It used to be that people paid for free television with their attention by watching adverts. With online video, they may be paying with their personal information as well. An analysis of traffic from Roku and Amazon Fire TV channels shows trackers are used on the majority of their channels, with widespread transmission of unique identifiers of devices, machine addresses and wireless network names. Some of the discoveries were more disturbing. The research suggests that many users are being constantly and pervasively tracked without their knowledge or consent.

Researchers from Princeton University and the University of Chicago built a system to automatically analyse the network traffic of 1,000 channels from the Roku channel store and 1,000 channels from the Amazon Fire TV channel store.

They found that persistent identifiers, such as network addresses and network identifiers, were being collected for tracking. There was a connection to at least one tracker in the traffic of 691 of the most popular 1,000 channels on Roku and 894 of the most popular channels on Amazon Fire TV.

Some of the tracking domains discovered may not necessarily be a surprise. The most popular ones included DoubleClick, Google Analytics, and Amazon Adsystem. Others included known advertising networks, like SpotXchange.

An example given shows a request to spotxchange.com providing the device make and model, unique identifier and internet address, together with the channel, genre and programme title.

This is simply part of a standard request used to deliver addressable advertising.

Intriguingly, requests to Facebook.com were present in almost a fifth of the top 1,000 channels on Roku.

On Roku, some free games included requests to over 40 different trackers, suggesting that they were used for more than simply advertising or usage metrics. Indeed, tracking and correlating users may be their primary business objective.

On Fire TV, two news channels from ABC-affiliated stations each included requests to over 60 different trackers.

Various unique identifiers were found in these requests to trackers. They included the serial numbers of devices, unique device identifiers, network adapter addresses, WiFi network names, location information including postcodes, and personal information such as email address.

Four channels, two on each platform, shared the email address of the profile used for account creation with third-party trackers on the web.

794 of the 1,000 Roku channels and 762 of the Fire TV channels sent at least one request unencrypted in clear text.

From 100 channels selected at random on each platform, 9 channels on Roku and 14 channels on Fire TV disclosed the title of the video to a tracking domain. The majority of these channels were news channels. On Roku, all the titles were leaked over unencrypted connections, potentially exposing viewing preferences to eavesdroppers.
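The kind of check behind these findings can be sketched in a few lines. This is an added example, not the researchers' system: it searches captured request URLs for identifiers known to belong to a test device and reports which tracker host received each one and whether the request was unencrypted. The identifier values, tracker domains and captured URLs are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed values for a test device the analyst controls (assumptions).
KNOWN_IDS = {
    "serial": "YH00AA123456",
    "mac": "a4:5e:60:aa:bb:cc",
    "ssid": "HomeNet-5G",
    "email": "testprofile@example.org",
    "title": "Evening News Special",
}
# Constructed tracker list; a real run would load a maintained blocklist.
TRACKER_DOMAINS = {"tracker.example", "ads.example"}

def _norm(s):
    """Lower-case and drop separators so MAC and title variants compare equal."""
    return re.sub(r"[^a-z0-9@.]", "", s.lower())

def is_tracker(host):
    """True if host equals, or is a subdomain of, a listed tracker domain."""
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)

def find_leaks(urls):
    """Return sorted (host, identifier_kind, cleartext) tuples for tracker requests."""
    leaks = set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not is_tracker(host):
            continue
        # Identifiers usually travel in query values; also check the decoded path.
        fields = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        fields.append(unquote(parts.path))
        blob = " ".join(_norm(f) for f in fields)
        for kind, value in KNOWN_IDS.items():
            if _norm(value) in blob:
                leaks.add((host, kind, parts.scheme == "http"))
    return sorted(leaks)

# Constructed sample capture; the last request is first-party and is ignored.
CAPTURED = [
    "http://px.tracker.example/v1/beacon?dev=YH00AA123456&mac=A45E60AABBCC&title=Evening+News+Special",
    "https://sync.ads.example/id?em=testprofile%40example.org&net=HomeNet-5G",
    "https://cdn.video.example/seg/001.ts?serial=YH00AA123456",
]

if __name__ == "__main__":
    for host, kind, cleartext in find_leaks(CAPTURED):
        print(f"{host}: {kind} ({'cleartext' if cleartext else 'encrypted'})")
```

Plain substring matching only catches identifiers sent as-is or URL-encoded; values that are hashed or otherwise transformed before sending would need additional candidate encodings.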

Both Roku and Amazon Fire TV provide privacy options to users that purport to limit tracking on their devices. On Roku, this option is called “Limit Ad Tracking” and on Amazon Fire TV it is called “Disable Interest based Ads”. Both options are off by default.

Although selecting these options restricted or limited tracking by specific advertising identifiers, it did not appear to prevent all tracking. On Roku, it did not reduce the number of trackers contacted by the channels, and the number of domains contacted actually increased. On Fire TV, the number of contacted tracker domains remained around the same.

The researchers recommend that online video platforms should offer better privacy controls and that regulators and policy makers should ensure privacy protection covers emerging online video platforms, where the research shows users are constantly and pervasively tracked.

The research covered two popular platforms, but similar results might be found on other services and smart television platforms.

The research paper, ‘Watching You Watch: The tracking ecosystem of over-the-top TV streaming devices’, is available from the Princeton University web site.