I have a Roku streaming stick at home. It’s a convenient way of hooking Netflix, Amazon Video and NowTV up to the telly in the living room without having a mass of boxes, cables and so on.
As a streaming device, it’s great and works really well. But, as is so often the case these days, it turns out there may well be a sting in the tail.
See, I recently decided to set up Pi-hole on my home network. It’s a great tool, and super-helpful in the never-ending battle to keep Internet nasties, creepies and snoops away from my kids. And it revealed something that I didn’t know.
The Roku phones home. Like, a lot. A host called “cooper.logs.roku.com” shot straight to the top of the most queried domains in the Pi-hole. Seems the Roku tries to hit it twice per minute, every minute. It seems that it is, by a country mile, the chattiest thing on my home network. Which, when I tell you that we have multiple Amazon Echos, IP telephony and every games console under the sun, you will appreciate takes some doing.
I get that the device would need to phone home periodically to check for software updates and stuff. That’s pretty normal; sensible, actually. But, every 30 seconds? What on earth is it doing?
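To put a number on that kind of cadence, here is an added example (not part of the original post, and not Roku or Pi-hole code): it parses dnsmasq-style query lines of the kind Pi-hole logs and reports client/domain pairs that repeat at a steady interval. The sample log lines, client addresses and the jitter threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# dnsmasq "query" line: timestamp, query type, name asked for, asking client
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(\w+)\] (\S+) from (\S+)$"
)

# Constructed sample: one client asks for the same name about every 30 s,
# another makes a handful of irregular lookups.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[812]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 10:00:01 dnsmasq[812]: forwarded cooper.logs.roku.com to 1.1.1.1
Jan  5 10:00:05 dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan  5 10:00:07 dnsmasq[812]: query[AAAA] example.org from 192.168.1.20
Jan  5 10:00:31 dnsmasq[812]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 10:01:02 dnsmasq[812]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 10:01:31 dnsmasq[812]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 10:01:40 dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan  5 10:02:01 dnsmasq[812]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 10:02:55 dnsmasq[812]: query[A] example.org from 192.168.1.20
"""

def beacon_report(log_text, min_queries=4, max_jitter=5.0):
    """Return {(client, domain): (count, median_gap_s)} for steady repeaters."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # forwarded/reply/cached lines are not client queries
        ts, _qtype, domain, client = m.groups()
        # The log carries no year; a fixed one is assumed so gaps can be computed.
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
        seen[(client, domain.lower())].append(when)
    report = {}
    for key, times in seen.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Steady cadence: every gap lies within max_jitter seconds of the median.
        if all(abs(g - mid) <= max_jitter for g in gaps):
            report[key] = (len(times), mid)
    return report

if __name__ == "__main__":
    for (client, domain), (count, gap) in beacon_report(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {count} queries, one every ~{gap:.0f}s")
```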
I got curious. So, I went and had a look at Roku’s privacy notice.
Reading between the lines, it looks to me like the Roku stick is basically sending all of our viewing habits back to HQ. The privacy notice doesn’t say why, or on what legal basis. It looks like it might also have mapped my home network and sent all of that info back to Roku too (although some Wireshark sniffing didn’t capture anything interesting other than SSDP traffic, which you would expect from a home media device).
Either way, it’s sufficiently concerning that I’ve submitted a subject access request (which, despite being a tech lawyer, I’ve actually never done on my own account before). Assuming Roku honours it, hopefully it will tell me what they’re up to.