Roku is locking TVs until you give personal data.

data real-lies
13 min read · Nov 20, 2019

Update your Roku? Too bad, it’s stuck on this screen until you give data and payment.

Disclaimer: by “Lock” I mean soft-lock. They do technically allow you to continue without adding the payment, but the options are hidden and only available if you look for them. Dark patterns are absolutely at work here, and unless you factory reset your TV it’s a freaking brick for the majority of people. Your TV is what I will call “BlueBricked”.

An earlier edition of this article read “Crypto locked”.
I consider this crypto locked due to how it emulated ransomware that asks for money. However, that term is incorrect. There is no encryption going on here. The correct term here would be Blocked, or stopped. In effect, you will be stuck with the blue banner below.

Profanity was also removed.

This is a Roku Television set.
For most people a Roku would be a plugin you can connect or disconnect at will. In this case Roku IS the TV.

https://support.roku.com/article/209403268-what-is-roku-tv-

We have all heard of cord-cutters, people who don’t want cable TV and are turning to fire stick or network streaming services instead of having to deal with the hundreds of crap-channels that come bundled with your local television package.

Roku, however, has taken some EXTREME MEASURES of flat out soft locking your television.

Directly after updating to the newest version, your Roku TV will show the above screen telling you to go to roku.com/link to set up your Roku.
This means a TV that was working will update and show the blue screen of death.

This will show up after an update, meaning as soon as it is connected to Wi-Fi.
In the case of this TV, Wi-Fi is required to use any of its apps or channels.

You will not be able to skip it without blocking the update from your router. There is no continue anyway, set up later, or gimmie my TV button. Although you can still use the input selection and set up another box.

Pressing * gives you the customer service number.
Rebooting TV gives you the same screen.
It looks like Roku indeed generates a specific code per device, as putting random characters into the box does not continue.

I decided to contact Roku customer service, and the only step the advisor was able to give me was “Press * then reset”.

So far this looks just like the linking that comes with setting up a Chromecast or Firestick. Pairing is a normal interaction between smart devices and Amazon has a similar screen during Wi-Fi setup. They simply don’t do the next step and their screens can be canceled.

Navigating to the URL gets much worse where I am demanded to create an account.

When I say demanded I mean the screen on TV didn’t display a working television and the online interface at the link required a username and password.

At this point, I’m locked out of my TV, except instead of asking for payment it’s requiring an account.

Here I entered dummy information.

Can I skip the first and last name? Nope.
Alright, my name is Mark Zuckerburg and the email is yourokuthisviolatesGRPR@example.com
Does it check the validity of the email? Nope. So it is not collecting it for data security or to combat spam; it’s just collecting it.
Next, it moves to...

PAYMENT?!

Now here Roku is very, very careful about their wording.

It’s almost like they knew people would be looking for this…
But the fact that this required screen exists presents a large problem.

For those visiting this URL just wanting their TV to work, they may enter in their card details. Picture your mother or grandmother unboxing their new Television or encountering this screen after an update.

At this point, since the screen refuses to exit, change, let you back out or do anything other than showcasing a blue “activate” screen, it functions quite similarly to ransomware.

By demanding payment to continue, this television set (and any Roku devices that get this update) becomes a scam box.

I started searching again. In doing so I came across several scam sites indicating skipping activation, all asking for CC details. So to be clear, Roku is creating a niche market for these fraudsters, hand-delivering them people to defraud.

I knew there had to be an option to bypass this. Refusing to continue without payment could get Roku in some serious hot water.

And on their support pages, Roku is VERY careful to mention the following
Notes:

  • There is NEVER a charge to create a Roku account.
  • Roku does NOT charge for device activation.

Ha-ha. No, they don’t. They do, however, sure make it easy to add your details on the screen and refuse to unlock your TV unless you call customer service (who will most likely give the link, I’d imagine) or find their little webpage.

And there it is.
Turns out Roku has a webpage:
https://my.roku.com/signup/nocc

Here you are only required to enter:

  • First name (required)
  • Last name (required)
  • Email (req.. seeing a pattern here?)
  • Password: (yup. you MUST create the account)
  • DAte Of BiRth?! (required)
  • GENDER? Required!

Let’s get something straight here. Gender should ALWAYS be an optional choice.

Oh and you must also agree to the terms and conditions, Privacy policy Last Updated: November 8, 2019. Don’t worry friends we will get to that.

Then and only then will you finally get to use your T… NOPE!
It’s time to select a trial!

Remember the CC details that would have been entered earlier?
HBO, Showtime, Starz, Cinemax, ABC, you name it, it’s there with an easy-to-press start trial button. Only when you go aalllll the way down to the end of the page, hit more options, then go allllll the way down will you finally see a skip button.

All along the way, there are big, bright start trial buttons.

What a nightmare, right?
Finally now you can... select your viewing preferences.
The Roku page then demands (again, with no skip) to know what you enjoy watching.

