Ask HN: Should it be legal to switch privacy policies after purchase?

52 points by notrealpersonq ↗ HN
Recently found that my LG Dryer & Washer are uploading/downloading 1GB of data per day. I looked into it after the LGThinQApp's privacy policy changed to gather information like personal information like DOB, gender, voice recordings, profile photos, network activity: "such as URL, ad block info, redirect URL, bookmark history etc.. Their privacy policy looks like it was meant for instagram..

This wasn't the case at all before when I purchased the product. The nice feature was that I could preload my clothes and trigger them to wash/dry before I'm about to get home. That's all I expected from this. I even called support and asked them to deactivate my account but they said this can only be done through the app. And I can't use the app unless I accept the new terms and services.

edit: added the privacy policy link here https://us.m.lgaccount.com/spx/customer/terms_detail?country=US&language=en-US&terms_type=A_ITG_PRV

73 comments

[ 2.7 ms ] story [ 145 ms ] thread
...and this is a perfect example of why I don't buy anything "smart" besides my phone.
I learned my lesson. It's a shame cause actual smart devices can be useful if they weren't so exploitive/deceptive.
Wow.

I do not believe changes to terms after purchase should be allowed unless required by law. We need a lemon-like law for consumer electronics.

Also, I believe it is important to not buy connected devices and appliances that are not entertainment purposes only.

I’d rather pay $200 extra for a dumb tv that will last be 10 years and guaranteed to not start showing me ads in the menu screen someday.

I really doubt that they're NOT already gathering data as if I accepted the policy. The guy I called said I'm the only person to complain about this. So I don't expect much to change.

Yeah I'm not sure what the solution is. Maybe, I'm naive but I never expected this. I know better now. Regarding the smart t thing, I 100% agree, my vizio smart tv started getting ads on startup that I need to manually exit out of.

>The guy I called said I'm the only person to complain about this.

You do understand that this is a standard corporate gaslight?

Probably is, but most of my friends who aren't in tech told me I'm too "extra/petty" for calling.
I’m in the market for a TV currently, and have found (in the US) that it doesn’t matter how much extra I’d be willing to pay for a dumb TV, there just aren’t any beyond super low-end ones.

Any pointers to some would be much appreciated!

It depends on how large you want your TV, but I know a couple of people who've purchased monitors instead of TVs and used them as TVs.
There are dumb TVs; they're for digital signage. My impression from investigating these is that you get a $100 TV quality panel for $10,000, so not really an option.

I have a smart TV and it's simply never been connected to the Internet. That makes it pretty dumb.

It took me way too long[1] to figure out that "digital signage" means physical signs, not that display manufacturers are now jacking up their rates for models that won't backdoor your system and exfiltrate your private keys.

---

1: As in I was halfway through writing a comment to ask how these were sufficiently different from regular monitors to justify that markup, before realizing that I'm an idiot.

Just never give your TV any network access, use it like a monitor.
Besides going with the common low-budget brands, like Sceptre, you might find some dumb commercial TVs.

However, commercial TVs leave a lot to be desired. They generally put the focus on other aspect, like higher brightness, instead of color accuracy because they are intended to be used as signage. Hotel TVs tend to have hidden and hard to navigate sub-menus so guests dont mess with the settings too much.

Realistically, its easier to get a smart TV and just not connect it to the internet.

Google TV is also coming with a Basic TV mode for their Sony and TCL models. Basic mode is supposed to reduce the menus to a few basic functions like input switching, etc. [0]

[0]https://arstechnica.com/gadgets/2021/02/the-best-feature-of-...

I don't think a google tv is the best way forward in terms of privacy.
I got a TV that wishes it were smart. I just refused to accept the ToS upon turning it on, never connected it to the wifi, and use an HDMI cable instead.

To this day if I accidentally click the wrong input button it asks me to accept the ToS. But since I haven't and won't accept them at least that's something.

Though I think it should be extremely illegal to change the terms of service for an appliance. Software maybe, a service maybe, but not a washing machine or TV! What are you supposed to do if you disagree, try to return it 3 years after purchase? Will the manufacturer pay for you to spend your time packing it up to send back to them for a full refund (of purchase price)?

Of course not. The warranty and return periods are up, you have no choices.

This is the heart of the question. My return period is long past. And it's a pretty expensive device.

In my mind: I purchased the washer/dryer with these specific features in mind. Now I no longer have access to what I bought and I'm being locked out of using these features unless I accept the new terms.

