Update! Roku has asked TechCrunch to remove an inaccurate statement and tells us: “Roku does not collect data from a customer’s WiFi network nor collect data from any other devices on a customer’s WiFi network.” Move along on, folks! Original story follows:
Assuming neither TechCrunch nor Roku misspoke, our streaming boxes (and sticks) will soon begin snooping on us. As Roku looks to generate revenue beyond meager hardware margins, they’re getting serious with measurement and advertising. And I get the need to monetize. However, the incoming ad platform piloted on Crackle is all sorts of creepy:
These interactive ads can also be personalized using data like a user’s location, as well as by tracking information collected on devices running on a household’s Wi-Fi network using traditional means.
Geo-targeting is a generally accepted practice to fine-tune offers, but sniffing my network to see what other devices I might be running is well out of bounds. Further, what other data will be passed along? For example, as Roku ramps up their analytics business, how might folks linking a Plex library or having installed an “adult” channel feel?
If TC’s nugget holds true, Roku will clearly need to update their privacy policy. It was last revised in March, to accomodate Nuance’s voice search, but makes absolutely no mention of identifying my location or scanning my network — something I imagine privacy groups, the EFF, and others would want to be aware of.
Roku… Unplugged! Haha
Well, undeniably creepy, and a serious blow to trust in Roku, but one technical question:
“These interactive ads can also be personalized using data like a user’s location, as well as by tracking information collected on devices running on a household’s Wi-Fi network using traditional means.”
Since my Roku is plugged into Ethernet, and doesn’t have the credentials to access my WiFi network, I’m not sure how on earth they can sniff any kind of data from me, at least, other than addresses of other devices on the LAN. Unless I have a profound misunderstanding of how the underlying tech functions, of course.
Further, again, unless I have a profound misunderstanding of how the underlying tech functions, I’m baffled at what kind of “traditional means” any WiFi device on the LAN can employ to sniff anything beyond the basic specs of what other devices exist on the LAN. A WiFi device can ‘track information collected on other devices’? WTF?
If my understanding is flawed, it would mean that any WiFi device on your LAN can compromise the security of every device on that LAN, which is a concept I’ve never run across before.
So color me massively befuddled on that short, and highly non-specific passage. (Unless it’s purely about seeing if you have a Nest thermostat hooked up, and the Roku can somehow sniff its existence.)
—–
“For example, as Roku ramps up their analytics business, how might folks linking a Plex library or having installed an “adult” channel feel?”
Yeah, that’s more of a concern that actually makes sense to me…
Again, assuming the intentions are what we think they are yet having no idea what “traditional” refers to, scanning would depend how your network is configured and how wireless/wifi bridge. If your Ethernet is provided by the same wireless router, versus a second router or subnet, it’d likely be traversed or at least identified by router in any sort of scan. A possibly easy way to test *in the other direction* is load up Net Analyzer or iNet app on an iOS device and see if any of your hardwired devices pop. I do assume they mean Wf-Fi in the generic “network” sense and suspect most Rokus are wireless.
I could be wrong, but I interpretted the statement differently. I interpretted it as if innovid has information acquired from other devices coming from your network, that will be rolled into the algorithm used to serve ads to your Roku. I didn’t interpret it as the Roku itself gathering the information.
For example, they use CBS as an example. Lets say you use the cbs app on your smartphone/tablet to watch NCIS from your house. When you use the CBS app on you Roku, it will see that the same IP was used to watch NCIS on another device so it may serve you up an Ad based on that information.
At least that is how I interpretted the statement. Could be wrong though…
That’s an interesting angle. But still not referenced by the privacy policy. Definitely could use some clarification on what exactly this means and why I hedged in my presentation in case it’s mostly a matter of poor communication. I’ve reached out to Roku’s PR firm for comment.
“Again, assuming it means what we think it means and having no idea what “traditional” is, scanning would depend how your network is configured and how wireless/wifi bridge. If your Ethernet is provided by the same wireless router, versus a second router or subnet, it’d likely be traversed in any sort of scan.”
