
2021

PRIVACY OF STREAMING APPS AND DEVICES: WATCHING TV THAT WATCHES US

Common Sense is the nation's leading nonprofit organization dedicated to improving the lives of kids and families by providing the trustworthy information, education, and independent voice they need to thrive in the 21st century.

www.commonsense.org
Common Sense is grateful for the generous support and underwriting that funded this report from the Michael and Susan Dell Foundation, the Bill and Melinda Gates Foundation, and the Chan Zuckerberg Initiative.

CREDITS
Authors: Girard Kelly, Common Sense Media
Jeff Graham, Common Sense Media
Jill Bronfman, Common Sense Media
Steve Garton, Common Sense Media

Data analysis: Girard Kelly, Common Sense Media
Jeff Graham, Common Sense Media

Copy editor: Jennifer Robb

Designer: Jeff Graham, Common Sense Media

Suggested citation: Kelly, G., Graham, J., Bronfman, J., & Garton, S. (2021). Privacy of Streaming Apps and Devices: Watching TV that Watches Us. San Francisco, CA: Common Sense Media.

This work is licensed under a Creative Commons Attribution 4.0 International Public License.

TABLE OF CONTENTS

Privacy of streaming apps and devices
  What are streaming services?
    Apps we rated
    How do streaming services make money?
    How we rate privacy
    What we found
    Compare privacy ratings
  What are streaming devices?
    How we test security
    Devices we rated
    What we found
    Compare privacy ratings
  Compare security practices
    Data sharing
    Data safety
    Account protection
    Parental consent
    Child privacy policy
    Advertisements, marketing, and tracking
    Software updates
  Security testing methodology
    Security framework
    Security testing
    Network testing environment
    Process overview
  What should parents and educators do?
  What should streaming apps and devices do?
  Children and data privacy

Appendix
  Traffic analysis methodology
  Tracking categories
  App traffic analysis
    Amazon Prime
    Apple TV+
    Discovery+
    Disney+
    Hulu
    Netflix
    Paramount+
    HBO Max
    Peacock
    YouTube TV
  Device traffic analysis
    Amazon Fire TV Cube
    Apple TV
    Google TV
    Nvidia Shield TV
    Roku Smart Streaming Stick+
  "Do not sell" links
    Apps
    Devices
CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL PUBLIC LICENSE PRIVACY OF STREAMING APPS & DEVICES
PRIVACY OF STREAMING APPS AND DEVICES

Consumers, parents, and educators are looking for streaming content services that can be used not only for entertainment and personal development, but also to support distance learning. However, many households don't have reliable high-speed internet or sufficient data plans to stream media content, let alone enough adequate devices, such as computers, laptops, TV sets, or tablets. Under these circumstances, children and students might use a parent's mobile device and parent's account to stream free media content or tutorials, which may result in the collection of behavioral information about their viewing habits and interactions with content that could lead to privacy risks[1] and harms that may affect children, students, and families. There are many articles available that compare all the "best" streaming apps and services on price, content catalog, and features. However, none of these articles adequately compares streaming apps and services on the most important feature—privacy. This report examines the privacy practices of the most popular streaming apps and devices.

What are streaming services?

Streaming media apps and services are typically free or paid subscription-based services that offer online streaming of TV shows and movies. Many paid streaming services offer a free trial period after giving a valid credit card number. Some streaming services are owned by major film studios that produce their own content, while other free streaming apps don't produce their own content, but simply integrate third-party apps to create content "channels." Some, of course, offer both original and shared content.

However, not all streaming apps are designed to be the same. There are easy-to-use streaming apps with only one type of subscription service, like Apple TV+ or Netflix, and more complex streaming apps that offer multiple subscription services with access to hundreds of other third-party content channels. There are even streaming apps designed only for one specific genre or type of content, like animated kids programming, cooking, sports or talk shows, or apps associated with only a particular film studio's content. Some streaming apps collect very little behavioral data, and some say they don't sell your data to third parties. But others are designed to collect as much behavioral data as possible, using thousands of data points to create a personalized profile about a user.

With so many apps to choose from, it was difficult to limit our selection, but we carefully selected the top 10 that we believe are representative of most types of streaming apps available across different platforms today. We chose streaming apps based on the film studios, features, type of content provided, Apple and Google App Store popularity, and the number of free and paid subscribers. We also chose streaming apps used by children and students in every major age group at home, on the go, and in the classroom.

Apps we rated

The streaming apps chosen for this report are listed in Table 1. All prices reflect the standard or basic streaming plan available as of the publication date of this report. Most streaming apps we tested offer free trial periods of varying lengths, and some include bundled discounts or add-ons if multiple streaming services are purchased together. Others have annual payment plan discounts, and most services have separate free, basic, or premium price plans based on the type of content available. In addition, many streaming services allow users to pay extra to stream additional content on-demand such as renting movies or TV shows that are not included in the product's main content catalog.

We evaluated the privacy policies of the top 10 streaming apps: Apple TV+,[2] YouTube TV,[3] Disney+,[4] Paramount+,[5] HBO Max,[6] Peacock,[7] Amazon Prime Video,[8] Discovery+,[9] Hulu,[10] and Netflix.[11] There are also dozens of completely free and ad supported streaming services that aggregate third-party content such as Tubi TV[12], Crackle[13], IMDbTV[14], and PlutoTV[15]. Apple TV+ has only a single subscription plan, while Peacock has both free and paid price plans that include additional paid streaming content, such as live sports, original shows, and more channels. Paramount+ and Disney+ both have basic and premium subscription plans. HBO Max has both an "Ad Free" streaming plan and cheaper "With Ads" streaming plan with the same content. Hulu and Discovery+ have different levels of paid plans that still display limited advertisements, and plans that are more expensive but do not display any advertisements. Amazon Prime Video bundles its streaming service for free as part of its prime membership or as a paid stand-alone streaming service. YouTube TV is the most expensive streaming service we tested, but it is marketed differently than the other streaming services "except Hulu + Live TV" and is a replacement to a traditional cable television subscription. Lastly, Netflix has basic, standard, and premium subscription plans that are all tailored to the video quality of streaming content in SD, Full HD, or Ultra HD (4K).

Table 1: Streaming services price plans

Product             Price/mo.         Kids Content
Apple TV+           $4.99             Yes
YouTube TV          $64.99            Yes
Disney+             $7.99 to $29.99   Yes
Paramount+          $4.99 to $9.99    Yes
HBO Max             $9.99 to $14.99   Yes
Peacock             Free to $4.99     Yes
Amazon Prime Video  $8.99 to $12.99   Yes
Discovery+          $4.99 to $6.99    No
Hulu                $5.99 to $11.99   Yes
Netflix             $8.99 to $17.99   Yes

How do streaming services make money?

Most streaming apps and services like traditional cable TV require a paid monthly subscription to stream unlimited content to any TV or device. There are also many free streaming apps that make money selling a user's behavioral or viewing data to third parties and displaying targeted advertisements. This data includes what shows or movies users watch, what devices are used to watch content, when users watch, what location users watch from, how often they watch, when they binge watch, and what recommended shows they choose to watch. Some companies use both "streams" of income, subscription plus data selling.

Most streaming apps also sell users' data to data brokers who serve targeted ads to users based on their viewing behavior and content they watched on other apps and services across the internet.

Many viewers know that free streaming apps are most likely selling their personal information, but most viewers may not know that most paid subscription streaming apps are also selling users' data. Even more expensive streaming plans with "no ads" or "limited ads" still collect viewing data from use of the app to track and serve users advertisements on other apps and services across the internet. Also, data brokers buy and sell users' data and share it with other companies for data recombination purposes.

How we rate privacy

Privacy and security are intertwined, and security is the foundation of effective individual privacy. When evaluating whether to have children use streaming apps at home or in the classroom, parents and teachers need to understand both the privacy policies and security practices of the device. To create a truly comprehensive evaluation process, the Common Sense Privacy Program completes a full, in-depth, 150-point inspection[16] of a product's privacy policies in order to offer privacy ratings[17] that are easy to understand.

[1] See Kelly, G., Graham, J., Bronfman, J., & Garton, S. (2019). Privacy risks and harms. San Francisco, CA: Common Sense Media, https://privacy.commonsense.org/resource/privacy-risks-harms-report.
[2] Apple TV+, https://www.apple.com/apple-tv-plus.
[3] YouTube TV, https://tv.youtube.com/welcome.
[4] Disney+, https://www.disneyplus.com.
[5] Paramount+, https://www.paramountplus.com.
[6] HBO Max, https://www.hbomax.com/.
[7] Peacock, https://www.peacocktv.com.
[8] Amazon Prime Video, https://www.amazon.com/Amazon-Video/b?node=2858778011.
[9] Discovery+, https://www.discoveryplus.com.
[10] Hulu, https://www.hulu.com/welcome.
[11] Netflix, https://www.netflix.com.
[12] Tubi TV, https://tubitv.com.
[13] Crackle, https://www.crackle.com/
[14] IMDB TV, https://www.imdb.com/tv.
[15] Pluto TV, https://pluto.tv/welcome.
[16] See Common Sense, Evaluation Questions, https://privacy.commonsense.org/resource/evaluation-questions.
[17] See Common Sense Privacy Ratings, https://privacy.commonsense.org/resource/privacy-ratings.


Apple TV+
Rating: 79%
Bottom line: Apple TV+ is the only streaming service with privacy built-in by design.
Pros: Apple says they don't sell users' data to third parties, don't display targeted advertisements, and don't track users on other apps and services across the internet.
Cons: Apple does not provide any information about how they protect student data privacy if the product is used by students in K–12 schools and districts.

YouTube TV
Rating: 81%
Bottom line: YouTube TV is the best livestreaming service with over 85 top channels of entertainment and cloud DVR storage.
Pros: YouTube TV received the highest overall numerical score, even with an orange "warning" rating, because Google TV had a more transparent policy despite engaging in some worse privacy practices.
Cons: YouTube TV says they don't sell users' data to third parties, but they do target users with advertisements and track users on other apps and services across the internet.

Disney+
Rating: 68%
Bottom line: Disney+ has the latest releases, original series, movies, classic films, and TV shows from Disney, Pixar, Marvel, Star Wars, and National Geographic.
Pros: Disney has some of the best practices in the categories of Parental Consent and Data Safety that includes safe interactions and privacy controls.
Cons: Disney's policy says it sells users' data, targets users with advertisements, and tracks users on other apps and services across the internet.

Paramount+
Rating: 65%
Bottom line: Paramount+ provides streaming access to TV series, stand-up shows, movies, reality, and kids shows from Nickelodeon, Comedy Central, BET, MTV, and Smithsonian Channel.
Pros: Paramount+ says they protect student data privacy if the product is used by students in K–12 schools and districts.
Cons: The Paramount+ policy says it sells users' data, targets users with advertisements, and tracks users on other apps and services across the internet.

HBO Max
Rating: 63%
Bottom line: HBO Max is the streaming option for all of HBO, including original series, movies, specials, and more such as Sesame Workshop, DC Comics, Looney Tunes, and the Cartoon Network.
Pros: Parents can create a separate "Kids profile" for children to watch curated kid-friendly content without targeted advertisements.
Cons: The HBO policy says it sells users' data, targets users with personalized advertisements, and tracks users on other apps and services across the internet.

Peacock
Rating: 59%
Bottom line: Peacock provides free access to streaming movies and TV shows from The Office, Parks & Rec, Yellowstone, and NBCUniversal shows from Bravo, SYFY, USA, E!, and Oxygen.
Pros: Peacock says the service is intended for users of all ages, but individuals under the age of 13 may use the service with the consent of a parent or legal guardian.
Cons: Peacock's policy says it sells users' data, targets users with advertisements, and tracks users on other apps and services across the internet.

Amazon Prime Video
Rating: 57%
Bottom line: Amazon Prime Video gives members a large selection of "included with Prime" streaming TV shows, Amazon originals, and movies without the need to subscribe to other third-party services.
Pros: Users can create separate profiles for personalized content recommendations and parents can create a separate "Kids" profile for children to watch curated kid-friendly content.
Cons: Amazon's policy says it does not sell users' data, but Amazon does say it targets users with advertisements, and tracks users on other apps and services across the internet.

Discovery+
Rating: 54%
Bottom line: Discovery+ provides streaming access to popular TV brands and personalities including HGTV, Food Network, TLC, ID, Animal Planet, and Discovery Channel.
Pros: Discovery+ says in its privacy policy that it is only directed to adults and not intended for children under the age of 13.
Cons: The Discovery+ policy says it sells users' data, targets users with advertisements, and tracks users on other apps and services across the internet.

Hulu
Rating: 53%
Bottom line: Hulu provides streaming access to thousands of shows and movies, and live TV with over 65 channels with premium networks like HBO, Showtime, Cinemax, and Starz.
Pros: Users can create separate profiles for personalized content recommendations and parents can create a separate "Kids" profile for children to watch curated kid-friendly content.
Cons: Hulu's policy says it sells users' data, targets users with advertisements, and tracks users on other apps and services across the internet.

Netflix
Rating: 46%
Bottom line: Netflix provides streaming access to award-winning original series, movies, documentaries, and stand-up specials.
Pros: Users can create separate profiles for personalized content recommendations and parents can create a separate "Kids" profile for children to watch curated kid-friendly content.
Cons: Netflix's policy says it does not sell users' data, but Netflix does say it targets users with advertisements, and tracks users on other apps and services across the internet.

Table 2: Top 10 streaming apps
The information in this table provides a snapshot of each product's Common Sense privacy rating from February 1, 2021. Expert evaluators assessed different privacy-related concerns and ranked a product's practices from "best" to "poor," with special attention given to how these privacy practices affect kids and families. Score Key: Best (81–100); Good (61–80); Average (41–60); Fair (21–40); Poor (0–20). Rating Key: Pass (Meets our minimum requirements for privacy and security practices comprised of the Data Sold and Ads & Tracking concern categories); Warning (Does not meet our recommendations for privacy and security practices that includes at least one or more worse privacy practices or does not clarify certain practices in the Data Sold or Ads & Tracking concern categories); Fail (Does not have a privacy policy and/or does not use encryption and should not be used). Note that in addition to the qualitative portion of the rating,[18] the score is a quantitative measure and not an aggregate of the concern scores.[19] For an explanation on the score and rating for Apple TV+ and YouTube TV, reference the following section.

Product             Privacy       Data        Data     Data      Data    Data     Data     Ads &     Parental  School
                    Rating        Collection  Sharing  Security  Rights  Sold     Safety   Tracking  Consent   Purpose
Apple TV+           79% Pass      Good        Best     Good      Best    Average  Average  Good      Good      Poor
YouTube TV          81% Warning   Good        Best     Best      Best    Average  Good     Average   Good      Average
Disney+             68% Warning   Average     Good     Fair      Best    Fair     Good     Average   Best      Poor
Paramount+          65% Warning   Average     Good     Fair      Best    Fair     Poor     Average   Good      Average
HBO Max             63% Warning   Average     Good     Fair      Best    Fair     Average  Average   Best      Poor
Peacock             59% Warning   Average     Good     Fair      Best    Fair     Average  Average   Good      Poor
Amazon Prime Video  57% Warning   Average     Good     Average   Best    Average  Fair     Average   Average   Poor
Discovery+          54% Warning   Average     Good     Fair      Best    Average  Average  Average   Fair      Poor
Hulu                53% Warning   Average     Good     Average   Good    Fair     Fair     Average   Poor      Poor
Netflix             46% Warning   Fair        Average  Fair      Good    Poor     Poor     Average   Poor      Poor

[18] See Privacy Ratings, https://privacy.commonsense.org/resource/privacy-ratings.
[19] See Evaluation Scores, https://privacy.commonsense.org/resource/evaluation-scores.

What we found

The ratings and scores in Table 2 are from our privacy evaluation results of the top 10 streaming apps. Table 2 illustrates a range of privacy practices from "best" to "poor" based on our privacy ratings and evaluation concerns.[20] Products that score a "poor" are not necessarily unsafe, but they have a higher number of privacy problems than the "average" product. Similarly, products that score "best" are not necessarily problem free, but they had relatively fewer problems compared with other products.

From Table 2, you can see that YouTube TV[21] received our highest overall score, but Apple TV+[22] was the only product to earn a "pass" rating for better privacy practices that protect everyone. Netflix[23] received the lowest overall score with a "warning" rating. Specifically, Apple did better than Netflix in every category. YouTube TV received the highest overall score, even with a "warning" rating, because YouTube TV had the most comprehensive policy, despite engaging in some worse privacy practices which earned them a "warning" rating. How did this split occur? We give points for transparency. YouTube TV's comparatively higher score, in other words, speaks to their transparency in telling us that they use our data and share it for advertising. Apple is less comprehensive and transparent in its policies (and could raise their score if they addressed more issues in their policies), but the fact that Apple's policy says that they do not share or use personal data for any advertising, marketing, or tracking earns them our highest "pass" rating.

In addition, Hulu[24] and Netflix did not have better practices than most other streaming apps in the category of Data Rights, which includes the user's ability to access, edit, delete, and export data. However, Apple TV+, YouTube TV, Amazon Prime Video[25], and Netflix were the only streaming apps that say they don't sell users' data. YouTube TV and Disney+[26] also have the best practices in the category of Data Safety that includes safe interactions and privacy controls, but Apple has better practices in the category of Ads and Tracking than all of the other streaming apps. Also, most streaming apps including Peacock[27] and Discovery+[28] have either fair or average data collection and security practices.

Finally, Disney+ and HBO Max[29] have the best practices in the category of Parental Consent, but all of the streaming apps—except YouTube TV and Paramount+[30]—did not provide any information about how they protect student data privacy when used in K–12 schools and districts in the School Purpose category. However, use of streaming apps in schools or districts for educational purposes that require students to view documentaries or learning tutorials is typically outside the scope of the terms of use and license agreement of many streaming apps. This may change as streaming companies realize that their products are being used more and more in lesson plans at home and in the classroom by students.[31]

Compare privacy ratings

Table 3 compares the privacy practices of all the streaming apps we tested, as described in their privacy policies. These practices can put children's and students' privacy at risk if they sell personal data to third-party companies or use personal information for third-party marketing, targeted advertising, tracking, or ad-profiling purposes. In Table 3, "Yes" is considered a worse practice that puts children's, students', and consumers' privacy at risk.

Our privacy evaluations of the top 10 streaming apps indicate that all streaming apps (except Apple TV+) have privacy practices that put consumers' privacy at considerable risk including selling data, sending third-party marketing communications, displaying targeted advertisements, tracking users across other sites and services, and creating advertising profiles for data brokers.

[20] See Common Sense Evaluation Concerns, https://privacy.commonsense.org/resource/evaluation-concerns.
[21] See Privacy Evaluation of YouTube TV https://privacy.commonsense.org/evaluation/YouTube-TV
[22] See Privacy Evaluation of Apple TV+ https://privacy.commonsense.org/evaluation/AppleTV
[23] See Privacy Evaluation of Netflix https://privacy.commonsense.org/evaluation/Netflix
[24] See Privacy Evaluation of Hulu https://privacy.commonsense.org/evaluation/Hulu
[25] See Privacy Evaluation of Amazon Prime Video https://privacy.commonsense.org/evaluation/Amazon-Prime-Video
[26] See Privacy Evaluation of Disney+ https://privacy.commonsense.org/evaluation/Disney
[27] See Privacy Evaluation of Peacock TV https://privacy.commonsense.org/evaluation/Peacock-TV
[28] See Privacy Evaluation of Discovery+ https://privacy.commonsense.org/evaluation/Discovery
[29] See Privacy Evaluation of HBO Max https://privacy.commonsense.org/evaluation/HBO-Max
[30] See Privacy Evaluation of Paramount+ https://privacy.commonsense.org/evaluation/Paramount
[31] See Swank K–12 Streaming, https://www.swank.com/k-12-streaming.


Table 3: Privacy rating criteria of streaming apps
Rating Key: Pass (Meets our minimum requirements for privacy and security practices comprised of the Data
Sold and Ads & Tracking concern categories); Warning (Does not meet our recommendations for privacy and
security practices that includes at least one or more worse privacy practices or does not clarify certain
practices in the Data Sold or Ads & Tracking concern categories); Fail (Does not have a privacy policy and/or
does not use encryption and should not be used). Note that in addition to the qualitative portion of the
rating, the score is a quantitative measure and not an aggregate of the concern scores.

Product             Privacy       Sell   Third-Party  Targeted  Third-Party  Track   Ad
                    Rating        Data   Marketing    Ads       Tracking     Users   Profile
Apple TV+           79% Pass      No     No           No        No           No      No
YouTube TV          81% Warning   No     No           Yes       Yes          Yes     Yes
Disney+             68% Warning   Yes    Yes          Yes       Yes          Yes     Yes
Paramount+          65% Warning   Yes    Yes          Yes       Yes          Yes     Yes
HBO Max             63% Warning   Yes    Yes          Yes       Yes          Yes     Yes
Peacock             59% Warning   Yes    Yes          Yes       Yes          Yes     Yes
Amazon Prime Video  57% Warning   No     Unclear      Yes       Yes          Yes     Yes
Discovery+          54% Warning   Yes    Yes          Yes       Yes          Yes     Yes
Hulu                53% Warning   Yes    Yes          Yes       Yes          Yes     Yes
Netflix             46% Warning   No     Yes          Yes       Yes          Yes     Yes

What are streaming practices, and to influence smart tech manufactur‐


ers to take these concerns into consideration when
devices? developing their products.
Parents and educators are not just looking for The Privacy Program uses the Digital Standard to do
streaming content services, but also streaming devices that can be used for entertainment, personal development, and to support distance learning. Streaming devices are hardware-based technology that have their own operating system software and remote control that allows users to easily connect the device to a TV and allow online streaming of shows and movies from streaming apps and services directly to their TV. Our hands-on security testing reveals which smart streaming devices are more protective of the privacy and security of kids', students', and consumers' personal information.

How we test security

We also do hands-on security testing of each smart device using Consumer Reports' Digital Standard.32 The Digital Standard is a set of expectations for how smart tech manufacturers should handle privacy, security, and other digital rights. The goal of the Digital Standard testing criteria is to educate consumers about a product's privacy policy and security hands-on basic security testing33 of the 10 most critical security practices that parents and educators say they need to make an informed decision. These security practices include information collection from a smart device and its companion mobile application, and the transmission of information between the device and the internet.

In addition to basic security testing of these critical security practices, Common Sense created an 80-point security assessment34 that incorporates Consumer Reports' Digital Standard35 with the Ranking Digital Rights36 questions and OWASP IoT Security37 questions.

32 See Consumer Reports' Digital Standard, https://www.thedigitalstandard.org.
33 See Common Sense Privacy Program: Security testing, https://privacy.commonsense.org/resource/security-testing.
34 See Common Sense Privacy Program: Full Security Questions, https://privacy.commonsense.org/resource/full-security-assessment-questions.
35 See Consumer Reports' Digital Standard, http://www.thedigitalstandard.org.
36 See Ranking Digital Rights, https://rankingdigitalrights.org.
37 See Open Web Application Security Project, https://owasp.org/.

Table 4: Streaming devices and technical specifications

| Product | Price | Output | Processor | RAM | Storage | GPU |
| --- | --- | --- | --- | --- | --- | --- |
| Apple TV HD | $149.00 | 1080p | A8 chip with 64-bit architecture | 2 GB | 32 GB | A8 Integrated Graphics |
| Google TV | $49.99 | 4K | Amlogic S905D3 (1.9 GHz quad-core ARM Cortex-A55) | 2 GB | 8 GB | Mali-G31 MP2 GPU |
| Amazon Fire TV Cube | $119.99 | 4K | Hexa-core (Quad-core at up to 2.2GHz + Dual-core at up to 1.9GHz) | 2 GB | 16 GB | ARM Mali G52-MP2 (3EE), 800MHz |
| Roku Streaming Stick+ | $39.99 | 4K | ARM Cortex A53 | 1 GB | 512 MB | ARM Cortex Integrated Graphics |
| Nvidia Shield TV | $149.99 | 4K | Nvidia Tegra X1+ processor | 2 GB | 8 GB | 256-core Nvidia GPU |

Devices we rated

We tested the most popular smart streaming devices to identify the potential privacy risks and harms that may affect the children, students, and families who use these devices. It was difficult to limit our selection with so many smart streaming devices to choose from, but we selected the top five for this report that we believe are representative of most types of streaming devices available in the marketplace today. We chose smart streaming devices based on the company, product features, operating system, price, and popularity. We also chose smart streaming devices used by children and students in every major age group at home and in the classroom. We tested the following five devices: Apple TV,38 Google TV,39 Amazon Fire TV Cube,40 Roku Streaming Stick+,41 and Nvidia Shield TV.42

Regarding price, the Apple TV HD and Nvidia Shield TV are the most expensive streaming devices we tested. Apple's streaming device has the most storage capacity of any device we tested. All the streaming devices support 4K HDR output except for the Apple TV HD, but Apple also offers a more expensive Apple TV 4K model that was not included in our testing. Nvidia's streaming device is designed to work best for games with its GeForce Now streaming platform and includes additional accessories like the Shield Controller. The Chromecast with Google TV ("Google TV") is a low-cost streaming device compared to Apple and Nvidia that also allows users to play streaming games with Google Stadia. The Amazon Fire TV Cube is a mid-range cost streaming device but is more expensive than other Amazon Fire TV stick streaming devices because of its expanded storage capacity and faster processor. Lastly, the Roku Streaming Stick+ is the cheapest streaming device we tested with the least amount of RAM and storage capacity that is designed primarily to stream third-party content or "channels."

38 See Apple TV, https://www.apple.com/tv.
39 See Google TV, https://tv.google.
40 See Amazon Fire TV Cube, https://www.amazon.com/all-new-fire-tv-cube-with-alexa-voice-remote/dp/B07KGVB6D6.
41 See Roku Products, https://www.roku.com/products/streaming-stick-plus.
42 See Nvidia Shield TV, https://www.nvidia.com/en-us/shield/shield-tv.



| | Apple TV | Google TV | Amazon Fire TV | Roku Streaming Stick+ | Nvidia Shield TV |
| --- | --- | --- | --- | --- | --- |
| Rating | 79% | 81% | 57% | 51% | 43% |
| Bottom Line | The Apple TV is the easiest way to experience Apple TV+, and Apple's policy for this product says they do not collect data for any other purpose. | The Google TV integrates everything with your Google Account and brings all your streaming services together in one place. | Amazon's Fire streaming devices give members a large selection of "included with Prime" streaming TV shows, Amazon originals, and movies. | The Roku Streaming Stick+ allows users to easily integrate all the free and paid third-party subscription services they use. | By design, the Shield TV works with Android TV and integrates Google Account, Google Assistant, and streaming game services like Geforce Now. |
| Pros | Apple says they don't sell users' data to third parties, don't display targeted advertisements, and don't track users on other apps and services across the internet. | Google TV received the highest overall numerical score, even with an orange "warning" rating, because Google TV had a more transparent policy despite engaging in some worse privacy practices. | Users can create separate profiles for personalized content recommendations and parents can create a separate "Kids" profile for children to watch curated kid-friendly content. | The Roku Streaming Stick is intended for users of all ages and easy to set up. | Nvidia Shield TV is an Android TV-based streaming device that can stream both media and gaming content with Nvidia Geforce Now and Android gaming through the Google Play Store. |
| Cons | Apple did not receive the highest numerical score because they don't provide any information about how they protect student data privacy if the product is used in K–12 schools and districts. | Google says they don't sell users' data to third parties, but they do target users with advertisements and track users on other apps and services across the internet. | Amazon's policy says that they target users with advertisements, however, the service does not display interest-based ads to children when they are using a registered Amazon child profile. | Roku says they sell users' data to third parties, target users with advertisements, and track users on other apps and services across the internet. | Shield TV has the same privacy practices as Google's Android TV that target users with advertisements and track users on other apps and services across the internet. |

Table 5: Top five streaming devices

The information in this table provides a snapshot of each product's Common Sense privacy rating from February 1, 2021. Expert evaluators assessed different privacy-related concerns and ranked a product's practices from "best" to "poor," with special attention given to how these privacy practices affect kids and families. Key: Best (81–100); Good (61–80); Average (41–60); Fair (21–40); Poor (0–20). Rating Key: Pass (Meets our minimum requirements for privacy and security practices comprised of the Data Sold and Ads & Tracking concern categories); Warning (Does not meet our recommendations for privacy and security practices that includes at least one or more worse privacy practices or does not clarify certain practices in the Data Sold or Ads & Tracking concern categories); Fail (Does not have a privacy policy and/or does not use encryption and should not be used). Note that in addition to the qualitative portion of the rating, the score is a quantitative measure and not an aggregate of the concern scores.

| Product | Privacy Rating | Data Collection | Data Sharing | Data Security | Data Rights | Data Sold | Data Safety | Ads & Tracking | Parental Consent | School Purpose |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Apple TV | 79% Pass | Good | Best | Good | Best | Average | Average | Good | Good | Poor |
| Google TV | 81% Warning | Good | Best | Best | Best | Average | Good | Average | Good | Average |
| Amazon Fire TV | 57% Warning | Average | Good | Fair | Best | Fair | Good | Average | Best | Poor |
| Roku Streaming Stick+ | 51% Warning | Average | Good | Poor | Good | Fair | Fair | Average | Poor | Poor |
| Nvidia Shield TV | 43% Warning | Average | Average | Poor | Good | Fair | Fair | Fair | Fair | Poor |

What we found

From Table 5, you can see that Google TV43 received our highest overall score but Apple TV44 was the only product to earn a "pass" rating for better privacy practices that protect everyone. Apple, Google, and Amazon streaming devices all received the same overall score and privacy rating as their respective streaming apps (Apple TV+, YouTube TV, and Amazon Prime Video) because they all use the same policies to apply to both their streaming device hardware and their streaming app software. Nvidia Shield TV45 received the lowest overall score with a "warning" rating. In fact, Nvidia had lower scores than Apple in every category. Google TV received the highest overall score even with a "warning" rating, because Google TV had the most comprehensive policy despite engaging in some worse privacy practices, which earned them a "warning" rating.

Google's comparatively higher score, in other words, speaks to their transparency in telling us that they use data and share it for advertising. Apple is less comprehensive in its transparency (and could raise their score if they addressed more issues in their policies), but the fact that Apple does not share or use personal data for any advertising, marketing, or tracking earns them our highest "pass" rating.

In addition, Apple TV, Google TV, and Amazon Fire TV46 had better practices than the other streaming devices in the category of Data Rights, which includes the ability to access, edit, delete, and export data. Most importantly, the Roku Streaming Stick+47 was the only streaming device that says they sell users' data. The Google TV and Amazon Fire TV have the best practices in the category of Data Safety that includes safe interactions and privacy controls, but Apple has better practices in the category of Ads and Tracking than all of the other streaming devices.

Finally, Apple TV, Google TV, and the Amazon Fire TV have the best practices in the category of Parental Consent. Roku does allow parents to create child profiles on the streaming device, yet does not discuss this practice in their policies. All of the streaming apps—except Google TV—did not provide any information about how they protect student data privacy when used in K–12 schools and districts in the School Purpose category.

It is also important to understand that additional third-party installed "channels" or apps have different privacy practices than the default streaming device itself. Only the streaming devices' privacy practices were evaluated, but not the privacy practices of any third-party apps that may be installed by a user. Additional research has observed numerous Smart TV streaming apps that exfiltrate personally identifiable information (PII) to third parties and platform-specific parties, mostly for nonfunctional advertising and tracking purposes.48 Therefore, before installing any third-party additional apps, parents and educators should check their privacy policies or Common Sense privacy ratings to understand how these apps may treat data differently than the streaming device.

Compare privacy ratings

Table 6 compares the privacy practices of all the streaming devices we tested which are used to determine their privacy ratings. These practices can put children's and students' privacy at risk by selling personal data to third-party companies or by using personal information for third-party marketing, targeted advertising, tracking, or ad-profiling purposes. In Table 6, "Yes" is considered a worse practice that puts children's, students', and consumers' privacy at risk.

Our privacy evaluations of the top five streaming devices indicate that all streaming devices—except Apple TV—have privacy practices that put consumers' privacy at considerable risk including selling data, sending third-party marketing communications, displaying targeted advertisements, tracking users across other sites and services, and creating advertising profiles for data brokers. The collection of behavioral information about viewing habits and interactions with streaming devices for advertising and tracking purposes could lead to privacy risks and harms that may affect consumers and their children, students, and families.

43 See Privacy Evaluation of Google TV, https://privacy.commonsense.org/evaluation/Google-TV
44 See Privacy Evaluation of Apple TV, https://privacy.commonsense.org/evaluation/Apple-TV
45 See Privacy Evaluation of Nvidia, https://privacy.commonsense.org/evaluation/NVIDIA
46 See Privacy Evaluation of Amazon Fire TV, https://privacy.commonsense.org/evaluation/Amazon-Fire-TV
47 See Privacy Evaluation of Roku, https://privacy.commonsense.org/evaluation/Roku
48 See J. Varmarken, H. Le, A. Shuba, A. Markopoulou, Z. Shafiq, "The TV is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking", Proceedings of the Privacy Enhancing Technologies Symposium (PoPETs) 2020, Issue 2. July 2020, Montreal, Canada. https://petsymposium.org/2020/files/papers/issue2/popets-2020-0021.pdf

Table 6: Privacy rating criteria of streaming devices

Rating Key: Pass (Meets our minimum requirements for privacy and security practices comprised of the Data Sold and Ads & Tracking concern categories); Warning (Does not meet our recommendations for privacy and security practices that includes at least one or more worse privacy practices or does not clarify certain practices in the Data Sold or Ads & Tracking concern categories); Fail (Does not have a privacy policy and/or does not use encryption and should not be used). Note that in addition to the qualitative portion of the rating, the score is a quantitative measure and not an aggregate of the concern scores.

| Product | Privacy Rating | Sell Data | Third-Party Marketing | Targeted Ads | Third-Party Tracking | Track Users | Ad Profile |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Apple | 79% Pass | No | No | No | No | No | No |
| Google | 81% Warning | No | No | Yes | Yes | Yes | Yes |
| Amazon | 57% Warning | No | Unclear | Yes | Yes | Yes | Yes |
| Roku | 51% Warning | Yes | Yes | Yes | Yes | Yes | Yes |
| Nvidia | 43% Warning | No | Unclear | Yes | Yes | Yes | Yes |

Compare security practices

Our hands-on security testing of the following streaming apps and devices focused on the 10 most critical security practices around the collection of information from the device and on the transmission of information between the device and the internet.

Table 7: Streaming device software and voice assistant integration

| Device | Software | Voice Assistant |
| --- | --- | --- |
| Apple TV | Apple tvOS | Siri |
| Google TV | Android TV | Google |
| Amazon Fire TV | Fire OS | Alexa |
| Roku Streaming Stick | Roku OS | Alexa |
| Nvidia Shield TV | Android TV | Google |

All the streaming devices we tested use different operating systems, with the exception of the Nvidia Shield TV, which is a value-add retailer that runs a custom version of Google's Android TV operating system that is optimized for Nvidia's GeForce Now gaming platform. Amazon's Fire OS is Amazon's proprietary operating system that is available on Amazon's entire product line of Fire TV streaming devices. Google uses its Android TV operating system on its own Google TV device and its product line of Google Chromecast and Chromecast Ultra devices. The Roku OS proprietary operating system is used on all Roku streaming devices that include its streaming player devices and Roku TV, which is installed on various third-party smart TV manufacturers.

There is a clear differentiation between the integration of three different voice assistants, depending on the streaming device manufacturer and operating system. Apple integrates its own voice assistant "Siri"49 into its streaming devices, which is exclusive to Apple products and not available to any third party for use. However, Amazon's "Alexa"50 voice assistant is integrated into all of its Fire TV streaming devices and is available for integration into any third-party manufacturer's device, such as Roku's streaming products. Similarly, Google's voice assistant, "Google,"51 is integrated into all of its streaming devices and is also available for integration into any third-party manufacturer's device, such as Android TV based streaming products, including the Nvidia Shield TV.

49 See Privacy Evaluation of Apple Siri, https://privacy.commonsense.org/evaluation/Apple-Siri.
50 See Privacy Evaluation of Amazon Alexa, https://privacy.commonsense.org/evaluation/Amazon-Alexa.
51 See Privacy Evaluation of Google Assistant, https://privacy.commonsense.org/evaluation/Google-Assistant.



Table 8: Privacy policy notice displayed during device setup

| Device | Notice Provided |
| --- | --- |
| Apple TV | Yes |
| Google TV | Yes |
| Amazon Fire TV | Yes |
| Roku Streaming Stick | Yes |
| Nvidia Shield TV | Yes |

During the Apple TV device set-up process Apple requires users to consent to its Privacy Policy,52 Apple tvOS Terms and Conditions,53 Apple TV Warranty,54 iCloud Terms and Conditions,55 and Game Center Terms and Conditions.56 For the Google TV, the set-up process is also quick, and Google requires users to consent to its Terms of Service,57 Play Terms of Use,58 and Privacy Policy59 before using the device.

However, Amazon's Fire TV takes its obligation of providing adequate notice to consumers of its policies to a completely different level than Apple or Google, who only require consent to a handful of different policies. Amazon requires users to log in with their Amazon account and then provides notice of an exceptionally high number of policies that users must read and provide consent to before use of their new streaming device.60 In addition, Amazon requires consumers' consent for using the voice assistant Alexa with two more policies: the Alexa Privacy Hub,61 and Alexa & Alexa Device FAQs.62

The Roku Streaming Stick+ requires users to consent to the Roku Privacy Policy,63 Roku Account Terms,64 and Roku Products Terms of Use.65 The Nvidia Shield TV requires users to consent to Google's Terms of Service,66 Google Privacy Policy,67 and the Google Play Terms of Service.68 After users consent to Google's policies they are provided an additional notice and required to consent to Nvidia's Terms of Use69 and the Nvidia Privacy Policy.70

In total, Apple requires users to consent to five policies, Google and Roku both require users to consent to three policies, and Nvidia requires users to consent to two policies. However, these companies' policies all reference additional supplemental policies that users automatically agree to as well, which serve to inflate the number of actual words and policies to which users are providing their consent when they click "I agree."

Users should not be required to provide informed consent to numerous policies that would take hours to navigate with a remote, read, and understand on a TV screen in order to use their new streaming device or service with only a single click that says "I agree." The concept that a consumer actually gives "informed consent" to use streaming apps or devices is far from reality.

52 See Apple Privacy Policy, https://www.apple.com/legal/privacy/en-ww.
53 See Apple tvOS Software License Agreement, https://www.apple.com/legal/sla/docs/tvOS14.pdf.
54 See Apple One (1) Year Limited Warranty, https://www.apple.com/legal/warranty/products/accessory-warranty-english.html.
55 See iCloud Terms and Conditions, https://www.apple.com/legal/internet-services/icloud/en/terms.html.
56 See Apple Game Center Terms and Conditions, https://www.apple.com/legal/internet-services/itunes/gamecenter/us/terms.html.
57 See Google Terms of Service, https://policies.google.com/terms?hl=en.
58 See Google Play Terms of Use, https://play.google.com/about/play-terms/index.html.
59 See Google Privacy Policy, https://policies.google.com/privacy?hl=en.
60 Amazon requires users provide consent to the following twenty-five (25) policies before use of the Fire TV device:
Amazon Device Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=202002080;
Conditions of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201909000;
Amazon Privacy Notice, https://www.amazon.com/gp/help/customer/display.html?nodeId=468496;
Alexa Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201809740;
Amazon Prime Video Terms of Use, https://www.primevideo.com/help?nodeId=202095490;
Amazon Prime Usage Rules, https://www.primevideo.com/help/?nodeId=G202095500;
Amazon Video Third-party Software, https://www.amazon.com/gp/help/customer/display.html?nodeId=201422780;
IMDB Conditions of Use, https://www.imdb.com/conditions;
IMDB Privacy Notice, https://www.imdb.com/privacy;
IMDB Android Legal Notice, https://www.primevideo.com/terms;
Amazon Music Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201380010;
Amazon Appstore for Android Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201485660;
Additional Terms relating to Appstore Software, https://www.amazon.com/gp/feature.html?ie=UTF8&docId=1000797711;
Amazon Coins Terms, https://www.amazon.com/gp/help/customer/display.html?nodeId=201434520;
Amazon Photos Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201376540;
Amazon Game Circle Terms of Use, https://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=201487670;
Amazon Payments, Inc Customer Agreement, https://pay.amazon.com/help/201212430;
Amazon Payments Privacy Notice, https://pay.amazon.com/help/201751600;
Amazon Prime Terms, https://www.amazon.com/gp/help/customer/display.html?nodeId=G2B9L3YR7LR8J4XP;
About Our Returns Policies, https://www.amazon.com/gp/help/customer/display.html/?nodeId=201819200;
Audible Service Conditions of Use, https://www.audible.com/legal/conditions-of-use;
Amazon Device Return FAQs, https://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=201818950;
State Sales Tax Information, https://sellercentral.amazon.com/gp/help/external/G201706680?language=en_US;
Amazon Silk Terms and Conditions, https://www.amazon.com/gp/help/customer/display.html?nodeId=200775270; and
Amazon Fire TV Device Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201267340.
61 See Alexa Privacy Hub, https://www.amazon.com/b/?node=19149155011.
62 See Alexa and Alexa Device FAQs, https://www.amazon.com/gp/help/customer/display.html?nodeId=201602230.
63 See Roku Privacy Policy, https://docs.roku.com/published/userprivacypolicy/en/us.
64 See Roku Account Terms, https://docs.roku.com/published/usertermsandconditions/en/us.
65 See Roku Products Terms of Use, https://docs.roku.com/published/deviceplayereula/en/us.
66 See Google Terms of Service, https://policies.google.com/terms?hl=en.
67 See Google Privacy Policy, https://policies.google.com/privacy?hl=en.
68 See Google Play Terms of Use, https://play.google.com/about/play-terms/index.html.
69 See Nvidia Terms of Use, https://www.nvidia.com/en-us/geforce-now/terms-of-use/.
70 See Nvidia Privacy Policy, https://www.nvidia.com/en-us/about-nvidia/privacy-policy/.

Data sharing

Evaluating data sharing takes into consideration best practices of keeping personal data inside the application or smart device to help protect privacy. Any time personal data is available on the internet or on another device, the possibility of unauthorized sharing or breach is increased. Connecting social media accounts could allow children or students to share personal information with other people and with third-party companies. In addition, installing third-party apps with a smart device could allow the collection and use of personal information for a different purpose.

Table 9: Devices integrate third-party apps

| Device | Third-Party Content |
| --- | --- |
| Apple TV | Yes |
| Google TV | Yes |
| Amazon Fire TV | Yes |
| Roku Streaming Stick | Yes |
| Nvidia Shield TV | Yes |

All of the streaming devices allow sharing a user's data and integrate with third-party subscription services or "channels" such as Netflix,71 YouTube TV,72 Prime Video,73 Disney+,74 Apple TV+,75 HBO Max,76 and more. In addition, all the streaming devices can integrate free ad-supported streaming services such as Tubi TV,77 Pluto TV,78 IMDb TV,79 and others. The Apple TV with Apple TV+ and Amazon Fire TV Cube with Prime Video are the only two streaming devices that by default integrate their own first-party original content and therefore those devices by design share less data with third-party service providers unless additional third-party subscription channels or apps are added to the software of the device by the user.

71 Netflix, https://www.netflix.com.
72 YouTube TV, https://tv.youtube.com/welcome.
73 Amazon Prime Video, https://www.amazon.com/Amazon-Video/b?node=2858778011.
74 Disney+, https://www.disneyplus.com.
75 Apple TV+, https://www.apple.com/apple-tv-plus.
76 HBO Max, https://www.hbomax.com.
77 Tubi TV, https://tubitv.com.
78 Pluto TV, https://pluto.tv/welcome.
79 IMDB TV, https://www.imdb.com/tv.

Data safety

Evaluating data safety in the context of data privacy takes into consideration best practices of using privacy protections by default and limiting potential interactions with others. It's better to start with the maximum privacy that the app or device can provide and then give users the choice to change the settings. It's also better to have people opt in to sharing rather than forcing them to opt out if they want to protect their privacy. In addition, users talking to other people through the app or device might permit personal information to be shared with strangers or be made publicly available.

Table 10: Privacy protecting default controls are enabled

| Device | Default Protecting |
| --- | --- |
| Apple TV | Yes |
| Google TV | No |
| Amazon Fire TV | No |
| Roku Streaming Stick | No |
| Nvidia Shield TV | No |


Each of the streaming devices have different opt in or opt out default privacy settings with some incorporating privacy-by-default80 principles by selecting the most privacy-protecting settings by default. However, default privacy settings of a streaming device are not always consistent with the default privacy settings of additional third-party apps that may be installed. The privacy settings of third-party apps should also be checked to ensure they respect your choices. The Apple TV was the only streaming device that used privacy-by-design to require opt in consent for any data sharing and set default privacy controls to the most privacy-protecting settings. Apple provided clear notice during the device set-up process of Apple's "Data and Privacy Notice" summary and link to "Learn More Privacy Notice" that links to Apple's privacy policy. The Apple TV provided notice to users to provide opt in consent to "share audio recordings" of Siri voice commands for research purposes. In addition, Apple provided notice to users to opt in to using and sharing "Location Services," and sharing TV usage data for first-party "Apple TV Analytics" and Third-Party "Developer App Analytics."

The Google TV set-up process required users to authenticate with their Google Account and provided notice of additional legal terms that require agreement with Google Device Arbitration Agreement81 and use of Google Services to "Use Location" and "Help Improve Chromecast," both of which use a checkmark to indicate consent, but are pre-checked, meaning the user must opt out of sharing data for these additional purposes. The onboarding experience follows up with another notification that "Google uses activity to improve recommendations." By activity, they usually mean "your data," and by "recommendations," they usually mean ads. Within the "Privacy Settings" menu of Google TV, there are additional options for "Scanning always available for other networks," which can share Wi-Fi SSID location information, and "Usage and Diagnostics," and "Limit Ad Tracking," which are associated with a user's cross-device Google Account privacy settings.

The Amazon Fire TV Cube set-up process is different from the Apple or Google streaming device set-up process because there is no notice of privacy settings or choices a user can make about sharing data. Only after the Amazon Fire TV Cube device has completed setup can users navigate to the "Settings" menu item, select "Preferences," then "Privacy Settings" and make privacy choices about whether to share "Device Usage Data" or whether to "Collect App Usage Data," share "Data Monitoring," or display "Interest-Based Ads," which are all enabled by default.

The Roku Streaming Stick+ set-up process did not display notice of privacy settings or choices a user can make about sharing data. Only after the Roku device has completed setup can users navigate to the "Settings" menu, and choose to opt in to the single privacy setting "Limit Ad Tracking," which is not enabled by default. This setting is worded in such a way that it may be misleading that opting in to limiting a worse practice is actually opting out of use of your data for that worse practice, which is not a principle of privacy by design.

Lastly, the Nvidia Shield TV uses the default Android TV settings and only provides privacy choices with respect to the user's Google account settings for sharing "Location Data" and "Usage & Diagnostics" data and the "Limit Ad Tracking" setting as part of the user's Google profile, which are not enabled by default.

80 See General Data Protection Regulation (EU) 2016/679 (GDPR), Art. 25, Recital 78.
81 See Google Terms, https://policies.google.com/terms?hl=en; Google Arbitration Agreement, https://support.google.com/store/answer/9427031?hl=en.

Account protection

Evaluating account protection takes into consideration best practices of using strong passwords and providing accounts for children with parental controls. Strong passwords can help prevent unauthorized access to personal information. Children younger than 13 may not understand when they are sharing personal information, so they should be required to create special accounts with more protection under the law. Lastly, parents can help children younger than 13 use a device or app with digital well-being protections in mind by using parental controls.

Table 11: Strong Passwords are Required for Accounts

| Device | Strong Passwords |
| --- | --- |
| Apple TV | Yes |
| Google TV | Yes |
| Amazon Fire TV | Yes |
| Roku Streaming Stick | Yes |
| Nvidia Shield TV | Yes |

All the streaming devices include the use of company-specific user accounts that need to be created either on the device itself, or with another mobile device or computer in order to log in and use the streaming device. The Apple, Google, Amazon, Roku, and Nvidia streaming devices all recommend using strong passwords with an account in order to use the device and protect a user's personal information from unauthorized access.

Parental consent

For children age 13 or younger, a parent or guardian's verifiable consent is required before the collection, use, or disclosure of the child's personal information to an application or service.

Table 12: Child Age Gates are Used

| Device | Age Appropriate User |
| --- | --- |
| Apple TV | Yes |
| Google TV | Yes |
| Amazon Fire TV | Yes |
| Roku Streaming Stick | Yes |
| Nvidia Shield TV | Yes |

All of the streaming devices are intended for a general audience and require users to be older than 18 in order to create an account with the service and use the device. In addition, there is notice provided on all devices during the account creation process that users are not eligible to sign up for an account with the service if they enter a birth date or birth year that indicates they are younger than 18 years old. Also, all users during the account creation process must provide a form of payment, such as a credit card, to their account to verify that it is owned by an individual over the age of 18 and to purchase or rent media content on each streaming device.

Table 13: Parental Controls are Available

| Device | Parental Controls |
| --- | --- |
| Apple TV | Yes |
| Google TV | Yes |
| Amazon Fire TV | Yes |
| Roku Streaming Stick | No |
| Nvidia Shield TV | No |

Providing parental controls or settings for each streaming device is an industry best privacy-protecting practice that allows parents to provide parental consent for the collection and disclosure of personal information from their children.

Apple requires a parent to provide consent for a child account through the Family Sharing setting of their Apple ID account on another Apple device, where they can create an Apple ID for their child. A parent must first review Apple's parent privacy disclosure,82 then enter their child's personal information, including an iCloud.com email address and a password that meets strong and complex password requirements. Parental controls for a child profile will move over to the Apple TV+ website83 and child account users will need to request permission from their parent or guardian to download apps, rent movies, and watch content. However, content restrictions set through parental controls on the Apple TV+ website do not apply to Apple TV+ in the Apple TV app on iPhone, iPad, iPod touch, Apple TV, Mac, smart TVs, or other streaming devices.

The Google TV user experience is tied to the signed-in Google account holder's settings that apply to any service the user is logged in to with their Google account. The Google TV device has settings to add a different Google account and provides an option for parents to create separate child profiles. After a parent provides consent to create a profile for their child, Google provides notice that a child profile is tied to a parent's account and will not have a username or password associated with their profile. In addition, parents can manage their child's account to set ground rules with activity controls, screen time, content ratings, and restrictions on installing apps and devices through Google Family Link84 and YouTube Kids.85

82 See Apple Family Privacy Disclosure for Children, https://www.apple.com/legal/privacy/en-ww/parent-disclosure.
83 Apple TV+, https://tv.apple.com.
84 See Privacy Evaluation of Family Link, https://privacy.commonsense.org/evaluation/Google-Family-Link.

The Amazon Fire TV Cube provides settings on the device with parental controls that are restricted by a five-digit PIN. After the parental controls are enabled, additional settings can be selected such as "PIN Protect Purchases," "Viewing Restrictions" of content based on age rating, and PIN Protect App Launches and the Amazon Photos App. However, Amazon does provide its own curated kids' content
85 See Privacy Evaluation of YouTube Kids,

https://privacy.commonsense.org/evaluation/YouTube‐Kids.



through a separate Amazon Kids+ service,[86] which has separate terms[87] and is an all-in-one subscription that gives kids access to thousands of kid-friendly books, movies, TV shows, educational apps, Audible books, and games on compatible Fire, Fire TV, Android, iOS and Kindle devices.

The Roku Streaming Stick+ did provide parental controls to restrict content based on age rating and the creation of a PIN through the Roku website[88] after authentication. However, parental controls are available only if a user accesses the "Roku Channel" in a "logged-in" state. Parental control content restrictions apply only to viewing within the Roku Channel, and did not affect any other channels. In addition, setting a PIN does not prevent users from exiting the Roku Channel and accessing content from another channel. The PIN is only required to make purchases and add items from the Roku Channel Store.

The Nvidia Shield TV did not include parental controls or the option to create a separate child profile during the Google account creation and device set-up process. However, the device did provide the option of different users of the device with the use of an "Owner" and "Restricted Profile." The restricted profile can be used by parents to allow only certain approved apps or "channels" to be used by their kids or teens on the device in the restricted mode, which requires a four-digit PIN to leave restricted mode. However, once an app or channel is approved for use with the restricted account, the use of that third-party service is not restricted with respect to its data collection practices.

Table 14: Child Profiles are Available on Device

| Device | Child Profile |
| --- | --- |
| Apple TV | No |
| Google TV | Yes |
| Amazon Fire TV | No |
| Roku Streaming Stick | No |
| Nvidia Shield TV | No |

Parental controls give parents more control over their child's use of a streaming device which allows for the creation of a separate "profile" for their child with different content moderation filters. Parents expect a child profile to also have better privacy protecting practices that include limiting the collection of personal information to only the data required to provide the service, and the prohibition on use of a child's data for targeted advertising, marketing communications, or other tracking or advertising profile purposes.

However, even if a company provides parents with the option of creating a child profile, the company can still collect data from kids when the child uses the device for the first time after its initial set-up before a child profile has been created, or when a child is using the device outside of their restricted account. The child profiles or restricted accounts on the streaming devices we tested are primarily used for content moderation of age-appropriate content and restriction of the use of installing and using third-party apps.

Table 15: Child Profiles are Available on App

| Device | Child Profile |
| --- | --- |
| Apple TV+ | None |
| YouTube TV | None |
| Disney+ | Yes |
| Paramount+ | Yes |
| HBO Max | Yes |
| Peacock | None |
| Amazon Prime Video | Yes |
| Discovery+ | None |
| Hulu | Yes |
| Netflix | Yes |

Parents need to know that parental controls focus on age-appropriate content rather than data collection practices.

[86] Amazon Kids+, https://www.amazon.com/kidsplus.
[87] See Amazon Kids+ Terms & Conditions, https://www.amazon.com/gp/help/customer/display.html?nodeId=201222340.
[88] See Roku Account Settings, https://my.roku.com.

Disney+, Paramount+, HBO Max, Amazon Prime Video, Hulu, and Netflix all allow users to create separate profiles for personalized content recommendations and for parents to create a separate "Kids" profile for children to watch curated kid-friendly content. In addition, Paramount+ child profiles provide additional segmentation that supports a "kids mode" with a choice between "Younger Kids" (TV-Y) or "Older Kids" with content ratings up to (PG)

in order to better recommend age-appropriate content to younger viewers. All of the streaming services we tested provide kid- and family-directed TV shows and movies, except Discovery+.

Apple TV+, YouTube TV, and Peacock also include kids and family content directed to children under 13 years of age on their streaming platforms, but these services do not allow for the creation of separate child profiles or accounts. Apple TV+ is the only streaming service without a child profile feature that still protects children's privacy because Apple provides better privacy protecting practices for all of its users, regardless of their age.

Child privacy policy

Streaming apps and devices with kid and family directed content should minimally include child profiles or child accounts to provide a safer experience with age-appropriate content recommendations and better privacy practices that protect children's data when they are using the streaming app or device. Additional privacy protections that apply to children's data when using separate child profiles also need to be clearly communicated to parents with a separate child privacy policy that explains what stronger privacy protecting practices are in place when children are using the streaming app or device.

Table 16: Streaming Device Child Privacy Policy

| Device | Child Policy | Sell Data | Third-Party Marketing | Targeted Ads | Third-Party Tracking | Track Users | Ad Profile |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Apple TV | Yes | No | No | No | No | No | No |
| Google TV | Yes | No | No | No | Yes | Yes | Unclear |
| Amazon Fire TV | Yes | No | Unclear | No | Unclear | Unclear | Unclear |
| Roku Streaming Stick | No | Unclear | Unclear | Unclear | Unclear | Unclear | Unclear |
| Nvidia Shield TV | No | No | Unclear | Unclear | Unclear | Unclear | Unclear |

Apple's privacy policy says that it protects the privacy of all the users of its Apple TV streaming device and therefore the use of a separate child profile would not change Apple's already default better privacy-protecting practices that earned it a "Pass" privacy rating. In addition, Apple's Family Privacy Disclosure for Children[89] policy says personalized ad settings cannot be enabled for a child's Apple ID. Apple says a child will not receive advertising targeted to their interests from Apple's advertising platform on devices associated with a child's Apple ID. However, a child will still be able to receive non-targeted contextual advertising on those devices. In addition, the "Allow Apps to Ask to Track" setting on devices is turned off and cannot be enabled. Apps and advertisers are restricted from accessing the "Advertising Identifier" provided by an Apple device's operating system, and are also responsible for complying with Apple's guidelines prohibiting them from engaging in targeted advertising or advertising measurement, or sharing information with data brokers.

Google's use of a child profile on the streaming device allows parents to change the content recommendations to be age appropriate, and use better privacy practices that prohibit targeted advertisements to protect children's privacy. Children may still see contextual advertising based on information, like the content of the show or movie a child is viewing, the current search query, or general location such as a city or state. However, Google's Family Link[90] Disclosure for Parents of Children Under 13[91] says that third-party tracking of children using child profiles may still occur from specific third-party partners for advertising and measurement purposes, using their own third-party cookies or similar tracking technologies.

[89] See Apple Family Privacy Disclosure for Children, https://www.apple.com/legal/privacy/en-ww/parent-disclosure.
[90] See Privacy Evaluation of Family Link, https://privacy.commonsense.org/evaluation/Google-Family-Link.
[91] See Google Family Link Disclosure for Parents of Children under 13, https://families.google.com/familylink/privacy/notice; Privacy Notice for Google Accounts and Profiles Managed with Family Link, for Children under 13, https://families.google.com/familylink/privacy/child-policy.



Amazon's Children's Privacy Disclosure[92] policy says they will not serve any interest-based advertisements[93] to children when using child profiles or accounts. However, Amazon's privacy policy[94] and child privacy policy do not disclose whether children may still receive third-party marketing communications, or are tracked by third parties on other apps or services across the internet.

Lastly, Roku and Nvidia's privacy policies do not disclose any additional privacy protections for children and also do not provide any separate child profile accounts on their streaming devices. Roku is the only streaming device that allows for selling data of users to third parties. In addition, Roku's privacy policy does not disclose any prohibition on selling data of children under 16 years of age.[95]

As shown in Table 17, both Apple TV+ and Google's YouTube TV have separate child privacy policies, but only Apple TV+ protects children's privacy across all indicators. Disney+ also has a separate Children's Privacy Policy[96] and related Online Tracking Technologies and Advertising[97] policy, but does not disclose whether additional privacy protections are in place for children such as prohibitions on targeted advertisements, third-party marketing communications, or tracking children across other apps or services. In addition, Disney has a California Consumer Privacy Act[98] policy, but does not disclose whether data from children under 16 years of age are excluded from sale to third parties, or whether parents can opt out of the sale of their child's data on their behalf.

Paramount+, which is owned by ViacomCBS, says in their Children's Privacy Policy[99] that they prohibit the sale of data from children under 13 years of age. In addition, their cookie policy[100] says cookies on child-directed services prohibit targeted advertisements and no third-party tracking is allowed. Paramount+ has better privacy practices for children across all indicators except one: third-party marketing. Paramount+ says they may share children's information with sponsors and other third-party partners for contests, giveaways, and sweepstakes.

HBO Max has an integrated Children's Privacy Policy[101] section in their main privacy policy[102] that says HBO may use children's information collected through "Kids Profiles" to show marketing offers, promotions, and contextual advertisements based on what the child is watching. HBO's California and CCPA Privacy Rights and Disclosures[103] section of their privacy policy says they do not sell the information of California consumers under 16 years of age. However, HBO's policy does say third parties may use cookies or similar technologies to understand and personalize a child's online experience within the service for advertising and the content a child is watching and on other apps and services across the internet.

Peacock, which is owned by NBCUniversal, has a separate Children's Privacy Policy[104] that also says children may receive third-party marketing communications for contests and sweepstakes. However, the policy does not disclose any prohibitions on the sale of children's data to third parties or prohibitions on the use of children's data for targeted advertisements or third-party tracking.

[92] See Amazon's Children's Privacy Disclosure, https://www.amazon.com/gp/help/customer/display.html?nodeId=202185560.
[93] See Amazon-Interest-Based Ads, https://www.amazon.com/b/?&node=5160028011.
[94] See Amazon Privacy Notice, https://www.amazon.com/gp/help/customer/display.html?nodeId=468496.
[95] See California Consumer Privacy Act (CCPA), Cal. Civ. Code §§1798.115(a)(1)-(3), 1798.115(c)(1), 1798.120(c), 1798.135(a)(2)(A)-(B), 1798.140(t)(1).
[96] See The Walt Disney Company, Children's Privacy Policy, https://privacy.thewaltdisneycompany.com/en/for-parents/childrens-online-privacy-policy.
[97] See The Walt Disney Company, Online Tracking Technologies and Advertising, https://privacy.thewaltdisneycompany.com/en/privacy-controls/online-tracking-and-advertising/
[98] See The Walt Disney Company, California Consumer Privacy Act (CCPA), https://privacy.thewaltdisneycompany.com/en/dnsmi.
[99] See ViacomCBS, Children's Privacy Policy, https://www.viacomcbsprivacy.com/en/childrens.
[100] See ViacomCBS, Cookie Policy, https://www.viacomcbsprivacy.com/en/cookies.
[101] HBO Max, Children's Privacy Policy, https://www.hbomax.com/privacy/en-us#otnotice-section-960b6cd7-87f8-4f59-9225-b4da79e1aad2.
[102] HBO Max Privacy Policy, https://www.hbomax.com/privacy.
[103] HBO Max, California and CCPA Privacy Rights and Disclosures, https://www.hbomax.com/privacy/app#page11381-band50811.
[104] See NBCUniversal, Children's Privacy Policy, https://www.nbcuniversal.com/privacy/Children.
[105] See Discovery, Privacy Notice, https://corporate.discovery.com/privacy-policy.

Discovery+ says in its privacy policy[105] that it is directed to adults and not intended for children under the age of 13. Therefore, it is expected that Discovery+ would not provide a separate child privacy policy or disclose any additional privacy protections for children. However, Discovery+ has content that would likely appeal to children and especially

students in K–12 classrooms with its Animal Planet content with documentaries customized to helping children learn about the natural world and Discovery's annual "Shark Week" event that is used by educators across the country to encourage students to learn more about marine biology. As such, educators and parents should carefully consider the implications of using content platforms not intended for children because there are no additional privacy protections put in place.

Table 17: Streaming App Child Privacy Policy

| App | Child Policy | Sell Data | Third-Party Marketing | Targeted Ads | Third-Party Tracking | Track Users | Ad Profile |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Apple TV+ | Yes | No | No | No | No | No | No |
| YouTube TV | Yes | No | No | No | Yes | Yes | Unclear |
| Disney+ | Yes | Unclear | Unclear | Unclear | Unclear | Unclear | Unclear |
| Paramount+ | Yes | No | Yes | No | No | No | No |
| HBO Max | Yes | No | Yes | No | Unclear | Unclear | Unclear |
| Peacock | Yes | Unclear | Yes | Unclear | Unclear | Unclear | Unclear |
| Amazon Prime Video | Yes | No | Unclear | No | Unclear | Unclear | Unclear |
| Discovery+ | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Hulu | No | Unclear | Unclear | Unclear | Unclear | Unclear | Unclear |
| Netflix | No | No | Unclear | Unclear | Unclear | Unclear | Unclear |

Similarly, Hulu's privacy policy[106] and Netflix's privacy policy[107] say the services are intended only for adults, and children under 13 years of age are not permitted to register with the services. These streaming services say they are not intended to be used by children without the involvement and approval of a parent or guardian.

However, Hulu and Netflix both provide kid- and family-targeted TV shows and movie content to children and provide parents with the ability to create separate child profiles, with the expectation children would use and interact with the service to view kid-friendly content. Hulu and Netflix do not provide a separate child privacy policy or disclose any additional privacy protections for children. Therefore, Hulu and Netflix need to put in place stronger privacy practices with separate child privacy policies to better protect children and use their existing child profile account features to allow parents to enable stronger privacy protections for children.

Adequate privacy protections for children typically require a separate child profile and child privacy policy that clarifies different data collection and use practices are in place for child accounts. However, none of the streaming apps and devices provided a separate child profile with stronger privacy practices for children across all evaluation criteria. Although Apple allows the creation of child accounts with Family Accounts, and Google allows the creation of child accounts through Family Link, all streaming apps and devices need a separate child profile which has stronger privacy-protecting data collection and use practices for children already in place.

Parental controls, PINs, or restricted child accounts are not sufficient to protect a child's data unless additional privacy protections are put in place.

[106] See Hulu Privacy Policy, https://www.hulu.com/privacy.
[107] See Netflix, Privacy Statement, https://help.netflix.com/legal/privacy.

Advertisements, marketing, and tracking

Responsible advertising practices limit the use of personal information for any third-party marketing, targeted advertising, tracking, or profiling purposes.



Table 18: Marketing messages are sent

| Device | Marketing Messages | Method |
| --- | --- | --- |
| Apple TV | No | None |
| Google TV | Yes | Opt-in |
| Amazon Fire TV | Yes | Opt-in |
| Roku Streaming Stick | Yes | Opt-out |
| Nvidia Shield TV | Yes | Opt-in |

The Apple TV registration process did not provide notice of any marketing communications that may be sent to the user and Apple did not send any first-party or third-party marketing communications to the user's Apple ID email address after setup of the Apple TV. During the Google TV registration process users are provided opt-in consent to sign up for Google's "Stay in the Know" marketing communications. After the Google TV setup is complete the user receives a service notification email from Google titled, "Welcome to Chromecast with Google TV" which provides additional notice of opt-in consent to explore third-party apps for use with the Google TV and sign up for Google's "Stay in the Know" marketing communications about new Google hardware products, and related features, services, and offers.

The Amazon Fire TV registration process sent a first-party marketing communication after set-up was complete titled "Welcome to the Fire TV Family" which encouraged the user to learn more about their new device and purchase colorful remote covers.[108] However, Amazon did not send any third-party marketing communications to the user's Amazon account email address after setup of the Fire TV device.

The Roku Streaming Stick+ registration process did not provide opt-in notice and consent of marketing communications. Instead Roku sends both first-party (Roku) and third-party (Channels) marketing communications that are opt-out. Roku sent an initial email communication titled, "Roku! Let's get started" which includes third-party content labeled "Free channels to check out" that will add those third-party services into the user's Roku streaming software. Roku follows up with a second marketing communication a day later titled "Meet your new home for free and premium TV" which encourages the user to "Add a premium subscription on the Roku Channel and enjoy all your favorites in one place." Roku continues to send marketing communications every other day reminding subscribers to use their Roku device and sign up for more third-party channels. Roku's marketing emails include subjects such as "You've got 3 months of Apple TV+ for free*. Just for Roku customers," and to explore new third-party app categories. Roku does include an unsubscribe feature at the bottom of every marketing communication.

The Nvidia Shield TV registration process includes notice of Google's policies and opt-in consent to "Get the Most out of Google Assistant" marketing communications. In addition, Nvidia prominently displays notice of opt-in consent to "Join Shield Rewards!" which offers free third-party content trial subscriptions with third-party email marketing promotions. The choices to join Shield Rewards may be confusing: Users need to choose to have a direct relationship with Google or Nvidia. The choices are as follows: Not Now (Default), Use my Google Account, Use a Different Email, Don't Show Me Again, and View Privacy Policy.

Table 19: Advertising is displayed

| Device | Displayed Ads | Content |
| --- | --- | --- |
| Apple TV | First-party | Apple TV+ |
| Google TV | Third-party | Special Offers |
| Amazon Fire TV | First-party | Prime Video |
| Roku Streaming Stick | Third-party | Special Offers |
| Nvidia Shield TV | First-party | Nvidia Games |

Advertising may be displayed within each third-party "channel" or subscription service, regardless of the device used. For example, viewing content in the "Netflix" channel or "Prime Video" channel on any streaming device may display first-party video advertisements for TV shows and movies and other media content from that provider. Table 19 only looks at advertising displayed by the device itself, irrespective of any third-party apps or channels which display their own advertising for third-party content that are used interchangeably.

[108] See Made for Amazon Remote Cover Case, for Alexa Voice Remote - Candy Red, https://www.amazon.com/Amazon-Mission-Cables-All-new-controls/dp/B07JCJP2N5.

The Apple TV displayed no advertisements during the device set-up process, but did show first-party Apple TV+ previews for Apple original TV shows and movies available on Apple TV+ while

using the device. The Google TV displayed no advertisements during the device set-up process, but did show third-party subscription content previews for TV shows and movies available on Peacock, Apple TV+, HBO Max, and Tubi TV while using the device.

The Amazon Fire TV Cube displayed no advertisements during the device set-up process, but did show first-party Prime Video previews for free and pay-per-view Amazon original TV shows and movies available on Prime Video while using the device. In addition, the Fire TV also displays third-party subscription content previews for TV shows and movies available on other channels.

The Roku Streaming Stick+ displays third-party advertisements for "Add More Channels" during the device set-up process and another advertisement to join "Free Trials" of third-party subscription services, such as Showtime, StarZ, Paramount+, AMC+, and many more. The user is required to scroll past all the available third-party subscriptions to the very bottom of the screen to continue with the set-up process. After the device set-up process is complete, the Roku displays first-party vertical banner advertisements for Roku products while using the device to "Buy Another Roku Device" and a full-screen video advertisement to sign up for Roku's premium "Roku Express Service."

The Nvidia Shield TV displayed no advertisements during the device set-up process, but does show first-party featured games from Nvidia Games, which is part of Nvidia's GeForce Now subscription service. In addition, the device displays an "App Spotlight" banner advertisement at the bottom of the home screen that says it is featured by Google Play.

Our observational analysis and classification of advertising and tracking domains that were sent and received by each streaming device is displayed in Table 20. We indicate whether any primary domains are classified as trackers, based on the open source Tracker Radar project from DuckDuckGo.[109] The Tracker Radar tool is not a block list, but is a data set of the most common third-party domains on the web with information about their behavior, classification, and ownership. Each observed domain in our security testing is classified by Tracker Radar into the following advertising and tracking categories that are relevant to streaming apps and devices: AP: Action Pixels; AF: Ad Fraud; AMT: Ad Motivated Tracking; AD: Advertising; AM: Audience Measurement; SN: Social Networking; and TPAM: Third-Party Analytics Marketing.[110] Additional information about the classification of each domain for each streaming app or device is available in the Appendix.

It is also important to understand that the presence of trackers in each classification only looks at unique primary domains and not their subdomains which could have multiple requests and be used for a potentially non-tracking purpose. Also, presumed first-party requests from the streaming app or device are not counted as a third-party domain tracker in our analysis. Therefore, any first-party domain requests that are owned by their respective company are excluded—even if Tracker Radar would have classified the domains as trackers if observed in other companies' products.

Observing first- or third-party trackers is an important step in validating a product's privacy practices, but it is also an ephemeral process that is constantly changing. Tracking the trackers is simply a snapshot in time based on the most up-to-date knowledge we have of each particular tracker's past behavior.

In addition, a domain may not be counted as a tracker in our analysis because Tracker Radar has not yet collected information about that particular domain or subdomain with DuckDuckGo's Tracker Radar Collector.[111] Moreover, Tracker Radar is a data set of the most common third-party domains on the web which was not necessarily designed to apply to known tracking domains from streaming mobile applications and devices. However, our analysis still indicates that streaming apps and devices that use trackers should be more carefully scrutinized by parents and educators before use, and their privacy policies carefully read to better understand their privacy practices. Lastly, our observational results of trackers are simply a snapshot of behavior we observed from a streaming app or device on a specific date and time in our particular network environment, which could change based on different testing configurations or real world use.

[109] DuckDuckGo Tracker Radar, https://github.com/duckduckgo/tracker-radar.
[110] DuckDuckGo Tracker Radar, Categories, https://github.com/duckduckgo/tracker-radar/blob/main/docs/CATEGORIES.md.
[111] DuckDuckGo Tracker Radar Detector, https://github.com/duckduckgo/tracker-radar-collector.
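The counting rules described above (unique primary domains only, first-party domains excluded, domains missing from the data set not counted) can be made concrete with a short added example; it is not code from the report or from the Tracker Radar project. The record layout (an owner name and a list of categories per domain) is an assumption about how Tracker Radar data would be loaded, and every domain, owner and captured host below is constructed.

```python
# Added example (not from the report or from the Tracker Radar project).
# Assumption: each record carries the two fields used here, an owner name
# and a list of category names, keyed by primary domain.
# All domains, owners and captured hosts below are constructed.

# Column abbreviations from the tracking tables, keyed by category name.
COLUMNS = {
    "Action Pixels": "AP",
    "Ad Fraud": "AF",
    "Ad Motivated Tracking": "AMT",
    "Advertising": "AD",
    "Audience Measurement": "AM",
    "Social Network": "SN",
    "Third-Party Analytics Marketing": "TPAM",
}

RADAR = {
    "ads-example.test": {
        "owner": {"name": "Example Ads Inc."},
        "categories": ["Ad Motivated Tracking", "Advertising"],
    },
    "vendorcloud.test": {
        "owner": {"name": "Device Vendor LLC"},
        "categories": ["Advertising", "Audience Measurement"],
    },
    "cdn-example.test": {
        "owner": {"name": "Example CDN Co."},
        "categories": ["CDN"],
    },
}

# Hosts seen in one constructed capture of a "Device Vendor LLC" product.
CAPTURE = [
    "a.ads-example.test",
    "B.ads-example.test.",
    "telemetry.vendorcloud.test",
    "img.cdn-example.test",
    "api.unlisted.test",
]


def primary_domain(host, radar):
    """Return the longest suffix of host that has a record, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before testing a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in radar:
            return candidate
    return None


def summarize(hosts, radar, first_party_owner=None):
    """Build one Yes/No table row plus the domains behind each decision."""
    counted, excluded, unknown = set(), set(), set()
    row = {abbr: "No" for abbr in COLUMNS.values()}
    for host in hosts:
        domain = primary_domain(host, radar)
        if domain is None:
            # Not in the data set: cannot be counted as a tracker.
            unknown.add(host.lower().rstrip("."))
            continue
        record = radar[domain]
        tracking = [c for c in record["categories"] if c in COLUMNS]
        if not tracking:
            continue  # known domain without an advertising/tracking category
        if record["owner"]["name"] == first_party_owner:
            excluded.add(domain)  # owned by the product's own company
            continue
        counted.add(domain)  # subdomains collapse into one primary domain
        for category in tracking:
            row[COLUMNS[category]] = "Yes"
    return {
        "row": row,
        "counted": sorted(counted),
        "excluded_first_party": sorted(excluded),
        "unknown": sorted(unknown),
    }


if __name__ == "__main__":
    own = summarize(CAPTURE, RADAR, first_party_owner="Device Vendor LLC")
    other = summarize(CAPTURE, RADAR)  # same traffic, seen in another product
    print("vendor's own product:", own["row"], own["excluded_first_party"])
    print("another product:     ", other["row"], other["counted"])
```

Running the same capture with and without the first-party owner shows how a vendor's own advertising domain disappears from the row when observed in that vendor's product.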



Table 20: Tracking behavior based on domain or primary domain contacted
Abbreviated columns are as follows: (AP) Action Pixels, (AF) Ad Fraud, (AMT) Ad Motivated Tracking, (AD) Advertising, (AM) Audience Management, (SN) Social Network, (TPAM) Third-Party Analytics Marketing. For further explanation, see appendix Tracking Categories.

| Device | AP | AF | AMT | AD | AM | SN | TPAM |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Apple TV | No | No | No | No | No | No | No |
| Google TV | No | No | Yes | Yes | No | No | No |
| Amazon Fire TV | No | No | No | No | No | No | No |
| Roku Streaming Stick | No | No | Yes | Yes | No | No | No |
| Nvidia Shield TV | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

The Apple TV sent and received requests from Apple related cloud services and third-party domains, but did not send or receive any presumed third-party advertising or tracking domain requests.[112] This better privacy-protective observational behavior is expected from a product with a highly transparent privacy policy that received a high overall score and "Pass" privacy rating. These better practices also align with our privacy evaluation criteria that require products not engage in third-party tracking of users. However, the Google TV sent and received requests to both third-party advertising and tracking domains, such as DoubleClick, that could be used for tracking or profiling for advertising purposes.[113]

The Amazon Fire TV Cube primarily sent and received network requests during testing to Amazon-related cloud services and also included first-party advertising and tracking domains, such as Amazon's Adsystem and AWS analytics, which are not counted in this analysis, but are used for third-party advertising and tracking purposes on other sites and services.[114] The Roku Streaming Stick+ also sent and received requests to known third-party advertising domains such as the advertising service DoubleClick, that could be used for tracking or profiling purposes.[115]

The Nvidia Shield TV sent and received data to both third-party advertising and tracking domains, such as Google Syndication and Facebook, even though no Facebook account login was displayed or used during testing, which means a user's data could be used by third parties for tracking or profiling purposes.[116]

Additionally, our observation of domain requests indicated many streaming devices used unencrypted requests to send and receive data for the purpose of displaying cover artwork for TV shows and movies from third-party content providers, to collect data analytics, and to display advertisements from third-party ad networks; all could potentially expose streaming device users to a Man-in-the-Middle (MiTM) attack.[117] Encrypting all data sent and received between the streaming device and the internet is an industry standard best practice which prevents the interception of unencrypted traffic and its modification by an attacker who could include malicious or nefarious content. This potential harm is especially acute for child users of streaming devices who are using restricted profiles and viewing content that is specifically moderated to be age appropriate. Without reasonable security practices in place that include industry standard encryption of the content and cover artwork sent and received by the streaming device, there is an increased risk of the possible interception or injection of harmful or offensive images into a child's viewing experience.

[112] See Appendix, Apple TV.
[113] See Appendix, Google TV.
[114] See Appendix, Amazon Fire TV Cube.
[115] See Appendix, Roku Streaming Stick+.
[116] See Appendix, Nvidia Shield TV.
[117] Internet Society, Fact Sheet: Man-in-the-Middle Attacks, https://www.internetsociety.org/wp-content/uploads/2020/03/Man-in-the-Middle-Fact-Sheet.pdf.

In Table 21 as part of our limited observational testing of the streaming apps and devices we found all apps and devices sent and received data from presumed third-party domains—except Apple TV+, which did not send or receive any third-party domain requests as indicated by NA. For third-party advertising and tracking domains, Apple TV+, YouTube TV, HBO Max, Amazon Prime Video, and Netflix all had better observational privacy practices of no known presumed third-party tracker domains classified by Tracker Radar. However, both Amazon Prime Video and YouTube TV did have presumed first-party domains that were classified as trackers

CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL PUBLIC LICENSE PRIVACY OF STREAMING APPS & DEVICES 23
Table 21: Tracking behavior based on domain or primary domain contacted
Abbreviated columns are as follows: (AP) Action Pixels, (AF) Ad Fraud, (AMT) Ad Motivated Tracking, (AD)
Advertising, (AM) Audience Management, (SN) Social Network, (TPAM) Third‐Party Analytics Marketing. For
further explanation, see appendix Tracking Categories.

App AP AF AMT AD AM SN TPAM


Apple TV+ NA NA NA NA NA NA NA
YouTube TV No No No No No No No
Disney+ No No Yes Yes Yes No Yes
Paramount+ Yes Yes Yes Yes Yes Yes Yes
HBO Max No No No No No No No

Peacock No No Yes Yes Yes No Yes


Amazon Prime Video No No No No No No No
Discovery+ No No Yes Yes Yes No Yes
Hulu Yes Yes Yes Yes Yes No Yes
Netflix No No No No No No No

which were not counted as part of our analysis because they were owned by their respective first-party company, but they would have been considered third-party trackers if observed in other products. Therefore, there is an inherent bias against classifying third-party trackers for large companies who own and control the full product lifecycle from hardware to hosting infrastructure, content creation, and delivery through cloud software services. Smaller companies who create only a mobile application or hardware as a value-added retailer need to rely heavily on third party companies to integrate third-party content and cloud services which would therefore result in observation of more third-party advertising and tracking technologies.

Tracking behavior provides valuable insight into how streaming services share data, but reading the privacy policies is also required to complete the whole picture of how a product can still use or share a user's data.

Paramount+, Peacock, and Hulu all had worse observational privacy practices because they had the most unique presumed third-party tracking domain requests, such as Facebook,118 Google Doubleclick,119 and Scorecard research.120 Our observations indicate these streaming apps are sharing a user's data with the greatest number of known third-party advertising and tracking companies. If a streaming app or device only sends and receives data to their own first-party primary domains, then we are unable to observe what the streaming app and device actually does with the personal information they collect after they have received it. However, just because we only observed a streaming app or device communicating with first-party primary domains does not mean that the app or device does not either communicate directly or indirectly with third parties through another method that was not observed during testing.

For streaming apps and devices with parental controls and child profiles, we also analyzed the domain requests sent and received without parental controls or child profiles enabled, and also after parental controls or child profiles had been enabled and were in use on each app or device. As expected, because parental controls are primarily used to restrict age-inappropriate content and not to limit data collection from child profiles, we did not observe any significant change in the unique domain requests sent and received by the streaming apps or devices with or without parental controls or child profiles in use.

118 See Facebook, https://www.facebook.com.
119 See Google Marketing Platform, https://marketingplatform.google.com/about/enterprise.
120 Scorecard Research, https://www.scorecardresearch.com/home.aspx.

Software updates

Evaluating software updates takes into consideration best practices of keeping a smart device secure with up-to-date software patches and settings. When a company improves its app or device, better privacy and security should be part of the package and should be automatically updated or easy to update.

Table 22: Software Updates are Automatically Installed

Device                  Updates Automatic
Apple TV                Yes
Google TV               Yes
Amazon Fire TV          Yes
Roku Streaming Stick    Yes
Nvidia Shield TV        Yes

All streaming devices provided firmware updates, either during or after the set-up process was complete. However, parents and educators should also keep in mind that all smart devices may not continue to provide software updates past the product's warranty. And if smart devices do not receive regular security updates and patches, there could be an increased risk to a child's or student's personal information.

Table 23: Software Update Transmissions are Secure

Device                  Updates Secure
Apple TV                Yes
Google TV               Yes
Amazon Fire TV          Yes
Roku Streaming Stick    No
Nvidia Shield TV        Yes

Software updates should always be transferred securely to the device with encryption to ensure malware or other harmful software is not unintentionally installed on the device, which could compromise the privacy of all users' personal information collected from the device and companion applications.

The Apple, Google, Amazon, and Nvidia devices were all observed downloading firmware and software updates with encryption to the devices. However, the Roku Streaming Stick+ was observed sending a large amount of nonencrypted data121 during the firmware update process. During the update process, all devices displayed a notice that the software update was being verified. It is possible that the Roku software update download was verified on the device before installation to ensure the updates were not corrupted or contain malware, but this is not a security best practice to send firmware updates over the internet without reasonable security protections.

Security testing methodology

To begin, Common Sense conducted a hands-on basic security assessment of the 10 most critical security practices around the collection of information from a smart device and from a companion mobile application with the internet, and the transmission of information between the device and the app. These 10 critical questions are organized into five categories which were derived from the Consumer Reports "Digital Standard" testing criteria.122 In addition to a basic security assessment of the 10 most critical security practices of a smart device, the Common Sense Privacy program created a full, 80-point inspection of the security practices of a smart device and mobile application.123

121 The Roku Streaming Stick+ downloaded firmware over port 80 from the domain http://firmware.roku.com.
122 See Consumer Reports, The Digital Standard, https://www.thedigitalstandard.org.
123 See Common Sense Privacy Program, Full Security Assessment Questions, https://privacy.commonsense.org/resource/full-security-assessment-questions.

Security framework

The following five "Smart Tech" evaluation concern categories comprise 10 basic security questions. These security questions illustrate the diverse security-related issues needed to complete a basic security assessment of smart tech devices:

Data sharing. Evaluating data sharing takes into consideration best practices of keeping personal data inside the application or smart device to help protect privacy. Connecting social media accounts could allow people to share personal information with other people and with third-party companies. In addition, installing third-party apps with a smart
device could allow the collection and use of personal information for a different purpose. Criteria for Data Sharing include sharing with: 1) social media accounts and 2) the third-party app store.

Data safety. Evaluating data safety takes into consideration best practices of using privacy protections by default and limiting potential interactions with others. It's better to start with the maximum privacy that the app or device can provide, and then give users the choice to change the settings.124 In addition, users talking to other people through the app or device might permit sharing personal information with strangers. Criteria for Data Safety include: 3) providing privacy-protecting controls and 4) limiting social interactions.

Account protection. Evaluating account protection takes into consideration best practices of using strong passwords and providing accounts for children with parental controls. Strong passwords can help prevent unwanted access to personal information. Children younger than 13 may not understand when they are sharing personal information, so they should be required to create special accounts with more protection under the law.125 Lastly, parents can help children under the age of 13 use a device or app with digital well-being protections in mind by using parental controls. Criteria for Account protection include: 5) requiring a strong password, 6) displaying an age gate, and 7) providing parental controls and optional child profile.

Device security. Evaluating device security takes into consideration best practices of securing personal information against unwanted use that is shared between the mobile device, smart tech, and the internet. Keeping personal information encrypted,126 or masked,127 helps to protect information while it is transmitted.128 In addition, advertising and tracking requests from the device or app could contain personal information about the user, including what they're doing with the device or app. Criteria for Device Security include: 8) securing data and 9) ads and tracking requests.

Software updates. Evaluating software updates takes into consideration best practices of keeping a device secure with up-to-date software patches and settings. When a company improves its app or device, better privacy and security should be part of the package and should be automatically updated or easy to update. Criteria for Software Updates include: 10) updates available.

Security testing

To perform basic information security testing we created a "blank slate" testing environment that monitored only the data sent and received between a smart device, its companion mobile application, and the internet.129 This included purchasing and setting up networking hardware equipment to monitor network traffic in order to create a specific type of testing environment. Also, iOS130 and Android131 mobile devices were used for testing and each was factory reset without any personal information loaded onto the device in order to test only a single companion mobile application at a time. Additionally, software was installed on our local computer for network packet analysis.132

124 See General Data Protection Regulation (EU) 2016/679 (GDPR) (generally, provides for data subjects to opt in); See also California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.140 (generally, provides for data subjects to opt out).
125 COPPA, 16 C.F.R. Part 312.
126 Encryption is the process of converting information or data into a code, to prevent unauthorized access.
127 Data masking is the process of hiding original data with modified content, used to protect data.
128 De-encryption is the conversion of encrypted data into its original form. Reidentification is the practice of matching anonymous data with publicly available data or auxiliary data in order to discover the individual to which the data belongs. While encryption or anonymization are not perfect, these measures provide some security over allowing unencrypted data to pass over public channels (i.e. passed from product to product via internet protocols).
129 See Ren, Jingjing, Dubois, Daniel J., Choffnes, David, Mandalari, Anna M., Kolcun, Roman, Haddadi, Hamed, Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach, IMC '19: Proceedings of the Internet Measurement Conference, Oct. 2019, pp. 267–279, https://doi.org/10.1145/3355369.3355577.
130 iOS is a mobile operating system created and developed by Apple Inc. for iPhone.
131 Android is an open-source operating system used for smartphones and tablets.
132 See OWASP Zed Attack Proxy (ZAP), https://www.zaproxy.org/.
133 Intercepting proxies are tools used to analyze the normal session created between a client and server.
134 Jailbreaking refers to the process of removing all restrictions imposed on an iOS device.

There are several different types of information security testing that could be used to monitor network traffic and determine security vulnerabilities of smart devices. Some methods make extensive use of an intercepting software proxy to observe, and in some cases modify, encrypted network requests generated by the application.133 There are also mobile application frameworks that can be used with Android mobile devices or jailbroken134 iOS
devices to gain root administrator level access135 to the mobile operating system in order to observe network requests from a mobile application to the internet. However, these advanced approaches are still limited for the purposes of our basic security testing because they can observe 1) decrypted network traffic between the mobile application and the internet, and 2) decrypted network traffic between the smart streaming device and the mobile device, but they cannot decrypt and observe data sent from the smart device directly to the internet.

When researching which method to use for our basic information security testing we considered how difficult it would be for nontechnical educators and students to reproduce our network testing environment for their own educational and testing purposes.136 Therefore, we designed our method of basic information security testing to be used as part of a project-based collaborative development experience for both teachers and secondary students to increase their experience with and knowledge of hands-on software and hardware tools and how to test the privacy and security of a mobile application, online service, or smart device. Through the unifying theme of learning about smart technology, teachers and students could work together to learn various technologies (focusing on their individual interests and use of the technology). They could also use this process to consider how to protect their privacy and gauge the security of their data while engaging with everyday smart technologies, like streaming devices.

We believe the following testing process that uses a hardware-based network environment testing approach with the preconfigured open-source data analysis software Security Onion is the easiest method to set up and start security testing smart devices quickly with educators and students.137 Security Onion software provides an out-of-the-box solution that is easy to install on a computer and provides extensive documentation for educators and students to learn how to perform basic security analysis.138

In addition, Security Onion software also provides the flexibility for more advanced security testing for students if desired. Security Onion can also be installed in a virtual machine, which allows students and researchers without access to the devices to reproduce the testing results and investigate the findings themselves by importing the original pcap (packet capture of network traffic) data used for testing.

Overall the goal of designing the testing environment was to get educators and students to start testing the privacy and security of smart devices with minimal effort and a small learning curve. Therefore, we believe the following network testing environment relies more on basic hands-on networking and operating system installation skills, rather than extensive computer science knowledge of open-source software tools and Unix administration processes139 often used by security professionals to configure information security testing environments.

Network testing environment

The diagram below illustrates the basic network topography environment used for testing all five streaming devices. However, it is important to note that every network hardware configuration is different and may require different devices to connect to the internet, such as a DSL140 or cable modem, router, or gateway, that may need to be configured to allow the network switch in our diagram below to connect to the internet.

Figure 1: Image of network testing environment structure.

The following list describes the components required for the testing environment:

The internet. The basic information security testing environment requires that all devices be connected to the internet in order to make and receive network requests that can be captured and analyzed by the Security Onion server. This type of security testing environment attempts to recreate as closely as possible the real-world interaction, data collection, and use of streaming devices and companion mobile applications running on a smartphone.141

Network switch. The switch in our testing environment can be a low-cost device that is used to connect a wireless access point142 to the internet and also connect a Security Onion server for monitoring all network packets received by the wireless access point. In order to monitor all the network packets that are sent and received from the streaming device to the internet, our testing environment used a switch with port mirroring.143

Security Onion server. Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management.144 The software is available in a downloadable image that can be used to create a bootable USB device that allows users to quickly install the network monitoring server on a personal computer that meets the sufficient hardware requirements. The Security Onion server captures network traffic145 from the wireless access point on the mirrored port of the network switch for security analysis.

Wireless access point. The wireless access point in our testing environment can be a low-cost device to connect wireless devices for basic information security testing to the network switch and the internet. This network configuration allows for the network switch to mirror all network packets146 from the wireless access point that uses Wi-Fi to another port on the network switch for packet capture and analysis by the connected Security Onion server.147

Streaming device. Each streaming device used for testing was wirelessly connected to the wireless access point only one at a time to ensure data captured originated from a specific device because the network switch will mirror all network traffic from the streaming device to another port on the network switch for the Security Onion server to capture for analysis of that specific smart device.

Smartphone. A low-cost Android or iOS smartphone can be used in the testing environment with the mobile application used to control the streaming device installed. The mobile device was "factory reset" before use, meaning that the operating system had been reinstalled and no other applications were installed on the device to avoid inadvertent data collection during our basic information security testing. The mobile device was wirelessly connected to the wireless access point and the network switch mirrored all network traffic from the mobile application on the smartphone to another port on the network switch for the Security Onion server to capture for analysis.

Laptop. A low-cost laptop in our testing environment was used to connect to the wireless access point and access the basic information security testing tools on the Security Onion Server through a web browser or over a SSH terminal session.148

135 Root administrator access provides all privileges to the operating system of an Android mobile device.
136 While some of the audience for our research may be a CTO or IT professionals, we also seek to inform school district administrators and classroom teachers who may have no technical background.
137 Security Onion, https://securityonion.net/.
138 See Security Onion Documentation, https://securityonion.readthedocs.io/en/latest/.
139 Unix is an operating system which supports multi-tasking and multi-user functionality.
140 A digital subscriber line (DSL) is a device used to connect a computer or router to a telephone line which provides connection to the internet.
141 iOS or Android varieties.
142 A network switch is a networking hardware device that connects other devices on a computer network by using packet switching technology to receive and forward data from the source device to the destination device.
143 Port mirroring is used on a network switch to send a copy of all network packets received on a designated switch port to a network monitoring connection on another switch port. This is commonly used for network devices that require monitoring or network traffic such as an intrusion detection system (IDS).
144 Security Onion, https://securityonion.net/.
145 Network traffic is the data set for this testing methodology. It is the flow of data from inside the product to the outside world.
146 A packet is a unit of data that is routed between an origin and a destination on the internet or any other packet-switched network.
147 See Security Onion Documentation, https://securityonion.readthedocs.io/en/latest/.
148 Secure Shell (SSH) is a cryptographic network protocol for operating network services securely through terminal emulation software.

Process overview

The basic information security testing process was designed into three modules to analyze several different security-related data points with Security Onion to determine the security practices of the smart device and companion mobile application.

1) What type of network requests are being sent and received from the streaming device and the mobile application? This module illustrates what type of secure or unsecure requests are sent from the smart device to the internet and requests received between the smart device and
mobile application. This analysis provides users with more information about whether reasonable security practices, such as encryption, are used to protect personal data while in transit from its source to its destination.

2) What destinations are network requests sent to? This module illustrates what third-party companies send and receive data from a smart device and mobile application. Intuitively, most smart devices and mobile applications communicate primarily with the manufacturer's online web services, but often third-party advertising or tracking services can be seen sending or receiving data from the smart device or mobile application.

3) How much data is shared with the company or third parties? This module illustrates the total amount of bytes sent from the smart device or mobile application to the company's servers or third parties. This analysis provides users with more information about when data is collected and how much data is actually collected.

This three-step modular process is helpful to illuminate who the smart device and mobile application are talking to (the company or third-party servers), but is limited because it does not show the content of the data that is actually being sent between the parties because it is likely encrypted.

Security Onion software. After the network testing environment is deployed successfully and the streaming device, mobile device, and laptops can access the internet through the wireless access point, then users need to install Security Onion on a personal computer or laptop attached to the network switch. After installation of the Security Onion server, users can use their laptops to connect to the Security Onion server and begin the information testing modules that teach basic security monitoring skills. It includes preconfigured network security testing software applications and utilities, such as Elasticsearch, Logstash, Kibana, Snort, Suricata, Zeek, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security analysis tools.149

Testing limitations. However, there are limitations with this basic information testing approach. First, our testing results are simply a snapshot of behavior we observed from a smart device and mobile application on a specific date and time in our particular network environment, which could change based on different testing configurations or real-world use.150 In addition, firmware updates to the smart device and software updates to the companion mobile application could also change expected observational behavior from what was observed during our testing period.151

Second, our testing can only see what data is transferred from one device or server to another, but not subsequent data processing or sharing with third parties.152 For example, a smart device or mobile app may only send and receive data to one destination server address, such as Amazon's web services, before forwarding the data packets off to other third-party domains to be processed elsewhere. Users will be unable to observe what the first-party company (e.g., Amazon Web Services in this example) actually does with the personal information it collects after it has received it. Therefore, we believe reading the privacy policies of these smart devices is also a critically important part of evaluating the privacy and security of a streaming device.

In addition to observing the smart device's data collection and sharing practices, it is important to know how each company promises it will process personal data after it has been collected. Combining some knowledge of actual data flows, as we have done in this testing, with the legal obligations described in the privacy policies puts more of the crucial puzzle pieces on the table. Putting them together into a coherent whole, however, requires more work.

149 See Elasticsearch, https://www.elastic.co/; Logstash, https://www.elastic.co/logstash; Kibana, https://www.elastic.co/kibana; Snort, https://www.snort.org/; Suricata, https://suricata-ids.org/; Zeek, https://zeek.org/; Wazuh, https://wazuh.com/; Sguil, https://bammv.github.io/sguil/index.html; Squert, https://github.com/int13h/squert; CyberChef, https://gchq.github.io/CyberChef/; NetworkMiner, https://www.netresec.com/index.ashx?page=NetworkMiner.
150 Our observational testing was conducted from single use observation for each app or device from January 2021 to June 2021.
151 Firmware is data that is stored on a hardware device that provides instructions on how that device should operate. Firmware updates are one of the weak points in IoT security, particularly where the devices are either not updated at all and considered disposable once the initial software has become outdated, or require the user to locate and perform manual updates. In contrast to firmware updates and their security limitations, software updates may be effectuated automatically from the server, without user input, or, with user input but with the click of a button.
152 The term "third parties" is somewhat misleading in the sense that it implies only one entity might receive the data, in a single transaction. In actuality, data brokers and other initial recipients of the data often forward and resell this information over multiple transactions, combine data with other data for use and sale, and store data for future use and sale.
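The three process-overview modules (request type, destination, volume) and the cleartext firmware download noted for the Roku Streaming Stick+ can be computed from flow records taken off the mirrored switch port. The following is an added example, not code from the report or from Security Onion; the CSV layout, byte counts, the hosts `api.roku.com`, `ad.doubleclick.net` and `img.cdn.example.net`, and the one-entry tracker list are constructed assumptions.

```python
"""Summarise flow records from a mirrored switch port along the three modules."""
import csv
import io
from collections import defaultdict

# Constructed sample, not captured traffic. The CSV layout is a simplified
# stand-in for this example and is not Zeek's or Security Onion's schema.
SAMPLE_FLOWS = """\
device,dest_host,dest_port,service,bytes_out,bytes_in
streaming-stick,firmware.roku.com,80,http,2100,48000000
streaming-stick,api.roku.com,443,tls,15400,88200
streaming-stick,ad.doubleclick.net,443,tls,9300,4100
streaming-stick,ad.doubleclick.net,443,tls,700,300
streaming-stick,img.cdn.example.net,443,tls,1200,650000
"""

FIRST_PARTY = {"roku.com"}            # assumption: domains owned by the device maker
KNOWN_TRACKERS = {"doubleclick.net"}  # assumption: one-entry stand-in for a tracker list
ENCRYPTED_SERVICES = {"tls", "ssh", "quic"}  # labels used by this example's schema


def primary_domain(host):
    """Reduce a hostname to its primary domain.

    Naive rule (last two labels); real analysis should use the Public Suffix
    List so that names such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain):
    """Label a primary domain as first-party, known tracker, or other third party."""
    if domain in FIRST_PARTY:
        return "first-party"
    if domain in KNOWN_TRACKERS:
        return "third-party tracker"
    return "other third party"


def analyse(flow_csv, bulk_threshold=1_000_000):
    """Return the module 1-3 summaries plus large cleartext downloads."""
    requests = defaultdict(int)    # module 1: encrypted vs. cleartext requests
    destinations = {}              # module 2: who the device talks to
    bytes_out = defaultdict(int)   # module 3: bytes sent per primary domain
    cleartext_bulk = []            # e.g. a firmware image fetched over port 80

    for row in csv.DictReader(io.StringIO(flow_csv)):
        domain = primary_domain(row["dest_host"])
        sent = int(row["bytes_out"])
        received = int(row["bytes_in"])
        encrypted = row["service"] in ENCRYPTED_SERVICES

        requests["encrypted" if encrypted else "cleartext"] += 1
        destinations[domain] = classify(domain)
        bytes_out[domain] += sent

        # A large unencrypted download can be read or altered in transit.
        if not encrypted and received >= bulk_threshold:
            cleartext_bulk.append((row["dest_host"], int(row["dest_port"]), received))

    return {
        "requests": dict(requests),
        "destinations": destinations,
        "bytes_out": dict(bytes_out),
        "cleartext_bulk": cleartext_bulk,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_FLOWS)
    print("Module 1, request types:", report["requests"])
    for domain, label in report["destinations"].items():
        print(f"Module 2/3, {domain}: {label}, {report['bytes_out'][domain]} bytes sent")
    for host, port, size in report["cleartext_bulk"]:
        print(f"Cleartext bulk download: {host}:{port} ({size} bytes received)")
```

The service label is only as reliable as the sensor that assigned it; a destination port of 443 on its own does not show that a flow was encrypted.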

Advanced techniques. Currently, the basic information security testing modules are designed to only analyze the source and destination of network traffic requests to determine where data is sent and received. Educators and students interested in privacy and security research are not expected to use packet analysis to review the actual content of the data transferred between devices, apps, and the internet because the network packets are likely encrypted with TLS encryption,153 which would require more advanced security monitoring techniques beyond the scope of our basic testing environment. However, Security Onion is extremely flexible and allows for more advanced monitoring techniques such as the use of a separate "forward node" and installation of third-party software proxies that can be used to decrypt TLS-encrypted data sent and received from the mobile application and the internet.154

A user would need to introduce another Security Onion server as a forward node or stand-alone server that runs a proxy that could decrypt, inspect, and re-encrypt TLS traffic before forwarding it to the Security Onion "master server" and then the internet. Also, students could learn to relay mirrored network traffic to a network interface on a computer with Security Onion and use network analysis tools with the use of digital certificates to decrypt network traffic.155

As discussed, this is an advanced man-in-the-middle security analysis technique that is outside the scope of our basic information testing approach, but could provide more insight for advanced students about what data is actually being sent and received by the companion mobile application on a mobile device, but not from the streaming device because a trusted digital security certificate cannot be installed on the smart device itself.156 As discussed, this advanced technique is considered out of scope for the basic information security testing because data from smart devices cannot be easily decrypted, and mobile applications that send and receive encrypted data often put in place advanced mechanisms to prevent the interception or decryption of encrypted data with pinned digital certificates on the smart device, or runtime malware detection code in the mobile application to prevent circumvention of encryption.

Therefore, the results presented in this paper on the privacy and security practices of the top five streaming devices and top 10 streaming apps did not attempt to decrypt any encrypted network traffic in order to examine the content of what data was actually sent and received by the streaming devices or companion mobile application. This research only examined the source and destination of where data was sent and received. We encourage additional research and experimentation based on these results, including analyzing content transmitted or received as well as identifying if additional third parties are implicated.

153 Transport Layer Security ("TLS") is a cryptographic protocol designed to provide communications security over a computer network.
154 See Security Onion Documentation, supra note 65.
155 Digital certificates are an electronic document used to prove the ownership of a public key.
156 A public key certificate, also known as a digital security certificate is an electronic file used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents.
157 Common Sense Media, https://www.commonsensemedia.org.

What should parents and educators do?

Parents and educators have several options when deciding whether to use streaming media apps and devices. Some may be thinking about which streaming app they should subscribe to, or which streaming device to purchase, and others may have already made up their mind to subscribe to one or more services, but aren't sure which one is best for privacy. Some may want to know how to change their app's privacy settings to best protect their children or students. Parents and educators may also want to know how to exercise their data rights and tell companies not to sell their data.

Below are some suggestions for managing this process to better protect child and student users:

• Check the privacy settings. All streaming apps have some settings inside that allow varying degrees of data collection features to be turned on or off. If it's not necessary to collect viewing data or analytics data on how the app is used, then these extra features can be turned off to minimize the amount of sensitive information collected.
• Check Common Sense Media. Streaming content may not be age appropriate, but our media reviews can help take away the guesswork.157
• Encourage supervision. Children and students should use streaming apps only when an adult
is present to supervise use and limit use The following privacy practices are used in our eval‐
of streaming apps based on age‐appropriate uation process to determine whether a product re‐
screen‐time recommendations. ceives a "Pass" or "Warning" rating for unclear or
• Check which apps or subscriptions are in‐ worse practices. These practices are also the most
stalled. Remove unwanted third‐party stream‐ important factors for consumers, parents, and ed‐
ing apps or TV subscriptions to limit informa‐ ucators when choosing a better privacy‐protecting
tion collection. product for themselves or their children or students.
• Ask companies not to sell your data. Use free A company should disclose in their privacy policy all
online resources, like donotsell.org,158 to re‐ of the following best practices:
quest that companies not sell your personal • No selling data. A user's personal information
data for profit. should not be sold or rented to third parties. If a
• Make your preferences known to companies user's personal information is sold to third par‐
and legislators. Many parents have taken (or ties, then there is an increased risk that the per‐
wanted to take) steps to limit data collection— sonal information could be used in ways that
recent research indicates about half of those were not intended at the time at which the
surveyed think they have, and half want to user provided their personal information to the
but don't know how.159 This is the jumping‐off company, resulting in unintended harm. Two‐
point for action. The next step is to empower thirds of the streaming apps and devices we
parents and educators so that they know how tested disclosed in their privacy policies that
to exercise their privacy protecting options. they sell users' data. Only Apple, Google, Ama‐
Legislators can support this practice by man‐ zon, Netflix, and Nvidia disclosed they do not
dating features allowing parental controls, and sell their user's data for profit to third parties.
when that doesn't fully protect kids, allowing
• No third‐party marketing communications.
the information to be deleted from devices and
A user's personal information should not be
databases.
shared with third parties for marketing pur‐
• Make informed decisions about which apps poses. A streaming app or device that requires
to use. This report is a snapshot of stream‐ a user to be contacted by third‐party com‐
ing apps and devices right now. Business prac‐ panies for their own revenue generating pur‐
tices change rapidly as companies think cre‐ poses increases the risk of exposure to inap‐
atively about how to gather, process, and sell propriate messages and influences that may ex‐
data. In deciding whether to purchase subscrip‐ ploit a user's preferences and vulnerabilities.
tions or use streaming apps, consider the im‐ Third parties who try to influence a user's pur‐
pact on children that use the service and the chasing behavior for other goods and services
amount of screen time. Factor into your deci‐ may cause unintended harm. Only Apple and
sion the cost of the service, purchases that may Google disclosed they do not send users third‐
be made with the app, and the potential use party marketing communications by default.
of your personal information by the company
and other third‐party companies the app might • No displaying targeted advertising. Target‐
share your data with over time. ing users with personalized advertising on the
streaming service based on their personal in‐
formation or viewing habits should not be dis‐
What should streaming played in the product or elsewhere on the in‐
ternet. A user's personal information provided
apps and devices do? to a streaming app or device should not be used
There are several industry best privacy practices to exploit that user's specific knowledge, traits,
that streaming app and device companies can adopt and viewing behaviors to influence their de‐
to differentiate themselves from their competitors sire to purchase goods and services. Only Ap‐
and earn their consumers' trust as a product that re‐ ple disclosed they do not display targeted ad‐
spects their privacy and the privacy of their children. vertisements on their service to all users. How‐
ever, Google, HBO, and Amazon disclosed in
158 CCPA:Do Not Sell My Information, http://donotsell.org. their additional child privacy policies that they
159 Common Sense, Privacy user research, studies to do not display targeted advertisements to chil‐
understand parents' privacy‐related knowledge and concerns
(2019).
dren.

• No third-party tracking. A streaming app or device should not permit third-party advertising services or tracking technologies to collect any information from a user while using the service. A user's personal and viewing information provided to a streaming app or device should not also be used by a third party to persistently track that user's behavioral actions on the app or device to influence what content they see in the product and elsewhere online. Third-party tracking can influence a user's decision-making processes without their knowledge, which may cause unintended harm. Only Apple disclosed they do not engage in third-party tracking of all users.
• No tracking across apps. A user's personal information should not be tracked and used to target them with advertisements on other third-party websites or services. A user's personal information provided to a streaming app or device should not be used by a third party to persistently track that user's behavioral actions over time and across the internet on other apps and services. Only Apple disclosed they do not engage in tracking any user over time across other third-party apps and services.
• No data profiling. A company should not allow third parties to use a user's data to create a profile, engage in data enhancement or social advertising, or target advertising based on that profile. Automated decision-making, including the creation of data profiles for tracking or advertising purposes, can lead to an increased risk of harmful outcomes that may disproportionately and significantly affect children or students. Only Apple disclosed they do not engage in profiling all users for the purpose of advertising or tracking users over time.
• Protect use by students in K–12. Streaming apps and devices should provide more information about how they protect student data privacy when used in K–12 schools and districts. Streaming companies that don't talk about how they protect student data privacy and also have content directed to children, or would appeal to children, need to clarify and discuss how they protect children and students.

Children and data privacy
When it comes to their children and students, parents and educators value the ability to understand and control what personal information is collected from apps they use. And if so, does the user know how to control what information is collected and whether their child's or students' personal data is being used to deliver personalized or targeted ads? Streaming apps and devices can request access to a user's mobile device location, play age-appropriate or age-inappropriate media, and subscribe to different third-party app content providers through channels. Parents and educators may also feel like they don't have the ability to make a meaningful choice when it comes to privacy because the TV shows, movies, or educational content they need is only available on a single streaming platform.

• The facts: Streaming apps and devices may be treated as trusted services, but they can collect a significant amount of behavioral viewing data and personal information to influence your behavior to get you to watch one more episode and consume more content.
• The feelings: Parents and educators may have feelings about streaming apps and devices always collecting data from their children and students while they are watching to create a personalized profile—basically noting every show that has been watched or not watched. This is often referred to as the "creepiness" factor and could include collecting behavioral data without express permission, or using the data for purposes other than what the app was initially used for. For example, a person might watch a show on a streaming service and get an email or advertisement elsewhere selling them merchandise related to the show.
• The future: Beyond what is currently collected and how it is used, streaming apps may store behavioral data indefinitely. At some point, companies may use the data in ways that no one has yet imagined, such as changing default interactions on other unrelated apps and services based on what types of content were already watched. In addition, data brokers could also combine behavioral data in the future with data collected from other apps and services in order to reidentify presumed anonymous or deidentified data. In order to better protect children, the streaming media industry needs to develop alternative monetization methodologies for distributing content in a more privacy-protecting manner; additionally, streaming app developers should incorporate privacy-by-design principles.



APPENDIX

Traffic analysis methodology
During the operation of each device or app, traffic was captured and later analyzed. Because the majority of, but not all, traffic was transmitted over secure communication channels, we only have aggregate domain-level information and therefore do not have insight into the particular resources accessed. Each application's traffic was only observed using the lowest price point; there may be observable differences in traffic based on pay plan that we did not make an effort to observe. As such, any of the following analysis should be interpreted with some caution.

Our analysis is intended to indicate the possibility that the respective tracking behavior could be happening based on the device or app accessing resources on a particular domain known to have exhibited tracking behavior. For all domains captured, we first made a best effort to determine if the traffic was presumably from the first party or third party. We then ran two sets of analysis to categorize the potential for tracking-related behavior based on the domains contacted for each app or device. If a domain is indicated as potentially engaging in a tracking behavior, it should be interpreted to mean that caution is warranted with respect to tracking concerns. In addition, the observed traffic does not necessarily mean that the respective tracking behavior was engaged in.

For each domain we observed, we also indicate the "Matching Domain" indicating which Tracker Radar domain file was used to provide the tracking categories. We only considered domains in the U.S. directory for Tracker Radar. If a domain indicates "NA," that means we did not have a corresponding Tracker Radar domain file to classify the domain traffic. Some of these unknown domains are expected as the process to obtain the Tracker Radar data is from a web browser—a context notably different than the apps or devices that we tested. As such, there may not have been opportunities to observe traffic as seen when using an app or device as opposed to a web browser.

We used a git checkout of the tracker-radar project with git tag '2021.03', corresponding to git hash 3580393035dd1d7e8daf6172b63afbaceeec9036.

Tracking categories
For the purposes of our analysis we only considered Tracker Radar categories160 that could pose a privacy risk, especially because it is unlikely that a user of a streaming app or device would know any tracking was happening. As such, we have excluded the "Social–Comment" and "Social–Share" Tracker Radar categories in our analysis, as it is likely the user would see the respective interfaces or social share buttons, making it more explicit that data is being shared or transmitted that could be used to track behavior. It should also be noted that we considered "Obscure Ownership," "Session Replay," and "Unknown High Risk Behavior," but at least for the traffic that we were able to observe, no streaming devices or apps contacted domains triggering any of those Tracker Radar categories. Several other innocuous categories were also excluded. The categories we included in our analysis are as follows:

• Action Pixels (AP): This tracker may be collecting user-specific events in a first-party or third-party environment.
• Ad Fraud (AF): The tracker is intended to help prevent ad fraud (either on behalf of the publisher or the network). These can come from a network (like Google) or ad middleware (software designed to identify bots and not show them ads).
• Ad Motivated Tracking (AMT): The tracking that takes place is related to advertising. This could include targeting users, header bidding, ad beacons, demographic collection, preventing ad fraud, etc.
• Advertising (AD): The purpose of this tracker is related to advertising.
• Audience Measurement (AM): Similar to analytics, but may focus on deeper demographics, behavior sets, and specific actions.
• Social Network (SN): The domain is owned by a major social network.
• Third-Party Analytics Marketing (TPAM): Related to third-party analytics systems for marketing, usually marketing attribution or funnel management.

160 DuckDuckGo Tracker Radar, Categories, https://github.com/duckduckgo/tracker-radar/blob/main/docs/CATEGORIES.md.
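
The "Matching Domain" lookup and per-category totals described in the methodology, as an added Python example (not the report's own tooling). It assumes each Tracker Radar domain record is a JSON file named `<domain>.json` with a `categories` list, and that a hostname is matched to its longest known domain suffix; the report does not state its matching rule. The inline records and hostnames are constructed from rows of the Hulu third-party table (Table 32).

```python
import json
from pathlib import Path

# Report column abbreviation -> Tracker Radar category name (the seven included).
CATEGORY_COLUMNS = {
    "AP": "Action Pixels",
    "AF": "Ad Fraud",
    "AMT": "Ad Motivated Tracking",
    "AD": "Advertising",
    "AM": "Audience Measurement",
    "SN": "Social Network",
    "TPAM": "Third-Party Analytics Marketing",
}

# Constructed stand-in for Tracker Radar domain records; only "categories" is
# used. "Excluded Example" is a placeholder for any category left out of the
# report's columns, to show that such categories are ignored.
SAMPLE_RADAR = {
    "moatads.com": {"categories": [
        "Action Pixels", "Ad Fraud", "Ad Motivated Tracking", "Advertising",
        "Audience Measurement", "Third-Party Analytics Marketing"]},
    "doubleclick.net": {"categories": ["Ad Motivated Tracking", "Advertising"]},
    "youtube.com": {"categories": ["Ad Motivated Tracking", "Excluded Example"]},
    "www.googleapis.com": {"categories": []},
}

# Hostnames as they would come out of a capture (taken from Table 32).
OBSERVED_HOSTS = [
    "z.moatads.com", "accounts.doubleclick.net", "accounts.youtube.com",
    "www.googleapis.com", "play.googleapis.com", "app-measurement.com",
]


def load_radar_index(us_dir):
    """Build {domain: record} from a directory of <domain>.json files (assumed layout)."""
    index = {}
    for path in Path(us_dir).glob("*.json"):
        with open(path, encoding="utf-8") as fh:
            record = json.load(fh)
        index[record.get("domain", path.stem).lower()] = record
    return index


def match_radar_domain(hostname, radar_index):
    """Return the longest known suffix of hostname, cut on label boundaries, or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for start in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[start:])
        if candidate in radar_index:
            return candidate
    return None


def classify(hostname, radar_index):
    """Produce one table row: matching domain plus a flag per included category."""
    matched = match_radar_domain(hostname, radar_index)
    if matched is None:
        # No domain record: tracking status is unknown, not "clean".
        return {"domain": hostname, "matching_domain": "NA", "flags": None}
    categories = set(radar_index[matched].get("categories", []))
    flags = {col: name in categories for col, name in CATEGORY_COLUMNS.items()}
    return {"domain": hostname, "matching_domain": matched, "flags": flags}


def tally(rows):
    """Count, per column, how many contacted domains carry that category."""
    totals = dict.fromkeys(CATEGORY_COLUMNS, 0)
    for row in rows:
        if row["flags"] is not None:
            for col, hit in row["flags"].items():
                totals[col] += int(hit)
    return totals


def format_row(row):
    """Render a row in the same column order as the report's tables."""
    if row["flags"] is None:
        cells = ["NA"] * len(CATEGORY_COLUMNS)
    else:
        cells = ["Yes" if row["flags"][col] else "No" for col in CATEGORY_COLUMNS]
    return " ".join([row["domain"], row["matching_domain"], *cells])


if __name__ == "__main__":
    rows = [classify(host, SAMPLE_RADAR) for host in OBSERVED_HOSTS]
    for row in rows:
        print(format_row(row))
    print("Total:", tally(rows))
```

An "NA" row stays out of the totals, which is why a table full of "NA" entries reads as unclassified traffic rather than as an absence of tracking.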

App traffic analysis
Amazon Prime
Table 24: Amazon Prime presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


s3‐iad‐ww.cf.videorolls.row.aiv‐cdn.net NA NA NA NA NA NA NA NA
api.us‐east‐1.aiv‐delivery.net NA NA NA NA NA NA NA NA
cf‐timedtext.aux.pv‐cdn.net NA NA NA NA NA NA NA NA
doh6p23r7m48u.cloudfront.net NA NA NA NA NA NA NA NA
dp‐gw‐na.amazon.com amazon.com No No Yes No No No Yes

msh.amazon.com amazon.com No No Yes No No No Yes


atv‐ext.amazon.com amazon.com No No Yes No No No Yes
device‐metrics‐us‐2.amazon.com amazon.com No No Yes No No No Yes
images‐na.ssl‐images‐amazon.com ssl‐images‐amazon.com No No No No No No No
m.media‐amazon.com media‐amazon.com No No No No No No No

s3‐iad‐2.cf.dash.row.aiv‐cdn.net NA NA NA NA NA NA NA NA
pop‐iad‐2.cf.dash.row.aiv‐cdn.net NA NA NA NA NA NA NA NA
dmqdd6hw24ucf.cloudfront.net NA NA NA NA NA NA NA NA
cf‐trickplay.aux.pv‐cdn.net NA NA NA NA NA NA NA NA
ecx.images‐amazon.com images‐amazon.com No No No No No No No

Total: 0 0 0 4 0 0 0 4

Table 25: Amazon Prime presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


homecloudcastsdk‐pa.googleapis.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
www.hulu.com hulu.com No No No No No No No
www.googleapis.com www.googleapis.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Apple TV+
Table 26: Apple TV+ presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


p69‐fmfmobile.icloud.com NA NA NA NA NA NA NA NA
is1‐ssl.mzstatic.com mzstatic.com No No No No No No No
is3‐ssl.mzstatic.com mzstatic.com No No No No No No No
is5‐ssl.mzstatic.com mzstatic.com No No No No No No No

is2‐ssl.mzstatic.com mzstatic.com No No No No No No No
s.mzstatic.com mzstatic.com No No No No No No No
uts‐api.itunes.apple.com apple.com No No No No No No No
play‐edge.itunes.apple.com apple.com No No No No No No No
play.itunes.apple.com apple.com No No No No No No No
vod‐ap3‐aoc.tv.apple.com apple.com No No No No No No No
cma2.itunes.apple.com apple.com No No No No No No No
xp.apple.com apple.com No No No No No No No
np‐edge.itunes.apple.com apple.com No No No No No No No
init.itunes.apple.com apple.com No No No No No No No
pd.itunes.apple.com apple.com No No No No No No No
iphone‐ld.apple.com apple.com No No No No No No No
daf.xp.apple.com apple.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

We did not observe any presumed third‐party traffic for Apple TV+.

Discovery+
Table 27: Discovery+ presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


us1‐prod‐images.disco‐api.com disco‐api.com No No No No No No No
avatars‐prod.disco‐api.com disco‐api.com No No No No No No No
us1‐prod.disco‐api.com disco‐api.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Table 28: Discovery+ presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


people‐pa.googleapis.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
android.googleapis.com NA NA NA NA NA NA NA NA
app‐measurement.com NA NA NA NA NA NA NA NA
firebase‐settings.crashlytics.com NA NA NA NA NA NA NA NA
passwordsleakcheck‐pa.googleapis.com NA NA NA NA NA NA NA NA
api.getblueshift.com getblueshift.com No No No No No No No
4unal8ngvngjm07lj2q2umlc4.litix.io litix.io No No No No No No No
api.arkoselabs.com arkoselabs.com No No No No No No No
content‐ause2‐ur‐discovery1.uplynk.com uplynk.com No No No No No No No

client‐api.arkoselabs.com arkoselabs.com No No No No No No No
x‐default‐stgec.uplynk.com uplynk.com No No No No No No No
2ecd5.v.fwmrm.net fwmrm.net No No Yes Yes No No Yes
www.googleapis.com www.googleapis.com No No No No No No No
cdn.branch.io branch.io No No No Yes Yes No Yes
api2.branch.io branch.io No No No Yes Yes No Yes
mobile‐collector.newrelic.com newrelic.com No No No No No No No
firebaseinstallations.googleapis.com firebaseinstallations.googleapis.com No No No No No No No
bsftassets.s3‐us‐west‐2.amazonaws.com amazonaws.com No No No No No No No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
android.clients.google.com google.com No No No No No No No
Total: 0 0 0 1 3 2 0 3

Disney+
Table 29: Disney+ presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


vod‐cmc‐na‐west‐2.media.dssott.com NA NA NA NA NA NA NA NA
search‐api‐disney.svcs.dssott.com NA NA NA NA NA NA NA NA
global.edge.bamgrid.com NA NA NA NA NA NA NA NA
sanalytics.disneyplus.com NA NA NA NA NA NA NA NA
vod‐ftc‐na‐west‐2.media.dssott.com NA NA NA NA NA NA NA NA
appconfigs.disney‐plus.net NA NA NA NA NA NA NA NA
bam‐sdk‐configs.bamgrid.com NA NA NA NA NA NA NA NA
content.global.edge.bamgrid.com NA NA NA NA NA NA NA NA
disney.playback.edge.bamgrid.com NA NA NA NA NA NA NA NA
vod‐akc‐na‐west‐2.media.dssott.com NA NA NA NA NA NA NA NA
Total: 0 0 0 0 0 0 0 0

Table 30: Disney+ presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


android.googleapis.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
growth‐pa.googleapis.com NA NA NA NA NA NA NA NA
7ba3f64df98de730df38846b54ecfbdf7f61f80f.cws.conviva.com conviva.com No No No No No No No
sdk.iad‐03.braze.com braze.com No No No No No No No

www.googleapis.com www.googleapis.com No No No No No No No
disney.demdex.net demdex.net No No Yes Yes No No Yes
assets.adobedtm.com adobedtm.com No No Yes No Yes No Yes
connectivitycheck.gstatic.com gstatic.com No No No No No No No
www.google.com google.com No No No No No No No
mtalk.google.com google.com No No No No No No No
android.clients.google.com google.com No No No No No No No
Total: 0 0 0 2 1 1 0 2

Hulu
Table 31: Hulu presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


ads‐e‐darwin.hulustream.com NA NA NA NA NA NA NA NA
manifest‐dp.hulustream.com NA NA NA NA NA NA NA NA
discover.hulu.com hulu.com No No No No No No No
ib.hulu.com hulu.com No No No No No No No
img2.hulu.com hulu.com No No No No No No No
engage.hulu.com hulu.com No No No No No No No
img4.hulu.com hulu.com No No No No No No No
play.hulu.com hulu.com No No No No No No No
vortex.hulu.com hulu.com No No No No No No No
home.hulu.com hulu.com No No No No No No No
ariel.hulu.com hulu.com No No No No No No No
auth.hulu.com hulu.com No No No No No No No
emu.hulu.com hulu.com No No No No No No No
img1.hulu.com hulu.com No No No No No No No
img3.hulu.com hulu.com No No No No No No No
views.hulu.com hulu.com No No No No No No No
www.hulu.com hulu.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Table 32: Hulu presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


android.googleapis.com NA NA NA NA NA NA NA NA
app‐measurement.com NA NA NA NA NA NA NA NA
firebase‐settings.crashlytics.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
update.googleapis.com NA NA NA NA NA NA NA NA

launches.appsflyer.com appsflyer.com No No No No No No No
cws‐hulu.conviva.com conviva.com No No No No No No No
www.googleapis.com www.googleapis.com No No No No No No No
firebaseremoteconfig.googleapis.com firebaseremoteconfig.googleapis.com No No No No No No No
firebaseinstallations.googleapis.com firebaseinstallations.googleapis.com No No No No No No No

collect.tealiumiq.com tealiumiq.com Yes No Yes Yes Yes No Yes


secure‐dcr.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
cdn‐gl.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
wqc89bfta2l4f0st2vn6tk00kx82b1617987040.uaid.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
z.moatads.com moatads.com Yes Yes Yes Yes Yes No Yes
assetshuluimcom‐a.akamaihd.net akamaihd.net No No No No No No No
accounts.youtube.com youtube.com No No Yes No No No No
tags.tiqcdn.com tiqcdn.com No No Yes Yes Yes No Yes
accounts.doubleclick.net doubleclick.net No No Yes Yes No No No
clients4.google.com google.com No No No No No No No
accounts.google.com google.com No No No No No No No
android.clients.google.com google.com No No No No No No No
Total: 0 5 1 8 7 6 0 6

Netflix
Table 33: Netflix presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


ipv4‐c067‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
android‐h2.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
ipv4‐c051‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c069‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
android‐appboot.netflix.com NA NA NA NA NA NA NA NA
android.prod.cloud.netflix.com NA NA NA NA NA NA NA NA
Total: 0 0 0 0 0 0 0 0

Table 34: Netflix presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


homecloudcastsdk‐pa.googleapis.com NA NA NA NA NA NA NA NA
sessions.bugsnag.com bugsnag.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Paramount+
Table 35: Paramount+ presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


wwwimage‐us.pplusstatic.com NA NA NA NA NA NA NA NA
thumbnails.cbsig.net NA NA NA NA NA NA NA NA
www.paramountplus.com NA NA NA NA NA NA NA NA
sparrow.paramountplus.com NA NA NA NA NA NA NA NA
saa.cbsi.com cbsi.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Table 36: Paramount+ presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


android.googleapis.com NA NA NA NA NA NA NA NA
app‐measurement.com NA NA NA NA NA NA NA NA
cbsi.live.ott.irdeto.com NA NA NA NA NA NA NA NA
chromesyncpasswords‐pa.googleapis.com NA NA NA NA NA NA NA NA
geller‐pa.googleapis.com NA NA NA NA NA NA NA NA

passwordsleakcheck‐pa.googleapis.com NA NA NA NA NA NA NA NA
people‐pa.googleapis.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
safebrowsing.googleapis.com NA NA NA NA NA NA NA NA
update.googleapis.com NA NA NA NA NA NA NA NA
i‐amlg‐prod.appspot.com i‐amlg‐prod.appspot.com No No No No No No No
control.kochava.com kochava.com No No No No No No No
87a6b28bc7823e67a5bb2a0a6728c702afcae78d.cws.conviva.com conviva.com No No No No No No No
kvinit‐prod.api.kochava.com kochava.com No No No No No No No
ceres.iad‐03.braze.com braze.com No No No No No No No
www.googleapis.com www.googleapis.com No No No No No No No
r1‐‐‐sn‐qxoedn7k.googlevideo.com googlevideo.com No No No No No No No

r2‐‐‐sn‐q4flrn7r.googlevideo.com googlevideo.com No No No No No No No
r2‐‐‐sn‐q4fl6nsy.googlevideo.com googlevideo.com No No No No No No No
link.theplatform.com theplatform.com No No No No No No No
api2.branch.io branch.io No No No Yes Yes No Yes
cdn.branch.io branch.io No No No Yes Yes No Yes
imasdk.googleapis.com imasdk.googleapis.com No No No No No No No
mobile‐collector.newrelic.com newrelic.com No No No No No No No
tv.rlcdn.com rlcdn.com No Yes Yes Yes No No Yes
sb.scorecardresearch.com scorecardresearch.com No No No No Yes No No
qixhcdih3kiwsarl8bp20oo4hqhz51618437043.uaid.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
secure‐dcr.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
sdk.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
secure‐gg.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes

yw14dzy9uqrrixbmofkza1awgmbm91618437501.uaid.imrworldwide.com imrworldwide.com Yes No Yes Yes Yes No Yes
dpm.demdex.net demdex.net No No Yes Yes No No Yes
storage.googleapis.com storage.googleapis.com No No No No No No No
cbsinteractive.hb.omtrdc.net omtrdc.net No No Yes Yes Yes No Yes
accounts.youtube.com youtube.com No No Yes No No No No
www.facebook.com facebook.com Yes Yes Yes Yes Yes Yes No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
www.google‐analytics.com google‐analytics.com No No No Yes Yes No Yes
pagead2.googlesyndication.com googlesyndication.com No No Yes Yes No No No
pubads.g.doubleclick.net doubleclick.net No No Yes Yes No No No
ad.doubleclick.net doubleclick.net No No Yes Yes No No No
accounts.doubleclick.net doubleclick.net No No Yes Yes No No No
android.clients.google.com google.com No No No No No No No
clients4.google.com google.com No No No No No No No
accounts.google.com google.com No No No No No No No
dai.google.com google.com No No No No No No No
mtalk.google.com google.com No No No No No No No
www.google.com google.com No No No No No No No
redirector.gvt1.com gvt1.com No No No No No No No
r1‐‐‐sn‐qxo7rn7l.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐qxoedn7d.gvt1.com gvt1.com No No No No No No No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
Total: 0 6 2 14 16 11 1 11

HBO Max
Table 37: HBO Max presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


artist.api.cdn.hbo.com hbo.com No No No No No No No
gateway.api.hbo.com hbo.com No No No No No No No
comet.api.hbo.com hbo.com No No No No No No No
oauth‐us.api.hbo.com hbo.com No No No No No No No
oauth.api.hbo.com hbo.com No No No No No No No

telegraph.api.hbo.com hbo.com No No No No No No No
sessions‐us.api.hbo.com hbo.com No No No No No No No
sessions.api.hbo.com hbo.com No No No No No No No
cmaf.cf.us.hbomaxcdn.com NA NA NA NA NA NA NA NA
Total: 0 0 0 0 0 0 0 0

Table 38: HBO Max presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


play.googleapis.com NA NA NA NA NA NA NA NA
hercules.iad.appboy.com appboy.com No No No No No No No
www.googleapis.com www.googleapis.com No No No No No No No
www.google.com google.com No No No No No No No
android.clients.google.com google.com No No No No No No No
storage.googleapis.com storage.googleapis.com No No No No No No No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Peacock
Table 39: Peacock presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


ovp.peacocktv.com NA NA NA NA NA NA NA NA
imageservice.disco.peacocktv.com NA NA NA NA NA NA NA NA
atom.peacocktv.com NA NA NA NA NA NA NA NA
g005‐sf‐us‐cmaf‐prd‐ak.cdn.peacocktv.com NA NA NA NA NA NA NA NA
atlantis.disco.peacocktv.com NA NA NA NA NA NA NA NA
ctl.stream.peacocktv.com NA NA NA NA NA NA NA NA
g002‐vod‐us‐cmaf‐prd‐ak‐a331.cdn.peacocktv.com NA NA NA NA NA NA NA NA
g005‐sf‐us‐cmaf‐prd‐ak‐a196.cdn.peacocktv.com NA NA NA NA NA NA NA NA

g005‐sf‐us‐cmaf‐prd‐ak‐a247.cdn.peacocktv.com NA NA NA NA NA NA NA NA
init.clients.peacocktv.com NA NA NA NA NA NA NA NA
rango.id.peacocktv.com NA NA NA NA NA NA NA NA
config.clients.peacocktv.com NA NA NA NA NA NA NA NA
cybertron.id.peacocktv.com NA NA NA NA NA NA NA NA
g002‐vod‐us‐cmaf‐prd‐ak.cdn.peacocktv.com NA NA NA NA NA NA NA NA
mobile.clients.peacocktv.com NA NA NA NA NA NA NA NA

persona.id.peacocktv.com NA NA NA NA NA NA NA NA
recs.disco.peacocktv.com NA NA NA NA NA NA NA NA
throttled.ovp.peacocktv.com NA NA NA NA NA NA NA NA
www.peacocktv.com NA NA NA NA NA NA NA NA
video‐ads‐module.ad‐tech.nbcuni.com nbcuni.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Table 40: Peacock presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


people‐pa.googleapis.com NA NA NA NA NA NA NA NA
playatoms‐pa.googleapis.com NA NA NA NA NA NA NA NA
android.googleapis.com NA NA NA NA NA NA NA NA
chromesyncpasswords‐pa.googleapis.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
android‐appboot.netflix.com NA NA NA NA NA NA NA NA
android‐h2.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
android.prod.cloud.netflix.com NA NA NA NA NA NA NA NA
app‐measurement.com NA NA NA NA NA NA NA NA
beacons.gvt2.com NA NA NA NA NA NA NA NA
firebase‐settings.crashlytics.com NA NA NA NA NA NA NA NA
growth‐pa.googleapis.com NA NA NA NA NA NA NA NA
notifications‐pa.googleapis.com NA NA NA NA NA NA NA NA
passwordsleakcheck‐pa.googleapis.com NA NA NA NA NA NA NA NA
secure.insightexpressai.com insightexpressai.com No No Yes Yes Yes No No
47e224be59415ec068b94bca857581bd7dde7fb6.cws.conviva.com conviva.com No No No No No No No
control.kochava.com kochava.com No No No No No No No
kvinit‐prod.api.kochava.com kochava.com No No No No No No No

sdk.iad‐03.braze.com braze.com No No No No No No No
29773.v.fwmrm.net fwmrm.net No No Yes Yes No No Yes
www.googleapis.com www.googleapis.com No No No No No No No
mssl.fwmrm.net fwmrm.net No No Yes Yes No No Yes
mobile‐collector.newrelic.com newrelic.com No No No No No No No
firebaseinstallations.googleapis.com firebaseinstallations.googleapis.com No No No No No No No
nativesdks.mparticle.com mparticle.com No No No No No No No

identity.mparticle.com mparticle.com No No No No No No No
config2.mparticle.com mparticle.com No No No No No No No
sb.scorecardresearch.com scorecardresearch.com No No No No Yes No No
nbcstreaming.hb.omtrdc.net omtrdc.net No No Yes Yes Yes No Yes
assets.adobedtm.com adobedtm.com No No Yes No Yes No Yes

connectivitycheck.gstatic.com gstatic.com No No No No No No No
www.gstatic.com gstatic.com No No No No No No No
googleads.g.doubleclick.net doubleclick.net No No Yes Yes No No No
www.google.com google.com No No No No No No No
android.clients.google.com google.com No No No No No No No

Total: 0 0 0 6 5 4 0 4

YouTube TV
Table 41: YouTube TV presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


android.googleapis.com NA NA NA NA NA NA NA NA
play.googleapis.com NA NA NA NA NA NA NA NA
r2‐‐‐sn‐qxoedne7.googlevideo.com googlevideo.com No No No No No No No
r1‐‐‐sn‐qxoedne7.googlevideo.com googlevideo.com No No No No No No No
r3‐‐‐sn‐qxoedn7k.googlevideo.com googlevideo.com No No No No No No No
r4‐‐‐sn‐qxoedn7z.googlevideo.com googlevideo.com No No No No No No No
r1‐‐‐sn‐qxo7rn7l.googlevideo.com googlevideo.com No No No No No No No
r5‐‐‐sn‐qxoedne7.googlevideo.com googlevideo.com No No No No No No No
r4‐‐‐sn‐qxoedne7.googlevideo.com googlevideo.com No No No No No No No
r4‐‐‐sn‐qxoedn7k.googlevideo.com googlevideo.com No No No No No No No
r2‐‐‐sn‐qxoedn7z.googlevideo.com googlevideo.com No No No No No No No
r5‐‐‐sn‐qxoedn7d.googlevideo.com googlevideo.com No No No No No No No
r6‐‐‐sn‐qxoedn7z.googlevideo.com googlevideo.com No No No No No No No
redirector.googlevideo.com googlevideo.com No No No No No No No
r2‐‐‐sn‐qxo7rn7l.googlevideo.com googlevideo.com No No No No No No No

r2‐‐‐sn‐qxoedn7e.googlevideo.com googlevideo.com No No No No No No No

r5‐‐‐sn‐qxo7rn7l.googlevideo.com googlevideo.com No No No No No No No
r5‐‐‐sn‐qxoedn7k.googlevideo.com googlevideo.com No No No No No No No
r6‐‐‐sn‐qxoedn7e.googlevideo.com googlevideo.com No No No No No No No
r4‐‐‐sn‐qxoedn7e.googlevideo.com googlevideo.com No No No No No No No
r6‐‐‐sn‐qxoedn7d.googlevideo.com googlevideo.com No No No No No No No
manifest.googlevideo.com googlevideo.com No No No No No No No
r5‐‐‐sn‐qxoedn7e.googlevideo.com googlevideo.com No No No No No No No
firebaseinstallations.googleapis.com firebaseinstallations.googleapis.com No No No No No No No
yt3.ggpht.com ggpht.com No No No No No No No
www.googleadservices.com googleadservices.com No No Yes Yes No No No
www.googletagmanager.com googletagmanager.com No No Yes Yes Yes No Yes
connectivitycheck.gstatic.com gstatic.com No No No No No No No
android.clients.google.com google.com No No No No No No No
www.google.com google.com No No No No No No No

Total: 0 0 0 2 2 1 0 1

Table 42: YouTube TV presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


mobile‐collector.newrelic.com newrelic.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Device traffic analysis


Amazon Fire TV Cube
Table 43: Amazon Fire TV Cube presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


andr‐59e19706d5‐cbc62794911ff31b‐e1b148d80a9aa0d4ca‐2610165.na.api.amazonvideo.com NA NA NA NA NA NA NA NA
d1s31zyz7dcc2d.cloudfront.net NA NA NA NA NA NA NA NA
api.us‐east‐1.aiv‐delivery.net NA NA NA NA NA NA NA NA
andr‐28‐aftr‐620019910.api.amazonvideo.com NA NA NA NA NA NA NA NA
d14j89z87mkhwa.cloudfront.net NA NA NA NA NA NA NA NA
d21m0ezw6fosyw.cloudfront.net NA NA NA NA NA NA NA NA
aftv‐28‐amazon‐aftr‐3242.api.amazonvideo.com NA NA NA NA NA NA NA NA
aftv‐28‐amazon‐aftr‐3242.na.api.amazonvideo.com NA NA NA NA NA NA NA NA

andr‐28‐aftr‐0.api.amazonvideo.com NA NA NA NA NA NA NA NA
andr‐59e19706d5‐cbc62794911ff31b‐e1b148d80a9aa0d4ca‐2610165.api.amazonvideo.com NA NA NA NA NA NA NA NA

d3a510xmpll7o6.cloudfront.net NA NA NA NA NA NA NA NA
ters.us‐east‐1.aiv‐delivery.net NA NA NA NA NA NA NA NA
wl.amazon‐dss.com NA NA NA NA NA NA NA NA
mobileanalytics.us‐east‐1.amazonaws.com mobileanalytics.us‐east‐1.amazonaws.com No No No No No No No
cognito‐identity.us‐east‐1.amazonaws.com cognito‐identity.us‐east‐1.amazonaws.com No No No No No No No
prod‐iad.notification.mayday‐screen‐sharing.cs.a2z.com a2z.com No No No No No No No
kinesis.us‐east‐1.amazonaws.com kinesis.us‐east‐1.amazonaws.com No No No No No No No
ktpx.amazon.com amazon.com No No Yes No No No Yes
msh.amazon.com amazon.com No No Yes No No No Yes
mas‐ext.amazon.com amazon.com No No Yes No No No Yes
unagi‐na.amazon.com amazon.com No No Yes No No No Yes
api.amazon.com amazon.com No No Yes No No No Yes
device‐metrics‐us.amazon.com amazon.com No No Yes No No No Yes
arcus‐uswest.amazon.com amazon.com No No Yes No No No Yes
atv‐ext.amazon.com amazon.com No No Yes No No No Yes

dp‐gw‐na.amazon.com amazon.com No No Yes No No No Yes


aviary.amazon.com amazon.com No No Yes No No No Yes
fls‐na.amazon.com amazon.com No No Yes No No No Yes
dp‐discovery‐na‐ext.amazon.com amazon.com No No Yes No No No Yes
idc‐service‐oz.amazon.com amazon.com No No Yes No No No Yes

aca‐livecards‐service.amazon.com amazon.com No No Yes No No No Yes


cortana‐gateway.amazon.com amazon.com No No Yes No No No Yes
ags‐ext.amazon.com amazon.com No No Yes No No No Yes
appstore‐tv‐prod‐na.amazon.com amazon.com No No Yes No No No Yes
dcape‐na.amazon.com amazon.com No No Yes No No No Yes

devicemessaging.us‐east‐1.amazon.com amazon.com No No Yes No No No Yes
dna.amazon.com amazon.com No No Yes No No No Yes
prime.amazon.com amazon.com No No Yes No No No Yes
alexa.amazon.com amazon.com No No Yes No No No Yes
firs‐ta‐g7g.amazon.com amazon.com No No Yes No No No Yes
device‐messaging‐na.amazon.com amazon.com No No Yes No No No Yes
det‐ta‐g7g.amazon.com amazon.com No No Yes No No No Yes
dps‐proxy.amazon.com amazon.com No No Yes No No No Yes

ftvr‐na.amazon.com amazon.com No No Yes No No No Yes
cs‐ext.amazon.com amazon.com No No Yes No No No Yes
digprjsurvey.amazon.com amazon.com No No Yes No No No Yes
firetvdeviceprofilemanagementservice‐na.amazon.com amazon.com No No Yes No No No Yes
mads.amazon.com amazon.com No No Yes No No No Yes
mas‐sdk.amazon.com amazon.com No No Yes No No No Yes
na.account.amazon.com amazon.com No No Yes No No No Yes

paifas.amazon.com amazon.com No No Yes No No No Yes


remoteconfig‐na.amazon.com amazon.com No No Yes No No No Yes
todo‐ta‐g7g.amazon.com amazon.com No No Yes No No No Yes
softwareupdates.amazon.com amazon.com No No Yes No No No Yes
www.amazon.com amazon.com No No Yes No No No Yes

images‐na.ssl‐images‐amazon.com ssl‐images‐amazon.com No No No No No No No
i8xcss1sc8.execute‐api.us‐west‐2.amazonaws.com amazonaws.com No No No No No No No
cdws.us‐east‐1.amazonaws.com amazonaws.com No No No No No No No
drive.amazonaws.com amazonaws.com No No No No No No No
device‐artifacts‐v2.s3.amazonaws.com amazonaws.com No No No No No No No
kraken‐measurements.s3‐external‐1.amazonaws.com amazonaws.com No No No No No No No
m.media‐amazon.com media‐amazon.com No No No No No No No
content‐na.drive.amazonaws.com amazonaws.com No No No No No No No
screensaver‐sponsored‐content‐assets.s3.us‐east‐2.amazonaws.com amazonaws.com No No No No No No No
pinpoint.us‐east‐1.amazonaws.com amazonaws.com No No No No No No No
s3‐iad‐2.cf.dash.row.aiv‐cdn.net NA NA NA NA NA NA NA NA
pop‐iad‐2.cf.dash.row.aiv‐cdn.net NA NA NA NA NA NA NA NA
fireoscaptiveportal.com NA NA NA NA NA NA NA NA
ecx.images‐amazon.com images‐amazon.com No No No No No No No
g‐ecx.images‐amazon.com images‐amazon.com No No No No No No No

spectrum.s3.amazonaws.com amazonaws.com No No No No No No No
aax‐us‐east.amazon‐adsystem.com amazon‐adsystem.com No No Yes Yes No No No
Total: 0 0 0 39 1 0 0 38

Table 44: Amazon Fire TV Cube presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


occ‐0‐586‐590.1.nflxso.net NA NA NA NA NA NA NA NA
subtitles.cdn‐ec.viddler.com NA NA NA NA NA NA NA NA
ichnaea.netflix.com NA NA NA NA NA NA NA NA
api‐global.netflix.com NA NA NA NA NA NA NA NA
nrdp.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
ipv4‐c021‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c043‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c069‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c037‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
occ‐0‐590‐586.1.nflxso.net NA NA NA NA NA NA NA NA
h1‐scm.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
h2‐scm.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
preapp.prod.partner.netflix.net NA NA NA NA NA NA NA NA
thumbs.cdn‐ec.viddler.com NA NA NA NA NA NA NA NA
secure.netflix.com NA NA NA NA NA NA NA NA
ipv4‐c012‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
push.prod.netflix.com NA NA NA NA NA NA NA NA
uiboot.netflix.com NA NA NA NA NA NA NA NA
www.netflix.com NA NA NA NA NA NA NA NA
assets.nflxext.com nflxext.com No No No No No No No
codex.nflxext.com nflxext.com No No No No No No No
sessions.bugsnag.com bugsnag.com No No No No No No No
www.googleapis.com www.googleapis.com No No No No No No No
amazonadsi‐a.akamaihd.net akamaihd.net No No No No No No No
a261avoddashs3ww‐a.akamaihd.net akamaihd.net No No No No No No No
avodmp4s3ww‐a.akamaihd.net akamaihd.net No No No No No No No
Total: 0 0 0 0 0 0 0 0

Apple TV
Table 45: Apple TV presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


setup.icloud.com NA NA NA NA NA NA NA NA
p69‐escrowproxy.icloud.com NA NA NA NA NA NA NA NA
edge‐039.usden.icloud‐content.com NA NA NA NA NA NA NA NA
metrics.icloud.com NA NA NA NA NA NA NA NA
keyvalueservice.icloud.com NA NA NA NA NA NA NA NA

p69‐availability.icloud.com NA NA NA NA NA NA NA NA
p69‐fmipmobile.icloud.com NA NA NA NA NA NA NA NA
p69‐keyvalueservice.icloud.com NA NA NA NA NA NA NA NA
is3‐ssl.mzstatic.com mzstatic.com No No No No No No No
is2‐ssl.mzstatic.com mzstatic.com No No No No No No No

is1‐ssl.mzstatic.com mzstatic.com No No No No No No No
is4‐ssl.mzstatic.com mzstatic.com No No No No No No No
s.mzstatic.com mzstatic.com No No No No No No No
is5‐ssl.mzstatic.com mzstatic.com No No No No No No No
apps.mzstatic.com mzstatic.com No No No No No No No
gspe21‐ssl.ls.apple.com apple.com No No No No No No No
uts‐api.itunes.apple.com apple.com No No No No No No No
init.itunes.apple.com apple.com No No No No No No No
xp.apple.com apple.com No No No No No No No
bag.itunes.apple.com apple.com No No No No No No No
itunes.apple.com apple.com No No No No No No No
p3‐buy.itunes.apple.com apple.com No No No No No No No
gsa.apple.com apple.com No No No No No No No
mesu.apple.com apple.com No No No No No No No
play.itunes.apple.com apple.com No No No No No No No
vod‐ak‐aoc.tv.apple.com apple.com No No No No No No No
identity.ess.apple.com apple.com No No No No No No No
api‐edge.apps.apple.com apple.com No No No No No No No
buy.itunes.apple.com apple.com No No No No No No No
play‐edge.itunes.apple.com apple.com No No No No No No No
hls.itunes.apple.com apple.com No No No No No No No
gdmf.apple.com apple.com No No No No No No No
guzzoni.apple.com apple.com No No No No No No No
pancake.apple.com apple.com No No No No No No No
profile.ess.apple.com apple.com No No No No No No No
vod‐ap2‐aoc.tv.apple.com apple.com No No No No No No No

amp‐api.apps.apple.com apple.com No No No No No No No
aidc.apple.com apple.com No No No No No No No
cl3.apple.com apple.com No No No No No No No
sylvan.apple.com apple.com No No No No No No No
configuration.apple.com apple.com No No No No No No No
client‐api.itunes.apple.com apple.com No No No No No No No
ld‐4.itunes.apple.com apple.com No No No No No No No
pd.itunes.apple.com apple.com No No No No No No No
albert.apple.com apple.com No No No No No No No
vod‐ap1‐aoc.tv.apple.com apple.com No No No No No No No
api.apps.apple.com apple.com No No No No No No No
gsas.apple.com apple.com No No No No No No No
cma2.itunes.apple.com apple.com No No No No No No No
gspe35‐ssl.ls.apple.com apple.com No No No No No No No
configuration.ls.apple.com apple.com No No No No No No No
daf.xp.apple.com apple.com No No No No No No No
gspe1‐ssl.ls.apple.com apple.com No No No No No No No
np‐edge.itunes.apple.com apple.com No No No No No No No
upp.itunes.apple.com apple.com No No No No No No No
valid.apple.com apple.com No No No No No No No
sf‐api‐token‐service.itunes.apple.com apple.com No No No No No No No
cl2.apple.com apple.com No No No No No No No
cma.itunes.apple.com apple.com No No No No No No No
courier.push.apple.com apple.com No No No No No No No

bookkeeper.itunes.apple.com apple.com No No No No No No No
gs‐loc.apple.com apple.com No No No No No No No
homesharing.itunes.apple.com apple.com No No No No No No No
init.push.apple.com apple.com No No No No No No No
gsp64‐ssl.ls.apple.com apple.com No No No No No No No

humb.apple.com apple.com No No No No No No No
iphonesubmissions.apple.com apple.com No No No No No No No
init.gc.apple.com apple.com No No No No No No No
iosapps.itunes.apple.com apple.com No No No No No No No
radio.itunes.apple.com apple.com No No No No No No No

profile.gc.apple.com apple.com No No No No No No No
sp.itunes.apple.com apple.com No No No No No No No
static.gc.apple.com apple.com No No No No No No No
sandbox.itunes.apple.com apple.com No No No No No No No
lcdn‐locator.apple.com apple.com No No No No No No No
updates‐http.cdn‐apple.com cdn‐apple.com No No No No No No No

ocsp.apple.com apple.com No No No No No No No
captive.apple.com apple.com No No No No No No No
init‐p01md.apple.com apple.com No No No No No No No
static.ess.apple.com apple.com No No No No No No No
init.ess.apple.com apple.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Table 46: Apple TV presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


ipv4‐c011‐den001‐dev‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c073‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ios.prod.http1.netflix.com NA NA NA NA NA NA NA NA
ipv4‐c049‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c074‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c072‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
occ‐0‐586‐590.1.nflxso.net NA NA NA NA NA NA NA NA
ichnaea‐web.netflix.com NA NA NA NA NA NA NA NA
www.netflix.com NA NA NA NA NA NA NA NA
assets.nflxext.com nflxext.com No No No No No No No
webvtt‐s.nflxext.com nflxext.com No No No No No No No
appboot.netflix.com NA NA NA NA NA NA NA NA
ocsp.digicert.com digicert.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Google TV
Table 47: Google TV presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


android.googleapis.com NA NA NA NA NA NA NA NA
embeddedassistant.googleapis.com NA NA NA NA NA NA NA NA
zerostateproxy‐pa.googleapis.com NA NA NA NA NA NA NA NA
fcm.googleapis.com NA NA NA NA NA NA NA NA
playatoms‐pa.googleapis.com NA NA NA NA NA NA NA NA
androidtvlauncherxfe‐pa.googleapis.com NA NA NA NA NA NA NA NA

androidtvsetupwraithfe‐pa.googleapis.com NA NA NA NA NA NA NA NA
auditrecording‐pa.googleapis.com NA NA NA NA NA NA NA NA
playmoviesdfe‐pa.googleapis.com NA NA NA NA NA NA NA NA
app‐measurement.com NA NA NA NA NA NA NA NA
footprints‐pa.googleapis.com NA NA NA NA NA NA NA NA
androidtvcustomization‐pa.googleapis.com NA NA NA NA NA NA NA NA
chromesyncpasswords‐pa.googleapis.com NA NA NA NA NA NA NA NA
powerful‐gizmo‐526.appspot.com NA NA NA NA NA NA NA NA
androidtvchannels‐pa.googleapis.com NA NA NA NA NA NA NA NA

app.goo.gl NA NA NA NA NA NA NA NA
beacons.gcp.gvt2.com NA NA NA NA NA NA NA NA
clientservices.googleapis.com NA NA NA NA NA NA NA NA
device‐provisioning.googleapis.com NA NA NA NA NA NA NA NA
fir‐auth‐gms.firebaseapp.com NA NA NA NA NA NA NA NA
firebaseperusertopics‐pa.googleapis.com NA NA NA NA NA NA NA NA
g.co NA NA NA NA NA NA NA NA
geomobileservices‐pa.googleapis.com NA NA NA NA NA NA NA NA
googlehomefoyer‐pa.googleapis.com NA NA NA NA NA NA NA NA
homecloudirdb‐pa.googleapis.com NA NA NA NA NA NA NA NA
iid.googleapis.com NA NA NA NA NA NA NA NA
mdh‐pa.googleapis.com NA NA NA NA NA NA NA NA
near.by NA NA NA NA NA NA NA NA
notifications‐pa.googleapis.com NA NA NA NA NA NA NA NA
pai.googlezip.net NA NA NA NA NA NA NA NA
people‐pa.googleapis.com NA NA NA NA NA NA NA NA
www.googleapis.com www.googleapis.com No No No No No No No
redirector.googlevideo.com googlevideo.com No No No No No No No
r5‐‐‐sn‐q4flrnes.googlevideo.com googlevideo.com No No No No No No No
imasdk.googleapis.com imasdk.googleapis.com No No No No No No No
r2‐‐‐sn‐q4fl6ney.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4flrn7y.gvt1.com gvt1.com No No No No No No No
r1‐‐‐sn‐q4flrnee.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4fl6n7d.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4fl6nle.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4fl6nlr.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4flrnle.gvt1.com gvt1.com No No No No No No No
r3‐‐‐sn‐q4f7sn7l.gvt1.com gvt1.com No No No No No No No

r3‐‐‐sn‐q4fl6nly.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4flrnez.gvt1.com gvt1.com No No No No No No No
r3‐‐‐sn‐q4fl6ns7.gvt1.com gvt1.com No No No No No No No
r3‐‐‐sn‐q4fl6nlr.gvt1.com gvt1.com No No No No No No No
r3‐‐‐sn‐qxoedn7e.gvt1.com gvt1.com No No No No No No No
r4‐‐‐sn‐q4fl6ne7.gvt1.com gvt1.com No No No No No No No
r4‐‐‐sn‐q4f7sn76.gvt1.com gvt1.com No No No No No No No
r4‐‐‐sn‐q4fl6ner.gvt1.com gvt1.com No No No No No No No
r4‐‐‐sn‐q4fl6nly.gvt1.com gvt1.com No No No No No No No
firebaseinstallations.googleapis.com firebaseinstallations.googleapis.com No No No No No No No
lh3.googleusercontent.com googleusercontent.com No No No No No No No
play‐lh.googleusercontent.com googleusercontent.com No No No No No No No

ccp‐lh.googleusercontent.com googleusercontent.com No No No No No No No
lh3‐dz.googleusercontent.com googleusercontent.com No No No No No No No
i.ytimg.com ytimg.com No No No No No No No
fonts.googleapis.com fonts.googleapis.com No No No No No No No
encrypted‐tbn2.gstatic.com gstatic.com No No No No No No No

encrypted‐tbn3.gstatic.com gstatic.com No No No No No No No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
fonts.gstatic.com gstatic.com No No No No No No No
www.gstatic.com gstatic.com No No No No No No No
encrypted‐tbn0.gstatic.com gstatic.com No No No No No No No
encrypted‐tbn1.gstatic.com gstatic.com No No No No No No No
pagead2.googlesyndication.com googlesyndication.com No No Yes Yes No No No
ade.googlesyndication.com googlesyndication.com No No Yes Yes No No No
clients5.google.com google.com No No No No No No No
android‐safebrowsing.google.com google.com No No No No No No No
history.google.com google.com No No No No No No No
enterprise.google.com google.com No No No No No No No
clients4.google.com google.com No No No No No No No
dl.google.com google.com No No No No No No No
android.clients.google.com google.com No No No No No No No
accounts.google.com google.com No No No No No No No
clients3.google.com google.com No No No No No No No
play.google.com google.com No No No No No No No
www.google.com google.com No No No No No No No
mtalk.google.com google.com No No No No No No No
alt2‐mtalk.google.com google.com No No No No No No No
www.gstatic.com gstatic.com No No No No No No No

connectivitycheck.gstatic.com gstatic.com No No No No No No No
Total: 0 0 0 2 2 0 0 0

Table 48: Google TV presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


occ‐0‐586‐590.1.nflxso.net NA NA NA NA NA NA NA NA
nrdp.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
ichnaea.netflix.com NA NA NA NA NA NA NA NA
api‐global.netflix.com NA NA NA NA NA NA NA NA
ipv4‐c042‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c078‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
push.prod.netflix.com NA NA NA NA NA NA NA NA
secure.netflix.com NA NA NA NA NA NA NA NA
uiboot.netflix.com NA NA NA NA NA NA NA NA
app.primevideo.com NA NA NA NA NA NA NA NA
occ‐0‐590‐586.1.nflxso.net NA NA NA NA NA NA NA NA
play.hbomax.com NA NA NA NA NA NA NA NA
play.hbonow.com NA NA NA NA NA NA NA NA
assets.nflxext.com nflxext.com No No No No No No No
sessions.bugsnag.com bugsnag.com No No No No No No No
codex.nflxext.com nflxext.com No No No No No No No
hbomax.onelink.me onelink.me No No No No No No No
hbonow.onelink.me onelink.me No No No No No No No
nrdp52‐appboot.netflix.com NA NA NA NA NA NA NA NA
googleads.g.doubleclick.net doubleclick.net No No Yes Yes No No No

pubads.g.doubleclick.net doubleclick.net No No Yes Yes No No No


Total: 0 0 0 2 2 0 0 0

Nvidia Shield TV
Table 49: Nvidia Shield TV presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


img.nvidiagrid.net NA NA NA NA NA NA NA NA
prod.northstar.nvidiagrid.net NA NA NA NA NA NA NA NA
layouts.nvidiagrid.net NA NA NA NA NA NA NA NA
prod.cloudmatchbeta.nvidiagrid.net NA NA NA NA NA NA NA NA
gfnpc.api.entitlement‐prod.nvidiagrid.net NA NA NA NA NA NA NA NA

rconfig.nvidiagrid.net NA NA NA NA NA NA NA NA
services.tegrazone.com NA NA NA NA NA NA NA NA
static.nvidiagrid.net NA NA NA NA NA NA NA NA
ota.nvidia.com nvidia.com No No No No No No No
images.nvidia.com nvidia.com No No No No No No No
mobileupdate.nvidia.com nvidia.com No No No No No No No
ls.dtrace.nvidia.com nvidia.com No No No No No No No
ota‐downloads.nvidia.com nvidia.com No No No No No No No
events.gfe.nvidia.com nvidia.com No No No No No No No
Total: 0 0 0 0 0 0 0 0

Table 50: Nvidia Shield TV presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


play.googleapis.com NA NA NA NA NA NA NA NA
nrdp.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
api‐global.netflix.com NA NA NA NA NA NA NA NA
occ‐0‐586‐590.1.nflxso.net NA NA NA NA NA NA NA NA
ichnaea.netflix.com NA NA NA NA NA NA NA NA
occ‐0‐590‐586.1.nflxso.net NA NA NA NA NA NA NA NA
secure.netflix.com NA NA NA NA NA NA NA NA
mclients.googleapis.com NA NA NA NA NA NA NA NA
preapp.prod.partner.netflix.net NA NA NA NA NA NA NA NA
app‐measurement.com NA NA NA NA NA NA NA NA
ipv4‐c069‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
settings.crashlytics.com NA NA NA NA NA NA NA NA
uiboot.netflix.com NA NA NA NA NA NA NA NA
geomobileservices‐pa.googleapis.com NA NA NA NA NA NA NA NA
playatoms‐pa.googleapis.com NA NA NA NA NA NA NA NA

plex.tv NA NA NA NA NA NA NA NA
androidtvchannels‐pa.googleapis.com NA NA NA NA NA NA NA NA
antv‐28‐nvidia‐shieldandroidtv‐505003009.api.amazonvideo.com NA NA NA NA NA NA NA NA
atv‐a1kaxig6vxsg8y‐nvidia‐sif‐shieldadroidtv‐nvidiasifleasekeys.api.amazonvideo.com NA NA NA NA NA NA NA NA
chromesyncpasswords‐pa.googleapis.com NA NA NA NA NA NA NA NA
footprints‐pa.googleapis.com NA NA NA NA NA NA NA NA
apicache.vudu.com NA NA NA NA NA NA NA NA

app.primevideo.com NA NA NA NA NA NA NA NA
assets.androidtv.com NA NA NA NA NA NA NA NA
auditrecording‐pa.googleapis.com NA NA NA NA NA NA NA NA
beacons.gcp.gvt2.com NA NA NA NA NA NA NA NA
beacons4.gvt2.com NA NA NA NA NA NA NA NA
clientservices.googleapis.com NA NA NA NA NA NA NA NA
ipv4‐c021‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
mdh‐pa.googleapis.com NA NA NA NA NA NA NA NA
people‐pa.googleapis.com NA NA NA NA NA NA NA NA
playmoviesdfe‐pa.googleapis.com NA NA NA NA NA NA NA NA
powerful‐gizmo‐526.appspot.com NA NA NA NA NA NA NA NA
push.prod.netflix.com NA NA NA NA NA NA NA NA
voledevice‐pa.googleapis.com NA NA NA NA NA NA NA NA

www.netflix.com NA NA NA NA NA NA NA NA
youtubei.googleapis.com NA NA NA NA NA NA NA NA
assets.nflxext.com nflxext.com No No No No No No No
codex.nflxext.com nflxext.com No No No No No No No
watch.amazon.co.jp amazon.co.jp No No No No No No No

watch.amazon.co.uk amazon.co.uk No No No No No No No
watch.amazon.de amazon.de No No No No No No No
sessions.bugsnag.com bugsnag.com No No No No No No No
www.googleapis.com www.googleapis.com No No No No No No No
device‐metrics‐us‐2.amazon.com amazon.com No No Yes No No No Yes

watch.amazon.com amazon.com No No Yes No No No Yes


r2‐‐‐sn‐q4flrner.gvt1.com gvt1.com No No No No No No No
r2‐‐‐sn‐q4flrnes.gvt1.com gvt1.com No No No No No No No
firebaseinstallations.googleapis.com firebaseinstallations.googleapis.com No No No No No No No
2ctcysy2xi.execute‐api.us‐west‐1.amazonaws.com amazonaws.com No No No No No No No
ajax.googleapis.com ajax.googleapis.com No No No No No No No
lh3.googleusercontent.com googleusercontent.com No No No No No No No
ccp‐lh.googleusercontent.com googleusercontent.com No No No No No No No
play‐lh.googleusercontent.com googleusercontent.com No No No No No No No
yt3.ggpht.com ggpht.com No No No No No No No
i.ytimg.com ytimg.com No No No No No No No
fonts.googleapis.com fonts.googleapis.com No No No No No No No
nvidia.tt.omtrdc.net omtrdc.net No No Yes Yes Yes No Yes
mboxedge35.tt.omtrdc.net omtrdc.net No No Yes Yes Yes No Yes
graph.facebook.com facebook.com Yes Yes Yes Yes Yes Yes No

ssl.gstatic.com gstatic.com No No No No No No No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
encrypted‐tbn0.gstatic.com gstatic.com No No No No No No No
www.gstatic.com gstatic.com No No No No No No No
fonts.gstatic.com gstatic.com No No No No No No No
encrypted‐tbn1.gstatic.com gstatic.com No No No No No No No
encrypted‐tbn3.gstatic.com gstatic.com No No No No No No No
encrypted‐tbn2.gstatic.com gstatic.com No No No No No No No
pagead2.googlesyndication.com googlesyndication.com No No Yes Yes No No No
alt5‐mtalk.google.com google.com No No No No No No No

clients4.google.com google.com No No No No No No No
history.google.com google.com No No No No No No No
www.google.com google.com No No No No No No No
mtalk.google.com google.com No No No No No No No
clients3.google.com google.com No No No No No No No

accounts.google.com google.com No No No No No No No
play.google.com google.com No No No No No No No
policies.google.com google.com No No No No No No No
android‐safebrowsing.google.com google.com No No No No No No No
alt2‐mtalk.google.com google.com No No No No No No No

android.clients.google.com google.com No No No No No No No
images2.vudu.com NA NA NA NA NA NA NA NA
nrdp52‐appboot.netflix.com NA NA NA NA NA NA NA NA
i.ytimg.com ytimg.com No No No No No No No
www.gstatic.com gstatic.com No No No No No No No
connectivitycheck.gstatic.com gstatic.com No No No No No No No
Total: 0 1 1 6 4 3 1 4

Roku Smart Streaming Stick+


Table 51: Roku Smart Streaming Stick+ presumed first‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


scribe.logs.roku.com NA NA NA NA NA NA NA NA
image.roku.com NA NA NA NA NA NA NA NA
channels.roku.com NA NA NA NA NA NA NA NA
display.ravm.tv NA NA NA NA NA NA NA NA
amarillo.sb.roku.com NA NA NA NA NA NA NA NA
images.sr.roku.com NA NA NA NA NA NA NA NA
api.rokutime.com NA NA NA NA NA NA NA NA

cooper.logs.roku.com NA NA NA NA NA NA NA NA
api.sr.roku.com NA NA NA NA NA NA NA NA
api2.sr.roku.com NA NA NA NA NA NA NA NA
tis.cti.roku.com NA NA NA NA NA NA NA NA
configsvc.cs.roku.com NA NA NA NA NA NA NA NA
content.sr.roku.com NA NA NA NA NA NA NA NA
track.sr.roku.com NA NA NA NA NA NA NA NA
amoeba‐plus.web.roku.com NA NA NA NA NA NA NA NA
plugins.roku.com NA NA NA NA NA NA NA NA
ravm.tv NA NA NA NA NA NA NA NA
amarillo.sw.roku.com NA NA NA NA NA NA NA NA
cloudservices.roku.com NA NA NA NA NA NA NA NA
component‐cdn.cs.roku.com NA NA NA NA NA NA NA NA
ls.cti.roku.com NA NA NA NA NA NA NA NA
samples.voice.cti.roku.com NA NA NA NA NA NA NA NA
search.roku.com NA NA NA NA NA NA NA NA
us.cts‐delivery.roku.com NA NA NA NA NA NA NA NA
vod.delivery.roku.com NA NA NA NA NA NA NA NA
api.rpay.roku.com NA NA NA NA NA NA NA NA
bookmarks.sr.roku.com NA NA NA NA NA NA NA NA
cts‐delivery.roku.com NA NA NA NA NA NA NA NA
customer‐feedbacks.web.roku.com NA NA NA NA NA NA NA NA
identity.ads.roku.com NA NA NA NA NA NA NA NA

keysvc.cs.roku.com NA NA NA NA NA NA NA NA
lat‐services.api.data.roku.com NA NA NA NA NA NA NA NA
lingua.web.roku.com NA NA NA NA NA NA NA NA
navigation.sr.roku.com NA NA NA NA NA NA NA NA
optimus.cti.roku.com NA NA NA NA NA NA NA NA

p.ads.roku.com NA NA NA NA NA NA NA NA
predictive‐text.web.roku.com NA NA NA NA NA NA NA NA
retail‐prod.web.roku.com NA NA NA NA NA NA NA NA
rights‐manager.sr.roku.com NA NA NA NA NA NA NA NA
roku‐device‐activate.web.roku.com NA NA NA NA NA NA NA NA

tts.cti.roku.com NA NA NA NA NA NA NA NA
voice5.cti.roku.com NA NA NA NA NA NA NA NA
wwwimg.roku.com NA NA NA NA NA NA NA NA
cigars.roku.com NA NA NA NA NA NA NA NA
channels.roku.com NA NA NA NA NA NA NA NA
captive.roku.com NA NA NA NA NA NA NA NA
firmware.roku.com NA NA NA NA NA NA NA NA

amoeba2.web.roku.com NA NA NA NA NA NA NA NA
Total: 0 0 0 0 0 0 0 0

Table 52: Roku Smart Streaming Stick+ presumed third‐party domains contacted

Domain Matching Domain AP AF AMT AD AM SN TPAM


occ‐0‐586‐590.1.nflxso.net NA NA NA NA NA NA NA NA
nrdp.prod.ftl.netflix.com NA NA NA NA NA NA NA NA
ichnaea.netflix.com NA NA NA NA NA NA NA NA
api‐global.netflix.com NA NA NA NA NA NA NA NA
push.prod.netflix.com NA NA NA NA NA NA NA NA
ipv4‐c037‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
ipv4‐c072‐den001‐ix.1.oca.nflxvideo.net NA NA NA NA NA NA NA NA
secure.netflix.com NA NA NA NA NA NA NA NA
cfp4573tkkhwnes5xpcxs‐usw2.r.nflxso.net NA NA NA NA NA NA NA NA
oca‐api.eu‐west‐1.origin.prodaa.netflix.com NA NA NA NA NA NA NA NA
oca‐api.us‐west‐2.origin.prodaa.netflix.com NA NA NA NA NA NA NA NA
anycast.ftl.netflix.com NA NA NA NA NA NA NA NA
oca‐api.us‐east‐1.origin.prodaa.netflix.com NA NA NA NA NA NA NA NA
uiboot.netflix.com NA NA NA NA NA NA NA NA
occ‐0‐590‐586.1.nflxso.net NA NA NA NA NA NA NA NA
pr.service.expressplay.com NA NA NA NA NA NA NA NA
assets.nflxext.com nflxext.com No No No No No No No
codex.nflxext.com nflxext.com No No No No No No No
link.theplatform.com theplatform.com No No No No No No No
tpc.googlesyndication.com googlesyndication.com No No Yes Yes No No No
securepubads.g.doubleclick.net doubleclick.net No No Yes Yes No No No
adclick.g.doubleclick.net doubleclick.net No No Yes Yes No No No
index.ehub.netflix.com NA NA NA NA NA NA NA NA
nrdp50‐appboot.netflix.com NA NA NA NA NA NA NA NA
Total: 0 0 0 3 3 0 0 0

"Do not sell" links
Apps
Two-thirds of the streaming apps and devices we tested disclosed in their privacy policies that they sell users'
data to third parties. The following links let users opt out, directing the streaming services they use to stop
selling their data to third-party companies.
• Apple TV+: The policies state they do not sell personal information.
• YouTube TV: The policies state they do not sell personal information.
• Disney+: https://privacyportal-de.onetrust.com/webform/64f077b5-2f93-429f-a005-c0206ec0738e/0a4f1f0b-7130-421f-971d-ef578c0bce6d
• Paramount+: https://www.viacomcbsprivacy.com/dns
• HBO Max: https://www.warnermediaprivacy.com/do-not-sell/request/
• Peacock: https://privacyportal.onetrust.com/webform/17e5cb00-ad90-47f5-a58d-77597d9d2c16/612ec9ee-1248-4528-965f-47143d2ec631
• Amazon Prime Video: The policies state they do not sell personal information.
• Discovery+: https://privacyportal-cdn.onetrust.com/dsarwebform/50417659-aa29-4f7f-b59d-f6e887deed53/59ad2e6e-03b5-44a2-8f89-b5aed0acc924.html
• Hulu: https://privacyportal-hulu-cdn.onetrust.com/dsarwebform/dbf35915-9140-401d-a543-cf08b05ae9f6/draft/0787e831-4706-4541-822e-cefa2e7ea2a7.html
• Netflix: The policies state they do not sell personal information.

Devices
• Apple: The policies state they do not sell personal information.
• Google: The policies state they do not sell personal information.
• Amazon: The policies state they do not sell personal information.
• Roku: https://privacy.roku.com/ccpa#!
• Nvidia: The policies state they do not sell personal information.

OUR OFFICES
San Francisco Headquarters
8th Street, Suite C150
San Francisco, CA 94103

New York Office
2160 Broadway, 4th Floor
New York, NY 10024

Washington, D.C. Office
2200 Pennsylvania Avenue NW, 4th Floor East
Washington, D.C. 20037

Los Angeles Office
1100 Glendon Avenue, 17th Floor
Los Angeles, CA 90024

Arizona Office
201 E. Camelback Road, Suite 403B,
Phoenix, AZ 85016

London Office
Exmouth House, 3/11 Pine Street,
Farringdon, London EC1R 0JH,
United Kingdom

www.commonsense.org

© 2021 Common Sense Media. This work is licensed
under a Creative Commons Attribution 4.0 International
Public License. Common Sense, associated names,
associated trademarks, and logos are trademarks of
Common Sense Media, a 501(c)(3) nonprofit organization,
FEIN 41-2024986.

Cover image: © 2021 iStockphoto LP.
