Level 7

Why is there no opt-out privacy options for buyers of new Roku devices?

We recently purchased our 3rd Roku device. The prior device was a Roku 3, and we purchased one before that, as well. The oldest one, from what I have been able to deduce, will no longer work next week. :(

But, now we are forced to turn over personal information that I don't recall being required when we installed our two older Roku devices.

Hey Roku: Please remind the marketing people, that a growing number of your customers care about privacy. For those customers, there should be an opt-out of all the marketing questions. How about adding a check box for those of us that don't want Roku storing/selling/sharing our personal data with others? How about adding a check box for those of us that know that Roku's network and their partners' networks are just as vulnerable to data breaches as Sony, Target, Home Depot, Yahoo, and many others are?

I know this: I will start looking to another streaming hardware/software company that is more in alignment with privacy, than Roku is.  It's worth it to me, to send a signal to the marketplace, and do business with those firms that don't just SAY they care about privacy, but actually those that TAKE ACTIONS to protect privacy.

15 Replies
Level 11

Re: Why is there no opt-out privacy options for buyers of new Roku devices?


@fredmack wrote:

How about adding a check box for those of us that know that Roku's network and their partners' networks are just as vulnerable to data breaches as Sony, Target, Home Depot, Yahoo, and many others are?

Other than credit card numbers (which you don't need to give to Roku if you're not buying anything), what data do you think is going to be exposed? Randomized information about your viewer habits? The names of the channels you've downloaded?

Level 7

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

That's a great question, @mikebdoss. What you struck upon is a simple privacy and security risk assessment question.

Let's look at the data that I was asked for when I set up a new Roku device this weekend:

1. Date of Birth and gender

2. If one has a cable account, if one is looking to become a cable cutter, or if one has no cable service.

3. If one answers yes, to having cable, then one MUST list a cable company in order to proceed.

4. Other preferences for the type of entertainment one prefers

What is the risk to Roku users in turning over this information?

Well, here are some of them:

1. Attackers can use DOB and gender to connect with other information to impersonate a user for other fraud, in a user's name. 

2. Attackers can use social engineering to hoodwink users into schemes that rob users of other information

3. "We are from Roku and we are here to help you" scams, to induce users to install ransomware or other scams, by seeming to be from Roku

4. To "sell" users bogus entertainment products that the attackers suspect the user will respond to. And,

5. I am sure other scams that you and I cannot contemplate as we sit here today.

OK, so now we have identified the data, and some of the risks. From a standards-based risk assessment, we look at the likelihood of the data falling into the wrong hands, either via Roku directly, or third parties that have access to the data. Using a simple risk assessment model, that risk could be low, medium, or high. Based upon my experience in responding to data breaches, many times non-technical decision makers think that some other entity is more interesting to an attacker than they are.

For example: A tech services business thinks that since they are not a hospital, they are not high risk for a data breach. And many times a hospital thinks that since they are not in financial services, they are not at a high risk for a data breach. Many non-technical managers in financial services think that since they are not a major money-center bank, they are not at high risk of a breach. These are widespread perceptions. Indeed, you did something similar, in your response to my posting!

Let's say that the risk of a breach by Roku, or its partners, is moderate.

Now, let's look at the impact of a breach of this data. If, for example, a Roku user is tricked by an attacker, using Roku stolen data, into installing ransomware on their network, they may never get back their data. Even if they pay the ransom. I have seen that happen first hand. So in that case, the impact is high.

Using this simple, standards-based risk model, the combination of the likelihood and the impact, in this case, is that there is a high risk when turning over this data.

As a user of Roku, there should be an option for me to opt-out of activities involving data security that risk assessment determines is a moderate to high risk.

Does that answer your question?

 

Level 11

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

Let's look at the data that I was asked for when I set up a new Roku device this weekend:

1. Date of Birth and gender

Which you can lie about.

2. If one has a cable account, if one is looking to become a cable cutter, or if one has no cable service.

Which you can lie about.

3. If one answers yes, to having cable, then one MUST list a cable company in order to proceed.

Or you can go back and choose "no".