Makes perfect sense. So yeah, even without scanning, I assume my wired Roku can likely see the names of all the devices on my LAN. (Guess it’s time to browse through my router manual and use teh google on DD-WRT to see how to isolate various devices.)
But still doesn’t clear up all of my befuddlement on the “as well as by tracking information collected on devices running on a household’s Wi-Fi network using traditional means.” (my bolding).
Upon reflection, my strong guess is that this just means ‘information about what devices exist’, rather than ‘information existing on those devices’, but the thing is phrased maddeningly vaguely enough to have merited a Trigger Warning™ at the top of the post on your part…
I hope they respond to your request because I’ve admired Roku for a while now and their product is awesome. I would recommend it to everyone I know as long as their privacy policy isn’t too invasive.
Roku’s PR rep is out until Monday, so unless someone else in the agency or Roku itself reaches out (to me or other sites), we may not know more until next week.
Chucky, my assumption from the get go was ‘devices’ versus ‘data on devices’ — which is still inappropriate, info can be gleaned from that. Will they pitch Apple households or homes with X devices something or determine what competitive devices I’m running?
“For example, they use CBS as an example. Lets say you use the cbs app on your smartphone/tablet to watch NCIS from your house. When you use the CBS app on you Roku, it will see that the same IP was used to watch NCIS on another device so it may serve you up an Ad based on that information.”
Well, assuming your interpretation is correct, oddly, I actually have far less of a problem with the whole thing. That’s something I’ve assumed is already widely going on with other devices, if apparently not with the Roku until now. (Your interpretation would also make the “traditional means” finally make sense to me.)
“Chucky, my assumption from the get go was ‘devices’ versus ‘data on devices’ — which is still inappropriate, info can be gleaned from that.”
Agree it’s massively inappropriate. But not particularly surprised, if that’s the case. A fair amount of the already existing tracking that goes on strikes me as massively inappropriate. Like I say, time to browse through my router manual and use teh google on DD-WRT to see how to isolate various devices that don’t need to communicate with other devices on the LAN. I never use the Roku smartphone app anyway. And perhaps even finer-grained tools are available to me.
“Will they pitch Apple households or homes with X devices something or determine what competitive devices I’m running?”
Sure. For example, they’ll know you’ve got Arlo cameras, and either pitch you complementary products, or competitive products.
(And as a special bonus, one Roku’s database inevitably gets hacked, bad guys will know what devices you’ve got, and thus target the inevitable unpatched vulnerabilities. IoT FTW!)
They can’t get me, I don’t run Wemo… ;)
http://www.kb.cert.org/vuls/id/656302
“They can’t get me, I don’t run Wemo… ;)”
Indubitably true. It’s widely accepted that not running Wemo is an impregnable Maginot Line. 4 out 5 French dentists surveyed agree.
(However, you should be aware that the deer are rapidly learning to code, and that’s your real vulnerability.)
I think it’s just poorly worded. My guess is they mean the Roku device will scan all available Wifi networks and use that information to determine your location. This is likely the “traditional means” they are referring to. It’s common practice for devices without GPS, like wifi only iPads for example, to cross-reference all the SSID names they can pickup with a database and get a surprisingly accurate estimation of the device’s physical location. This is why your smartphone, even though it has GPS, will ask you to enable wifi to improve location accuracy. The name of all the wifi connections in any given area acts as a fingerprint-of-sorts to identify the location.
Roku reached out to me. They’ve asked Techcrunch to remove that statement from their post as it’s inaccurate and state:
“Roku does not collect data from a customer’s WiFi network nor collect data from any other devices on a customer’s WiFi network.”
Roku further went on to tell me that no changes are needed to their privacy policy, that it’s completely up to date. So the data collected is already known to us and much anonymized. I was offered a briefing by the head of advertising, but passed – ads are bad, right? ;)
I’ve updated the post title and added Roku’s statement to the top.
I’m confident that you guys know more about network security than I do. Where can a non-techie find good information about home network security? I would like to learn more about it. It probably should have been required learning before people got internet access. Like a driver’s license. Is anything actually safe from intrusion? If the White House can get hacked, can my personal computer really be protected?
