blacktemple.net · © 2026 · github: defconxt

Samsung

Also known as: Samsung Electronics · Samsung Group

HQ Country: 🇰🇷 South Korea
Category: device manufacturer
Threat Score: 55/100
Incidents: 16

Known Clients:
  • Consumer retail customers
  • Enterprise customers (Samsung Knox)
  • South Korean government agencies
  • Telecom carriers globally

Deployment Countries: KR, US, GB, DE, FR, IN, BR, AU, CA, JP, IT, NL, SE, SG, AE, VN, ID, MX

References:
  • Lapsus$ Samsung Source Code Breach (2022)
  • Samsung Customer Data Breach (2022)
  • Trinity College Dublin Android Telemetry Study

Threat Score Factor Analysis

Overall Threat Score: 55/100

Overview

Samsung Electronics Co., Ltd. is the world's largest smartphone manufacturer by unit volume and one of the largest technology conglomerates globally. A subsidiary of the Samsung Group chaebol, Samsung Electronics is headquartered in Suwon, South Korea, employs over 270,000 people worldwide, and reported revenue of approximately $200 billion in 2023. The company holds the number one or two position in global smartphone market share, alternating with Apple depending on the quarter.

Samsung's product portfolio spans an enormous range of consumer and enterprise technology:

  • Smartphones and tablets: Galaxy S, Galaxy Z (foldable), Galaxy A series
  • Wearables: Galaxy Watch, Galaxy Buds, Galaxy Ring
  • Smart TVs: The world's largest smart TV manufacturer, with Tizen OS-based displays in hundreds of millions of homes
  • Home appliances: Refrigerators, washing machines, and other SmartThings-connected devices
  • Semiconductors: World's largest memory chip manufacturer, also producing mobile processors (Exynos) and foundry services
  • Displays: Leading manufacturer of OLED and LCD panels used by other companies including Apple

Samsung's privacy profile is shaped by two key factors: its use of Android (meaning Samsung devices run both Google's telemetry and Samsung's own), and the breadth of its IoT ecosystem through the SmartThings platform. Unlike Apple, which controls both hardware and a privacy-focused software ecosystem, Samsung layers its own data collection on top of Google's Android baseline.

Dual Telemetry Architecture

A foundational privacy concern with Samsung devices is what researchers have termed "dual telemetry": Samsung Galaxy phones transmit data to both Google (through Android and Google Play Services) and Samsung (through Samsung's own services, analytics, and customization layer).

A 2021 study by Professor Douglas Leith at Trinity College Dublin quantified this: Samsung handsets sent substantial telemetry data to both Google and Samsung servers, effectively doubling the data collection compared to a hypothetical single-vendor device. Samsung's data collection included device identifiers, app usage, and system telemetry transmitted to Samsung's analytics infrastructure in addition to all standard Google/Android data flows.
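The dual-telemetry pattern the study describes is easy to see for yourself from a home router's resolver log. The script below is an added example, not code from the page or from the Trinity College Dublin study: it parses dnsmasq-style query lines, buckets each query by vendor using label-boundary suffix matching (so a lookalike such as `notgoogle.com` is not miscounted as Google), and reports which clients talked to both Google and Samsung in the capture window. The vendor suffix lists and the log lines are constructed assumptions; extend the lists from your own captures.

```python
import re
from collections import Counter, defaultdict

# Assumed vendor domain suffixes; matched on label boundaries, not substrings.
VENDOR_SUFFIXES = {
    "google": ("google.com", "googleapis.com", "gstatic.com"),
    "samsung": ("samsung.com", "samsungapps.com"),
}

# Constructed sample in dnsmasq query-log format (hostnames and IPs are illustrative).
SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[123]: query[A] www.google.com from 192.168.1.20
Mar  1 10:00:02 dnsmasq[123]: query[A] play.googleapis.com from 192.168.1.20
Mar  1 10:00:03 dnsmasq[123]: query[A] api.samsung.com from 192.168.1.20
Mar  1 10:00:04 dnsmasq[123]: query[AAAA] www.samsungapps.com from 192.168.1.20
Mar  1 10:00:05 dnsmasq[123]: query[A] notgoogle.com from 192.168.1.20
Mar  1 10:00:06 dnsmasq[123]: query[A] www.google.com from 192.168.1.30
Mar  1 10:00:07 dnsmasq[123]: reply www.google.com is 203.0.113.5
"""

# Only query lines carry a client address; reply/cached lines are skipped.
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def vendor_for(hostname: str) -> str:
    """Map a hostname to a vendor bucket; anything unmatched is 'other'."""
    host = hostname.rstrip(".").lower()
    for vendor, suffixes in VENDOR_SUFFIXES.items():
        for suffix in suffixes:
            # Exact match or a subdomain: the dot keeps "notgoogle.com" out.
            if host == suffix or host.endswith("." + suffix):
                return vendor
    return "other"


def classify_log(text: str) -> dict:
    """Return {client_ip: Counter({vendor: query_count})} for every query line."""
    stats = defaultdict(Counter)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        stats[m["client"]][vendor_for(m["name"])] += 1
    return dict(stats)


def dual_telemetry_clients(stats: dict) -> list:
    """Clients that contacted both Google and Samsung during the capture window."""
    return sorted(ip for ip, counts in stats.items()
                  if counts["google"] and counts["samsung"])


if __name__ == "__main__":
    stats = classify_log(SAMPLE_LOG)
    for ip, counts in sorted(stats.items()):
        print(ip, dict(counts))
    print("dual-telemetry clients:", dual_telemetry_clients(stats))
```

Point the script at a real dnsmasq or Pi-hole query log after a Galaxy device has idled on the network for an hour; the split between the two vendor buckets is the "doubling" the study refers to, and the `other` bucket is where carrier and pre-installed-app endpoints will show up.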

Data Collection Practices

Samsung's data collection operates across smartphones, smart TVs, wearables, and IoT devices, creating a multi-device surveillance profile layered on top of Google's Android data collection.

Smartphone Telemetry

Samsung Galaxy devices collect and transmit data through multiple channels:

  • Samsung Account services: Device registration, cloud backup, Find My Mobile location tracking
  • Samsung Analytics: App usage data, device performance metrics, crash reports
  • Samsung Customization Service: Behavioral data used for personalized advertising and recommendations
  • Samsung Push Service: Maintains persistent connections to Samsung servers
  • Bixby: Samsung's voice assistant processes voice commands, with associated data retention
  • Samsung Health: Fitness, health metrics, and wellness data from Galaxy Watch, Galaxy Ring, and phone sensors
  • Samsung Pay: Transaction data and merchant information

The Trinity College Dublin study found Samsung devices transmitting hardware serial numbers, IMEI, SIM serial numbers, and other persistent identifiers to Samsung servers; these identifiers cannot be reset by users and enable long-term device tracking.

Smart TV Surveillance

Samsung smart TVs, running the Tizen operating system, collect viewing data through Automatic Content Recognition (ACR):

  • ACR identifies what content is displayed on screen by periodically capturing and fingerprinting screen content, whether the source is cable TV, streaming apps, gaming consoles, or even connected laptops via HDMI
  • This viewing data is used for advertising targeting through Samsung Ads, the company's growing advertising business
  • In 2015, Samsung drew widespread criticism when its smart TV privacy policy disclosed that the TV's voice recognition feature could capture and transmit "personal or other sensitive information" spoken near the TV, a disclosure critics compared to an "always-on" microphone

Samsung's advertising business, built primarily on smart TV data, has grown rapidly. The company launched Samsung Ads as a dedicated advertising platform, monetizing the viewing behavior of hundreds of millions of smart TV users, making Samsung one of the largest TV advertising data providers globally.

SmartThings IoT Platform

Samsung's SmartThings platform connects smart home devices including:

  • Door locks and security systems
  • Cameras and motion sensors
  • Appliances (refrigerators, ovens, washing machines)
  • Lighting, thermostats, and environmental controls

SmartThings collects device state data, automation patterns, and occupancy information that collectively model household behavior. The platform's integration with third-party devices extends Samsung's data collection to non-Samsung hardware connected through the SmartThings hub.

Galaxy Store and Pre-installed Apps

Samsung devices ship with a parallel app ecosystem alongside Google Play, including the Galaxy Store, Samsung Browser, Samsung Internet, and Samsung Health. These pre-installed apps, many of which cannot be uninstalled without ADB commands, maintain independent data collection channels to Samsung's servers.

Samsung's partnerships with third-party app developers for pre-installation deals, where apps are bundled onto new devices in exchange for revenue sharing, have drawn criticism for adding additional tracking software that users did not choose to install.

Known Clients & Government Contracts

Samsung's government relationships are primarily enterprise-focused through its Knox security platform, distinct from the surveillance-oriented contracts associated with companies ranked higher in this database.

Samsung Knox Enterprise

Samsung Knox is a defense-grade mobile security platform used by governments, military organizations, and enterprises worldwide:

  • U.S. Department of Defense: Knox is approved for use on DoD networks, with Samsung devices certified under the Defense Information Systems Agency (DISA) Security Technical Implementation Guide
  • NATO: Samsung Knox-secured devices are used by multiple NATO member military forces
  • Enterprise: Knox manages device fleets for corporations and government agencies, providing containerization, remote management, and security policy enforcement

Knox's government adoption is based on its security capabilities rather than surveillance. However, Samsung's centralized management infrastructure means the company maintains the technical capability to push updates, modify device behavior, and access device management data for Knox-enrolled devices.

South Korean Government

Samsung has a complex relationship with the South Korean government, shaped by the chaebol structure's historical entanglement with political power:

  • Samsung Electronics provides technology infrastructure and services to South Korean government agencies
  • The company's semiconductor foundry business serves national security interests
  • Samsung's vice chairman Lee Jae-yong was convicted of bribery in connection with the 2016-2017 political scandal that led to the impeachment of President Park Geun-hye, though he was later pardoned in 2022

Telecommunications Partnerships

Samsung's partnerships with major carriers globally (AT&T, Verizon, T-Mobile, Vodafone, etc.) include carrier-customized devices with pre-installed apps and data-sharing arrangements that add carrier telemetry on top of Samsung's and Google's existing data collection.

Privacy Incidents & Litigation

Lapsus$ Source Code Breach (March 2022)

The Lapsus$ hacking group breached Samsung's internal systems and leaked approximately 190GB of confidential data including:

  • Source code for Galaxy device firmware and bootloaders
  • Source code for Samsung's TrustZone trusted execution environment
  • Biometric unlock algorithms
  • Source code for Samsung Account authentication
  • Confidential Samsung-Qualcomm agreements

The breach exposed critical security infrastructure. The leaked TrustZone and bootloader source code potentially enables attackers to develop exploits targeting Samsung device security foundations. The biometric algorithm exposure raised concerns about the integrity of Samsung's fingerprint and facial recognition systems.

Customer Data Breach (July-August 2022)

Samsung disclosed in September 2022 that an unauthorized party accessed personal information of U.S. customers in a breach occurring in late July. Exposed data included names, contact information, demographic information, dates of birth, and product registration data. Samsung stated that Social Security numbers and payment card numbers were not affected.

The company did not disclose the number of affected customers, and the notification was criticized for its lack of specificity and delayed timing.

Smart TV ACR Privacy Concerns (2015-ongoing)

Samsung's Automatic Content Recognition technology on smart TVs has faced sustained criticism:

  • The 2015 privacy policy revelation that Samsung TVs could transmit voice data from the room drew comparisons to Orwell's "telescreen" and generated widespread media coverage
  • FTC and state attorney general scrutiny of ACR data collection practices, particularly regarding disclosure adequacy and opt-out mechanisms
  • A 2018 Princeton/University of Chicago study found Samsung smart TVs transmitted ACR data even after users opted out in certain configurations
  • Vizio, Samsung's competitor, paid $17 million in 2017 to settle FTC charges over similar ACR practices, establishing regulatory precedent

Pre-installed Bloatware Controversies

Samsung devices have been criticized for shipping with pre-installed apps that collect data and cannot be easily removed:

  • Facebook (now Meta) was pre-installed as a system app on Samsung devices, meaning it could not be fully uninstalled; users could only "disable" it while the underlying package remained on the device with system-level permissions
  • Pre-installed apps from carriers and Samsung partners added additional data collection that users did not consent to
  • In 2020, Samsung's Galaxy Store was found distributing apps that contained malware, including cryptocurrency-related scam apps

Samsung Health Data Concerns

Samsung Health collects sensitive biometric and health data including heart rate, blood oxygen, body composition, sleep patterns, stress levels, and menstrual cycle tracking. Following the Dobbs v. Jackson ruling on reproductive rights in the U.S., privacy advocates raised concerns about the security of menstrual cycle data collected by Samsung Health and similar apps, particularly regarding potential law enforcement access.

Threat Score Analysis

Samsung receives a composite threat score of 55/100, reflecting its dual-telemetry architecture and broad device ecosystem, moderated by South Korean rule-of-law jurisdiction and enterprise security focus:

  • Data Collection (70/100): Samsung's dual-telemetry model means Galaxy devices transmit data to both Google and Samsung, creating a layered surveillance profile. Smart TV ACR technology captures viewing behavior across all input sources in hundreds of millions of households. The SmartThings IoT platform, Samsung Health wearables, and Galaxy ecosystem collectively span communications, entertainment, home environment, and health data. Pre-installed apps and carrier partnerships add additional data collection beyond Samsung's own services.

  • Third-Party Sharing (55/100): Samsung's advertising business (Samsung Ads) monetizes smart TV viewing data at scale. Pre-installation deals with third-party app developers (including Meta) involve data-sharing arrangements. However, Samsung has not been involved in data broker-scale third-party sharing or a Cambridge Analytica-type scandal.

  • Breach History (60/100): The Lapsus$ breach exposed critical security source code including TrustZone and biometric algorithms, a foundational compromise of Samsung's device security architecture. The 2022 customer data breach affected an undisclosed number of U.S. customers. Smart TV privacy violations and bloatware controversies represent ongoing systemic issues.

  • Government Contracts (35/100): Samsung's government relationships center on Knox enterprise security rather than surveillance capabilities. South Korea's rule-of-law democratic system provides stronger privacy protections than the Chinese or Israeli jurisdictions of higher-ranked companies. Samsung has not been documented providing surveillance tools to government intelligence agencies.

  • Transparency (50/100): Samsung publishes a transparency report covering law enforcement data requests, though with less detail than Apple or Google. The company's smart TV privacy policy disclosures were inadequate until public pressure forced improvements. The delayed and vague notification of the 2022 customer data breach demonstrated reactive rather than proactive transparency. Samsung's Knox security documentation is comprehensive for enterprise customers.

Weighted calculation: (70 * 0.25) + (55 * 0.25) + (60 * 0.20) + (35 * 0.15) + (50 * 0.15) = 17.5 + 13.75 + 12 + 5.25 + 7.5 = 56, adjusted to 55 reflecting the mitigating factor of South Korean democratic jurisdiction and Samsung's focus on enterprise security rather than surveillance.

Transparency & Accountability

Samsung's transparency record falls in the middle range of major device manufacturers, more forthcoming than Chinese competitors but less transparent than Apple.

Transparency Reporting

Samsung publishes a transparency report that covers law enforcement requests for user data. However, the report provides less granularity than those published by Apple, Google, or Microsoft, with limited breakdown by jurisdiction and request type.

Security Response

Samsung's response to the Lapsus$ breach was criticized for both its slowness and its lack of completeness. The company confirmed the breach only after the data had already been publicly leaked, and provided limited detail about the scope of the compromise or the remediation steps taken.

Samsung's monthly security patch cadence for supported Galaxy devices is generally well-regarded in the Android ecosystem, though the duration of security update support varies by device tier and has historically been shorter than Apple's iOS support window. Samsung has improved update commitments in recent years, promising four years of OS updates and five years of security patches for flagship devices.

Advertising Transparency

Samsung's growing advertising business, built primarily on smart TV ACR data, operates with limited transparency about data collection practices and advertiser data access. The company has not published detailed information about how ACR data is processed, who has access, or how behavioral advertising profiles are constructed from viewing data.

Structural Considerations

Samsung's chaebol structure creates governance complexities. The Samsung Group's cross-ownership and the historical entanglement between Samsung leadership and South Korean political power (exemplified by the Lee Jae-yong bribery conviction and subsequent pardon) raise questions about the independence of privacy governance from political and commercial pressures.

However, South Korea's Personal Information Protection Act (PIPA), modeled partly on GDPR, provides a regulatory framework significantly stronger than what exists in many jurisdictions where Samsung operates. The Korean Personal Information Protection Commission (PIPC) has enforcement authority and has taken action against technology companies, though Samsung's economic importance to South Korea creates potential regulatory capture concerns.
