Nov 20, 2013

Why would companies use a “fake” 404 page?

There was a recent post on Reddit about LG collecting personal user data from users of its “smart TVs”. The person who found it was in the UK, and by using his router for man in the middle sniffing, he found that the programs he was watching as well as the names of his personal video files (including his kid's names) were being sent to LG’s servers where they would be used for targeted advertising, even though he expressly turned off the setting that allows collection of information. LG basically said, “Too bad, you agreed to the TOS, when you bought the TV, so if you have a problem it is with the store that sold it to you, not us.”

Apparently the page where the data was directed returned a 404 message. During a discussion about this someone pointed out that it was common to send a 404 response, but the data still reaches the server. Why would this be common practice? Related: is it actually common practice to use a “fake” 404 response?


Just to follow up on LG’s data collection from its TVs, an LG “investigation” (in other words, “Who screwed this up so we got busted?”) showed that they were in fact collecting customers’ data even if they opted out. LG says they are going to address it and make the disable feature actually work:


"We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted." - LG 


It doesn’t require much effort to process a request and put up a 404 response, and any data sent can still be processed by whatever service they have running. Plus, if you are doing something a little shady, most people will see the 404 response and just think that it is an “empty” page that doesn't do anything.


BTW, I was interested in the story behind your post, so I did a little searching. Looks like LG is responding at a much higher level to this now, and since this happened in Britain, the Information Commissioner's Office is investigating it as a possible violation of the British Data Protection Act. To be fair, LG has also issued a statement that they are issuing a firmware update that will disable this “feature.” The BBC has an article about it here, if you want to learn more about it.

BTW, you can contact LG here and express your displeasure with their behavior:

The solution is to not buy LG products, or the products of any company that engages in similar sleazy tactics to gather information and violate user privacy. It's good that this is getting press attention; the more people that know about it, the more pressure there will be on LG and other companies to stop doing this.
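
Added example (not part of the original thread): since a 404 only describes the reply and the request body has already been delivered by then, a capture taken at the router is better audited on bytes sent than on status codes. The sketch below flags endpoints that repeatedly receive a request body and still answer 404; the log format, host names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed proxy-log lines (not real traffic). Assumed format:
# client_ip method host path status request_body_bytes
SAMPLE_LOG = """\
192.168.1.50 POST tv-collector.example /log/viewing 404 412
192.168.1.50 POST tv-collector.example /log/viewing 404 398
192.168.1.50 POST tv-collector.example /log/viewing 404 455
192.168.1.50 GET cdn.example /firmware/latest.bin 200 0
192.168.1.23 GET blog.example /old-post 404 0
192.168.1.23 POST shop.example /cart 200 120
192.168.1.50 POST tv-collector.example /log/files 404 1310
"""

def parse(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit() or not parts[5].isdigit():
        return None
    client, method, host, path, status, sent = parts
    return {"client": client, "method": method, "host": host,
            "path": path, "status": int(status), "sent": int(sent)}

def uploads_answered_with_404(log_text, min_hits=2, min_bytes=64):
    """Return endpoints that repeatedly received a request body yet replied 404.

    The status code only describes the reply; the body had already been
    delivered, so bytes sent is the field that matters here.
    """
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["status"] != 404 or rec["sent"] < min_bytes:
            continue
        entry = stats[(rec["host"], rec["path"])]
        entry["hits"] += 1
        entry["bytes"] += rec["sent"]
        entry["clients"].add(rec["client"])
    findings = [
        {"host": h, "path": p, "hits": s["hits"], "bytes": s["bytes"],
         "clients": sorted(s["clients"])}
        for (h, p), s in stats.items() if s["hits"] >= min_hits
    ]
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)

if __name__ == "__main__":
    for f in uploads_answered_with_404(SAMPLE_LOG):
        print(f"{f['host']}{f['path']}: {f['hits']} uploads, "
              f"{f['bytes']} bytes, all answered 404, from {f['clients']}")
```

An ordinary broken link shows up as a 404 with no request body, which is why the `blog.example` line is ignored while the repeated uploads are reported.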