“I think it’s just poorly worded. My guess is they mean the Roku device will scan all available Wifi networks and use that information to determine your location.”
While it is indeed poorly worded, which makes multiple guesses plausible, your guess is definitely not the correct one.
If you read the article, they are saying that this involves location and some additional other kind of tracking, the nature of which is not entirely clear.
My guess is that Matt’s guess upthread is the most likely answer, but who knows? I only know the article says it’s something more than just location.
“Roku does not collect data from a customer’s WiFi network nor collect data from any other devices on a customer’s WiFi network.”
Oddly enough, that’s still an evasive statement. (Or at least a non-definitive statement.)
If one has been following the NSA fallout of the past few years, one has become familiar with the distinction between “data” and “metadata”. So that statement can be literally true, while Roku still harvests metadata from your WiFi network to establish location, and harvests other metadata from your WiFi network to establish what devices are hooked up. None of that is “data”.
I’m certainly not saying that they’re doing that. But I am saying that that statement doesn’t mean they’re not doing that.
Still think Matt’s guess is most likely, which wouldn’t involve any of that, but especially given the centrality of location tracking in the article, Roku still needs to clarify a bit more…
I feel like it’s more benign and location is presumed given our account registration and network address (in the way BBC iPlayer can’t be generally added to a U.S. Roku box/account). Although I do wonder what exactly Techcrunch was trying to convey and what led them to that thought. But not enough to get on the phone with PR. Will the real tech bloggers please stand up?
“I was offered a briefing by the head of advertising, but passed – ads are bad, right? ;)”
Hell, I would’ve taken that briefing, were I you. That’d be the guy who could explain on the record what the hell this new thing actually is. I’d have asked:
– Is Matt’s theory essentially correct?
– Are they collecting anything from home networks?
“I feel like it’s more benign and location is presumed given our account registration and network address”
One would assume, but the whole thrust of that article certainly calls that into question.
“Although I do wonder what exactly Techcrunch was trying to convey and what led them to that thought.”
Yeah, that’s why the head of advertising would’ve been an interesting person to talk to. He’d have known.
“But not enough to get on the phone with PR. Will the real tech bloggers please stand up?”
ZNF! Best Fake Tech Blogger on the internet! (I do strongly sympathize with your desire to avoid the phone call, though. Obviously, it’s time to quit your day job and do a ZNF! IPO.)
“I’m confident that you guys know more about network security than I do. Where can a non-techie find good information about home network security? … Is anything actually safe from intrusion? If the White House can get hacked, can my personal computer really be protected?”
R U serious? (Yes, I know you are.) You actually have a far easier task than a public-facing website like the White House!
Strongly consider employing Best Practices™.
Get an well-regarded open-source DD-WRT router. Lock it down. Do some minimal research. Check your router’s logs from time to time. If you need to punch holes into the lock-down, make damn sure your know what you’re doing. If you use a WiFi source you don’t control, act as if it is compromised by MiTM.
Strongly consider valuing Privacy and Security Over Convenience™.
Even once your LAN is locked down, still consider it insecure.
Lock down each one of your clients as if your LAN is insecure™.
Remove all internet plug-ins, (can’t emphasize that one enough), and disable all unnecessary client sharing features. Consider surfing without JavaScript and cookies the vast bulk of the time. Obviously, encrypt all personal data on your clients.
Again, beware any client ‘convenience’ tools that you don’t solely hold the keys for. Make your keys complex enough to defeat formidable adversaries. Remember that things transited over the web are forever. Remember that formidable adversaries will see and store all those transmissions. Remember all of that when considering key possession and complexity.
Always keep each of your clients securely in your possession, 24/7.
0-days are a real-world phenomenon in both routers and clients. Adopting Best Practices™ can reduce your risk surface.
If you think you’re targeted by a formidable adversary, such as the US, Chinese, or Russian government, abandon hope all ye who enter here. Air gap and Tails, or go home. And even then, pray.
This is an incredibly rudimentary primer. The topic is complex. But, yes, even though the topic is dark and deep, you can still considerably decrease your risk surface by adopting Best Practices™.