4. Other preferences for the type of entertainment one prefers

Which you can lie about.

None of these questions require you to answer truthfully. No one is checking. Yes, they're there to market to you. You can lie to them, or be an adult and ignore being marketed to. 

What is the risk to Roku users in turning over this information?

Well, here are some of them:

1. Attackers can use DOB and gender to connect with other information to impersonate a user for other fraud, in a user's name. 

Your name and DOB are public records in a host of documents, and neither is private. And again, you can lie about them.

2. Attackers can use social engineering to hoodwink users into schemes that rob users of other information

That's on you. Be smarter than them. Also, that's going to be true for everything, everywhere. It's FAR easier to use public information from other sources (mortgage or property records, for example) than worry about a hypothetical Roku data breach. 

3. "We are from Roku and we are here to help you" scams, to induce users to install ransomware or other scams, by seeming to be from Roku

Again, we're all adults who've been using the internet for many years. Given that scammers rarely even get simple stuff like emails right, them tricking you, again using a hypothetical Roku data breach that may or may not have a HUGE amount of junk data (from all the people who lie on these things) seems amazingly unlikely. 

4. To "sell" users bogus entertainment products that the attackers suspect the user will respond to. And,

So a scammer who has something to sell is going to seek out dirty data to cold-email Roku users in an attempt to sell them something that they don't have to buy?

5. I am sure other scams that you and I cannot contemplate as we sit here today.

I'm sure. 

I've been in the information business for a long time. When you're talking to someone paranoid about security, they're going to throw out all sorts of possible situations that really exist only in their head, "justified" because someone, somewhere, once did something kinda like it, to someone kinda similar, a while ago. When we're doing a risk assessment, we not only have to look at random weird possibilities, we have to look at the quality of the data, the fact that they haven't been compromised yet, and a thousand other things that determine how threatening something is. Given that you don't have to provide any actual information, that the given information is more easily obtained other places legitimately, and that there's no privileged or secure information to be had at all, I'm not going to worry if Roku knows I have both Amazon AND Netflix installed, and that I'm in my 40s and a male.

Roku HAS given you an opt-out - lying. Nothing is being confirmed, nothing has to be linked to you, and you can enjoy all the same benefits of using your Roku with none of your perceived risks. It really sounds like you just want something to complain about. 

Level 17

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

I have many personas, email addresses and phony everythings long since set up for these instances.

I use Lastpass on the web which saves it all and makes it easy. I only use Genuine info when I have to.

And only on highly encrypted sites.

I avoid nosey web sites like Facebook.

But for Roku I gave them my real name boogernose, but I don't do it often.

Roku Ultra ---Ethernet rules---

From now on if people don't upvote me and do as I say I will consider holding my breath and selling my Rokus.
Level 8

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

But that's too many ifs involved....what about all those who used their personal info there should be a kill switch or something :/

0 Kudos
Level 8

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

To kill off the unwanted channels, I'd try a Factory Reset of the device.
0 Kudos
Level 15

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

Just to ask: How was the Premiere activated? Did it activate cleanly, or did you end up paying some 'subscription' fee? That often involves giving them info that lets them access your account and then add/remove channels.

0 Kudos
Level 13

Re: Why is there no opt-out privacy options for buyers of new Roku devices?


@fredmack wrote:

I know this: I will start looking to another streaming hardware/software company that is more in alignment with privacy, than Roku is.

Were you able to locate such a device? The other major players are Amazon, Apple and Google in this market space. Certainly you know that nothing meets your requirements for privacy from any of these companies.

Please let us know if you run across something which is not lifting your personal info for advertising purposes and still allows you to view content from all of the major streaming providers.

Level 8

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

Activation went perfectly fine. No dollars exchanged and I'm the only one who's ever added/deleted channels. I was recently talking with my boss whose father just got a Roku device and apparently fat fingered going to Roku.com to set it up and instead went to a similarly named "service" that was more than happy to set up his device for a non-trivial $$$ charge. Be VERY careful when you are typing in URLs, otherwise you get what you pay for.
0 Kudos