[{"content":" What Your Samsung TV Sees: Inside the S90D\u0026rsquo;s Always-On Content Recognition # Every frame on the screen, from Netflix, your console, broadcast TV, to even a screen-mirrored phone, is fingerprinted and sent to Samsung roughly once a minute, on a schedule Samsung can change remotely. Here\u0026rsquo;s the evidence, pulled straight from the firmware of a 2024/2025 Samsung S90D.\nTL;DR # The S90D runs Automatic Content Recognition (ACR): it samples the picture ~2× per second and uploads perceptual fingerprints to Samsung\u0026rsquo;s cloud about every 60 seconds. Capture happens at the display compositor inside TrustZone, before HDCP, so it is source-agnostic and captures DRM-protected streaming (Netflix included) in the clear. Confirmed in-scope sources: Samsung TV+, third-party streaming apps, HDMI inputs, antenna/broadcast (tuner); screen mirroring has its own recognition path too. The one exemption: no fingerprinting at power-on. The upload engine is on-boot=\u0026quot;false\u0026quot; and wakes when a source becomes active. Fingerprints upload to acr-us-prd.samsungcloud.tv, an address the TV is handed at runtime by the control plane osb-v2.samsungqbe.com/service/acr/v2, so Samsung controls where the data goes, not just what\u0026rsquo;s collected. The query interval is server-controlled. The binary literally logs Query Int from server(60 is set). Samsung can dial the cadence up or down without a firmware update. Fingerprints are uploaded whether or not the server recognizes the content. Samsung receives the data either way. The same process holds your Samsung Account identity, ad PSID, and ad targeting group, so viewing data can be joined to who you are. ACR ain\u0026rsquo;t anything new # ACR turns your TV into a measurement device. It periodically samples what\u0026rsquo;s on screen, reduces each frame to a compact fingerprint, and sends those fingerprints to a cloud service that matches them against a reference database to identify the show, channel, or ad. The result feeds viewing analytics and ad targeting.\nThis isn\u0026rsquo;t hypothetical. In 2017 the FTC and New Jersey settled with Vizio for $2.2M over ACR that tracked viewing without clear consent. The question for any given TV is no longer whether it has ACR, but exactly what it captures, where it sends it, how often, and how it\u0026rsquo;s tied to your identity. This post answers those four questions for the Samsung S90D with firmware-level evidence.\n1. Every source is in scope # The capture itself is source-agnostic: the S90D grabs the final composited image at the display compositor through a TrustZone (TEE) secure call (TZCAPTURE_Capture_screen in libtzcapturec.so), at 960×540 YUV. Because this happens after rendering but before HDCP output encryption, it sees whatever is on the panel, regardless of source and regardless of DRM. Separate logic then labels what produced that image, and the firmware has explicit handling for each input type:\nSource In scope? What the firmware shows Samsung TV+ (first-party) Yes org.tizen.tv-viewer in the binary; live source_APP_Id of org.tizen.tv-viewer(tvplus) with a 7-stream match Streaming apps (Netflix, Max, Peacock, YouTube…) Yes captured live during Netflix playback (labeled ACR_SOURCE_EXT_1); IACR ships per-app metadata (e.g. YouTube) HDMI inputs (console, PC, cable box) Yes IsHDMISource, IsHDMIPort, HDMIport : %d DeviceName : %s Device Type : %d Antenna / broadcast (tuner, STB) Yes IsCUDSSTBAvailable, IsStateSTBContent, tuner libraries Screen mirroring / cast Likely dedicated mirroring-recognition-manager (boot-resident service) At power-on (boot) No upload service manifest on-boot=\u0026quot;false\u0026quot;; nothing is fingerprinted until a source is active It tracks up to six concurrent external-source slots (ACR_SOURCE_EXT_1…6). During testing, a third-party streaming app showed up as ACR_SOURCE_EXT_1, confirming these slots cover external apps and HDMI inputs alike.