Why would companies use a “fake” 404 page?

delia25

There was a recent post on Reddit about LG collecting personal user data from users of its “smart TVs”. The person who found it was in the UK, and by using his router for man-in-the-middle sniffing, he found that the programs he was watching as well as the names of his personal video files (including his kid's names) were being sent to LG’s servers where they would be used for targeted advertising, even though he expressly turned off the setting that allows collection of information. LG basically said, “Too bad, you agreed to the TOS when you bought the TV, so if you have a problem it is with the store that sold it to you, not us.” Apparently the page where the data was directed returned a 404 message. During a discussion about this someone pointed out that it was common to send a 404 response, but the data still reaches the server. Why would this be common practice? Related: is it actually common practice to use a “fake” 404 response?

Topic: Security

Answers

4 total
jimlynch
Vote Up (16)

The solution is to not buy LG products, or the products of any company that engages in similar sleazy tactics to gather information and violate user privacy. It's good that this is getting press attention, the more people that know about it the more pressure there will be on LG and other companies to stop doing this.

becker
Vote Up (15)

It doesn’t require much effort to process a request and put up a 404 response, and any data sent can still be processed by whatever service they have running. Plus if you are doing something a little shady, most people will see the 404 response and just think that it is an “empty” page that doesn't do anything.

BTW, I was interested in the story behind your post, so I did a little searching. Looks like LG is responding at a much higher level to this now, and since this happened in Britain, the Information Commissioner's Office is investigating it as a possible violation of the British Data Protection Act. To be fair, LG has also issued a statement that they are issuing a firmware update that will disable this “feature.” The BBC has an article about it here, if you want to learn more about it.
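The point in the answer above, that a 404 status says nothing about whether the request's data reached the server, can be checked from the network side. This is an added example, not part of the original thread: it scans capture records of the kind a man-in-the-middle proxy produces and lists requests that carried data yet received an error status. The record layout, hosts, paths and field names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample exchanges (hosts, paths and fields are invented).
CAPTURE = [
    {"method": "POST", "url": "http://collector.example/log",
     "req_body": b"channel=BBC+One&file=holiday.avi", "status": 404},
    {"method": "GET", "url": "http://cdn.example/missing.png",
     "req_body": b"", "status": 404},
    {"method": "GET", "url": "http://ads.example/t?dev=tv123&title=News",
     "req_body": b"", "status": 404},
    {"method": "POST", "url": "http://api.example/login",
     "req_body": b"user=a", "status": 200},
]

def sent_fields(exchange):
    """Names of the fields the client transmitted (query string + form body)."""
    fields = [k for k, _ in parse_qsl(urlsplit(exchange["url"]).query)]
    body = exchange["req_body"].decode("utf-8", errors="replace")
    fields += [k for k, _ in parse_qsl(body)]
    return fields

def data_sent_despite_error(capture):
    """Group by host the requests that carried data yet got a 4xx/5xx reply."""
    findings = defaultdict(list)
    for ex in capture:
        if ex["status"] < 400:
            continue  # a success status is not the case being examined
        fields = sent_fields(ex)
        nbytes = len(ex["req_body"])
        if fields or nbytes:  # something left the device regardless of status
            parts = urlsplit(ex["url"])
            findings[parts.hostname].append({
                "path": parts.path, "status": ex["status"],
                "fields": fields, "body_bytes": nbytes,
            })
    return dict(findings)

if __name__ == "__main__":
    for host, hits in data_sent_despite_error(CAPTURE).items():
        for h in hits:
            print(host, h["path"], h["status"], h["fields"], h["body_bytes"])
```

A plain 404 for a missing image is not reported, because nothing was sent with it; the status code alone is never the signal, the request payload is.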

jimlynch
Vote Up (15)

BTW, you can contact LG here and express your displeasure with their behavior:

http://www.lg.com/us/support/contact-customer-support

tswayne
Vote Up (14)

Just to follow up on LG’s data collection from its TVs, an LG “investigation” (in other words, “Who screwed this up so we got busted?”) showed that they were in fact collecting customers’ data even if they opted out. LG says they are going to address it and make the disable feature actually work:

"We have verified that even when this function is turned off by the viewers, it continues to transmit viewing information although the data is not retained by the server. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted." - LG 
