Roku Forums

[KlaasV]

Good evening to all forum members,

most of us, I presume, would agree that the Soundbridges are fantastic devices - and that they have even become more valuable since Radio Roku was introduced.

Having enjoyed my Pinnacle branded HomeMusic for some time now I however was curious how Rokulabs managed to have such a large collection of stations. So - as I have a router that allows me to monitor all outgoing and incoming packets - I took a closer look at the communication the Soundbridges have with www.radioroku.com when the "Data upload" option is enabled (this is the default setting introduced with firmware version 2.7).

To put it frankly: The results alarmed me!

Here is what is uploaded to www.radioroku.com (IP address 209.200.236.41):

1. After having been switched on, the Soundbridge first contacts the configured time server and then the update server of Rokulabs without uploading anything. Immediately after that it uploads its individual device data to the Rokulabs server, including MAC address, local IP, serial number, WiFi strength, WiFi quality and country code as well as some other information. This upload is effected even if the upload function is disabled in the Soundbridges settings.

2. Every time a preset is selected the Soundbridge uploads the complete stream URL and the station's name (I'll come back on this later as it has very unsettling side effects).

3. Every time "Top stations", "Browse" or "Search" is selected the Soundbridge downloads the list of live stations from Radio Roku. To do that it uploads its MAC address as well as the configured country code and language (obviously this is not for technical reasons as the request returns the same result if this information is omitted).

4. Every time a specific station is selected to play the Soundbridge contacts the Rokulabs server again - once more uploading the MAC address (this again is not for technical reasons as this request, too, functions properly without this information).

5. On certain occasions the Soundbridge uploads the complete set of (locally saved) presets - including once more its MAC address. This upload is done independently from playing a preset.

6. From time to time the Soundbridge uploads "performance data" concerning the played stations, for example playing time, reliability and quality of the streams, again including its MAC address and serial number.

While this manner of collecting data is at least very questionable, the consequences of point #2 are highly worrying. If the upload function of the Soundbridges is enabled (remember: this is the default setting), even individualized stream URLs get uploaded to the Rokulabs server and eventually show up in Radio Roku.

Here's a scenario illustrating why this behaviour of the Soundbridges can be dangerous. Registered "VIP members" of Live365 - for example - have access to higher quality streams and stations which are not publicly available. One can play these stations on Soundbridges by putting the respective URLs into the presets. These URLs include authentication data like the user's name and (in one way or another) password as well as certain tokens. If a user plays such a preset all this information gets uploaded to the Rokulabs server and might show up in Radio Roku! This not only violates the Terms of Use of Live365 but also exposes personal data thus to a world wide public! In some countries the implementation of such an upload feature could constitute a criminal act.

All users of streaming services that require registration should therefore IMO think of disabling the upload function of their Soundbridges.

Besides that I would like to ask Rokulabs in general and Chairman Anthony Wood in particular to answer the following questions:

(a) Why are the Soundbridges uploading data that is obviously not needed to ensure the functionality of the devices and the service?

(b) In which manner do Rokulabs intend to make use of the collected data (other than improving Radio Roku, which can certainly be done without uploads containing specific device information)?

(c) Why have Rokulabs never comprehensively informed their users and the public that the Soundbridges are uploading such a massive amount of data? Up to now there does not even exist a manual covering the firmware versions 2.7 or 3.0 - the latest version is covering 2.5 which has no upload functionality.

(d) When and how will Rokulabs ensure that no personal authentication data of Soundbridge users is uploaded and published any more?

I am sure many users would like to have the answers to these questions as soon as possible.

Regards
KlaasV

[dude_2020]

WoW !!

I suppose thats why I have sometimes seen the words 'source=radiofeeds' at the end of some RadioRoku urls.. depicting they were found at the file list of www.radiofeeds.co.uk

[nite]

Do they have a privacy statement anywhere? If not then I would be worried.

[dupondt]

Do they have a privacy statement anywhere? If not then I would be worried.

Hi nite,

you'll find a privacy statement here: http://www.radioroku.com/lang/14/privacy.php

Greeetings from Germany
dupondt

[nite]

Do they have a privacy statement anywhere? If not then I would be worried.

Hi nite,

you'll find a privacy statement here: http://www.radioroku.com/lang/14/privacy.php

Greeetings from Germany
dupondt

Thanks for finding that. If im not mistaken it seems to relate to web site use and personal information rather than information being sent automatically without your knowledge as found out by the OP.

Any other privacy notices regarding the hardware itself? Ill have a poke around at some point.

[wideasleep1]

Do they have a privacy statement anywhere? If not then I would be worried.

