Security questions about Roon

I just started a trial this afternoon, and I’ve got a few questions about security in this system.

  1. Why does the Android client want access to my contacts?

  2. Clearly the Core is talking to external servers to fetch metadata. You could build up a pretty good idea of a user’s musical taste by keeping that data (in the external servers). Is there a way to inspect what Roon knows about my account, what metadata I’ve looked up, what I’ve played? What it’s kept? What are the contractual obligations on Roon’s part (in exchange for my money) to keep that information private? The privacy policy referred to in Roon’s terms & conditions seems to be about their website, not their software.

From the Terms & Conditions:

By accepting the terms of this agreement, you agree that we, our subsidiaries and agents may collect, maintain, process and use diagnostic, technical, usage and related information, including but not limited to information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the Roon Software, and to verify compliance with the terms of this License.

6.2 We may use this information, as long as it is collected in a form that does not personally identify you, to provide and improve our products and services.

"Improve" for whom? And, it’s often surprising to non-security people the techniques that can be used to personally identify people from supposedly scrubbed data. So it would be great to have some reassurance on that point.

  3. I really like the new Chromecast support, and it tipped the balance for me to spend some time to look at this system. However, I keep my Google Homes and smart switches and their like on an isolated subnet of my LAN, so that they can’t access my NAS etc. The Roon Core has to access the NAS, so it’s on a different subnet. So I’ll have to build some custom router tables. My question is, do the Google Homes have to be able to access the NAS, or just the machine the Core is running on? I assume the data flowing to the Chromecast mini-app is coming from the Core.
1 Like

That is correct.

Your #2 question really needs a reply from @brian / @danny.

While we do not keep track of that data in a manner tied to you, we have been building a new system of realtime metadata updates that allows Roon Cores to subscribe to certain object IDs.

It’s all anonymous or related to licensing. The big exception is that we know the object IDs of each lyric you opened and which region you hit from (geoip). These IDs + regions are how we meet copyright requirements, but we never pass on any connection to you there. The ID is from our lyric provider and therefore useless to anyone but them.

We never pass on any information related to any Roon subscriber to anyone outside the company, and most of the employees can’t access it either. Roon members are our lifeline and most valuable relationship. We would be stupid to give that out.

The juicy stuff is all held in the Roon Core itself. This is one of the reasons your play history doesn’t follow you around if you blow away your DB (we’d like to solve this).

We track a ton of stuff

You can read the real privacy policy for the software by clicking on link in the software, which should take you here: https://kb.roonlabs.com/Privacy_Policy

Your assumption is correct. Same for discovery packets.

For the product as defined by Roon Labs LLC.

While we are not “security people”, we know enough who are and aren’t dummies here. We do have some security background. Segmented databases, with missing foreign keys, scrubbed logs, recycled machines, etc… It turns out that disposing/not keeping data in our servers is also cost effective.

2 Likes

You should only need network connectivity between the Core and your Chromecast devices. In order for Roon to use your devices, the devices need to be discoverable via mDNS from the machine running your Core. Both the Core and the Chromecast devices need to be able to initiate TCP connections to each other.

Thank you, Carl. I’d missed that Android FAQ.

It’s talking permanently - that is very unsettling, and it’s the reason why I use Roon very rarely…

I think that depends on what it is sending to those servers.
If it is looking up albums, that’s not so very unsettling.
If it sends your identity, that would be more so.

We shouldn’t be naive, it is true that people have been able to do remarkable data mining from apparently anonymous data. To avoid that, you have to tell your friends to never take a picture of you, because it may end up on Facebook and people do face recognition. This is the world we live in.

If you really don’t want to use anything that talks to servers, you can’t use a TV or phone or computer or tablet or car or thermostat made in the last few years. And no online shopping. Or tax returns. It’s possible to live like that, but it’s not easy. You would give up a lot. Including Roon, which uses a computer.

1 Like

Thanks, Mr. Dulai. I appreciate your taking time to reply.

I didn’t mean to imply that your people were in any way “dummies”. I’ve done software and networking projects for 30 years in Silicon Valley at all levels of the OS, and I appreciate the technical aspects of your products. I also understand how hard it is to make all those things work together.

Thanks for the correct link to the privacy policy. One comment:

Roon captures information about how and where you use the software, and statistical reports about this information are stored on our servers for analysis. The data is transmitted and stored without any reference to your personal information.

This would be tricky to do, though I think I see how it could be done, by using short-lived authorization tokens and two separate UUIDs, one for the account, one for the collection. Assuming all communications are encrypted. Just as long as there’s no single ID which occurs in both the accounts database and the “statistical” database.

It turns out that disposing/not keeping data in our servers is also cost effective.

:slight_smile: Yes. (Or anyone else’s servers, I suppose; English is such a slippery language.)

Most attacks which de-anonymize anonymized databases do so by correlating the data in it with other outside databases, of which the original database’s builder might well be unaware. So they’re hard to anticipate. The best defense is never to let those supposedly anonymized DBs be stolen or leaked – strong encryption, minimal copies, secured systems, restricted access, secured backups, etc. But that’s kind of a brittle defense. And it often makes them hard to use for normal work purposes. It’s always tempting to relax the security on them – after all, they’re anonymized. If you look at the Chicago Public Schools breach last month, or the Exactis breach, it’s a good bet that some employee was trying to make their life easier – and had the credentials to do it.

Well, I’m just running off at the mouth here, trying to explain what I worry about.

But when you exchange money for service, unlike “free”, you’re in a contractual relationship, and you can expect each party to adhere to the terms of the contract.
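The two-identifier design sketched in the post above (one UUID for the account, one for the collection, joined only through short-lived tokens, no ID common to both databases) and the cross-database linkage attack described a few paragraphs later, as an added worked example. This is constructed for the thread, not Roon’s code and not the poster’s; the class names `Accounts`, `TokenService`, `StatsStore`, the 300-second token lifetime, the choice of region and hour as quasi-identifiers, and every data row are assumptions made up here so that it runs offline.

```python
"""Constructed illustration (not Roon's implementation) of two points from
the thread: (1) an account store and a usage/"statistics" store that share no
identifier and are linked only through short-lived tokens, with a check for
that invariant; (2) the linkage attack that re-identifies "anonymized" rows by
joining quasi-identifiers against an outside dataset. All data is made up."""

import secrets
import time
import uuid
from collections import defaultdict


class Accounts:
    """Account store: account_id -> personal data. Holds no collection_id."""

    def __init__(self):
        self.by_id = {}

    def create(self, email):
        account_id = str(uuid.uuid4())
        self.by_id[account_id] = {"email": email}
        return account_id


class TokenService:
    """The only place the account<->collection link exists, kept in memory.
    Issues short-lived bearer tokens that resolve to the collection_id only.
    The 300 s default lifetime is an assumption for this example."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._collection_for = {}   # account_id -> collection_id
        self._tokens = {}           # token -> (collection_id, expires_at)

    def issue(self, account_id, now=None):
        now = time.time() if now is None else now
        cid = self._collection_for.setdefault(account_id, str(uuid.uuid4()))
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (cid, now + self.ttl)
        return token

    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or now >= entry[1]:
            self._tokens.pop(token, None)   # expired tokens are discarded
            return None
        return entry[0]


class StatsStore:
    """Usage store: rows keyed by collection_id; a live token is needed to write."""

    def __init__(self, tokens):
        self._tokens = tokens
        self.rows = []

    def record(self, token, event, region, hour, now=None):
        cid = self._tokens.resolve(token, now)
        if cid is None:
            raise PermissionError("expired or unknown token")
        self.rows.append({"collection_id": cid, "event": event,
                          "region": region, "hour": hour})


def shared_ids(accounts, stats):
    """The invariant from the post: no identifier occurs in both stores."""
    return set(accounts.by_id) & {r["collection_id"] for r in stats.rows}


def link(anon_rows, outside_rows, keys):
    """Linkage attack: join each collection's rows to an outside dataset on
    the quasi-identifier columns in `keys`, intersecting the candidate names
    across that collection's rows. A singleton set is a re-identification."""
    index = defaultdict(set)
    for o in outside_rows:
        index[tuple(o[k] for k in keys)].add(o["name"])
    candidates = {}
    for r in anon_rows:
        names = set(index.get(tuple(r[k] for k in keys), set()))
        cid = r["collection_id"]
        candidates[cid] = names if cid not in candidates else candidates[cid] & names
    return candidates


def demo():
    """Runs both parts on constructed data and returns the results."""
    accounts, tokens = Accounts(), TokenService(ttl_seconds=300)
    stats = StatsStore(tokens)
    alice, bob = accounts.create("alice@example.com"), accounts.create("bob@example.com")

    t0 = 1_700_000_000
    ta, tb = tokens.issue(alice, now=t0), tokens.issue(bob, now=t0)
    cid_a, cid_b = tokens.resolve(ta, now=t0), tokens.resolve(tb, now=t0)
    stats.record(ta, "lyrics_open", "NL", 8, now=t0)
    stats.record(ta, "play", "DE", 20, now=t0 + 60)
    stats.record(tb, "play", "NL", 8, now=t0 + 120)
    expired_refused = False
    try:                                    # past the TTL the write is refused
        stats.record(ta, "play", "NL", 9, now=t0 + 301)
    except PermissionError:
        expired_refused = True

    # Constructed "outside" dataset, e.g. public check-ins: name, region, hour.
    outside = [{"name": "alice", "region": "NL", "hour": 8},
               {"name": "alice", "region": "DE", "hour": 20},
               {"name": "bob", "region": "NL", "hour": 8}]
    linked = link(stats.rows, outside, keys=("region", "hour"))
    return {"shared_ids": shared_ids(accounts, stats),
            "expired_refused": expired_refused,
            "alice_candidates": linked[cid_a],   # two rows narrow it to {"alice"}
            "bob_candidates": linked[cid_b]}     # one row leaves {"alice", "bob"}
```

The second half is the point the poster makes about brittleness: the usage store contains no account ID, yet two rows of region plus hour, joined against a dataset the store’s owner never saw, single out one person. Splitting identifiers protects against a leak of the stores alone; it does nothing about quasi-identifiers left in the rows, which is why scrubbing, coarsening (country instead of city, day instead of hour) and simply not keeping rows matter as much as the key design.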

While I understand the importance of keeping things secure against unauthorized breaches, are you worried that your play history will be stolen and you will be publicly shamed by your guilty pleasures?

We never store your credit card data (our payment processor does that). In the event of a full breach, it’s important to be aware of what exactly you spend energy worrying about.

Yeah, I know, I know, it’s kind of like worrying about people knowing what books you checked out of the public library. :slight_smile:

1 Like

Sonia Sotomayor, U. S. Supreme Court justice, put it something like this (my riff on it):

Maybe you have been to an hourly motel, or a gay bar, or an AIDS clinic, or a drug rehab clinic, or a mosque or synagogue or church, or a divorce attorney, or a defense attorney, or a headhunter, all of which are legal, but maybe you don’t want your family or friends or neighbors or boss or The Times or Julian Assange to know about it.

2 Likes

My worries are not about my rep. I’m a low-fi kind of guy who’s entranced by the idea of a $35 Roon endpoint. And I only listen to embarrassingly corny hits from the standard boomer playlist.

My worries are about something else entirely, which I won’t go into further in a public forum. But I will say that bad actors think entirely differently about things – one of the things that makes a successful security consultant is learning to think like that, and it takes years to do.

Roon rocks. But I have concerns about keeping credit card info on file. For one, keeping CVV codes is in violation of credit card company policies. I’m not sure what else can be kept and how long, and what kind of encryption requirements must be in place. Is Roon’s method of retaining customer credit card information certified to be in compliance with well-established privacy and security principles? Thank you.

This has been answered elsewhere … can’t find it at the moment but Roon does not hold your credit card information. I understand that the last four digits are kept so you can track the payment history. That’s all. Roon uses a payment provider to process subscriptions.

This is one thread where credit card issues were answered by Danny in his above post: