What I learned from Roku’s privacy policy

This may be old news to many, but since there may be some, like myself, who know information is being collected but don’t know much about how it’s being done or what’s being done with it, here’s a little of what I learned. This post contains a lot of lengthy quotes so you can spot info I didn’t cover or didn’t see.


From Roku’s privacy policy:

We may also automatically collect information related to the use of Roku Sites – for example, we collect your computer’s operating system type and version, Internet Protocol (IP) address, access times, browser type and language, and the websites you visited before coming to a Roku Site. We also use cookies to better understand your needs. A cookie is a small text file that our Web server places on your computer hard drive that includes a unique identifier. Cookies enable Roku and others to track usage patterns and deliver customized content, marketing messages and advertising to you. We also collect information using Web beacons. Web beacons are electronic images that may be used on Roku Sites or in our emails. We use Web beacons, for example, to deliver cookies, count visits, understand usage of the Roku Sites, Roku Devices and Roku’s services, analyze the effectiveness of Roku Site features and campaigns, and tell if an email has been opened and acted upon.

It seems that “web beacon” is a nicer name for what’s called a “web bug.” According to Wikipedia:

A web bug is an object embedded in a web page or email, which unobtrusively (usually invisibly) allows checking that a user has accessed the content. Common uses are email tracking and page tagging for web analytics. Alternative names are web beacon, tracking bug, tag, or page tag. Common names for web bugs implemented through an embedded image include tracking pixel, pixel tag, 1×1 gif, and clear gif. When implemented using JavaScript, they may be called JavaScript tags.

Web bugging is analogous to conventional bugging, but is not as invasive or intrusive. The term should not be confused with the more benign web spider, nor with the more malicious computer worms.

How web bugs are used on websites:

Companies or organisations, buttons or images of which are included on many sites, can thus track (part of) the browsing habits of a significant share of web users. Earlier, this included mainly ad- or counter-serving companies, but nowadays buttons of social media sites are becoming common.

How web bugs are used in email:

Through the use of unique identifiers contained in the URL of the web bugs, the sender of an email containing a web bug is able to record the exact time that a message was read, as well as the IP address of the computer used to read the mail or the proxy server that the user went through. In this way, the sender can gather detailed information about when and where each particular recipient reads email. Every subsequent time the email message is displayed can also send information back to the sender.

The Wikipedia article includes info on how to avoid web bugs.
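
The email web bugs described above can be spotted in a message's HTML before a mail client loads any remote images. The sketch below is an added example, not part of the original post or of Roku's or Wikipedia's material; the heuristics (tiny or hidden remote images, long opaque tokens in the URL) and the sample host names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Heuristic: a long opaque token in a URL usually identifies one recipient.
# Long hyphenated slugs can also match, so treat a hit as a lead, not proof.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (url, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # embedded (cid:/data:) images make no network request
        reasons = []
        if a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1"):
            reasons.append("1x1 or 0x0 image")
        if HIDDEN_RE.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        values = [v for _, v in parse_qsl(url.query)] + url.path.split("/")
        if any(TOKEN_RE.match(v) for v in values):
            reasons.append("unique identifier in URL")
        if reasons:
            self.findings.append((url.geturl(), reasons))

def find_beacons(html):
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample message body; hosts and token are made up.
SAMPLE = """
<p>Spring sale starts today!</p>
<img src="https://cdn.example.com/img/banner.png" width="600" height="200">
<img src="https://track.example.net/o.gif?uid=9f8e7d6c5b4a39281706f5e4d3c2b1a0" width="1" height="1">
<img src="cid:logo@example.com" width="1" height="1">
"""

if __name__ == "__main__":
    for url, reasons in find_beacons(SAMPLE):
        print(url, "->", ", ".join(reasons))
```

Only the remote 1×1 image carrying the per-recipient token is flagged; the visible banner and the embedded `cid:` image are not.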

Here is Roku’s disclosure about its devices:

We regularly and automatically collect information about your Roku Devices and your usage. The collected information about your Roku Devices includes, for example, the IP address associated with your Roku Devices, your device types and models, device identifiers, the retailer to whom your device was shipped, various quality measures, error logs, software version numbers, Wi-Fi network name (SSID – service set identifier) and strength. We also collect usage data such as your search history (including letters you key in for searches, and utterances provided in connection with your use of voice search), search results, content you select and view and content settings and preferences, channels you add and view, including time and duration in the channels, and other usage statistics. Usage information collected from Roku Devices may be associated with your Roku account or with product device identifiers (such as product serial numbers and other identifiers including those used for advertising and analytics). We associate device identifiers and usage data with your Roku accounts and other personally identifiable information for purposes described in this Policy.

Apparently, the newest Roku players have “voice search.” From CNET:

…touch the dedicated button [on the remote] and a dialog pops up to indicate that the mic is listening.

It seems Amazon Fire TV also has voice search. What are the chances that these devices cannot be remotely activated? I wonder whether the tyrannical globalist overlords ever dreamed we’d be so willing to pay for the devices they use to spy on us?

Users who use Roku’s mobile app lose even more privacy:

If you download Roku Mobile Apps to a mobile device, we also automatically log information related to your mobile device and network. We may log, for example, your device type, device identifiers, Wi-Fi networking connection data, information about connected Wi-Fi devices, the types and versions of mobile operating system you use, time-stamped logs of data exchanges associated with the Roku Mobile Apps, and usage statistics associated with the Roku Mobile Apps such as your search history (including letters you key in for searches, and utterances provided in connection with your use of voice search), search results, content you select and view, and channels you add and view. We also log whether you use Play on Roku to play content stored on your mobile device (such as music, photos, or videos) through the Roku Device connected with the Roku Mobile App. To let you play content on your mobile device through the Roku Device, the Roku Mobile App needs permissions to access content and other information stored on your mobile device.

It’s not only Roku that’s collecting data through its products:

Third parties who provide us with analytics services for the Roku Sites, Roku Devices and Roku Mobile Apps may also automatically collect some of the information described above, including, for example, IP address, access times, browser type and language, device type, device identifiers and Wi-Fi information.

There’s also this:

Other third parties, including channel providers, advertisers and ad networks, may also automatically collect information about you through the Roku Sites, Roku Devices, the Roku Mobile Apps or our services, including personally identifiable information about your online activities over time and across different websites, devices, online channels and applications when you use our services.

How do you like strangers having all that info about your kids?

There’s more:

This Privacy Policy does not apply to the activities of these third parties when they are collecting or using data for their own purpose or on behalf of others. Please consult the respective privacy policies and statements of such third parties for more information, including how Google uses data when you use its partner’s sites or apps.

Who has the time to find out who’s partnering with Google? At the same time, who trusts Google with their personal information?

The Roku privacy policy continues, addressing how third party advertisers are also collecting data:

Each Roku Device has unique identifiers, including a unique, non-permanent identifier called Roku Identifiers for Advertisers (RIDAs)…We supplement that information with information collected from Roku Sites, Roku Mobile Apps or third party data sources to further personalize the advertising you see on your Roku Devices. We use third party service providers, such as Google, to help deliver, personalize and target this advertising.

Channel providers, third party advertisers and ad networks may also use RIDAs and other information they collect about you from your Roku Devices, for their own advertising purposes…

This Privacy Policy does not apply to, and we are not responsible for, the data collection, data usage, advertising, and other activities of channel providers, third party advertisers and ad networks.

RIDA stands for “Roku Identifiers for Advertisers.” From February of this year:

Courts Continue To Find That Unique Device Identifiers Are Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA)

On January 20, 2015, a district court judge in New Jersey dismissed with prejudice a VPPA action against Viacom, Inc. (“Viacom”), holding that disclosure of anonymous user information to Google, Inc. (“Google”) was not actionable because such information did not constitute “personally identifiable information” (“PII”) as defined under the VPPA…

The court found that nothing in the VPPA or its legislative history suggested that PII included anonymous user IDs, gender and age, or data about a user’s computer. Plaintiffs argued that Google, because it already had so much general information at its disposal, could use the information garnered from Viacom to ascertain personal identities.

There’s Google again. They seem to have access to all the data that’s collected on everybody.

Roku’s privacy policy lists how it uses the data it collects. Most are seemingly nice things such as providing customer support and tailoring the Roku experience to users’ preferences. Then there are these:

to enforce our terms and conditions or protect our business or users; and
to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.

Can they detect such things by collecting data on our electronic devices and operating systems, our SSIDs (the name you’ve given to your local network), and who sold you your Roku?

I love this part. It’s advising users who post comments on the Roku website:

Please be mindful of your own privacy needs as you choose what to share and make public.

The privacy policy then mentions those with whom Roku shares its users’ private information. These include third party contractors they hire to sell additional Roku “products and services” and anyone else Roku uses to provide customer support and perform analytics. In addition:

Roku may also share your information to (i) comply with laws or to respond to lawful requests and legal process, (ii) to protect the rights and property of Roku, our agents, customers, and others, including to enforce our agreements, policies, and terms of use, or (iii) in an emergency to protect the personal safety of Roku, its customers, or any person.

Could it happen that Roku data could be turned over by, say, anti-gun types who work for Roku? Could Roku’s “voice search” record the sounds of you cleaning your firearm and give that data to the Feds? That would be covered under iii above. Let’s take it a step further and consider that someone who doesn’t like you might have a friend who works for one of Roku’s third party vendors. There’s also the possibility that a pedophile in your neighborhood knows someone with the same type of access. Also, everyone should be aware of the fact that human beings look at information about people they know.

The Roku privacy notice includes a section on disabling some of the spy devices and how to request to opt out of third party tracking, which is useful even if you don’t own a Roku. It ends with a warning:

Roku uses industry-standard methods of securing its electronic databases of personal information. However, you should know that no company, including Roku, can fully eliminate security risks associated with personal information…

Information collected by Roku or on our behalf may be stored on your Roku Devices, on your mobile device if you use the Roku Mobile App, or on our servers, and may be transferred to, accessed from, or stored and processed in, the United States, EU member state countries, India, the Philippines and Costa Rica, and any other country where Roku or its service providers maintain facilities or call centers, including jurisdictions that may not have data privacy laws that provide protections equivalent to those provided in your home country.

If you have questions about Roku’s use of personal information you can contact them. However, don’t expect a quick response:

We will use commercially reasonable efforts to respond to your request in a timely manner.

“Commercially reasonable”? What the heck is that? From USlegal:

Commercially reasonable efforts is a term incapable of a precise definition and will vary depending on the context in which it is used.

It means they’ll get back to you when they get back to you, i.e., it means nothing.

Surely, Roku isn’t alone in its spying and data collection. I hope this look at their privacy policy helps us understand what we’re losing by using such products.

UPDATE: If interested, please see my comments on Roku’s 2016 privacy policy.
