I don’t know what to do about Roku

Phil Nickinson holding a Roku remote control over his eyes as the Roku screensaver plays behind him.
How much longer before you can no longer afford to use a Roku device? Phil Nickinson / Digital Trends

I’ve found myself thinking a lot about Roku this week. Or, rather, trying really hard not to think about Roku and all the ways it should be doing better.

The streaming platform and the company mostly need no introduction. It basically started as a low-cost way to stream Netflix and then grew into a wonderfully service-agnostic option. That is, it treated Netflix like it treated HBO. Or whatever other service had a “channel” (read: app) on the platform.

Roku was (and is) inexpensive to buy, and easy to use. And I’m just not sure I can recommend it anymore.

A few reasons for that. First, and perhaps the least worrisome, is that Roku is now more of an advertising platform first and a streaming platform second. Those things go hand in hand, sure. But make no mistake, it’s the ad part that’s running the show now. Of Roku’s two revenue buckets — devices (as in hardware) and platform (advertising and anything else) — one finished 2023 with about 510% more revenue than the other. That is, $2.994 billion versus $491 million. And only one of those segments turned a profit. I’ll let you figure out which was which.

Not to say that I love what Roku has become, but you can’t blame a business for making money. (And an ad-blocking scheme at least helps a little.)

I’m also not in the camp of folks freaking out recently over Roku’s Dispute Resolution Terms. It’s dangerous (and dumb) for anyone who’s not a lawyer to pretend to be a lawyer for the purposes of parsing the fine print of a user agreement. And while I’m not a huge fan of forced arbitration in principle, it’s also not realistic for a company to potentially have to fight lawsuit after lawsuit. It has to be able to protect itself and mitigate that sort of thing. Arbitration is one way.

The Roku arbitration opt-out clause, as read on a phone.
Is the Roku arbitration opt-out really that bad? And probably related: Are you a lawyer? Phil Nickinson / Digital Trends

The recent to-do has to do with the right-to-opt-out clause. You have 30 days to opt out of arbitration. You have to do so in writing, by mail. (As legal stuff is often done.) And you have to include a copy of your receipt. Folks are upset about that last part, as if they’ve never received a receipt for something they’ve purchased before, either online or in meatspace. And a whole month isn’t exactly a long time to hang on to something like that immediately after purchase.

Don’t get me wrong — it’s doubtful I’d think twice about a receipt from a $30 Roku device. If I picked one up in a store, the receipt might be tossed out before I get home. But if I bought something online? It’ll likely be in my email forever. But in any event, it’s not unreasonable for Roku to require someone demanding to opt out of arbitration to prove that they actually purchased a product in the first place. That’s the most basic of requirements. Because if you can’t prove you actually bought the thing, then you have no reason to opt out of arbitration at all, right?

And I’d even be willing to not raise too much Cain over a recent security event in which 15,000-plus Roku accounts apparently got hit by a credential-stuffing attack. That’s an attack by which your username and password were leaked elsewhere, and then were used on some other service, just to see if they’d work. In this case, those logins also worked at Roku.

We cannot and must not blame the victim (that’s ultimately the account holder, not Roku), though it is a reminder that we should have unique passwords for every single service. Don’t reuse passwords, boys and girls. No, the blame goes to the hackers. Mostly.

It’s Roku’s response that really bothers me. In its letter notifying users of the data breach — something that some states require by law — Roku opens with the following: “We take our viewers’ privacy and security seriously.”

I’m not convinced it actually does, for one simple reason: Roku does not even have the option — let alone the requirement — for two-factor authentication on its accounts.

Roku needs to implement two-factor authentication. Yesterday.

In the year of our lord 2024, that is inexcusable. Every company should at least offer 2FA as an option. (It really should require it.) Amazon requires it if you log in to a Fire TV device. Google requires it if you log in to Android TV or Apple TV. Apple has it as part of its accounts processes.

The account section of the Roku website, as seen on a phone.
Roku’s account options are handy, so long as you don’t want to use two-factor authentication. Phil Nickinson / Digital Trends

I asked Roku about potentially offering 2FA at some point. It didn’t answer that question. Not about 2FA over text message. Or time-based software token. Or Passkeys. It did, however, give the following unattributed statement, which I’ll reproduce here in its entirety:

“Roku’s security team recently detected suspicious activity that indicated a limited number of Roku accounts were accessed by unauthorized actors using login credentials obtained from third-party sources (e.g., through data breaches of third-party services that are not related to Roku). In response, we took immediate steps to secure these accounts and are notifying affected customers. Roku is committed to maintaining our customers’ privacy and security, and we take this incident very seriously.”

So there’s that.

If Roku really took its 80 million monthly active users’ security seriously, it would at least offer two-factor authentication as an option. After a breach like this you’d think Roku might implement 2FA in addition to requiring password resets.

But it hasn’t yet. And I’m just not sure I can recommend anyone use Roku until it does.

(Note: A previous version of this column said that the 15,000-plus accounts represented about 19 percent of Roku’s 80 million monthly active users. Obviously that was not correct — it’s more like 0.018 percent. That’s much less worse, and I regret the error. But it does not change the need for two-factor authentication.)

Phil Nickinson
Section Editor, Audio/Video