Roon access to personally identifiable core data without user consent

I respectfully disagree. We are talking about a customer’s information request about a process that is not very transparent. Dismissing the customer(s), a practice I’ve seen repeatedly in this forum, does not help Roon or the customer(s), does it?

I have Plex server, Logitech Media Server etc - I’m not concerned with them, as the server(s) configuration provide check-boxes for opt-in or opt-out of diagnostic logging etc. If you need support, they ASK(ed) you to send whatever logs they need (which if you want, you can examine before sending). Maybe Roon should follow suit to stop similar concerns?

PS1: I have no issue with Roon, life sub like you & @Hestepare, won’t lose sleep over this, but I also would like to see an ‘official’ answer, because I am interested in the topic, as I am sure others are as well. If the discussion leads to improving Roon, all the better for all of us.
PS2: If you want to learn about data protection, privacy etc, check IAPP - plenty of courses.

They should move on then - this thread is between the person with the concern & the Company. If one understands the concern and can provide a valid answer, fine.

This ^^ does not in any way promote a ‘thoughtful, considered discussion’.
It’s simply aggravating.

7 Likes

About 60 posts and 3 days ago, I had posted this in reference to that link…

2 Likes

If this is directed to me I will answer this time that yes, I did read the thread when you linked it and 1) it’s four years old and 2) it does not answer my questions.

Oooh! I had the answer then and was about to say it :thinking: … but I forgot the question … sorry :rofl:

1 Like

Still wondering why this thread was put under «Roon community site», it has nothing to do with that. Either «software» or even «feedback» would be better, I suppose.

Don’t you just need to look at the logs to ascertain that?

I’ve just been through my latest RoonServer_log and it contains the following (this is probably not exhaustive):

Operating system of the server
Build number (of Roon)
Local time of server
The approximate geographical location of my server
My external IP address
Some local network IP addresses
Serial numbers of external hard drives (not sure why they’re needed)
Details about other mounted volumes (Time machine etc)
My Roon user ID
Which, if any, music subscription services I’m subscribed to
My email address
My first name and last name
Info about the various Roon endpoints on my network
Various references to the music I play

There may be more, but I got bored after the first 2000 lines.

Unless I’m missing some key point here it seems to me that I can probably be quite easily identified from what my core is doing, because the information is in the logs.

Don’t get me wrong, I have absolutely zero personal problem with this but, like a few others in this thread, I can understand where @Hestepare is coming from.

4 Likes
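
An added example, not part of the post above and not Roon's code: one way to audit a log for some of the categories listed (email address, external IP, local network IPs) and to mask them before sharing the file. The sample lines are constructed and are not Roon's real log format; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample lines; NOT the real RoonServer_log format.
SAMPLE_LOG = """\
10/21 09:14:02 Info: os=macOS build=0000 (constructed)
10/21 09:14:03 Info: account email=jane.doe@example.org name=Jane Doe
10/21 09:14:03 Debug: external address 203.0.113.45 detected
10/21 09:14:04 Debug: endpoint 'Kitchen' at 192.168.1.23:9100
10/21 09:14:05 Trace: playing track 'Some Album / Track 3'
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918, loopback and link-local ranges count as "local network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def classify_ip(text):
    """Return 'local_ip', 'external_ip', or None if text is not valid IPv4."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1, or a dotted string that is not an IP
        return None
    return "local_ip" if any(addr in n for n in LOCAL_NETS) else "external_ip"

def audit(log_text):
    """Return (line_number, category, value) for each identifier found."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        findings += [(no, "email", m.group()) for m in EMAIL_RE.finditer(line)]
        for m in IPV4_RE.finditer(line):
            kind = classify_ip(m.group())
            if kind:
                findings.append((no, kind, m.group()))
    return findings

def redact(log_text):
    """Mask emails and external IPs; local IPs stay for troubleshooting."""
    def mask(m):
        ip = m.group()
        return "<external-ip>" if classify_ip(ip) == "external_ip" else ip
    return IPV4_RE.sub(mask, EMAIL_RE.sub("<email>", log_text))

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```

Names, drive serial numbers and user IDs have no universal pattern, so they need rules written against the actual log format and are not covered here.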

Maybe to unambiguously distinguish different drives?

1 Like

Yep. That’s probably it.

FYI I sent an email to Roon on Sunday inviting them to follow up on the questions raised in this thread, but I haven’t heard back yet.

1 Like

I hope you haven’t been holding your breath.

Haha no.

I did hear back from them, but no answers to my questions so I have posed them yet again. Since the point of this thread is to hear what the company says and not what some forum rando thinks, I won’t parrot their response if I get one but urge them to share it here.

3 Likes

Quick update which is really no update at all: Still waiting for a reply, one week after my last e-mail.

Two weeks since my last e-mail and coming up on three weeks since their last.

Here’s what I wrote:

Hi Kevin,

Thanks for getting back to me.

As you see from my thread in your forum, my concern is tied to the practice you have of collecting logs containing personal data without the customer knowing that you are doing it. This is concerning because it suggests that:

  1. Roon to some unknown extent can fetch personal data from each and every Core without the customer knowing

  2. there are open communication channels between the Core and Roon which can be compromised

  3. Roon deals with personal data in a bigger scale (considering the potential for 24/7 access) than the Privacy policy suggests

In the thread I asked three questions:

  1. how does Roon pull the logs? Does it happen in a secure way?

  2. what regulations are in place to avoid the misuse of this data by actors internal or external to Roon?

  3. is this practice and its implied consequences admissible within the framework of the GDPR?

This has not been addressed in the forum yet (not by Danny either) and for your information there are a handful of other users there who are hoping for an official answer.

5 Likes

Hopefully you will receive an answer soon.

1 Like

Thanks. I agree. I haven’t heard from them since before 21 October, which is when I sent the e-mail copied above. That’s four weeks ago. I’ve sent reminders about once a week since.

I’m honestly baffled if they think this is acceptable customer service.

1 Like

Out of interest, why is the information contained within their privacy policy insufficient for your specific needs @Hestepare? I genuinely ask, as for me personally it seems OK and there is plenty of information on this forum to fulfil my requirements. But that’s me …, so what are your particular circumstances / reasoning? What are your next steps if any - would you cease using Roon for example? You are pushing and pushing with this topic, so it would be useful for people to understand your motivation.

2 Likes

Sure Oliver, I can reiterate.

In the first post of this thread I linked to another thread in which Roon said explicitly that they can at any time “pull” personally identifiable data from any user at any time, without the user even knowing. This they do in order to save time on support, which in itself is a good idea.

However, the fact that they can pull this data at will, and the fact that this data is personally identifiable, as well as the fact that it contains information about stuff like the user’s home network environment, is not mentioned in the Privacy policy, which you can read here:

https://roon.app/en/privacypolicy

Therefore, I am asking Roon whether this is all done in a secure manner, and to make it more specific, I am wondering if they have thought about this in terms of the GDPR regulations as these fairly concretely limit how personally identifiable data should be accessed, used and stored.

@Jim_F rightly notes that @danny has written two responses in this thread, but both his responses misinterpret the GDPR’s definition of “personal data” (even though he actually links to the EU Commission’s web page on the topic). He writes:

But in the link he provides, the definition is rather different:

Personal data is any information that relates to an identified or identifiable living individual.

@DaveN showed here that there is a lot of such information in the logs, which means that even if @danny has responded, these responses are not answers to my questions.

At this point, the question is why Roon won’t simply answer “hey guys, it’s all OK, we promise, but because of reasons we can’t tell you how” or whatever is very strange to me. In fact they answer nothing at all. What motivates this silence?

If Roon isn’t following the GDPR regulations, that means that users are less protected than they should be by law. That can be solved, and the company would be better off if it was.

If Roon is following the regulations, then all is well and a quick note in this thread or a response to the e-mail I sent four weeks ago would be welcome.

So what’s at stake here? I find it curious that the company seems unwilling to answer whether they are operating lawfully. I find it baffling that they provide no answer at all.

3 Likes

What is your intent?

I would be repeating myself.

If you don’t like the thread you can read something else maybe? ‡

‡ This was a response to a now redacted suggestion to move on.

4 Likes

Thank you for responding to my post with your summary of the interaction to date Hestepare. You did not really answer my questions however, particularly in regard to your motivation. I also asked what your personal reasons / circumstances are in regard to this, what are your next steps - i.e. would you stop using Roon if you are not satisfied?

If you could provide this background, I believe it would help. Thanks.