Amid last week's broader market turmoil, Roku (ROKU 2.85%) suffered a more individualized setback when Consumer Reports reported that Roku TV sets and media players were vulnerable to hacking. According to the article, one wouldn't even need to be very skilled to take control of someone else's television set: "a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume."
There have been plenty of unsettling reports about the potential for connected devices in our homes to listen in on us. Last year, the Federal Trade Commission fined television maker Vizio $2.2 million because it was tracking the content that its set owners watched, and then selling the data to advertisers. Wikileaks has asserted that the CIA can turn any connected device into a spy tool. And even former FBI Director James Comey said he puts tape over his computer's webcam. Heck, so does Facebook CEO Mark Zuckerberg.
Roku's stock fell more than 4% the day after the Consumer Reports report was released, and whether that drop was more connected to the larger market malaise or to investors' concerns about hackers, the news highlights the threats to our privacy from seemingly innocent devices.
Tuning into your preferences
According to Consumer Reports, smart TVs from Samsung, as well as those using the Roku TV platform from Chinese manufacturer TCL, including Hisense, Hitachi, Insignia, Philips, RCA, and Sharp, exhibit the hacking vulnerability. Some of Roku’s own streaming-media players, like the Ultra, were also afflicted.
In addition to offering pranksters the opportunity to change your channels or mess with your TV's volume control, the information collected by the platform's automatic content recognition technology (ACR) could be taken, then combined with other data collected and used to target advertising or programming to you.
Although it sounds ominous, and Roku's stock may have been impacted, the device maker says that Consumer Reports misunderstands the issue, and asserts that, rather than being a vulnerability, these are features that are functioning exactly as designed. ACR, it said, allows owners to use Roku's More Ways to Watch service "to stream live broadcast shows from the beginning, find full episodes of shows you missed, discover similar shows and movies and see ads that are more relevant to you."
That's akin to how Netflix recommends new content for you, or how ads similar to what you just searched for on Google suddenly populate the pages you view on the internet. So, yes, it could be used to push ads or content to you, but that's what it's supposed to do.
Roku went on to point out that unlike those of other manufacturers, its ACR program was designed as an opt-in option. Customers have to specifically say they want to be allowed to use this functionality; they aren't defaulted into it. If you think there's a potential for problems, you can opt out, though you do lose its capabilities.
Certainly, there's an incentive for set manufacturers to help advertisers push targeted ads to users, and regain some of the ground television has lost to digital advertising. Industry site eMarketer forecast that TV ad spending would hit $72 billion last year, or 35.8% of total media ad spending in the U.S., but would be surpassed for the first time by total digital ad spending, which would reach equal $77.4 billion, or 38.4% of total ad spending.
The future of streaming
Currently, streaming services like Netflix that deliver ad-free content still dominate the market, but an increasing number of consumers are receiving ad-supported content through rival platforms such as Hulu, and now Roku is dipping its toes in the water.
The Roku Channel it unveiled last September will have content that will be ad-supported -- the device maker will split the revenues with the producers. So it's quite possible the company wasn't inadvertently designing vulnerabilities into its smart TV platform, but rather specifically embedding an additional way it could tap a new revenue stream.
As the Consumer Reports report makes clear, the crude exploits that these vulnerabilities enable do "not allow a hacker to spy on the user or steal information." It seems the worst thing that might happen is some clown changing your channels on you. On the flip side, the best potential result could be a heightened, more personalized viewing experience.