Consumer Reports dragged a bunch of its top-rated smart TVs back into its labs to re-evaluate them, this time checking them for hard-to-evaluate information security risks and defects, which are not normally factored into its ratings.

But Consumers Union, the organization that publishes Consumer Reports, is building out its information security capacity, working with partner orgs to evaluate and expose the security risks and collateral damage from bad information security design and policy.

The re-evaluation of smart TVs revealed that while these devices worked beautifully, they failed miserably: they can be remote-controlled by malicious parties and they harvest and transmit mountains of data about you and your viewing habits back to their manufacturers, who arrogate to themselves the right to do pretty much anything they want with that data, all on the basis of obscure permissions granted deep in the unreadable pastebomb of terms and conditions that you have to click through to use your device.

Worse: the manufacturers can’t even succeed at failing. When notified of the issues with their devices, Roku shrugged its shoulders and insisted that there was no problem. And it turns out that if you dig deep into the preferences screen for your TV and turn off all the data-harvesting, the TVs also disable all the useful features that distinguish them from dumb TVs, features that could function perfectly well without all the surveillant activities.

Consumer Reports notes that non-smart TVs are becoming a rarity, especially high-quality/large-format sets, which are now almost universally smeared with fecal matter from the Internet of Shit. I recently experienced a microcosm of this, when I bought a large-format LG monitor, only to discover that buying a set without networking capabilities (and an insecure system-on-a-chip with a web-server, etc.) was $100 more than buying one that shipped with a bunch of useless, easily exploited anti-features.

One ray of hope: virtually all of these practices will be radioactively illegal under the EU’s forthcoming General Data Protection Regulation; it may be that rather than risking titanic fines, the manufacturers will participate in a race to the top to make their devices more secure and less surveillant.

You could just buy an old-fashioned “dumb” TV, without built-in streaming capabilities, but these are becoming harder to find. Of the nearly 200 midsized and large sets in Consumer Reports’ ratings, only 16 aren’t smart TVs. And those are 2017 models—in 2018 we expect to see even fewer internet-free televisions.

If you do buy a new smart TV, decide whether you want to block the collection of viewing data. If so, pay close attention during setup. There, you can agree to the basic privacy policy and terms of service—which still triggers a significant amount of data collection—while declining ACR.

Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds [Consumer Reports]