Roon access to personally identifiable core data without user consent

Let me provide an ad absurdum. If it had somehow slipped into the TOC that agreeing to the TOC implies that you have to embezzle all the money from every orphanage in a 100 km radius from where you live, you would of course not be bound by the TOC. If the TOC included a clause that you had to provide Roon your firstborn for their annual barbecue, you would not be bound by it either. TOCs are agreements between the company and the user, but they don’t replace laws.

Well no, he has said that there are “logs” that don’t include data like e-mails, IP addresses and so on – data that can identify a person directly. However, he has not said anything about “personal data” as it is defined in the GDPR.

I’ll also repeat, because unfortunately it’s evident that the point has not come across, that this is not what I’m worried about primarily. Like you, I’m a lifetime customer and I like the product. What my question was about is how it’s pulled and what access and info Roon has beyond what Danny has already confirmed. The concern here is NOT that Roon might find the user’s e-mail address (I know they have it), but that Roon has a way to engage at-will with data on a user’s computer that provides much more detailed info about the user and their environment. This is probably fine but it’s potentially concerning, all the more because no officials have yet said any of the following:

  • We are fully GDPR compliant but we can’t disclose company secrets (fine)
  • We have changed something because we looked at it again and did something wrong (fine)
  • We do everything according to the regulations but in order to be even more transparent we’ll change a few things like adding a “send logs” button (great)
  • Look here, this is what we do and how we do it, now do you see that this is completely harmless and only beneficial to the user? (great)

At this point we only have:

  • We think it’s mostly fine but we are a little bit iffy on the GDPR definitions.

Remember that this whole thing sprang from an official writing the following:

Note that a) Roon can collect “diagnostic information” from your computer – that’s information that evidently includes fairly detailed information about your own local network, according to the discussion in that thread.

Note also that b) Roon has chosen this method for convenience and asks the user over a discussion forum to trust them if they want to opt out. It’s not a feature in the app or an e-mail.

If you read the thread you will also see that c) when the user says they’re so concerned over this that they won’t use Roon anymore, Roon has no further comment. Why? Wouldn’t it be reasonable that a serious company who, according to their privacy policy, are “privacy freaks”, comments on this? If for nothing else, then at least for comforting users who are concerned but not ready to stop using the service altogether?

4 Likes