New security research shows that the smart TVs in our living rooms are more than just passive viewing devices. They’ve become part of the infrastructure behind AI scraping, allowing traffic to be routed through ordinary household internet connections instead of data centers.
These findings come from a June 5 report published by Include Security, which examined Bright Data’s software development kit, or SDK. The SDK can be embedded in partner apps and, with user consent, turn smart TVs and other consumer devices into residential proxy nodes.
That means third-party web-scraping requests can be routed through a user’s smart TV and household internet connection, helping them bypass blocks that websites use against data-center traffic.
Bright Data, the company that sells access to the residential proxy network at the center of Include Security’s investigation, pushed back on parts of the report’s framing in a statement to Techopedia.
“We have reviewed the findings and are engaging constructively rather than dismissively,” Bright Data said. “Technical observations accurately describe how the SDK functions, such as the fact that it uses a device’s internet connection to route traffic to whitelisted public web domains.”
Since Bright Data’s response confirms the basic routing function, the question is really whether users understand what they are agreeing to when they allow an app to use their smart TV’s resources and home IP address.
AI Scraping Needs Residential IP Addresses
The AI boom has created a seemingly endless demand for public web data. Companies are using scraped data to train models and power retrieval systems, search tools, monitoring products, and market research. As if that weren’t enough, AI agents also need access to the latest information from the open web, which just adds to the demand.
However, in their attempts to collect all of this data, AI companies are facing a roadblock: Many websites now block or throttle traffic from cloud providers and data centers, where large-scale automated scraping is easier to detect.
And that’s exactly what’s made residential proxies big business. Instead of sending a request from a cloud server, a company can route it through an IP address assigned to a real household connection. When a website receives the request, it looks like the traffic came from a regular internet user.
Residential proxy networks aren’t new, and in the past, concerns about them have focused on illegal supply, including botnets, trojanized apps, and compromised devices. In its report, Include Security points out that most coverage has focused on illegal proxy networks, while the legal side of the industry has received much less attention.
In its statement to Techopedia, Bright Data defended that model:
“Bright Data is providing necessary information from the public web to researchers and the business world,” the company said.
“Since 2014, we have collected data from public sources that are not gated and provide them to journalists, researchers, businesses (such as finance, ecommerce, real estate, to name a few), and companies building both digital and physical AI. We believe the open web is exactly that and should be accessible to anyone.”
Smart TVs Are Valuable Proxy Nodes
Much of Include Security’s report focuses on connected TVs because they have several traits that make them work well as residential proxy devices.
Unlike phones, smart TVs are almost always plugged in, connected to high-speed Wi-Fi, left in standby mode, and rarely leave the home network. They also often don’t have the same level of corporate security oversight as many phones and laptops.
Include Security’s report points to these attributes when it describes connected TVs as “a near-perfect residential proxy.”
These traits also make the consent experience especially important. A smart TV app may ask a user to agree to let Bright Data use their device resources or IP address in exchange for fewer ads or free access. Include Security says that type of disclosure is often more difficult for users to evaluate on a TV, where they have to navigate privacy policies and opt-in screens with the arrows on their remote control.
In the report, Include Security cited Petflix, a Roku app The Verge covered in February, as an example of how this consent language can appear to users. The opt-in screen said Bright Data could occasionally use a device’s free resources and IP address to download public web data. Include Security also pointed to a 200 GB monthly Wi-Fi figure in the SDK’s public configuration.
Bright Data told Techopedia that framing leaves out important context:
“In regard to the statement about the threshold, it would be incredibly rare for any device to ever come near the threshold,” the company said. “In the past 30 days, only 3 devices exceeded 100GB, which is less than .001% of user devices. Another item that is misrepresented is Roku, which has been deprecated for a long time.”
The company went on to say that the 200 GB figure “appears to reflect a published theoretical maximum limit, not what users typically experience.”
According to Bright Data, actual average usage is 50 MB per 24-hour period on Wi-Fi. The company said the gap between the theoretical maximum and typical usage exists because the SDK is designed to operate only when a device is idle, plugged in, and on Wi-Fi.
“We understand why a 200GB figure, taken without context, could raise concern, and we appreciate the opportunity to clarify it,” Bright Data said.
Bright Data Emphasizes Opt-In Policy for SDK
Bright Data says the key issue is consent, and it rejects the idea that users are quietly being enrolled into its proxy network.
“This is handled through a purpose-built, mandatory consent opt-in architecture, not an afterthought, and not buried in legal language,” Bright Data told Techopedia.
The company says its consent process is designed to allow users to make a clear choice before any of their devices are used.
“By default, users are opted-out,” Bright Data said. “The opt-in screen is a dedicated, standalone screen, completely separate from the app installation flow. Users encounter it as its own moment of decision, not as part of a long setup process they may click through without reading.”
Bright Data said the screen uses plain language, has two clearly labeled buttons for opting in or declining, identifies Bright Data, and links to its privacy policy and end-user license agreement. The company also said users can decline and still use the app.
“Users who decline can still use the app fully, opt-in is never a condition of access,” Bright Data said. “Opt-out is available at any time via a simple, two-step process in the app’s settings, with no friction or hidden menus.”
If a customer enables parental controls, the opt-in screen is never shown, and the device is never used as a proxy node, the company explained.
Bright Data also cited an external PwC audit, saying every user must opt in, users receive extra value in exchange for doing so, and “there is an internal compliance review before publication.”
As Bright Data’s response shows, this isn’t another case of security researchers finding a hidden behavior and a company denying it.
Bright Data has acknowledged the core function of the SDK while arguing that users have consented to its use, that it’s limited to public web requests, and that the system is designed to avoid accessing local data or personal communications.
Security Questions Are Bigger Than Just Bandwidth
The bandwidth issue is only one part of the story, however. Include Security’s report also describes device-state telemetry, idle checks, and web request instructions that can be executed through a user’s residential IP address.
One of the most significant parts of Bright Data’s response involved VPN behavior on iOS. Include Security said the SDK’s peer tunnel bypassed a configured VPN by binding traffic to the device’s physical network interface.
Bright Data told Techopedia this was not an intentional effort to hide the SDK’s presence.
“Regarding iOS behavior with active VPNs, this is not an intentional design to mask the SDK’s presence,” Bright Data said. “From a business perspective, VPN routes hold no value for our network, which relies strictly on standard residential routing.”
However, the company acknowledged that the behavior conflicts with what users expect from a VPN. “We recognize that when a VPN is enabled, users expect all device traffic to be fully routed through it,” the company said.
“The current behavior, where the SDK bypasses this route, is a bug.” Bright Data said it is actively fixing the issue and that the SDK will be updated to automatically detect an active VPN and “immediately drop the peer for the duration of the VPN connection.”
AI Scraping Is Turning Household Devices Into Infrastructure
The debate over Bright Data’s SDK highlights the growing tension between AI companies’ demands for data and the methods used to collect it.
As websites try to block automated scraping, residential IP addresses have become more valuable, creating a market for consumer devices that can make web requests look like ordinary household traffic.
Bright Data says its model is transparent, opt-in, and limited to public web data. Include Security argues that the technical architecture and smart TV consent experience deserve a closer look, especially when the device involved is a living-room screen that most people would never guess is part of the internet’s data-collection infrastructure.
From the consumer perspective, the question is whether they understand the trade-off. An app with fewer ads or none at all may come with a choice to share unused device resources, but making that choice could also mean allowing a company to route web-scraping requests through their home internet connection.
As AI companies search for more data and websites keep trying to block automated scraping, the next privacy debate may be less about whether the public web can be scraped and more about whose devices are helping make that scraping possible.
