Boy do I have some bad news for you: Automated Content Recognition [0, 1, 2]. If your Smart TV is connected to the Internet, it can also track what you're watching or doing, even if you're using it as an external monitor [3] (in Dutch).
TL;DR: I'm of the opinion that the answer is probably "not yet", "it's in the works", or "it's already here, but not yet widely known".
In short, I couldn't find strong conclusive evidence for "yes" or "no".
The Wikipedia article on ACR [0] seems to be quoting CIO-Wiki [1] --- or vice-versa. The statement would imply "yes":
> Real-time audience measurement metrics are now achievable by applying ACR technology into smart TVs, set top boxes and mobile devices such as smart phones and tablets. This measurement data is essential to quantify audience consumption to set advertising pricing policies.
On the other hand, a paper on ACR [2] implies it only occurs on TV's (so, this points us towards "no"):
> [...] Unlike traditional online tracking in the web and mobile ecosystems that is typically implemented by third-party libraries/SDKs included in websites/apps, ACR is typically directly integrated in the smart TV’s operating system. [...]
... but then, in its conclusion one could make the case for "not yet" as they reference Microsoft's Recall (this, to me, makes me lean on "not yet"):
> [...] Finally, although different than ACR, our auditing approach can be adopted to assess privacy risks of Recall (Microsoft, 2024) – which analyzes snapshots of the screen using generative AI (Warren, 2024). [...]
Collecting my thoughts on this paper, I'm a bit disappointed that we seem to have a double-standard for the nomenclature: if the content recognition happens on a PC, then it's labeled as "generative AI" (should've probably been called LLM by the authors) and if it takes place on a TV-shaped computer (they're mostly Android TV's, after all, right?) then it's called ACR. I think that it has not been properly articulated that what people are worried about [3] is that Microsoft's Windows Recall is (or will become) "ACR with extra steps".
To conclude (and extend this to the mobile phone domain), I'll leave a "thought experiment": is all the AI processing power on new mobile phones going to be used exclusively by the users, and for the users?
-----
Some nuanced notes...
I'm conflicted about whether to demonize ACR entirely or not. To me, "ACR" means something that is running all the time listening to user's surroundings or screenshotting a user's displayed information for the purposes of improving targeting or tracking their behavior (this seems to match Wikipedia's definition at first glance). I am in part validated by [2] as well:
> [...] At a high level, ACR works by periodically capturing the content displayed on a TV’s screen and matching it against a content library to detect the content being viewed on the TV. It is essentially a Shazam-like technology for audio/video content on the smart TV (Mohamed Al Elew, 2023).
However, after doing some research, I discovered that a particular knowledge field may be misusing the term (or using the ACR term for lack of a better term like "reverse image search" or "content-based image retrieval" --- CBIR, CBVIR, QBIC --- in their vocabulary), and perhaps in the process inadvertently "whitewashing" the term.
Take, for example, the European Union's Intellectual Property Office's (EUIPO's) discussion paper titled "Automated Content Recognition: Discussion Paper – Phase 2 ‘IP enforcement and management use cases’" [4] (PDF). I think that they are conflating some terms like hashing, fingerprinting, watermarking and labeling it under the ACR term, then they're making valid-sounding use-cases like "smartphone solutions to detect genuine or counterfeit products" (products, by definition, are not content,... so I fail to see how ACR ties in). Perhaps someone more knowledgeable can correct me if I'm misreading the paper (I am no IP lawyer, but have worked as an Information Security Officer).
I think the EUIPO paper also glosses over some possible privacy implications: e.g., they link to an article called "Are 3D printed watermarks a “grave and growing” threat to people’s privacy?" [5], but in the context of using "RFID tags or serial numbers" to protect IP on 3D printed objects ... they do not discuss the possible privacy implications of, for example, being tracked by a possible "RFID-tag-cloud" of such objects. I know that this is beyond the scope of "is there ACR running on mobile phones", but I wanted to showcase what I think is the misuse of the ACR term to expand into the physical --- "offline" --- world, in the process losing its more "academic" meaning.
To answer your question directly: I'm pointing out unexpected privacy pitfalls of using a smart TV's full set of features (i.e. running apps and using it ... as a monitor).
Although I agree with the point of your solution... I disagree with minimizing the danger of such anti-features.
To elaborate, try thinking of your average reasonable person and think of their journey into learning how to preserve their privacy without losing access to the features of the services and products they have paid for. Without a massive effort it is ultimately an oxymoron.
A reasonable person would expect that your (internet connected) smart TV would collect info to help them tailor future products based on their customer's usage (app usage frequency, standard or cable usage frequency, frequency of usage as external monitor). You would not expect to have to watch what you say in front of the such a device because they're literally listening to you [0] (in 2015, you needed to use the remote to use the voice detection service).
Additionally, reasonable user's of smart TV's (and other IoT devices) might feel like they are no longer tracked with their uniquely identifiable information because they turned off "targeted advertising" (if the service allows for setting that option), but that only prevents their advertising ID from being tracked [1].
Moreover, a reasonable person might expect that using a DNS-based blocklist would be a sort of "revocation of consent" to being tracked, but tracking services are savvy when it comes to PII exfiltration [2]:
> [...] We find that personally identifiable information (PII) is exfiltrated to platform-related Internet endpoints and third parties, and that blocklists are generally better at preventing exposure of PII to third parties than to platform-related endpoints. [...]
Finally, there have also been studies that show a lack of transparency when it comes to GDPR requests about the data collected through Automatic Content Recognition (ACR) [3].
So, my point is that "just don't use your product for most of its intended use" might be a thought-terminating cliche that prevents us from taking a step forward in stopping the normalization of unreasonable privacy transgressions (PII exfiltration, audio spying by third-party service providers, monitoring of external devices' screens).
Or are you saying this is built into phones too?