Opting out of tracking - GDPR rules

I want to understand if every time I select a track to play my Roon core contacts the Roon servers.

If so, I want to be able to opt out of this.

If anything that would be a privacy issue covered by GDPR regulation.

Thank you.

Take a look at this post. It should answer your question.

https://roonlabs.com/privacypolicy

Start there. Anything you disagree with in that policy and you should stop using Roon. As it pertains to GDRP specifically…

I’ll also add my vote that Roon shouldn’t need to fundamentally change because of “privacy concerns”. I just encourage those with privacy concerns stop using Roon. There is lots of software I won’t use for this reason and lots of other software I’ve gotten comfortable with giving up a bit of privacy because that benefits me.

I’m not Roon so I hope they continue to chime in on these topics but a quick search will probably answer your question. You can’t opt-out of it you’ll just have to decide to uninstall and use something else.

3 Likes

Not necessarily.

It is partly privacy as well. I don’t want Roon registering my every click.

But they only register your every click as part of analytical data, as far as I understand. You cannot be identified by this and it therefore falls outside of GDPR.

1 Like

I’m not sure I understand this, Roon forms part of a streaming service that delivers content from the internet and that data is required to pay artist. It needs to communicate with its own services or streaming service to deliver your content.

If you don’t want this use your local files only with a streamer not connect to a network.

I’m not sure where you are going with this is it a privacy issue or a performance issue?
If performance what is the impact of the issue?

Do they actually register every click?
If they did why would they request the upload of logs when you have issues or advise they will enable logging on your account?

This in its self indicate to me they are not logging my every click.

16 posts were split to a new topic: When I want to play a local file, it can take 30 secs to a few minutes to play

I would like clarity from the Roon team regarding:

1- What information exactly is logged and sent off my premises;

2- When does this happen?;

3- Does local file playback require access to the Roon servers - if so why and what information is sent over;

4- Is there some more comprehensive logging that was inadvertedly left on in my setup whenever I requested help in the past (I have been a lifetime subscriber since July 2015)?

@miguelito,

I’ve split out the posts related to the performance issue into a new topic in the #support section.

Let’s keep this one about your original feature suggestion.

Just got pulled into this by a moderator.

I’ve explained 1 and 2 in the post linked above and it’s also covered in the privacy policy.

#3 realtime access? No, but using Roon does require access to Roon servers for license checks and other reporting.

#4 No, it doesn’t work like that.

[Moderator Edit]
For the performance issue, see …

2 posts were merged into an existing topic: When I want to play a local file, it can take 30 secs to a few minutes to play

In one of the other threads you mentioned (What other information is Roon server collecting on me?) that contains part of your reply re 1 and 2, @Pepe_A gave you a bullet list of GDPR rules and asked how Roonlabs complied with them.

With respect to this GDPR requirement,

you replied:

That answer may have pre-dated the radio feature in roon. Can you provide an updated explanation of how Roonlabs complies with this GDPR requirement now? If possible, perhaps you can amend that older thread.

Thanks,
- Eric

No change in answer. Looking at the place where he took that list from, I followed the link to where the EU digs deeper into this very broad point and got this.

the important parts:

Profiling is done when your personal aspects are being evaluated in order to make predictions about you, even if no decision is taken. For example, if a company or organisation assesses your characteristics (such as your age, sex, height) or classifies you in a category, this means you are being profiled.

We are not profiling you. We use the stream of songs, and never use your personal data in this way. But if we move on, this is moot because…

The data protection law establishes that you have the right not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way. A decision produces legal effects when your legal rights are impacted (such as your right to vote). In addition, processing can significantly affect you if it influences your circumstances, behaviour or choices. For example automatic processing may lead to the refusal of your online credit application.

Even if we were using your height or age, picking your next song would not result in such legal effects.

It goes on to talk about decisions based on automated means, but those are all in the context of the above definitions.

Ok. Sounds reasonable about radio. I won’t stretch the point about radio.