Their official return window may have passed, but that doesn't mean you can't return now that they have changed the terms of the sale.
Nonsense. Sale of goods act 1979, and the consumer rights act 2015. If the terms of service are acceptable to you at the time you buy, but then they are changed to be unacceptable, then the device is not fit for purpose by design, and you can claim a full refund. There is no set time limit on this. Take them to the small claims court if they refuse.
... have you ever tried to actually do this?

On top of having to deal with, at minimum, going out and buying a new washer drier on my own dime until I win said court case, there's no guarantee you'd win (it's the app ToS, not literally the appliance, correct?) nor that it would ever compensate for your time spent dealing with it.

Sure, you might have a good case, but when you're working full time and have a family this is not a good use of your time. It requires a level of committment that I shouldn't have to have in order to fix a unilateral change to the terms I agree to when actually making a literally $2k+ purchase. I can't just float them a loan for $2k to buy replacement equipment while suing them.

I have no idea but my TV has service menus which seems very advanced. Google your TV brand + service manual and you may find something.
We need a lemon-like law for consumer electronics.

I wonder how this should apply to planned obsolescence of devices like smartphones.

On one hand, it's obscene that manufacturers expect us to routinely spend ~$1k on a device that will in the best case scenario last for three years. There's no inherent reason that a flagship Samsung from 2017 shouldn't be perfectly serviceable today, and likewise for a Pixel 6 or iPhone 13 in 2030. However, the discontinuation of security updates makes it so that for all practical purposes they are not.

On the other hand, we can't exactly compel speech or labor. It would be one thing if there were a kill switch triggered after N years, but in this case the obsolescence isn't caused by an active update, rather a lack thereof.

Here's a possible middle ground:

1. Block device manufacturers from arbitrarily deprecating hardware. We can't compel the release of new software, but we can block the release of new software. Require manufacturers to submit a filing with request for approval before the release of any new mobile OS update, which must include an exhaustive list of all supported devices. In the event that a device is dropped from the list in a subsequent filing, it must be explained to the satisfaction of regulators that a specific hardware limitation makes continued support for the device problematic or impractical. Given approval to drop support for a device from an OS release, there would be no obligation on the manufacturer to backport security updates to prior releases.

2. Block component manufacturers from arbitrarily deprecating hardware. Any hardware included in a publicly available consumer electronic device must have its manufacturer commit to providing up-to-date driver software with support for the latest OS for the lifetime of the device. Failure to provide this within a certain time frame (say, three months) following the request of a device manufacturer would open them up to a lawsuit, wherein they could be compelled to publish the most recent release of the driver as open source / public domain. #1 would provide the incentive for each device manufacturer to proactively enforce this, as their entire product roadmap would be effectively frozen if they allowed component manufacturers to drag their feet.

3. Ban irreversible bootloader locking in new devices. Maybe an initial bootloader lock would be acceptable, but power users should have some way to override the lock and install a custom ROM without relying on vulnerabilities in the software.

Your phone still works fine. Those security patches not being installed means probably very little.
They mean quite a lot to me personally, but for the sake of argument let's assume you're talking about the "average person".

Sure, on some level that's arguably not wrong. Most individuals are unlikely to be personally targeted by hackers, and even if so might have less to lose from a hack than the cost of a new phone.

Even taking that for granted, I would suggest that it's in the interest of the federal government to use its regulatory power for the purpose of improving our national cybersecurity at scale. Letting millions of people continue to run unpatched devices because the alternative is prohibitively expensive is a disaster waiting to happen.

I think we are at a point where legislation will be needed and there should be a clear list of what kind of data will be collected by the device throughout this lifespan akin to nutrition facts for food. That list should not be possible to alter at all (because otherwise they would lock the app lest you approve the new requirements).

Something like:

This device will share:

- Age

- Gender

- Voice commands

- Wifi name

- Location

If a manufacturer wants more data they have to change the tag at the store and only the newer device will have the additional data collection. If the manufacturer pushes an update to get more data on users that have the older tag they get a $X fine per affected user, where X is ideally a real cost-prohibiting amount like 25-50% of the price of the device.

Is there any reason why we can't have something like that?

Technology moves faster than law. I agree that we need to do something about it. It's getting ridiculous.
I mean corporation are just optimizing to make money which (at least to me) is not an issue, but we must set rules to make sure that this gross overreach stops otherwise we'll have mics in every room and any shred of privacy that might've remained will be gone.
It's way past the point it's ridiculous. It's starting to get dangerous, and if we don't take action now, this is going to be a systemic problem, not unlike ethnic/racial biases in justice systems throughout the world.
I don't think it should just be a fine. If I sold you a couch and then broke into your house and spied on you, I'd face some sort of criminal charge, even if I emailed you a fifty page document with a "privacy policy" first. So why not the people responsible for this?
My bigger thing is: will my hardware stop working if i dont agree to the latest changes?
1GB of data per day? That's incredible. Have you tried to inspect the data? I'm curious to know what a washer and dryer could possibly send home per day to total that. If what you're saying is true, it smells like you're getting spied on.
It definitely is 1GB per day. Any insight/links on how I can do that? I'll admit I have no idea where to begin when it comes to this.
Send an email to kodah@pull.dev and I'll see if I can help.
In Canada that would be outrageous. Many lower cost internet plans here are limited to 30-50gb per month.

If my washer started using 1 gb per day without notice, and I received a bill for extra data, I woukd be pissed.

I do own an LG washer, but thabkfully a lower end model without internet connectivity.

It will likely be encrypted. If they are lucky, then the vendor won't validate certs and you could MITM with a proxy. Super simple with Charles or Squid, but this assumes the device doesn't validate certs. Some IoT don't.
I don't regret sticking to dumb appliances. I hate Smart TVs with a passion, but they are all you can get nowadays. But I can just throw the TV out the window if it stops working when I unplug it and continue living just fine. Not so much with my washer, dryer, stove, car and fridge/freezer.

I do not look forward to the day you CAN'T buy a non-smart appliance like a fridge or water heater.

People here regularly recommend a brand of dumb tv that is very reasonable in terms of image quality.
Thank you, I'll keep an eye out!
Would you mind mentioning the name of that brand? I'm currently looking for a TV.
Sceptre tvs are recommended alot, I have one of their moniters personally,it's really good
(comment deleted)
You can also just not connect it to the internet.
That is my current strategy. However, don't be surprised if dark patterns start to appear like error messages, warnings, reduced functionality, and outright failure. Sometimes our TV will do pop-ups about needing to update while using the Roku. I wouldn't be surprised to see Ad-Supported appliances that fail after too long without internet.

Also, be aware that repairing a purely electrical appliance is fairly simple for most small appliance repair businesses. However smart appliances can be setup to only allow "Authorized" repairs. I've seen this for some electric bikes like Bosch bottom bracket motors where you need specific USB keys to work on or modify them that are VERY expensive.

> Also, be aware that repairing a purely electrical appliance is fairly simple for most small appliance repair businesses. However smart appliances can be setup to only allow "Authorized" repairs. I've seen this for some electric bikes like Bosch bottom bracket motors where you need specific USB keys to work on or modify them that are VERY expensive.

This is an entirely different issue. Even if it's a dumb tv, the manufacturer will probably not prioritize repairability.

I'm guilty of treating most items as disposable, I assume whenever my $300 TV blows out I'll just need to walk on down to Best Buy and buy a new one.

That will be harder in the near future. There are already youtubers showing the dozens of methods devices are using to talk to one another out of band and without user interaction. This guy covers some of the methods in a few of his videos [1].

[1] - https://www.youtube.com/c/BraxMe/videos [video list]

1GB of data does not pass a reality check for me. What on Earth can they be collecting about your washing and drying that is so much data? Can you tell us what it comprises?
For real, does the device have a camera or microphone? I don't know what else could be using that much data.

A quick Google seems to show they don't have built in voice control. That's just a huge amount of data if it's not sending some sort of media back home. Could always be poor programming for logging or something, but that wouldn't be my first suspect.

If you live in California, use the CCPA to figure out what they have on you and then submit a deletion request.
Not in CA. I did ask for the data and for my account to be deactivated. Haven't received an email from them yet.
Not sure about the US but in Europe and UK, GDPR would not permit them to collect anything that is not strictly needed without explicit consent.

The Data Minimisation principle says you should only collect what you need.

They can soft-opt you in to certain things if you have a business relationship (news letter) but this should be opt-outable, I think even at purchase time.

It would also not permit the extension of data collection without consent (or another acceptable basis, but that would be unlikely). In the case of a service online, I guess you could potentially say if you don't like it, don't use the service but with hardware, I don't think this would fly.

I think the real issue here is not whether it should be legal to switch privacy policy after purchase. LG shouldn't be allowed to collect more info than it requires. It seems absurd to me that a washer-dryer needs to access bookmark history etc. to function.

I would contact my local data protection authority and alert them of this practice. I guess LG would get in some trouble :). My initial instinct is that this collecting this info from a washer-dryer is wildly illegal.

Yes this is a clear GDPR violation. But depends on which jurisdiction, of course
They are not legal in Spain, and probably neither in most of the civilized world (YMMV!). Over here a contract change needs to be approved by both parties at the time and with the specifics of the change, so a blanket "we might change this at any time" prior to it would also not be valid.

