Smart TVs implement a unique tracking approach called Automatic Content Recognition (ACR) to profile the viewing activity of their users. ACR is a Shazam-like technology that works by periodically capturing the content displayed on a TV's screen and matching it against a content library to detect what content is being displayed at any given point in time. While prior research has investigated third-party tracking in the smart TV ecosystem, it has not looked into second-party ACR tracking that is conducted directly by the smart TV platform. In this work, we conduct a black-box audit of ACR network traffic between ACR clients on the smart TV and ACR servers. We use our auditing approach to systematically investigate whether (1) ACR tracking is agnostic to how a user watches TV (e.g., linear vs. streaming vs. HDMI), (2) privacy controls offered by smart TVs have an impact on ACR tracking, and (3) there are any differences in ACR tracking between the UK and the US. We perform a series of experiments on two major smart TV platforms: Samsung and LG. Our results show that ACR works even when the smart TV is used as a "dumb" external display, that opting out stops network traffic to ACR servers, and that there are differences in how ACR works across the UK and the US.