C. Böttger, N. Demir, M. Große-Kampmann, H. Hosseini, J. Hörnemann, T. Hupperich, Prof. Norbert Pohlmann (Institut für Internet-Sicherheit), T. Urban, C. Utz, C. Wressnegger:
“Privacy from 5 PM to 6 AM: Tracking and Transparency Mechanisms in the HbbTV Ecosystem”.
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).
2025
Abstract
Hybrid broadcast broadband television (HbbTV) is an evolving technology that connects linear TV with modern HTML5 applications, delivering extras like games, videos, and online shopping. However, its bidirectional transmission functionality raises privacy concerns, as it introduces new tracking methods for TV channels. While previous studies focused on security issues or user awareness of HbbTV privacy challenges, a detailed examination of the tracking and transparency mechanisms of the HbbTV ecosystem is still missing. This study fills this gap by extensively analyzing these features within the European HbbTV ecosystem, and in particular within German-language TV channels. We monitored more than 350 TV channels for over 400 hours, evaluating 1) prevalent HbbTV tracking methods, 2) consent notice prevalence and user interactions, and 3) privacy policy disclosures. Our findings indicate that the HbbTV tracking system operates independently of the Web, consent notices exploit system constraints to influence users, and privacy policies often do not align with actual data practices.
Index Terms—HbbTV, smart TV, privacy, privacy policies I. INTRODUCTION
Privacy from 5 PM to 6 AM: Tracking and Transparency Mechanisms in the HbbTV Ecosystem
Television is a vital medium for mass communication and entertainment. The number of European households with TVs [70] and the number of TV viewers [69] are still growing despite modern alternatives like Internet streaming platforms (e.g., Netflix). In contrast to Internet-based alternatives, a TV channel is broadcast linearly, binding watchers to a fixed programming schedule without any options to interact with the program. To overcome this limitation and to offer content more flexibly, the Hybrid Broadcast Broadband TV (HbbTV) [24] standard was introduced in 2006.
HbbTV is a technology that extends linear television to include on-demand HTML5 content to enrich the user experience. Examples are background information on popular shows or entire media centers offering on-demand video content. HbbTV differs from smart TVs or streaming platforms (e.g., Disney+) as it is dependent on the current linear programming and content that is distributed by the channel operator. TV channels provide this additional HbbTV content via HTTP(S), requiring the TV to be connected to the Internet. If the TV is not connected to the Internet, the linear program is shown to users without HbbTV content. The main difference between streaming and other over-the-top applications run on a smart TV is that HbbTV enhances traditional TV with Internet-based features, while over-the-top and streaming services operate independently of traditional TV and rely solely on the Internet for content delivery. The HbbTV standard has been widely adopted in Europe and other regions like Australia. Most households in these countries have a TV that supports HbbTV [23]. Germany has the highest HbbTV adoption rate in households (38 million) and HbbTV channels [18].
While HbbTV offers new opportunities for broadcasters and users, it comes with security and privacy threats [10], [17], [35], [71]. HbbTV is bidirectional [31], enabling channel operators to collect and process information about users and their devices by utilizing standard Web technology and associated tracking methods. If channels collect personal data of viewers in the European Union (i.e., the channel is aired in the EU), the providers must comply with EU privacy legislation, in particular with the General Data Protection Regulation (GDPR) [28] and the ePrivacy Directive [26].
Prior work covered security aspects of the HbbTV standard [10] and privacy issues originating from security is-
sues [33]. Most recently, Tagliaro et al. [71], [72] conducted a high-level analysis of the privacy implications of 36 HbbTV channels by counting trackers and the presence of privacy policies, performing off-TV interactions with consent notices in HbbTV applications, and surveying users’ awareness of privacy threats in the HbbTV landscape. We extend these studies by analyzing HbbTV channels available in Germany along the following three dimensions: (I) an analysis of collected personal data and the tracking ecosystem, (II) an analysis of the consent notices shown to TV viewers, and (III) an analysis of the privacy policies presented to TV viewers.
