On Roku and Amazon Fire TV, Channels Are Watching You

By this point hopefully you're at least generally aware that the digital ad ecosystem tracks you across the web, building a composite profile to more effectively target and deliver ads your way. But new research shows that the tentacles of that octopus extend farther than ever—all the way into the most popular streaming video services and devices.

On Wednesday, researchers from Princeton University and the University of Chicago detailed the tracking that happens behind the scenes in over 2,000 channels on Roku and Amazon Fire TV streaming devices. The researchers bought different models of the streaming sticks and built a tool to monitor and analyze their network traffic to see the data coming to—and more importantly, going from—the devices. They found that 89 percent of Amazon Fire TV channels and 69 percent of Roku channels contained easily spottable trackers that collected information about a viewing habits and preferences, along with unique identifiers like device serial numbers and IDs, Wi-Fi network names, and the Wi-Fi identifiers known as MAC addresses.
"We knew just from reading news articles that Roku made more money from advertising than from selling hardware last year, but it was still really surprising when we found all the different trackers," says Gunes Acar, a digital privacy researcher at KU Leuven, formerly with Princeton. "On some channels we found there are more than 64 different trackers collecting data about what you view and for how long. And unlike with browsers or mobile apps you really have no tools or extensions to look into this traffic or block ads. So transparency-wise it’s really bad for the user. You have no way to know what data is being collected and you have no recourse."The ad-tracking mechanisms on regular computers don't translate perfectly to streaming devices, but the researchers suspect based on their observations that there isn't a totally separate, streaming-based ad ecosystem. Instead, they believe that streaming dongle data simply plugs into the larger user tracking and analysis for established ad networks. For example, Google Analytics and DoubleClick trackers are extremely prevalent in channels on both devices. Amazon's AdSystem is, not surprisingly, the most common tracker the researchers saw on Fire TV channels, and other recognizable names like Facebook and Scorecard Research show up frequently too.
The overlaps are particularly unsurprising when you think of these devices as small pieces of the larger industry; for example, the Fire TV operating system is built off an Android fork.Tech companies, and particularly mobile operating system makers like Apple and Google, have increasingly worked to offer changeable identifiers for ad tracking, which make it harder to associate online activity with a specific person in the long run. The privacy researchers, by contrast, found that Roku and Fire TV channels hoarded static identifiers, which make it virtually impossible for you to exercise choice about what data is associated with you and for how long. If involved in a breach, the information could also pose a security risk.
"The fact that they detected identifier collection, specifically the persistent ones like device IDs and MAC addresses, is surprising," says Lukasz Olejnik, an independent cybersecurity adviser and research associate at Oxford University's Center for Technology and Global Affairs. "It looks like an overly invasive measure."Both Roku and Fire TV devices offer an anti-tracking feature meant to give some control over the amount of data that gets used for ads. Roku's is called Limit Ad Tracking and shows up in Settings > Privacy > Advertising, while Fire TV's is called Disable Interest based ads and comes up under Settings > Preferences > Advertising ID. The wording of the settings indicates, these aren't comprehensive protections. The researchers found that while there were some noticeable decreases in certain types of outgoing data with the features turned on, a lot of information still got passed along.