On Roku and Amazon Fire TV, Channels Are Watching You

Credit to Author: Lily Hay Newman| Date: Wed, 18 Sep 2019 21:41:59 +0000

New research shows that over 2,000 streaming apps track information about your devices—even when you tell them not to.

By this point hopefully you're at least generally aware that the digital ad ecosystem tracks you across the web, building a composite profile to more effectively target and deliver ads your way. But new research shows that the tentacles of that octopus extend farther than ever—all the way into the most popular streaming video services and devices.

On Wednesday, researchers from Princeton University and the University of Chicago detailed the tracking that happens behind the scenes in over 2,000 channels on Roku and Amazon Fire TV streaming devices. The researchers bought different models of the streaming sticks and built a tool to monitor and analyze their network traffic to see the data coming to—and more importantly, going from—the devices. They found that 89 percent of Amazon Fire TV channels and 69 percent of Roku channels contained easily spottable trackers that collected information about a viewing habits and preferences, along with unique identifiers like device serial numbers and IDs, Wi-Fi network names, and the Wi-Fi identifiers known as MAC addresses.

"We knew just from reading news articles that Roku made more money from advertising than from selling hardware last year, but it was still really surprising when we found all the different trackers," says Gunes Acar, a digital privacy researcher at KU Leuven, formerly with Princeton. "On some channels we found there are more than 64 different trackers collecting data about what you view and for how long. And unlike with browsers or mobile apps you really have no tools or extensions to look into this traffic or block ads. So transparency-wise it’s really bad for the user. You have no way to know what data is being collected and you have no recourse."

"It looks like an overly invasive measure."

Lukasz Olejnik, security researcher

The ad-tracking mechanisms on regular computers don't translate perfectly to streaming devices, but the researchers suspect based on their observations that there isn't a totally separate, streaming-based ad ecosystem. Instead, they believe that streaming dongle data simply plugs into the larger user tracking and analysis for established ad networks. For example, Google Analytics and DoubleClick trackers are extremely prevalent in channels on both devices. Amazon's AdSystem is, not surprisingly, the most common tracker the researchers saw on Fire TV channels, and other recognizable names like Facebook and Scorecard Research show up frequently too.

The overlaps are particularly unsurprising when you think of these devices as small pieces of the larger industry; for example, the Fire TV operating system is built off an Android fork.

Tech companies, and particularly mobile operating system makers like Apple and Google, have increasingly worked to offer changeable identifiers for ad tracking, which make it harder to associate online activity with a specific person in the long run. The privacy researchers, by contrast, found that Roku and Fire TV channels hoarded static identifiers, which make it virtually impossible for you to exercise choice about what data is associated with you and for how long. If involved in a breach, the information could also pose a security risk.

"The fact that they detected identifier collection, specifically the persistent ones like device IDs and MAC addresses, is surprising," says Lukasz Olejnik, an independent cybersecurity adviser and research associate at Oxford University's Center for Technology and Global Affairs. "It looks like an overly invasive measure."

Both Roku and Fire TV devices offer an anti-tracking feature meant to give some control over the amount of data that gets used for ads. Roku's is called Limit Ad Tracking and shows up in Settings > Privacy > Advertising, while Fire TV's is called Disable Interest based ads and comes up under Settings > Preferences > Advertising ID. The wording of the settings indicates, these aren't comprehensive protections. The researchers found that while there were some noticeable decreases in certain types of outgoing data with the features turned on, a lot of information still got passed along.

For example, switching on Limit Ad Tracking stopped all Roku channels from sending a user's "AD ID," but almost as many channels still sent device serial numbers out regardless of the setting. The researchers also found that Roku channels actually contacted more tracker domains, not less, when the privacy protections were on. The researchers observed Roku channels contacting 96 tracker domains when the setting was off, and 128 when it was on.

On Fire TVs, the protection only slightly cut down on the number of channels sending out IDs like AD ID, Android ID, serial numbers, and Wi-Fi MAC addresses. That's likely because the documentation for the two features from Roku and Amazon leave it to each channel to implement a version of the protections themselves, instead of establishing universal requirements.

Roku did not return requests for comment from WIRED. An Amazon spokesperson told WIRED, “When customers opt-out of interest based ads, we require app developers to not use the advertising ID to build user profiles for advertising purposes or show interest based ads. We also require all third party apps that collect personal information from Fire TV users to provide a privacy notice that discloses what information they collect from the customer and how they use it.”

Not all ID collection is inherently ad-related, given that services need to differentiate users to serve content and offer customizations. But the researchers point out that legitimate use cases create a gray area for ad tracking to persist in.

"The main things that we realized about these devices is that the countermeasures fall short of doing what they’re supposed to do, because there are all of these other identifiers that exist on these devices even if one isn't being sent," says Hooman Mohajeri Moghaddam, a researcher from Princeton who worked on the study. "So even if you enable the privacy option there are still other IDs that can be used to uniquely ID the user or device."

Without curtailing ID collection, user activity data like what people are watching and for how long can still potentially be associated with them and used to fuel targeted advertising.



Given the pervasiveness of ad tracking around the web and past revelations about tracking in smart TVs, it's not necessarily surprising that the practices exist in streaming sticks and set-top boxes. Just this week, researchers from Northeastern University and Imperial College London had similar findings in a survey of smart TVs. But given how small and innocuous streaming devices seem, it's important for consumers to understand what's going on behind the scenes.

"We know that the pure web and mobile ad ecosystems are based on tracking and profiling, and internet of Things devices like smart TVs and streaming devices heavily depend on that larger structure," independent cybersecurity adviser Olejnik says. "So unfortunately you need to expect that devices like these won't miraculously behave differently."

At this point, it might take a miracle to rein in all of this inveterate tracking. Though US consumers might settle for decisive action from Congress if they can get it.

Updated September 18, 2019 at 9:20pm ET to include comment from Amazon.

https://www.wired.com/category/security/feed/