In summary, we produce the following findings: - Insights into the HbbTV tracking ecosystem. We show
that the HbbTV tracking ecosystem is independent of the
Web tracking ecosystem, as implied by the involvement of different entities, and demonstrate the limited effectiveness
of available protection mechanisms (see Section V). - Analyzing privacy policies. We assess the disclosures of
2,656 privacy policies in the HbbTV ecosystem and compare
them with the channels’ observed traffic (see Section VII). - Investigation of consent notices. We provide insights into
the landscape of consent notices for HbbTV. They are less
common than on the Web, originate from few issuers, and
use HbbTV input constraints for nudging (see Section VI).
II. HYBRID BROADCAST BROADBAND TV
Hybrid Broadcast Broadband TV (HbbTV) is a standard developed by the European Telecommunications Standards Institute to unite the delivery of Internet-based content and linear TV programs. HbbTV is designed for devices equipped with a decoder to show digital television (broadcast) and Internet connectivity (broadband) to run interactive applications. In this context, interactive applications refer to content delivered in addition to the TV program. Examples of such applications include video-on-demand services, electronic program guides, or ads. Such content is often presented as an overlay on the running TV program or replaces the program entirely so that the program is not visible or audible anymore. Figure 1a provides an example of HbbTV content delivered by the German channel ZDF. The latest HbbTV major version (2.0) was published in 2015 and made substantial changes to the HbbTV ecosystem, including options to display HTML5 content on TVs. …
kostenlos downloaden
Weitere Informationen zum Thema “Privacy from 5 PM to 6 AM: Tracking and Transparency Mechanisms in the HbbTV Ecosystem”
„Im Netz Verfolgt – Wie UbiTrans das Internet sicherer macht“
„Trust Media – ISCC-Zertifikate – Stärkung des Vertrauens in digitale Medien“ „HBBTV und die Datensammelwut – Wie Sender Tracking und Cookies einsetzen“ „Spielerisch gegen Cyberbedrohungen – IT-Sicherheitstrainings mit Serious Games“
„Lehrbuch Cyber-Sicherheit“
„Übungsaufgaben und Ergebnisse zum Lehrbuch Cyber-Sicherheit“ „Bücher im Bereich Cyber-Sicherheit und IT-Sicherheit zum kostenlosen Download“ „Trusted Computing – Ein Weg zu neuen IT-Sicherheitsarchitekturen“
„Vorlesungen zum Lehrbuch Cyber-Sicherheit“
„Cybernation – Gemeinsam für mehr IT-Sicherheit“ „Only Regulators in the Building – EU AI Act, Compliance, Trust and AI“ „Aktuelle Cybersicherheitslage und Cyber-Sicherheitsstrategien zur Reduzierung der Risiken“
„Forschungsinstitut für Internet-Sicherheit (IT-Sicherheit, Cyber-Sicherheit)“
„Master-Studiengang Internet-Sicherheit (IT-Sicherheit, Cyber-Sicherheit)“ „Marktplatz IT-Sicherheit“ „Marktplatz IT-Sicherheit: IT-Notfall“ „Marktplatz IT-Sicherheit: IT-Sicherheitstools“ „Marktplatz IT-Sicherheit: Selbstlernangebot“ „Marktplatz IT-Sicherheit: Köpfe der IT-Sicherheit“ „Vertrauenswürdigkeits-Plattform“
„TeleTrusT-Positionspapier Cyber-Nation“
„Investitionen aus Sondervermögen in Cyber-Sicherheit“
„eco-Studie: Security und digitale Identitäten“
„Gaia-X-sichere und vertrauenswürdige Ökosysteme mit souveränen Identitäten“
„Cyber-Sicherheit braucht mehr Fokus“
„IT-Sicherheitsstrategie für Deutschland“
„Human-Centered Systems Security – IT Security by People for People“
„IT-Sicherheit“
„Cyber-Sicherheit“ | 
