Roku didn't ban mass arbitration. They use the same legal playbook as the NYT itself.
The Daily Error: The NYT misread a Roku legal update, connected it to a data breach Roku had nothing to do with, and failed to mention their own nearly identical policies.
In this series I challenge myself to find a New York Times error within an hour and explain it within 500 words. FAQ, rules, and motivations here. This is about awareness, not bashing.
I’ve adjusted the format a bit. The 500-word cap will stay, but for a TLDR summary. A longer breakdown will then follow for those who want deeper understanding.
The story
The NYT put out a column last Wednesday with a rather aggressive title:
Why Tech Companies Are Not Your Friends: Lessons From Roku
The gist of its claims:
Roku recently strong-armed customers into a new legal policy
This policy had the effect of “shielding” Roku from customers pursuing mass arbitration for corporate wrongdoing
If a customer didn’t accept this new policy, their Roku devices would be “essentially brick[ed]” (though the NYT waffles on this point later on)
This all may or may not have had something to do with a recent data breach
The errors
The NYT misread Roku’s new policy, perhaps confusing “class arbitration” with “mass arbitration”, which are two completely distinct things
Not only did the policy not shield Roku from mass arbitration, its entire point was to explicitly allow it (we’ll cover pros and cons later on)
The NYT left out that their own legal terms also ban class action suits and class arbitration (and their approach to mass arbitration is only very mildly different from Roku’s, which we’ll also cover later in detail)
Though they acknowledge that the data breach wasn’t at Roku (it had nothing to do with them), they still anchored their story on it and chose a custom slug/URL of “/roku-data-breach-companies”, influencing Google’s search results
They left out the obvious motivation for Roku’s change (a Samsung court case), and gave readers no real sense of how to judge these new policies
They claimed that Roku “collects much more information than it needs to provide a device that runs streaming apps”, but never considers if that’s actually true, nor where the classic consumer tradeoffs are
Why it matters
Explicitly telling people “tech companies are not your/our friends” in relation to Roku — in both the headline and main text — is deeply provocative. And their only justification offered was a mistaken reading and a few misleading asides.
This kind of hollow aggression poisons the well a lot. And it keeps happening.
The column also included an explicit recommendation:
I suggest that Roku customers follow those steps to opt out of the new terms and hold on to what little power they have.
But they conveniently recommend this while not asking that customers take the same step in response to the NYT’s own legal terms. I wonder why.
(The NYT’s terms are also considered binding by the act of you using their website or apps. They profess no obligation to inform you when these terms change. “It is your responsibility to review these Terms of Service prior to each use of the Site.”)
Anyway, the full breakdown continues after these housekeeping notes.
Spot something wrong or misleading? Get a corrections bounty to keep or donate. Details here.
Time to find and confirm today’s error: 12 minutes
Stories I looked at first where I didn’t find an error: 1
An NYT story worth reading: this opinion piece on the shameful state of accessibility within the NYC’s subway system for those with physical handicaps
Deeper dive
Table of contents:
Roku devices and “bricking”
A mass arbitration crash course, in four parts
The misleading data breach inclusion
Roku’s “terrible privacy policy”
Roku devices and bricking
(Note: I’m less focused on Roku’s streaming devices here. It’s true that they get fully “bricked”, ie. unusable, if you refuse new legal terms. But this is true for all such devices, as they have no non-software function — unlike TVs.)
Roku’s business model is simple. They sell TVs at a loss, making that money back by taking cuts on the ads you watch and the subscriptions you buy.
Some customers may not want this. And that’s fine! But Roku sells decent TVs at extremely reasonable prices, and many customers appreciate that. You always have the option of paying more for a different TV, including a “dumb” TV that doesn’t come with streaming software preinstalled. It’s the same as picking which class to fly. More options is better, to each their preference.
But the core thing here is that the TV and the software are separable. You could buy a Roku TV at their subsidized price and just bypass the Roku software in favor of an alternate streaming device or none at all. This is easy to do! You more or less just press a button on the back of the TV, then do whatever you want with it.
So there really isn’t any obvious objection to bricking here, as either:
You don’t care about the software (only valuing the TV), in which case just reset the TV, don’t connect the software, and you’re golden
You do care about the software, but just don’t want to accept’s the software’s terms, which isn’t a viable option for virtually 100% of internet-connected software and has nothing special to do with Roku
(I guess if you bought a Roku dongle or set-top under the old terms, you might rightfully cry foul if you think these new terms are bad, which they aren’t really. But, crucially, you likely agreed to waive class arbitration and lawsuits years ago. You would have had to just send a letter at the time to opt out, which is standard practice.)
Mass arbitration crash course: the backstory
(Note: What follows is about mass arbitration for consumer contracts, not employment contracts. The latter is messier and totally outside our scope.)
The main principle to understand here is that there’s an age-old cat-and-mouse game between corporations and litigators. All western governments more or less allow that companies do bad things sometimes and ought to be held accountable, including payments for damages. But the how is always shifting as both sides try to maximize their interests and governments step in to referee. The lawyers want structures that give them more money, and companies want the opposite. Both sides care about fairness to customers, but would prefer it achieved on their own terms.