\n2. Where does it phone home? # The acr binary doesn\u0026rsquo;t fix the server it ultimately uploads to. It asks a control server at runtime and is handed the target. The binary contains the bootstrap endpoint and the machinery for this (GetAcrInfo, GetControlServerAddress, MatchingServerURL / IAMatchingServerURL, m_RequestDataToControlServer). On the live device, the hosts actually in use were:\nEndpoint Role Where it was found acr-us-stg.internetat.tv/getacrinfo Bootstrap \u0026ldquo;GetAcrInfo\u0026rdquo; endpoint Hardcoded in the acr binary osb-v2.samsungqbe.com/service/acr/v2 Control plane: config, app list, server URLs, query intervals Live process memory acr0.samsungcloudsolution.com Control/status server (ControlServer) Live process memory acr-us-prd.samsungcloud.tv:443 Production fingerprint upload / matching server Live process memory (delivered as IAMatchingServerURL) The control-plane request identifies the exact device and turns the pipeline on:\nhttps://osb-v2.samsungqbe.com/service/acr/v2 ?countryCode=US\u0026amp;modelid=24_PTM_QD_T09 \u0026amp;infolink=T-PTMDAKUC-0090-2123.9\u0026amp;internalacr=on Because the upload target is delivered by the control server rather than fixed in firmware, Samsung can change where fingerprints go, just as it can change how often (next section). The acr-us-* / countryCode=US naming indicates US-region servers.\n3. Frequency and Control Granularity # The TEE captures frames frequently, as often as ~every half-second (the analyzer logs Waiting for 480.333 ms and 497.181 ms; the interval varies). Fingerprints are bundled (2-3+ frames) and uploaded on a main query interval of 60 s by default. Two more pipelines run in parallel: an ad query (120 s) and a broadcast query (300 s). Crucially, these intervals are server-controlled. The binary\u0026rsquo;s own log line is Query Int from server(60 is set), and the control-plane response carries queryIntervalSec, adQueryIntervalSec, and minQueryCount/maxQueryCount. Samsung can change how aggressively your TV fingerprints remotely, without a firmware update.\n4. Anatomy of a query # Each frame is reduced to 4 Regions of Interest, each a set of four 32-bit integers (512 bits/frame), and every frame is stamped with millisecond UTC plus your timezone offset:\n{ \u0026#34;fps\u0026#34;: [ {\u0026#34;raws\u0026#34;: [u32,u32,u32,u32], \u0026#34;roi\u0026#34;: 0}, … {\u0026#34;roi\u0026#34;: 3} ], \u0026#34;tvt\u0026#34;: {\u0026#34;utc\u0026#34;: \u0026#34;1779224946340\u0026#34;, \u0026#34;tz\u0026#34;: -300} } Two outcomes, both observed live:\nNetflix (Arrested Development): every frame came back matching:false. Samsung\u0026rsquo;s database didn\u0026rsquo;t recognize it. The fingerprints were uploaded anyway. The engine does not stop on unrecognized content. Samsung TV+ (live news): a single query matched seven streams at once, each with channel, program title, genre, and a contentOffset, e.g. an offset of ~68m55s, which combined with the program\u0026rsquo;s start time reveals exactly when you tuned in and how long you\u0026rsquo;d been watching. So matching is a server-side step. Whether or not your content is in Samsung\u0026rsquo;s database, Samsung receives the fingerprints.\n5. It captures DRM-protected content # Because capture is pre-HDCP, at the compositor, inside TrustZone, content protection doesn\u0026rsquo;t stop it. The live Netflix fingerprints are the proof: a Widevine-DRM stream was sampled and uploaded in cleartext YUV, invisible to the Netflix app. ACR sees what the panel shows, not what the app \u0026ldquo;allows.\u0026rdquo;\n6. Tied to who you are # ACR isn\u0026rsquo;t anonymous telemetry. The recognition process reads, and holds in memory alongside the upload logic:\nyour ad identifier (db/adagent/psid) and ad targeting group (db/comss/targetgrouptag), your Samsung Account state and a live SSO token (the same token also appears in the TV+ daemon, it\u0026rsquo;s reused across subsystems), your country, device ID, timezone, and entered ZIP code. That means a viewing fingerprint can be joined to your account and your advertising profile. The viewing record and the identity that makes it targetable live in the same place.\n7. Consent is one checkbox # All of this is gated behind a single binary disclaimer flag (HOMEDATACONTROL_DISCLAIMERAGREES). There\u0026rsquo;s no separate control for the three pipelines (content / ad / broadcast). You can\u0026rsquo;t, for example, allow program-recognition while refusing ad-break measurement. It\u0026rsquo;s all-or-nothing, and the availability of ACR per app is decided by the server/scenario logic, not a per-app user setting.