I'm pretty sure (again in Spain) you could sue them and win, but you'd have to carry the cost of suing them AND the benefit would probably be small so not many individuals do. Some nice consumer defense groups do sue these companies and win again and again, which is amazing IMHO. Specially with the last ~10 years new data protection laws these shady practices are more and more illegal.

> And I can't use the app unless I accept the new terms and services.

For example Whatsapp keeps asking me to accept the new terms and I keep closing the popup, and still can use the app. We'll see how things end up, but for now they do not "force you" to accept them (though I'd say asking for it N times/day everyday might be considered harassment).

That's what I did for a while.

Until I had to take my phone in for repairs and I wiped it beforehand (because I always wipe my devices before handing them in).

Upon restoring backup, I couldn't get past the "accept terms" screen so I was effectively locked out of my WhatsApp account.

Begrudgingly, I accepted them but gave no permissions (contacts, camera, mic, etc) and immediately requested deletion of my account.

Definitely not ideal as they had some of that information on their servers already.

I don't think it should be legal, but Congress unfortunately doesn't give me a whole lot of say in what becomes law.

Your best bet is probably to just not use the app from now on. Go ahead and accept the new terms, then disenroll in however you need to. I have an LG dryer/washer pair, but never downloaded the app, didn't register the equipment, and it's not on my network but still works fine. You can't remotely trigger a wash, but you can set a delayed start from the onboard control panel, and as long as you're reasonably accurate in your prediction of when you'll be coming home, it'll have the same effect as what you're doing with a remote trigger.

Thanks for the suggestion.

I think the only thing would get people to act is to say Russians/Chinese are spying on people with microwaves/tvs.. Otherwise media won't report on this.

There are just enough edge cases that they need that ability. Laws change, and they need to update to account for that. Sometimes the previous policy was wrong and they can't work at all without adding something that should have been there all along.

Of course most of the time changes are not needed at all to get the job done, just to violate your privacy.

I understand if the previous policy is wrong by a few words/legalese terms. But in this case they either oh we forgot to include that we're mining all this data or they recently found out they can and started doing so.

If a device was bought with privacy as a feature and then it flips 180 and you're locked out of using it with no recourse for returning it. To me it that seems as a clear violation of a consumer's rights.

I agree. That is the downside. There are just enough reasonable cases where a privacy policy must be change that it cannot be banned. That creates loopholes large enough to drive whole planets through.
Most policies/contracts for B2C products (and employer to employee) are next to worthless for the consumer. Most have some sort of language saying they alone make the rules and they can change them at any time with or without notice.

As a consumer and employee, I feel it would be great to get rid of that language. I doubt congress will do anything about it since that would require a massive change to contract law.

Thanks for the warning, I just bought a pair of these last week. I had planned to never in a million years pair it with a phone or connect it to wireless, and this just makes it obvious what the repercussions would have been.

Paying ~$2k for appliances that then try to extract extra money out of you with targeted advertising (for what! you already bought the equipment!).

Bookmark history! Dear god.

No.

I was recently incredibly annoyed with my TV "threatening" me that if I didn't accept the regular new privacy policies, I would lose functionality (of course, with the 50 pages of on-screen legalese that you're supposed to read before accepting).

LG ... I'm looking at you and your mafia tactics. Good topic to bring up, it's getting ridiculous.

Signed: A previous LG fan

Yes. Serious: connected devices should be legally forced to use owner-controllable open protocols. I see no other way to guarantee that the costumer can't be abused.
So... Why did you give permission for a washer/dryer to talk online?

And, since you did the bad thing, have you revoked/changed passwords/locked this piece of shit hardware out from the internet?

Rather than begging HN or yelling at a cloud (LG), what have YOU done to remedy this on your side?

I mentioned that being able to trigger the wash/dryer remotely was about the only thing I found useful.

Yes all of that's already been done immediately after finding this out.

I'm new to HN, so I apologize in advance if this isn't the right place to post this.

I don't have the answer to your legal question, but if your router supports it, you might consider putting rate limits on the machines IP so they are slowed to a crawl. Maybe 10kb/s. Enough to make it think it is working but not enough to upload all the things. This assumes your appliance will still work as designed when their spooler/buffer is full. Or another trick is to drop any packets above 600 bytes. Most API calls will work but data transfers won't unless their device is clever.
I think that the solution moving on forward would be purchasing dumb devices and doing automation yourself and connecting them to your own smart home network.
I think it should not be allowed to change after purchase because it is open for any changes and once you don't accept you will not be able to use the product. Forcing you to accept any change