept private and communicated as encrypted data through private channels. They should also make sure that consumer bulletins are available or even packaged with the affected products as part of the standard documentation.
When this kind of information is distributed via open channels, it may be intercepted by pirates, who can use it to target phishing and malware attacks against consumers. Private information can also conceivably give pirates a way to access end user accounts to cause financial damage to consumers. This is a complicated situation because it requires consumer awareness at a time when consumer awareness is at a premium. And then, who provides the awareness?