I just started a trial this afternoon, and I’ve got a few questions about security in this system.
- Why does the Android client want access to my contacts?
- Clearly the Core is talking to external servers to fetch metadata. You could build up a pretty good idea of a user’s musical taste by keeping that data (in the external servers). Is there a way to inspect what Roon knows about my account, what metadata I’ve looked up, what I’ve played? What it’s kept? What are the contractual obligations on Roon’s part (in exchange for my money) to keep that information private? The privacy policy referred to in Roon’s terms & conditions seems to be about their website, not their software.
From the Terms & Conditions:
By accepting the terms of this agreement, you agree that we, our subsidiaries and agents may collect, maintain, process and use diagnostic, technical, usage and related information, including but not limited to information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the Roon Software, and to verify compliance with the terms of this License.
6.2 We may use this information, as long as it is collected in a form that does not personally identify you, to provide and improve our products and services.
"Improve" for whom? And, it’s often surprising to non-security people the techniques that can be used to personally identify people from supposedly scrubbed data. So it would be great to have some reassurance on that point.
- I really like the new Chromecast support, and it tipped the balance for me to spend some time to look at this system. However, I keep my Google Homes and smart switches and their like on an isolated subnet of my LAN, so that they can’t access my NAS etc. The Roon Core has to access the NAS, so it’s on a different subnet. So I’ll have to build some custom router tables. My question is, do the Google Homes have to be able to access the NAS, or just the machine the Core is running on? I assume the data flowing to the Chromecast mini-app is coming from the Core.