In my case, to get to the end I selected fake options. Marky likes politics, ABC, and Christian shows. Yup, that sounds about right.
Finally. Finally, the TV updated and Woop. It’s a working television again.

After all this, I decided to give Roku customer service a call. Maybe there is a hidden menu to skip this after all.

So I did what any rational human being would do (hah!)
I factory reset the Hisense TV using the factory code.

Doing this will roll back to the previous OS. That is, until it tries to update.
Immediately after connecting to Wi-Fi, it did exactly this and I was back to the start of the problem.

Now to see if there is a fix. *dials*

Thank you for calling Roku. Your call may be recorded for training purposes. Main Menu. To learn about Roku’s features, products and channels press 1.

For help with your Roku account, a recent charge or subscription billing press 2.

Yeaaaaaaahhh. When your second option in the IVR is “for issues with your account or for a charge that just showed up press 2” right after what our products are, you might have a problem.

I wasn’t feeling great waiting 12 mins for someone to answer the phone, although it’s not like changing some website settings and blue-blocking TV sets would make the lines any longer, right? I can’t think of a reason /r

The rep I got on the line informed me of the following:
Press * then select reset.
What does this do?

You are resetting the TV.
okay…

We are back to the setup screen.
Yes Yes now go to a computer.

Hold up. Resetting the TV brings me back to the same screen. My issue is this was a working TV set before. Now after this update it’s bricked until I complete activation. I am calling to bypass the activation screen.

Silence on the line. I’m pretty sure they were trying to trick me into completing activation.

their control panel probably.

It seems for a good portion of the call they thought I meant a Roku stick not a Roku TV. After I said I will not be visiting a URL (remember I did all this and am simply looking to see if an override exists) they asked what TV it was.

You could hear the air deflate out of them when I patiently explained this is not a stick or box but the core TV. Roku is the OS running this system.

They then told me to press * and reset.
Again this brings you back to the same screen.

Let me check with my manager...

I ended up getting transferred instead.
You do that. I’m sure there is no option in the script for “My company is being a sleazebag”.

This person was a JOY.

“But it is so easy to visit the URL.. why don’t you just visit it? We just need to activate.. don’t you have a computer?
Don’t you have a computer? Just visit the website.

Maybe you already activated this already…
These screens can be so quick. You must have already activated me, this isn’t a software update.”

Finally when he realized I’m NOT a grandmother

He attempted to gaslight me.
Well, you see this isn’t a software update.
You probably already did the activation and this screen is just ..yeah.
It is nothing. We cannot remember everything we do all day, right?

Now I was beyond annoyed, aggravated and perturbed. I was PISSED OFF.

Far be it from me to hotheadedly yell at another human being, especially a worker in a call-center who is following a script.
Now to be clear I don’t know if this interaction was an isolated incident or the default response. But it is pretty clear they can’t do anything.

It’s not their fault that there is. not. an. option.

The name of the game in call-center work is to resolve the problem or get them off the phone. I know how this goes, buddy. I told this person to be quiet for a few moments while I brew some coffee because their inadequate answer was infuriating, and that their cowardly attempt at gaslighting was an incorrect response and while I understand they might be limited in their options I suggest you keep looking and kindly do not speak until I’m able to have a rational conversation.

I brewed a cup. Filled the water, added the beans, periodically saying “Do not hang up, I am still on the line.” The entire time the guy didn’t say another word.

I had a feeling that if this was it, there was no other option he would refer me to the TV manufacturer. After all, this is what would give me the factory reset code to revert the TV set back to its prior OS.

That is, until the TV updates itself. But that’s an issue for another customer service agent, right?

Finally, the cup brewed, I turned my attention to the phone again.

All right, what do you have as a solution aside from gaslighting me?
Okay, you can contact your TV manufacturer and they can fix this problem.

Look, you and I both know that contacting that number will give a reset code for the TV. The TV will then update and I’ll be back to square one with a locked television set. But not your problem, am I right?

Silence on the line. Ugh. I’m so done with this guy.
I told him I hope you have a great weekend when you are not working and hope your company quickly comes up with a bypass for this issue, hung up, jumped into my modem settings, factory reset the TV, blocked the MAC address for the TV (this prevents it from going online) and plugged in an HDMI cable to the computer.

There. Fixed.
For me anyway.

But think about the elderly folks, people in a rush or someone just trying to enjoy their darn television. Roku has a pretty good scam going on. Demanding people visit a URL, requiring payment on signup. Only people who LOOK for a solution are going to find one. The rest will just enter in what it asks.
Tricking people into starting subscriptions because not everyone is going to think about scrolling until their fingers bleed to skip the trial offers, and the start buttons are BIG! Meanwhile, Roku gets to say “wow look at all these people who start offers on OUR system!”

It’s time to check that privacy policy.

