fredmack
Level 7

Why is there no opt-out privacy options for buyers of new Roku devices?

We recently purchased our 3rd Roku device. The prior device was a Roku 3, and we purchased one before that, as well. The oldest one, from what I have been able to deduce, will no longer work next week. :(

But, now we are forced to turn over personal information that I don't recall being required when we installed our two older Roku devices.

Hey Roku: Please remind the marketing people, that a growing number of your customers care about privacy. For those customers, there should be an opt-out of all the marketing questions. How about adding a check box for those of us that don't want Roku storing/selling/sharing our personal data with others? How about adding a check box for those of us that know that Roku's network and their partners' networks are just as vulnerable to data breaches as Sony, Target, Home Depot, Yahoo, and many others are?

I know this: I will start looking to another streaming hardware/software company that is more in alignment with privacy, than Roku is. It's worth it to me, to send a signal to the marketplace, and do business with those firms that don't just SAY they care about privacy, but actually those that TAKE ACTIONS to protect privacy.

5 Replies
mikebdoss
Level 10

Re: Why is there no opt-out privacy options for buyers of new Roku devices?


@fredmack wrote:

How about adding a check box for those of us that know that Roku's network and their partners' networks are just as vulnerable to data breaches as Sony, Target, Home Depot, Yahoo, and many others are?

Other than credit card numbers (which you don't need to give to Roku if you're not buying anything), what data do you think is going to be exposed? Randomized information about your viewer habits? The names of the channels you've downloaded?

fredmack
Level 7

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

That's a great question, @mikebdoss . What you struck upon is a simple privacy and security risk assessment question.

Let's look at the data that I was asked for when I set up a new Roku device this weekend:

1. Date of Birth and gender

2. If one has a cable account, if one is looking to become a cable cutter, or if one has no cable service.

3. If one answers yes, to having cable, then one MUST list a cable company in order to proceed.

4. Other preferences for the type of entertainment one prefers

What is the risk to Roku users in turning over this information?

Well, here are some of them:

1. Attackers can use DOB and gender to connect with other information to impersonate a user for other fraud, in a user's name. 

2. Attackers can use social engineering to hoodwink users into schemes that rob users of other information

3. "We are from Roku and we are here to help you" scams, to induce users to install ransomware or other scams, by seeming to be from Roku

4. To "sell" users bogus entertainment products that the attackers suspect the user will respond to. And,

5. I am sure other scams that you and I cannot contemplate as we sit here today.

OK, so now we have identified the data, and some of the risks. From a standards-based risk assessment, we look at the likelihood of the data falling into the wrong hands, either via Roku directly, or third parties that have access to the data. Using a simple, risk assessment model, that risk could be low, medium, or high. Based upon my experience in responding to data breaches, many times non-technical decision makers think that some other entity is more interesting to an attacker than they are.

For example: A tech services business thinks that since they are not a hospital, they are not high risk for a data breach. And many times a hospital thinks that since they are not in financial services, they are not at a high risk for a data breach. Many non-technical managers in financial services think, that since they are not a major money-center bank, they are not at high risk of a breach. These are widespread perceptions. Indeed, you did something similar, in your response to my posting!

Let's say, that the risk of a breach by Roku, or its partners, is moderate.

Now, let's look at the impact of a breach of this data. If, for example, a Roku user is tricked by an attacker, using Roku stolen data, into installing ransomware on their network, they may never get back their data. Even if they pay the ransom. I have seen that happen first hand. So in that case, the impact is high.

Using this simple, standards-based risk model, the combination of the likelihood and the impact, in this case, is that there is a high risk when turning over this data.

As a user of Roku, there should be an option for me to opt-out of activities involving data security that risk assessment determines is a moderate to high risk.

Does that answer your question?

 

mikebdoss
Level 10

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

Let's look at the data that I was asked for when I set up a new Roku device this weekend:

1. Date of Birth and gender

Which you can lie about.

2. If one has a cable account, if one is looking to become a cable cutter, or if one has no cable service.

Which you can lie about.

3. If one answers yes, to having cable, then one MUST list a cable company in order to proceed.

Or you can go back and choose "no".

4. Other preferences for the type of entertainment one prefers

Which you can lie about.

None of these questions require you to answer truthfully. No one is checking. Yes, they're there to market to you. You can lie to them, or be an adult and ignore being marketed to. 

What is the risk to Roku users in turning over this information?

Well, here are some of them:

1. Attackers can use DOB and gender to connect with other information to impersonate a user for other fraud, in a user's name. 

Your name and DOB are public records in a host of documents, and neither is private. And again, you can lie about them.

2. Attackers can use social engineering to hoodwink users into schemes that rob users of other information

That's on you. Be smarter than them. Also, that's going to be true for everything, everywhere. It's FAR easier to use public information from other sources (mortgage or property records, for example) than worry about a hypothetical Roku data breach. 

3. "We are from Roku and we are here to help you" scams, to induce users to install ransomware or other scams, by seeming to be from Roku

Again, we're all adults who've been using the internet for many years. Given that scammers rarely even get simple stuff like emails right, them tricking you, again using a hypothetical Roku data breach that may or may not have a HUGE amount of junk data (from all the people who lie on these things) seems amazingly unlikely. 

4. To "sell" users bogus entertainment products that the attackers suspect the user will respond to. And,

So a scammer who has something to sell is going to seek out dirty data to cold-email Roku users in an attempt to sell them something that they don't have to buy?

5. I am sure other scams that you and I cannot contemplate as we sit here today.

I'm sure. 

I've been in the information business for a long time. When you're talking to someone paranoid about security, they're going to throw out all sorts of possible situations that really exist only in their head, "justified" because someone, somewhere, once did something kinda like it, to someone kinda similar, a while ago. When we're doing a risk assessment, we not only have to look at random weird possibilities, we have to look at the quality of the data, the fact that they haven't been compromised yet, and a thousand other things that determine how threatening something is. Given that you don't have to provide any actual information, that the given information is more easily obtained other places legitimately, and that there's no privileged or secure information to be had at all, I'm not going to worry if Roku knows I have both Amazon AND Netflix installed, and that I'm in my 40s and a male.

Roku HAS given you an opt-out - lying. Nothing is being confirmed, nothing has to be linked to you, and you can enjoy all the same benefits of using your Roku with none of your perceived risks. It really sounds like you just want something to complain about. 

boogernose
Level 10

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

I have many personas, Email addresses and phony everythings long since set up for these instances.

I use Lastpass on the web which saves it all and makes it easy. I only use Genuine info when I have to.

And only on highly encrypted sites.

I avoid nosey web sites like Facebook.

But for Roku I gave them my real name boogernose, but I don't do it often.

elzkonax
Level 7

Re: Why is there no opt-out privacy options for buyers of new Roku devices?

But that's too many ifs involved... what about all those who used their personal info? There should be a kill switch or something :/