Hi nite,

you'll find a privacy statement here: http://www.radioroku.com/lang/14/privacy.php

Greeetings from Germany
dupondt

Thanks for finding that. If im not mistaken it seems to relate to web site use and personal information rather than information being sent automatically without your knowledge as found out by the OP.

Any other privacy notices regarding the hardware itself? Ill have a poke around at some point.

Nite- you might have missed this part:
"We collect usage information from Roku audio devices on your network to build a database of reliable Internet audio streams. The collected information includes the specific URLs of streams played, duration played, and various quality measures. The collected information from many users is aggregated and then made available to users of Roku audio devices and Roku web services in an anonymous fashion. You may opt out of this data collection on each of the Roku audio devices on your network. "

[nite]

So I did! Thanks for pointing that out.

So klaasv it seems u agreed to it beforehand.You can opt out though if it bothers you, so that might be a good thing for you to do.

How can you be sure that passwords dont get propogated to RadioRoku? Email support and ask them directly is what I would do. It doesnt effect me so im not really worried - I was curious though and since they have a privacy statement thats good enough for me.

[KlaasV]

Good evening,

nite, I'm not bothered personally. You can be quite sure that my Soundbridge doesn't upload anything I don't want it to upload.

But what about probably the majority of Soundbridge listeners all over the world? The privacy statement wideasleep1 cited only applies to www.radioroku.com and is very vague. To be able to know what data is uploaded, Soundbridge owners should find this in the manual. And if they opt out there should be no more uploads of data like MAC addresses or serial numbers any more.

Besides that: Where does a Soundbridge owner find the information what he has to do to opt out? The actual manual reflects firmware version 2.5 which had no upload function at all!

I believe that Roku (and Pinnacle) have the duty to actively inform their customers and should not hope that every Soundbridge owner visits www.radioroku.com right after he bought the device and before starting to use it (and even then the information would IMO not be sufficient).

Regards
KlaasV

[diannabill]

So how can we check to adjust these settings if that's what we want to do?

[wideasleep1]

IIRC (at work), System Config->Settings->Data Upload. If it's not that, it's similar, in the settings menu somewhere.

[alanmc]

I personally believe that the developers of firmware 2.7 had every good intention as to what the upload function would achieve for the benefit of the whole community who listen to SoundBridges -

However, there are also the very serious downsides to this function about which I have both written and spoken with the Administrator of Radio Roku, who I believe has every intention of 'fixing' such issues.

I see all to frequently the scenario of incorrect streams being auto uploaded into the wrong stations which causes many hours of work, and personally being subject to European laws and associated standards of morality I thus view the issues expressed by KlaasV as being both sincere and well intended. In respect of all my own SoundBridges, you can be sure that the data from my units does not get uploaded.

[wideasleep1]

I personally believe that the developers of firmware 2.7 had every good intention as to what the upload function would achieve for the benefit of the whole community who listen to SoundBridges -

However, there are also the very serious downsides to this function about which I have both written and spoken with the Administrator of Radio Roku, who I believe has every intention of 'fixing' such issues.

I see all to frequently the scenario of incorrect streams being auto uploaded into the wrong stations which causes many hours of work, and personally being subject to European laws and associated standards of morality I thus view the issues expressed by KlaasV as being both sincere and well intended. In respect of all my own SoundBridges, you can be sure that the data from my units does not get uploaded.

I suspect the sheer volume of these streams, coupled with the fact that they have to 'manually' tuned and listened to for verification and accuracy, is simply overwhelming. I seriously doubt Roku will invest time, money and personnel to do such tasks, and have left it to us volunteers. With the volunteers waning, Roku must come up with a new method to accomplish correct entries in RadioRoku, if they want to preserve RadioRoku as the valuable service it had become. The question is, do they have the will?

Alan, do you think the time has been reached to recommend users turn off data upload entirely? How will this impact legitimate new stations, quality stats,etc. What if...the data came to a dead halt? My initial impression is that RadioRoku may be 'big enough' in that it has one of the largest collections of streams on the net, and stations can already be found to satisfy the needs of almost all users. IOW, I think it's already a success, but do we want to stop it in it's tracks when we aren't sure exactly of it's destination/capabilities?

[alanmc]

Wideasleep1

As you are aware I am not in favour of the use of the Auto-Upload function for the following reasons:

1. Ongoing problems associated with the automated sorting of such stations . . . . until this is fully resolved this function causes more problems than it is worth. It ‘breaks’ stations!

2. As Roku have not released a user-manual for either 2.7 or 3.x firmware, and do not have an appropriate cautionary statement as regards the auto-upload function in the various languages where their products are sold, I do not believe that the SoundBridge should have data uploading enabled as the default setting. This should only be at the sole choice of the registered user following an on-screen prompt. Meanwhile I feel that Roku should post an “Announcementâ€