However, in the US, we’ve all been sensitized to the confluence of profiling, race, illiberalism regarding speech, and cancel culture. I’ve recently been doing my first deep dive into this, trying to grok critical race theory in action via a concrete example. I’ve been studying the conflagration that began in late 2019 that is currently in court. It’s in regard to the Austrian/German jew Heinrich Schenker’s theory of tonal music analysis that he developed a century ago. One Professor Philip Ewell delivered a plenary paper criticizing the theory as a “White Racial Frame” in the American music academy, and the ensuing controversy resulted in one Professor Timothy Jackson being cancelled. Jackson sued his university for violating his academic and free speech rights, and sued a dozen others for defamation. This is still in court.

So let me ask you a real question using the above situation to develop a hypothetically bad outcome. Does roonlabs have enough PII and other pseudoanonymized data to identify a person as a likely racist (in the context of Schenker’s “white racial frame” of music theory) because roonlabs knows that

  1. They have mostly classical music written by 18th and 19th century white European composers in their roon-accessible collection (or streamed music) and performed by musicians who are mostly not people of color.
  2. They are likely in a wealthy demographic because they have lifetime subscriptions to roon.
  3. They listen to academic podcasts or internet radio stations that relate to classical music and perhaps even music theory.
  4. They have made potentially controversial comments on your forums that could offend some and ignite a cancel mob.

Knowledge of these demographics, interests, and attitudes, bundled together with PII and dropped into the wrong hands, could certainly produce legal effects in our present dysfunctional society similar to those Professor Jackson is claiming, effects that could significantly affect us. Any of the third parties you supply data to, or other partners you work with, could be putting this all together. Likely not doing so to tag us as racists as in my hypothetical, of course, but this is just one example of the confluence and tensions of roonlabs power having our data, incomplete transparency, our lack of control of that data, and unintended (or intended) consequences that results when we can’t control our data as legal protections would allow.

So can you assure us that you’re not the equivalent of Facebook giving our data to the equivalent of Cambridge Analytics who could cause us, or society, significant consequences and legal effects?

Thanks,
- Eric

Apropos this conversation:

From an article published last Tuesday, “How AI can identify people even in anonymized datasets”

According to the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, companies that collect information about people’s daily interactions can share or sell this data without users’ consent. The catch is that the data must be anonymized. Some organizations might assume that they can meet this standard by giving users pseudonyms, says Yves-Alexandre de Montjoye, a computational privacy researcher at Imperial College London. “Our results are showing that this is not true.”

Well, we never give your personal data to any company. So yes, I can assure you we are not the “equivalent of Facebook giving our data to the equivalent of Cambridge Analytics”.

For example, I know what lyrics you viewed so I can pay our lyrics provider, but the data shared is in aggregate and isn’t associated with any PII or even psuedo-anonymous.

How about roonlabs ability to use our data to produce legal effects that significantly effect users?

roonlabs may store enough PII and other pseudoanonymized data to identify a person as a likely racist (in the context of Schenker’s “white racial frame” of music theory). (I’ll use the term “PII key” to refer to PII or pseudoanonymized data or anonymized PII.)

Technically, you could do so if you keep the following information that would allow you to determine each of the data points in my previous message. (That is, if you keep the following information on your servers, even if only in logs, and the data isn’t kept solely in our local databases in a manner accessible only by our cores and not roonlabs.)

  1. [classical music listener] Store every album metadata request by each user along with a PII key, or stored in taste profiles with a PII key.
  2. [wealthy demographic] Store every subscription and subscription type by user. Also, inference by probing every streaming endpoint device model (price) used with roon, and probably every computer device accessed by roon. By storing geographic location for your contractual obligations to third parties, roonlabs can also determine our neighborhoods and house values.
  3. [music theorist] Store every radio station listened to by each user along with a PII key.
  4. [controversial poster] Store the association between every forum login and a PII key.

When you “process and cross-reference” information about our music collections on your servers, you could retain that information or any derivative information along with PII keys. The musical taste profiles you build could contain PII keys.

Which of the above data contain PII keys, which do you keep, and which can I have you delete per GDPR?

Thanks,
- Eric

It’s unclear if we can do the above, and without further legal guidance, I’m unwilling to entertain such complicated theoreticals.

However, if you delete your account and change your PII, we won’t associate it because we don’t have it.