“I’m confident that you guys know more about network security than I do. Where can a non-techie find good information about home network security? … Is anything actually safe from intrusion? If the White House can get hacked, can my personal computer really be protected?”
Also, if you’re on OS X, buy and use Little Snitch. Won’t solve nearly everything, but it helps. And strongly consider being strict with its rules, at the cost of convenience…
Yeah, as Chucky said, if nation-states want access it seems there’s not much we can do. So it’s more about preventing drivebys – just massive scans where folks are looking for openings. Max safety, probably means closing off the outside world to the best of your ability. Turn off remote management of your router for sure. VPN, ssh, etc can be convenient, but if you enabled them, you’ve provided a vector of attack.
If your provider supplies the router, like FiOS or sometimes Comcast, they’re managing the security. Pros and cons to that approach. I’d assume they do more to keep it updated and patched than the average consumer, but not the most vigilant consumer and who knows what data they collect. Also, you give up a certain amount of router control. In Chucky’s case, he replaced his Verizon router with his own (running open source router software). In my case, I run another router behind Verizon’s router. One of my work pals has something of a DMZ (as he does require remote Microsoft terminal services) and all his “computers” are VMs that he regularly replaces (he also downloads a lot of Korean movies via questionable avenues) – so you can take this as far as you want…
For wireless, run WPA2 (and there’s no point in hiding your SSID – you don’t slow bad guys down, just inconvenience yourself).
These days, and as this article alluded to, I think the bigger threat is internal client devices or services behaving badly and shipping data off. Or poorly constructed protocols in/out from client devices that could leave you vulnerable. For the most part, we have to hope they’re doing the right thing. (One of my Twitter followers put his Roku on a “guest” WiFi network, when the TC story first hit, to isolate it.)
Beyond the home network, use two factor wherever possible to protect your accounts and data. Usually it’s something like a RSA key fob or app, Google Authenticator app, or code delivered via text message.
By the by, TC removed the offending sentence and offered this by way of explanation:
“Correction: Article updated to reflect that Innovid was discussing how its advertisers could take advantage of retargeting campaigns. Roku is not tracking devices.”
Thanks Chuck and Dave for the information.
“Thanks Chuck and Dave for the information.”
Uh-oh. By gravely insulting me by calling me “Chuck”, I’ve been forced to explore your LAN, and I’ve identified 17 severe vulnerabilities that I must now exploit.
Similarly, Dave vaguely slighted me a while ago, and I responded by taking advantage of known vulnerability in his Verizon router to take control of its IoA feature to botnet the wildlife around his home. I’ve already got the rabbits trained to ride the deer as cavalry, and now I just need to get them coordinated with the spider-trapped insects I’m using as an air force before I launch the assault.
Damn. I can see that my comment prompted Dave to disable the IoA feature in his Actiontec. Me and my big mouth. Now, I’ve go no admin capabilities over his wildlife. Won’t anyone think of his poor neighbors, now faced by a horde of militarized wildlife running around amok with no command and control?
My only hope is that he someday reactivates his Kinnect, which is the only other device with an IoA feature that I know how to backdoor…
So if you weren’t the one who just sent this tree frog onto the window…?
“So if you weren’t the one who just sent this tree frog onto the window…?”
Like I said, just you’ve irresponsibly taken away my admin capabilities doesn’t mean all my hard work getting them militarized has suddenly vaporized. The only thing worse than an army of wildlife under my command and control is an army of wildlife under no human’s control. At least I follow the Geneva Conventions. I’d guess badgers are now acting as crazed warlords…
Achievement unlocked! I live in a FIOS-heavy neighborhood, and I’ve managed to get into enough Actiontecs to get a chorus of my neighbors’ dogs to coordinately bark out Bohemian Rhapsody on command. My SO is delighted.
Don’t worry, Dave. After the wildlife mount their successful invasion under my remote admin generalship, I’ll give orders to make sure they dutifully schedule all Showtime Original Programming on your TiVo. Like I said, I do observe the Geneva Conventions.