\n8. Why it matters # Scope vs. expectation. Most people expect ACR (if they know it exists) to watch broadcast TV. Here it watches everything on the panel, including third-party DRM streaming and HDMI devices. Remote-tunable surveillance. A server-controlled cadence means the data-collection rate isn\u0026rsquo;t a fixed, auditable property of the device. Regulatory exposure. Continuous, identity-linked viewing capture with a single coarse consent raises questions under GDPR (specific, informed consent; right to object) and CCPA/CPRA (sharing/sale of personal information). The Vizio precedent is directly on point. How this was observed # These findings come from static analysis of the extracted firmware and memory forensics on a device under my control. The fingerprint structure, match results, and the production upload/control hosts were read directly from the live ACR process; the bootstrap control endpoint and the server-controlled query-interval logic are present as strings in the shipped acr binary, which fetches its actual upload target from a control server at runtime. Security-specific details of how device access was obtained are deliberately withheld pending coordinated disclosure and are out of scope for this privacy write-up.\nWhat you can do # On current Samsung TVs, the ACR-related consent typically lives under Settings → General \u0026amp; Privacy → Terms \u0026amp; Privacy (look for Viewing Information Services / Customization Service). Disabling it withdraws consent for use of the data. One caveat here is that toggling consent is not the same as proving capture has stopped; there could be a situation where samsung still stores the content in a SQlite DB on the TV and then siphons all significant identifiers if the user were to re-enable ACR agreement.\nThis is independent security/privacy research on a device the author owns. No user data other than the author\u0026rsquo;s own was accessed. Live credentials and identifiers have been redacted. Citation and contact: Sagar Mohan.","date":"May 30, 2026","summary":" What Your Samsung TV Sees: Inside the S90D\u0026rsquo;s Always-On Content Recognition # Every frame on the screen, from Netflix, your console, broadcast TV, to even a screen-mirrored phone, is fingerprinted and sent to Samsung roughly once a minute, on a schedule Samsung can change remotely. Here\u0026rsquo;s the evidence, pulled straight from the firmware of a 2024/2025 Samsung S90D.\nTL;DR # The S90D runs Automatic Content Recognition (ACR): it samples the picture ~2× per second and uploads perceptual fingerprints to Samsung\u0026rsquo;s cloud about every 60 seconds. Capture happens at the display compositor inside TrustZone, before HDCP, so it is source-agnostic and captures DRM-protected streaming (Netflix included) in the clear. Confirmed in-scope sources: Samsung TV+, third-party streaming apps, HDMI inputs, antenna/broadcast (tuner); screen mirroring has its own recognition path too. The one exemption: no fingerprinting at power-on. The upload engine is on-boot=\u0026quot;false\u0026quot; and wakes when a source becomes active. Fingerprints upload to acr-us-prd.samsungcloud.tv, an address the TV is handed at runtime by the control plane osb-v2.samsungqbe.com/service/acr/v2, so Samsung controls where the data goes, not just what\u0026rsquo;s collected. The query interval is server-controlled. The binary literally logs Query Int from server(60 is set). Samsung can dial the cadence up or down without a firmware update. Fingerprints are uploaded whether or not the server recognizes the content. Samsung receives the data either way. The same process holds your Samsung Account identity, ad PSID, and ad targeting group, so viewing data can be joined to who you are. ACR ain\u0026rsquo;t anything new # ACR turns your TV into a measurement device. It periodically samples what\u0026rsquo;s on screen, reduces each frame to a compact fingerprint, and sends those fingerprints to a cloud service that matches them against a reference database to identify the show, channel, or ad. The result feeds viewing analytics and ad targeting.","tags":["acr","samsung","privacy"],"title":"Unravelling ACR on Samsung TVs","url":"/blog/acr/"},{"content":" Kagi: The New Kid on the Block # I recently switched to using Kagi as my main search engine. As of when this blog post is written, their charge for individual accounts is $10 per month. Considering how we\u0026rsquo;ve been spoilt by the likes of Google and DuckDuckGo: is paying so much for search actually worth it? I\u0026rsquo;ve not made up my mind about this; however, I do have to say that Kagi is slowly growing on me. In this post, I will list the stuff about Kagi I\u0026rsquo;ve observed over the course of using it.