D

Apple TV 4K (3rd gen)

Serious concerns
Apple · 🇺🇸 United States
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
FCC ID: BCGA2843
Chipset: Apple A15 Bionic
App: com.apple.atve.androidtv.appletv
Manufacturer: Apple Inc.

⚠️ The bottom line

Apple calls privacy a fundamental human right. A court approved a $95 million settlement of claims that Apple sent recordings of private conversations, picked up by accidental Siri activations on devices including Apple TV, to outside contractors who listened to them; the class period spans more than ten years. Apple says its advertising does not share data with third parties. But Apple TV has three advertising endpoints baked into its firmware, and the EU is investigating whether Apple blocks other companies from tracking you while giving its own ad business a free pass. Apple's Android TV app also includes a Google advertising tracker, at odds with the "no third parties" claim.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants
Police can demand location data for everyone near a crime scene
Spying
2/4 MODERATE
Is someone spying on me?
Data Sharing
3/4 HIGH
Who gets my data?
Security
2/4 MODERATE
Is it actually secure?
Honesty
3/4 HIGH
Can I trust what they say?
CONFIGURE: high-risk areas that can be partially mitigated with settings changes.
10 contradictions (1 critical, 4 high, 5 medium) · 5 sources
Findings by concern
Spying 2/4 MODERATE 2 findings
⚡ HIGH · policy claims vs regulatory findings
Apple says Siri data is not linked to your account. But the lawsuit Apple paid $95 million to settle alleged that Apple's contractors could hear private conversations with enough context to identify people, including medical details and intimate moments. Recordings that were truly anonymous would not have let graders work out whose conversations they were hearing.

What they claim: Apple Siri privacy page states "Data is not associated with your Apple Account" for Siri interactions

What we found: The Lopez v. Apple complaint (settled for $95M; Apple denied wrongdoing as part of the settlement) alleged that Apple retained Siri recordings together with device identifiers and contextual metadata, and that third-party contractors grading Siri accuracy heard identifiable conversations including medical discussions, drug deals and intimate encounters. "Not associated with your Apple Account" is a narrow statement about account linkage: a recording can be unlinked from an account and still identify the speaker through its own content, and a stable device identifier is enough to tie successive recordings to one household and device type (including Apple TV). Because the case settled, there is no judicial finding of fact; the contradiction is between Apple's wording and the conduct it chose to settle over.

⚫ MEDIUM · regulatory findings vs policy claims
Apple markets itself as the privacy alternative to Google and Meta. Mozilla's independent review found that Apple collects contact lists, browsing history, search history and purchase data, and can share data with partners for advertising. What Apple collects looks much like what the companies Apple criticises collect.

What they claim: Apple positions itself publicly as the privacy-first alternative to its competitors, and its privacy policy describes sharing with "trusted partners" including content providers and "strategic partners"

What we found: Mozilla's Privacy Not Included review found Apple collects "contact lists, browsing and search history, purchases, and usage data" and "can share data with affiliates, partners, and third parties for advertising". The privacy policy analysis confirms collection of "information about your browsing, purchases, and searches" and its use for "advertising in the App Store, Apple News, and Stocks". Mozilla's review contradicts Apple's positioning, finding data-sharing practices similar in scope to those of the competitors Apple publicly criticises.

Data Sharing 3/4 HIGH 4 findings
⚠️ CRITICAL · policy claims vs regulatory findings
Apple calls privacy a fundamental human right. A court approved a $95 million settlement of claims that Apple sent recordings of private conversations, picked up by accidental Siri activations on devices including Apple TV, to outside contractors who listened to them. The class period runs over ten years.

What they claim: Apple states "Privacy is a fundamental human right" and "Our advertising platform doesn't share personal data with third parties"

What we found: A federal judge approved a $95 million class action settlement (Lopez v. Apple) over Siri privacy claims. Plaintiffs alleged that Apple recorded private conversations through unintended Siri activations on all Siri-enabled devices including Apple TV, and shared recordings with third-party contractors who heard confidential conversations; Apple settled without admitting liability. The settlement class covers September 2014 to December 2024, over a decade of recordings covered by the claims. Apple TV 4K connects to guzzoni.apple.com (Siri backend), so the device in this review sits inside that scope.

⚡ HIGH · policy claims vs firmware analysis
Apple says its advertising does not share data with third parties. But Apple TV has three advertising endpoints baked into its firmware, and the EU is investigating whether Apple blocks other companies from tracking you while giving its own ad business a free pass. Apple's Android TV app also includes a Google advertising tracker, at odds with the "no third parties" claim.

What they claim: Apple Advertising & Privacy page states "Our advertising platform doesn't share personal data with third parties" and ads are "designed to protect your information"

What we found: Apple TV 4K firmware contains hardcoded endpoints for Apple's own advertising infrastructure: ads-display.apple.com, advertising.apple.com and iad.apple.com. The EU's Digital Markets Act investigation is examining whether App Tracking Transparency (ATT), which puts third-party tracking across iOS and tvOS behind a user prompt, applies weaker rules to Apple's own advertising: Apple's first-party ad personalisation is governed by a separate "Personalized Ads" setting rather than the ATT prompt, so Apple's apps can collect targeting data under terms competing apps cannot. The Apple TV Android app (v14.3.0) embeds Google Firebase Analytics and requests AD_ID. Read the claim narrowly: the firmware endpoints show Apple serving and measuring ads itself, which "doesn't share with third parties" does not deny; the Android app's Google SDK is the direct conflict with that wording.

⚡ HIGH · app permissions vs policy claims
Apple says its advertising does not share your personal data with third parties. The Apple TV app on Android sends app usage data to Google's analytics service and requests Google's advertising identifier. Google is a third party, and Apple's direct competitor in streaming hardware.

What they claim: Apple's advertising privacy page states "Our advertising platform doesn't share personal data with third parties"

What we found: The Apple TV Android app (v14.3.0) embeds the Google Firebase Analytics tracker and requests AD_ID (Google Advertising Identifier), a persistent cross-app advertising identifier. Firebase Analytics is operated by Google, a third party and Apple's largest competitor, so usage analytics from the app land on Google-operated infrastructure. This contradicts the "no third parties" wording. One caveat: an embedded SDK and a declared permission show capability, not what is transmitted; whether Firebase events are joined to AD_ID, and what each event contains, depends on the app's SDK configuration and is only confirmed by capturing the app's traffic.

⚫ MEDIUM · firmware analysis vs policy claims
Your Apple TV talks to at least 12 different Apple servers covering analytics, advertising, Siri, iCloud, location and configuration. Apple's privacy notice for the TV app says only that data is used to "personalize your experience", without listing these connections or explaining what each one collects about your viewing habits.

What they claim: Apple's TV App privacy disclosure says data is used to "personalize your experience"

What we found: Apple TV 4K connects to 12+ Apple endpoints: mesu.apple.com (software updates), guzzoni.apple.com (Siri), bag.itunes.apple.com and init.itunes.apple.com (store), xp.apple.com (experience analytics), metrics.icloud.com (iCloud telemetry), gateway.icloud.com (iCloud API gateway), gspe1-ssl.ls.apple.com (location services), configuration.apple.com (device configuration) and the three advertising hosts above, alongside content delivery endpoints. The TV App disclosure does not itemize which endpoints receive what data or how many connections the device keeps open. Hostnames say which services are contacted, not what is sent: the traffic is TLS, so examining the per-endpoint payload needs a capture on a test device with an interception CA the device trusts.
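To check the endpoint finding on your own network, the following is an added example (not Apple's code and not a tool from this page): it classifies a streaming device's DNS queries, taken from Pi-hole/dnsmasq style query-log lines, into the categories used above and proposes which hosts can be sinkholed without breaking updates. The log lines, the client address 192.168.1.50 and the categories assigned to gateway.icloud.com and gspe1-ssl.ls.apple.com are this example's own assumptions.

```python
"""Classify a streaming device's DNS queries by the endpoint categories
discussed in the finding above (advertising, telemetry, Siri, updates, ...).

Added example for this page, not a tool from the reviewed product or from
Apple. Input is a few constructed dnsmasq/Pi-hole style log lines; the
client address 192.168.1.50 and the timestamps are made up. Hostnames are
the ones named in the finding; the category assigned to each is this
example's own mapping, not an Apple-published one."""
import re
from collections import defaultdict

# Hostname -> category. Categories follow the finding; the assignment of
# gateway.icloud.com (iCloud API gateway) and gspe1-ssl.ls.apple.com
# (location services) is an assumption made here.
ENDPOINT_CATEGORIES = {
    "ads-display.apple.com": "advertising",
    "advertising.apple.com": "advertising",
    "iad.apple.com": "advertising",
    "xp.apple.com": "telemetry",
    "metrics.icloud.com": "telemetry",
    "guzzoni.apple.com": "siri",
    "mesu.apple.com": "updates",
    "bag.itunes.apple.com": "store",
    "init.itunes.apple.com": "store",
    "gateway.icloud.com": "icloud",
    "gspe1-ssl.ls.apple.com": "location",
    "configuration.apple.com": "config",
}

# Categories that can be sinkholed without breaking playback, and categories
# whose loss breaks security updates or core function.
BLOCK_CANDIDATES = {"advertising", "telemetry"}
KEEP = {"updates", "config", "store"}

# dnsmasq / Pi-hole query line, e.g.
# "Jan  5 20:14:03 dnsmasq[812]: query[A] iad.apple.com from 192.168.1.50"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def categorize(hostname):
    """Return the category for a hostname, matching the host itself first and
    then each parent domain, so 'x.iad.apple.com' still lands in
    'advertising'. Unknown hosts are 'other'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ENDPOINT_CATEGORIES:
            return ENDPOINT_CATEGORIES[candidate]
    return "other"


def summarize(log_lines, client_ip):
    """Group the hostnames one client queried by category.
    Returns {category: sorted list of hostnames}; A/AAAA repeats collapse."""
    seen = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("client") != client_ip:
            continue
        name = m.group("name").lower()
        seen[categorize(name)].add(name)
    return {cat: sorted(hosts) for cat, hosts in seen.items()}


def block_plan(summary):
    """Split observed hosts into sinkhole candidates and hosts that must stay
    reachable; everything else is left to the operator's judgement."""
    block, keep = [], []
    for cat, hosts in summary.items():
        if cat in BLOCK_CANDIDATES:
            block.extend(hosts)
        elif cat in KEEP:
            keep.extend(hosts)
    return sorted(block), sorted(keep)


# Constructed sample: one evening of queries from a device at 192.168.1.50,
# plus one query from another client that must be ignored.
SAMPLE_LOG = [
    "Jan  5 20:14:03 dnsmasq[812]: query[A] mesu.apple.com from 192.168.1.50",
    "Jan  5 20:14:03 dnsmasq[812]: query[AAAA] mesu.apple.com from 192.168.1.50",
    "Jan  5 20:14:05 dnsmasq[812]: query[A] iad.apple.com from 192.168.1.50",
    "Jan  5 20:14:05 dnsmasq[812]: query[A] ads-display.apple.com from 192.168.1.50",
    "Jan  5 20:14:06 dnsmasq[812]: query[A] xp.apple.com from 192.168.1.50",
    "Jan  5 20:14:09 dnsmasq[812]: query[A] guzzoni.apple.com from 192.168.1.50",
    "Jan  5 20:14:11 dnsmasq[812]: query[A] bag.itunes.apple.com from 192.168.1.50",
    "Jan  5 20:14:12 dnsmasq[812]: query[A] metrics.icloud.com from 192.168.1.50",
    "Jan  5 20:14:20 dnsmasq[812]: query[A] cdn.example.net from 192.168.1.50",
    "Jan  5 20:15:00 dnsmasq[812]: query[A] advertising.apple.com from 192.168.1.77",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "192.168.1.50")
    for cat in sorted(s):
        print(f"{cat:12s} {', '.join(s[cat])}")
    block, keep = block_plan(s)
    print("sinkhole candidates:", block)
    print("keep reachable:     ", keep)
```

Point summarize() at your resolver's query log and the Apple TV's address. DNS names say which services are contacted, not what is sent, and blocking mesu.apple.com or configuration.apple.com stops security updates, a worse trade than the telemetry it would silence.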

Security 2/4 MODERATE 2 findings
⚡ HIGH · firmware analysis vs policy claims
Apple says it designs products to protect your information. Three serious vulnerabilities were found in Apple TV: one was being actively exploited before Apple fixed it, one let apps escape their security sandbox, and one let attackers run code on your TV through a crafted media file. Playing media is the one thing Apple TV is supposed to do safely.

What they claim: Apple's privacy page states it "designs products to protect your information"

What we found: CVE-2025-24085, a use-after-free in the Core Media framework, was exploited in the wild before Apple patched it. CVE-2025-24243 allowed an app to break out of the tvOS sandbox. CVE-2025-24244 allowed arbitrary code execution through crafted media files, the core function of a media streaming device. Apple has since shipped fixes for all three in tvOS updates, so the device's primary function was an active attack vector until patched, and an Apple TV with automatic updates turned off stays exposed; the setting to check is Settings > System > Software Updates.

⚫ MEDIUM · firmware analysis vs regulatory findings
A vulnerability let apps on Apple TV see what other apps you have installed. Because Apple TV also acts as a smart home hub, the list of installed apps (a camera vendor's app, a lock vendor's app) hints at which devices are in the home. The vulnerability does not expose the HomeKit accessory database itself, which an app can only read with the HomeKit entitlement and your permission, but the app list is a partial map of your home that a malicious app should not have.

What they claim: Apple's privacy page states it "designs products to protect your information"

What we found: CVE-2025-43532 is a privacy bypass allowing an app to identify what other apps a user has installed on Apple TV. Apple TV 4K acts as a Thread Border Router and home hub for Matter/HomeKit devices (Thread radio confirmed in FCC filing BCGA2843). On such a device the installed-app list leaks which smart home vendors' companion apps are present, and so which services the household uses; it does not leak accessory names or state, since HomeKit data sits behind the HomeKit entitlement and a user prompt. The exposure reaches beyond the Apple TV itself but is narrower than a full inventory of the connected home.

Honesty 3/4 HIGH 2 findings
⚫ MEDIUM · policy claims vs app permissions
Apple says its TV app is designed to let you choose what you share. But the Android app declares permissions to scan for nearby Bluetooth devices and to read images and video stored on the device it runs on. A streaming video app needs internet access and screen output; inventorying nearby wireless devices or reading the device's media library goes beyond that.

What they claim: Apple's privacy page states "we design our products and services to protect" privacy and the TV app is "designed to protect your information and enable you to choose what you share"

What we found: Apple TV app (v14.3.0) declares BLUETOOTH, BLUETOOTH_ADMIN, BLUETOOTH_CONNECT, BLUETOOTH_SCAN, READ_EXTERNAL_STORAGE, READ_MEDIA_IMAGES and READ_MEDIA_VIDEO on Android, 19 permissions in total for a streaming app. The Bluetooth permissions allow scanning for and connecting to nearby Bluetooth devices; READ_EXTERNAL_STORAGE and the READ_MEDIA_* permissions allow reading files and media on the Android device beyond what a streaming client needs. Two qualifications apply. BLUETOOTH_SCAN, BLUETOOTH_CONNECT and the storage/media permissions are runtime permissions on current Android, granted only if the user accepts a prompt, and a declared permission shows what the app can ask for, not what it does with it. The package name (com.apple.atve.androidtv.appletv) identifies the Android TV build, which runs on TV boxes rather than phones, and the manifest alone does not show what the app uses the Bluetooth permissions for.
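As an added example for the permission finding (not Apple's code; the manifest is a constructed one built from the permissions listed above under a hypothetical package name, and may differ from the real app's), the following audits a decoded AndroidManifest.xml: it lists what the app declares, separates install-time permissions from those Android grants only after a runtime prompt, flags the advertising-ID permission, and checks whether BLUETOOTH_SCAN carries the neverForLocation flag that tells Android scan results will not be used to derive location. The baseline of permissions a streaming client needs is this example's assumption.

```python
"""Audit the <uses-permission> entries of an Android manifest against a
baseline for a streaming app.

Added example for this page; it is not Apple's code and the manifest below
is constructed from the permissions listed in the finding, under a made-up
package name. Uses only the standard library; a real APK would first be
decoded with a tool such as apktool so the manifest is plain XML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID = "{%s}" % ANDROID_NS

# What a streaming client plausibly needs (this example's baseline, an
# assumption, not a published standard).
BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions Android grants only after a runtime prompt (protection level
# "dangerous"); everything else is granted silently at install.
RUNTIME_PROMPTED = {
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
}

# Permissions that exist to hand an advertising identifier to an SDK.
TRACKER_PERMISSIONS = {"com.google.android.gms.permission.AD_ID"}


def parse_permissions(manifest_xml):
    """Return (name, attrs) for every <uses-permission> and
    <uses-permission-sdk-23>, keeping maxSdkVersion/usesPermissionFlags."""
    root = ET.fromstring(manifest_xml)
    out = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if not name:
                continue
            attrs = {
                "maxSdkVersion": el.get(ANDROID + "maxSdkVersion"),
                "usesPermissionFlags": el.get(ANDROID + "usesPermissionFlags"),
            }
            out.append((name, attrs))
    return out


def audit(manifest_xml):
    """Classify declared permissions. Returns sorted lists under 'unexpected'
    (outside the baseline), 'runtime_prompted', 'tracker' and
    'scan_without_neverForLocation' (BLUETOOTH_SCAN that may derive
    location), plus 'total'."""
    perms = parse_permissions(manifest_xml)
    names = {n for n, _ in perms}
    return {
        "unexpected": sorted(names - BASELINE),
        "runtime_prompted": sorted(names & RUNTIME_PROMPTED),
        "tracker": sorted(names & TRACKER_PERMISSIONS),
        "scan_without_neverForLocation": sorted(
            n for n, a in perms
            if n == "android.permission.BLUETOOTH_SCAN"
            and a["usesPermissionFlags"] != "neverForLocation"),
        "total": len(names),
    }


# Constructed manifest fragment built from the permissions named above;
# com.example.streaming is a placeholder package name.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.streaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH" android:maxSdkVersion="30"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" android:maxSdkVersion="30"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="32"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Decode a real APK with `apktool d app.apk` and feed the resulting AndroidManifest.xml to audit(). A permission in "unexpected" is a question to answer with traffic capture or code review, not a finding by itself; a BLUETOOTH_SCAN without neverForLocation is the one line here that should be explained, because it means Android will treat scan results as location-capable.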

⚫ MEDIUM · firmware analysis vs policy claims
Your Apple TV is not just a streaming box; it is the home hub and Thread border router through which Thread-based smart home devices reach the network, and the controller that runs your automations. Apple's privacy notice for the TV app only discusses your viewing habits. It says nothing about the device's role relaying traffic for your locks, sensors and other accessories.

What they claim: Apple's TV App privacy disclosure focuses on viewing habits and content recommendations

What we found: The Apple TV 4K contains Wi-Fi 6, Bluetooth 5.0 and Thread 802.15.4 radios (FCC filing BCGA2843 confirms the Thread radio) and acts as a Thread Border Router and home hub for Matter/HomeKit devices. Thread accessories reach the LAN through it, and as home hub it executes automations and relays HomeKit traffic for remote access when you are away. The disclosure does not address this role, which involves data from third-party devices (locks, sensors, cameras) made by other manufacturers. Two limits on the finding: Wi-Fi accessories do not transit the border router, and HomeKit data is end-to-end encrypted in iCloud with remote-access traffic encrypted between your device and the hub, so the hub role exposes the existence and timing of a household's accessory traffic to Apple rather than its contents.

What happened to real people
Documented incidents involving Apple products and user data.
PRISM participant since 2012. Apple dropped full iCloud E2EE plans (codenamed Plesio/KeyDrop) after FBI objections (Reuters 2020). Advanced Data Protection released 2022 as opt-in with deliberate friction. [source]
Apple handed over iCloud backups in 1,568 cases covering ~6,000 accounts. 90% compliance rate. Surveillance firm: 'If you did something bad, I bet I could find it on that backup.' [source]
Government requests for push notification metadata rose from 158 (H1 2023) to 277 (H1 2024). Push tokens can identify devices and link to accounts. [source]
What your data is worth to governments
Apple complied with 12,043 government data requests in H1 2024. That's +621% over 10 years. Apple has been a confirmed PRISM participant since 2012. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).
Sources