Smart TV, IoT, and your privacy: what's phoning home?
Your TV watches you back. So does your doorbell, your speaker, your robot vacuum, your fitness tracker, and several appliances you forgot are connected to the internet. The data leaves your home network, goes to manufacturer servers, and from there typically to advertising and analytics partners.
Most VPN content treats this as an aside. It is the central privacy story of consumer electronics in 2026. Here is what is actually happening, who has been caught, and where a VPN (specifically router-level VPN) actually helps.
Smart TV: the canonical case
Smart TVs collect viewing data via Automatic Content Recognition (ACR). The TV captures snippets of what you are watching — frame samples, audio fingerprints — and sends them to manufacturer servers for identification. The manufacturer then sells the matched viewing data to advertisers, networks, and data brokers.
The pattern by manufacturer:
Samsung. ACR is on by default on all Samsung Smart TVs. Samsung markets the data via their advertising arm (Samsung Ads). Opt-out exists in settings (Privacy → ACR or "Viewing Information Services") but most users never find it.
Vizio. Got hit with a $17 million FTC settlement in 2017 for tracking 11 million TVs without disclosure. Settled by agreeing to disclose ACR more clearly. Still operates ACR; opt-out exists.
LG. WebOS analytics include viewing-pattern data. LG's data practices have been the subject of multiple privacy investigations.
TCL. Uses Roku TV OS in many markets. Roku's privacy policy explicitly authorises sharing viewing data with third-party advertisers.
Hisense. Similar pattern, less documented because Hisense has less Western-market scrutiny.
Sony Bravia. Runs Android TV / Google TV. Google's analytics apply.
Apple TV. No ACR. Apple's privacy positioning extends to their TV product. Notable exception in this list.
The legal status: ACR is generally legal under most privacy regimes if disclosed in the privacy policy. EU GDPR has been more aggressive about consent requirements; ACR opt-in is theoretically required under GDPR. Enforcement has been uneven.
Smart speakers and voice assistants
Always-listening devices in your home. Amazon Alexa, Google Assistant (on Nest devices), Apple HomePod (Siri), various third-party hubs.
The data picture:
- Voice recordings of trigger-word interactions (typically uploaded for processing and retained)
- Voice recordings of unintended activations (devices misidentify trigger words; resulting recordings have been used for human review at manufacturers)
- Connected-device interactions (commands routed through assistants log device states and patterns)
- Location, time, and frequency of use
Amazon's human-review program (revealed 2019) used contractors to review Alexa recordings. Apple did the same with Siri until pulling back after public reaction. Google did similar with Assistant. All three have since added user controls; the recording and processing continue at varying levels of opt-in.
What this means for typical users: the smart speaker is sending audio data to manufacturer servers. The manufacturer says they only retain the trigger-word interactions; in practice, "what counts as a trigger" has been imprecise enough that unintended audio has been retained and reviewed.
Connected cameras and doorbells
Ring (Amazon-owned). Nest (Google-owned). Eufy. Wyze. Various others.
The privacy story:
- Video footage uploaded to manufacturer cloud (typically required for the service to work)
- Audio captured continuously when motion is detected, sometimes more
- Metadata about who comes and goes from your property
- In Ring's case specifically, partnerships with police departments allowing law-enforcement access to footage without subpoena (varies by jurisdiction; Amazon has revised the program multiple times after public criticism)
Ring's police partnerships were the most documented case. As of 2024, Ring had revised the program to require subpoenas in most cases, but the framework persists. For users who consider their home video footage private, Ring's specific data practices are something to evaluate.
The Eufy case (2022) revealed unencrypted video uploads to AWS cloud despite "local-only" marketing claims. Reminded the industry that "local processing" claims are sometimes not fully accurate.
Robot vacuums and home-mapping devices
iRobot Roomba (Amazon-owned). Roborock. Eufy. Various.
The data: floor plans of your home, room dimensions, furniture placement, traffic patterns within your home. The 2017 controversy when iRobot's CEO discussed selling home maps to Amazon, Apple, or Google was the public reveal that this data has commercial value.
The current state: most premium robot vacuums upload mapping data to manufacturer cloud. The maps are detailed enough to identify room types (kitchen vs bedroom), entrance and exit points, square footage. This data has commercial value to insurance, real estate, and advertising.
Connected appliances
Smart fridges, smart washers, smart microwaves. Connected for "convenience features" that mostly add advertising opportunities and data collection rather than user value.
The Samsung Smart Fridge that ran ads on the door (2024 controversy) is the canonical example. Smart appliances that connect to the internet are typically generating telemetry about usage patterns, error states, and user interaction.
What router-level VPN does
A VPN running on individual devices (your laptop, your phone) does not affect your smart TV, your Alexa, or your Roomba. They have their own internet connections through your router; they do not run VPN clients.
A VPN running on your router encrypts ALL traffic leaving your home network. Your TV's connection to Samsung's servers is encrypted between your router and the VPN exit. From the VPN exit, it continues to Samsung — but your home ISP does not see what your TV is sending.
What this changes:
- Your ISP cannot see what your IoT devices are doing. Your ISP knows your TV connects to the internet; they do not see that it connects to Samsung's ad-tech endpoints versus a Netflix CDN.
- Manufacturer servers see the VPN exit IP, not your real IP. Some manufacturer analytics aggregate by IP; this disrupts that aggregation.
- You can route specific destinations through specific paths. With router-level VPN plus DNS-based blocking, you can null-route specific telemetry endpoints. Block samsungads.com at your router; the TV cannot phone home for ACR even if ACR is enabled.
What router-level VPN does not change:
- Manufacturer cloud receives the data anyway. The TV uploads to Samsung's servers; Samsung knows what you watched. The encryption only hides this from your ISP, not from the destination.
- Devices that need to authenticate continue to identify themselves. Your Alexa account is signed into Amazon; voice commands are tied to that account regardless of network IP.
- App-level tracking continues. Whatever the device's OS or apps log, they continue to log.
Router-level VPN setup
The practical paths:
1. Router that natively supports WireGuard or OpenVPN. Modern ASUS routers (with stock or Merlin firmware), GL.iNet routers, some TP-Link and Netgear models. Configure VPN client on router; all traffic routes through it.
2. Custom firmware (OpenWrt, DD-WRT, Tomato). Replaces stock firmware on supported routers. Provides full VPN configurability and additional networking features. More technical setup; more capability.
3. Dedicated VPN router. Devices like GL.iNet Slate, Privacy Hero, or similar. Often easier to set up than custom firmware; designed specifically for whole-home VPN.
4. VPN-aware DNS server (Pi-hole + DNSCrypt). Different approach. Pi-hole on a Raspberry Pi blocks telemetry domains at the DNS layer. Combined with VPN at the router level, this blocks telemetry destinations AND encrypts the rest of traffic.
The Fexyn position: we ship configuration profiles for ASUS Merlin, OpenWrt, and several other router platforms. Setup is documented in our router VPN blog post. The protocol options are WireGuard (Bolt, recommended) or OpenVPN (Secure, for routers without WireGuard support).
What does NOT need a VPN
Worth being honest. Some IoT privacy concerns are best handled by other tools:
Per-device telemetry blocking. A Pi-hole at the DNS level blocks specific telemetry domains and is cheaper, lower-overhead, and more targeted than VPN.
Disabling ACR. Settings → Privacy → ACR opt-out on your TV. Free. Stops the data collection at source rather than encrypting it after collection.
Network segmentation. Putting IoT devices on a separate VLAN that cannot reach the rest of your network limits the lateral risk if a device is compromised. Many modern routers support this.
Choosing devices with better privacy. Apple TV instead of Samsung Smart TV. Wired security cameras (no cloud) instead of cloud-uploading ones. Older "dumb" appliances instead of "smart" ones.
VPN is a network-layer encryption tool. It does not solve every IoT privacy problem; it solves some of them, and is part of a layered approach for users who care about this.
Frequently asked
Will a VPN stop my TV from collecting viewing data?
No. A VPN encrypts the path between your router and the VPN exit. The TV still uploads to its manufacturer; the manufacturer still receives the data. The VPN only changes what your ISP sees about what your TV is doing.
Can I block ACR completely?
Yes, by combining VPN + DNS-blocking. Block samsungcloudsolution.com (Samsung's ACR endpoint), tvinfo.lgsmartad.com (LG's), and tvtelemetry.cdn-apple.com (Apple TV — minimal ACR but exists) at the DNS level. The TV cannot phone home; ACR data accumulates locally on the TV but never reaches the manufacturer.
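The DNS-level approach described above, as an added example (not Fexyn's code): a Python script that reads dnsmasq-format query logs, as written by Pi-hole or by a router with dnsmasq query logging enabled, reports which LAN clients look up the domains this article names, and emits matching dnsmasq block rules. The log lines, client addresses and the host1 subdomain are constructed for illustration.

```python
import re
from collections import Counter
# Telemetry/ACR domains named in this article.
TELEMETRY_SUFFIXES = (
    "samsungads.com",
    "samsungcloudsolution.com",
    "tvinfo.lgsmartad.com",
    "tvtelemetry.cdn-apple.com",
)
# dnsmasq / Pi-hole query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(\S+)\s+from\s+(\S+)")

def matched_suffix(name):
    """Return the listed domain that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for suffix in TELEMETRY_SUFFIXES:
        # Label-boundary match, so notsamsungads.com does not count.
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None

def audit(log_lines):
    """Count telemetry lookups per (client IP, listed domain)."""
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines and unrelated syslog entries
        suffix = matched_suffix(m.group(1))
        if suffix:
            hits[(m.group(2), suffix)] += 1
    return hits

def dnsmasq_rules(suffixes=TELEMETRY_SUFFIXES):
    """One dnsmasq address= rule per domain; each rule also covers its subdomains."""
    return [f"address=/{s}/0.0.0.0" for s in suffixes]

# Constructed sample log for illustration; hostnames and addresses are made up.
SAMPLE_LOG = """\
May  9 20:14:01 dnsmasq[812]: query[A] host1.samsungads.com from 192.168.1.50
May  9 20:14:01 dnsmasq[812]: forwarded host1.samsungads.com to 192.0.2.53
May  9 20:14:03 dnsmasq[812]: query[AAAA] HOST1.samsungads.com. from 192.168.1.50
May  9 20:14:09 dnsmasq[812]: query[A] tvinfo.lgsmartad.com from 192.168.1.51
May  9 20:14:12 dnsmasq[812]: query[A] notsamsungads.com from 192.168.1.23
""".splitlines()
if __name__ == "__main__":
    for (client, domain), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client:15} {domain:28} {n} lookups")
    print("\n".join(dnsmasq_rules()))
```

A device that ignores the router's resolver (a hard-coded DNS server or DNS-over-HTTPS) never shows up in this log, so an empty report is not proof that the device is silent.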
Does my smart speaker work behind a VPN?
Mostly yes. Voice processing requires manufacturer cloud connectivity, and VPN-routed connections work to most manufacturer endpoints. Some smart-home integrations break under VPN routing because the device-pairing flow expects same-LAN discovery; this varies by setup.
Is it worth it for casual users?
Honestly, mixed. For users who care about ISP visibility into their IoT activity, yes. For users who do not, the manufacturer-side data collection is the bigger concern and a VPN does not solve it. Disabling ACR, choosing privacy-respecting devices, and blocking telemetry endpoints at DNS level are higher-leverage measures.
What about Apple's HomeKit?
Apple's HomeKit framework is end-to-end encrypted between your devices and Apple-ID-tied accounts. Apple does not collect the same depth of IoT data as Amazon or Google. For users in the Apple ecosystem, HomeKit-compatible devices have a meaningful privacy advantage at the platform level. VPN adds network-level privacy on top.
Try Fexyn free for 7 days — router-level VPN configuration profiles available for ASUS Merlin, OpenWrt, and others. Router setup guide, What your ISP sees, Data brokers piece cover adjacent privacy topics.
Last reviewed 2026-05-09.