\nSearch Results # Kagi has been quite good at giving me the results I want. In fact, it gave me quite interesting links that Google and DuckDuckGo did not give me. For example, I was searching for the background behind \u0026ldquo;What Andy Giveth, Bill Taketh Away\u0026rdquo; and Kagi gave me the wiki link first, but within the relevant links, it put Wirth\u0026rsquo;s Law right there where I could see it. Other search engines also included it but not at the same rank. This is of course just one example, but there have been multiple instances where Kagi has ranked relevent pages far better than others. Search Lens # Now this is an interesting feature I have not observed on other services before. Kagi give you the option of searching for something under a specific Lens. For example, I can search for a topic, say \u0026ldquo;How do Prions start folding incorrectly\u0026rdquo; and make it so that it gives me results from academic sources. Currently, it gives the options to use Fediverse Forums, News 360, Usenet/Archive, Kagi Documentation, Academic, Forums, Programming, PDFs by default. The best part is: You can create your own! Utility Features # Now since Google, and to some extent DuckDuckGo, offer features which directly answer your questions (like currency converion, time at place, etc), does Kagi do the same? I mean, kinda? It does somethings since Kagi recently integrated WolframAlpha into their platform so we get complex math features like so: Wolfram Alpha covers most similar stuff like Currency Conversion as well, but what about temperature? Nope, a pretty basic feature which is still not present. Probably some other features like this are lacking, you can find out based on features you use on other search engines.\nMisc Features # Kagi has some security feature which scans each search result. This can be accessed by clicking the shield icon after each search result. Most other services offer similar service so nothing special here. Maybe they offer a bit more in-depth analysis of each site? I don\u0026rsquo;t know, I use my own wits to see if a website is worth clicking on. Hey, it\u0026rsquo;s worked for me so far.\nThings about Kagi I don\u0026rsquo;t like # Well, the product alone is fine. It has a few rough edges but that\u0026rsquo;s a given considering it\u0026rsquo;s relatively new. However, the people behind them have done some \u0026ldquo;interesting\u0026rdquo; stuff. They raised $670k through multiple small investors and then proceeded to utilize one-thirds of that to giving away free tshirts to their first 20000 customers? I mean, I get they are appreciating their customers but spending so much money so early on for just that? It has raised some eyebrows for sure.\nThey have their own browser in the Apple ecosystem which is pretty buggy. I assume the reasoning behind it is that Safari does not include Kagi as a Search enginer choice (yet) and their extension whichs works around this issue is not really privacy friendly. Building and maintaining a good browser is not easy, and it is not cheap. If Apple decided to include Kagi as a Search Engine choice, maybe Kagi should let go of their own browser and focus on their search engine.\nConclusion # Kagi is a good product. However, given the rise of LLMs like ChatGPT, Claude and search focused products like Perplexity.ai, it is only a test of time if Kagi will survive the onslaught of the AI arms race. It is unfortunate timing for Kagi to have set up shop during but I think they are doing the right things so hopefully it all works out for them.","date":"Mar 30, 2024","summary":" Kagi: The New Kid on the Block # I recently switched to using Kagi as my main search engine. As of when this blog post is written, their charge for individual accounts is $10 per month. Considering how we\u0026rsquo;ve been spoilt by the likes of Google and DuckDuckGo: is paying so much for search actually worth it? I\u0026rsquo;ve not made up my mind about this; however, I do have to say that Kagi is slowly growing on me. In this post, I will list the stuff about Kagi I\u0026rsquo;ve observed over the course of using it.","tags":["kagi","search","privacy"],"title":"Kagi: The New Kid on the Block?","url":"/blog/kagi/"}]