Their privacy policy opens in a small window that looks like you are reading it through a mail-slot.

It is readable once you click the purple print button though.

Part I. Information Collection

A variety of information is collected from or about you from various sources, as described below.

Yeah, no kidding Sherlock!

1. Registration Information

When you sign up for a Roku account, we ask you for your name, email address, postal address, telephone number, birth date, and demographic information. If you sign up using a social media account, we will also receive information from those social networking services, for example, your name or user name.

You don’t ask, you DEMAND and blue-brick my television until the information is given. Your options are not voluntary, they are required.

B. Information We Collect as You Use the Roku Services

1. Apps, Browser and Device Information

When you use the Roku Services, we may receive information about the apps, browser and devices you use to access our services, such as device types and models, unique identifiers (including, for Roku Devices, the Advertising Identifier associated with that device), IP address, operating system type and version, browser type and language, Wi-Fi network name and connection data, and information about other devices connected to the same network. For Roku Devices, we may also collect the name of the retailer to whom your Roku Device was shipped, various quality measures, error logs, and software version numbers.

This is all common. But you DEMAND someone visits your website, and then collect their information. You turn my television set into a useless decoration advertising “to link” until I visit your website. It’s one thing to collect info about devices used and services visited, and this is normal for analytics. However, you go above by REQUIRING me to visit your website.

We receive information about your interactions with the Roku Services, such as when you access the Roku Services, your search history, search results, audio information when you use voice-enabled features, channels you access (including usage statistics such as what channels you access, the time you access them, and how long you spend viewing them), interactions with content and advertisements, and settings and preferences.

I will be very interested to see what happens to those audio recordings.

Who are their partners?
Who is getting this very detailed user profile of name, gender, CC, viewing preferences?

Generic corporate speak with no answer at all.

Using technology such as Automatic Content Recognition (ACR) technology…
Always opt out of Smart features, readers.

B 3. Your Activity and Other Usage Information
When you use a Roku TV with the Smart TV experience enabled, we also receive information about what you watch via the Roku’s TV’s antenna, and devices connected to your Roku TV, including cable and satellite set top boxes.
If I’m reading this correctly they watch what you watch.

H. Do Not Track
At this time, there is no accepted standard for how to respond to Do Not Track signals, and we do not respond to such signals.
Sidenote: see https://spreadprivacy.com/do-not-track/

Okay. It’s fine. I’m cool.

So to sum this up.
ROKU LOCKS YOUR TELEVISION, DEMANDS USER PROFILE INFO, “Requests” as in oh it is mandatory on THIS page, but you can visit a whole other secret webpage we might tell you about if you call us... URL that DEMANDS your viewing preferences, TRIES to trick you into a trial before finally unlocking your TV...

may share some or all of your information with our current or future “affiliates”. No info on who this is.

And my favourite.
A. General Requests
If you otherwise wish to ask for access, correction, or deletion of any of your personal information held by us or a change in the way we use your information (for which we reserve the right to charge you a fee, as permitted by applicable law), or (if you are a resident of Alberta, Canada), to obtain information about our policies and practices with respect to foreign service providers, please contact our Data Privacy Officer at: privacy@roku.com. However, Roku may decline requests that are unreasonable, prohibited by law, or are not required to be honored by applicable law.

HAS THE GALL TO CHARGE FOR DATA REQUESTS.

What are your thoughts?
Are you perfectly fine with the locking of a personal device until the information is siphoned from a user? Are you okay with a separate URL that needs to be visited instead of a skip button for CC details? Are you okay with DEMANDING you visit their website and requiring your gender?

If not, pay attention to

Part VIII. Contact Information

For individuals residing in any country outside of the European Economic Area, contact here: https://privacy.roku.com/contact and our Data Protection Officer at privacy@roku.com.

For individuals residing in a country in the European Economic Area, contact Roku Europe Limited (the data controller) here: https://privacy.roku.com/contact and our Data Protection Officer at privacyUK@roku.co.uk.

As for me, I’ve got an email to write.

Enjoy what you read?
#1: contact Roku and bug them. This needs to be fixed!

#2: consider clapping for this story /following me on Medium. I write about privacy and security in a world quickly losing those concepts.

Since writing this, Roku has overhauled their privacy policy. Maybe they realized that it would be worth adding a few lines about what happens to the audio recordings, because they also jabber on for nine freaking paragraphs about their retention of data, transfers and Information Access and Choices policies while never explaining who they are.

“We work with advertising partners to show you ads that we think may interest you for Roku’s products and services on Roku Services and on other companies’ websites, apps, and devices. We also work with advertising partners in order to show you ads from advertisers on Roku Services and on other companies’ websites, apps, and devices.”

Huh, neat. Who? That question is never answered.
One thing I do like to see is the verbiage about paying to see your data has been completely removed.
It’s almost like that was a really stupid thing to say in the first place.