In older days, litigators often used class-action lawsuits. A company did something wrong that affected a lot of people with a shared situation, and litigators would ask courts to recognize these people as a “class”. This was inherently an opt-out approach. If you wanted to pursue your own claim individually, you had to actively tell the court(s) that you didn’t want to be party to the class or their lawsuit(s).
Class-action suits are somewhat infamous for going on forever, which is good for legal billables, and good for forcing companies to release documents etc, but generally a bad deal financially for consumer suits against tech companies. The trial might go on for years, though many appeals, and your ultimate share might be like $30.
Crucially, the total costs here are always passed back onto customers and shareholders. So one new tactic that companies tried was adding in new legal terms that required customers to forgo their rights to these lawsuits in favor of mandatory arbitration, which they argued drove the same outcomes in a cheaper way. The US Supreme Court has since blessed this approach via a few major cases (eg. here, here).
While we’ll get into the pros and cons of arbitration in the next section, it’s important to note that this change itself wasn’t inherently better or worse for consumers. There are tradeoffs, and you really have to look at each company’s policies individually.
Mass arbitration crash course: the pivot
As companies began asking customers to opt out of class-action suits, they also often asked them to opt out of class arbitrations. Which is to say that each aggrieved consumer had to make their own unique claim, often (at least now) after going through a preliminary dispute process where you first FYI the company of your concern and give them a set number of weeks to resolve it privately.
Before we get into the big wrinkle here, some pros and cons of this for consumers:
PRO: Arbitration is generally a lot faster than a class-action suit.
CON: One reason it’s faster is a much more limited right of appeal.
PRO: Each claimant can typically pursue a higher payout.
CON: Consumers have to do administrative things to assert eligibility, like eg. mailing a certified letter and attending a zoom call.
PRO: Companies might be more willing to settle knowing that they don’t have to admit public guilt in the same way as in a highly publicized trial.
CON: Evidence about wrongdoing is less likely to enter the public record.
PRO: Consumers (often) can still go to a small claims court instead.
CON: A lawyer might care less about taking on a single small-dollar case.
PRO: Companies usually cover your filing fees, or at least the vast majority.
CON: This fact incidentally led to the big wrinkle, which we’ll cover next.
So a mixed bag, though subjectively I think better for consumers in cases of less serious misdeeds. If the goal is maximally punishing a company for major wrongdoing, a trial is likely better. But if the goal is just compensation, less so. I’d rather get more money and faster, which arbitration is better at.
Anyway, some clever lawyers spotted an opportunity here: while consumers had to file their claims individually, there was nothing in most rules against lawyers aggregating thousands of similar cases and filing copy/paste claims.
Hence our current situation, where mass arbitration is the expected norm, which isn’t the same as class arbitration in that it works on an opt-in principle instead. If you don’t make your own claim early, no one is fighting for you. But you’re also under no obligation to join your claim with anyone else’s, including their settlement.
Mass arbitration crash course: the wrinkle
While companies were initially happy to post in their legal terms that they’d take on the lion’s share of any fees (in part to satisfy governments that they were being pro-consumer), most didn’t see mass arbitration coming, at least at the scale it did. And one quirk of mass arbitration is that companies generally have to prepay a lot of (often non-refundable) fees before any claims are even heard on their merits.
So when lawyers started blanketing Facebook with ads saying eg. “did you use this company’s products between these dates; if so you might have free money coming”, this led to some mass arbitrations growing very large in number, where a company would be on the hook for many millions before the arbitration even began.
From a corporate point of view, this opened the door for less ethical lawyers to pursue fringe cases, knowing that mass-filing claims was a great way to leverage a quick settlement, sometimes regardless of any actual wrongdoing.
There have been a bunch of big cases about this over the last five-ish years (eg. here), where companies have argued that this development unfairly penalizes them. Some of the more prominent arbitration firms also responded by lowering their fees for mass claims above certain thresholds (though it’s still quite expensive).
The most relevant case here is Samsung’s. There was a concern a few years ago that they may have violated an Illinois state law on data privacy, leading to them getting slapped with some 50,000 arbitration claims. Samsung refused to prepay the fees, arguing in part that this gang-up was unfair, and in part that the tactic used to sign up claimants was too broad and spotty. While they’ve since whittled down the number of claimants, the case is ongoing, with oral arguments having resumed in the Seventh District Court of Appeals on February 15th.
Not by coincidence, Roku pushed their revised legal terms five days later.
Mass arbitration crash course: bellwether cases
One common feature of class-action suits has long been a thing called a bellwether trial. The idea is that there might be dozens of related suits happening in different states or venues on the same issue, and it doesn’t make sense for all of them to press forward at the same time. So litigators and defendants agree to let one of them go first to test the waters, with feedback from that case then informing the rest.
In response to the Samsung case and others like it, companies have had basically four options:
Go back to class-action suits (as Amazon has)
Attempt to ban both class-action and mass arbitration outright (as the Wall Street Journal’s parent company did last week)
Allow mass arbitration, but via the new generic standards set by your preferred arbitration firm (as the NYT does)
Allow mass arbitration, but via your own rules for bellwethers atop those standards (as Roku just did, with the same preferred arbitration firm)
The basic idea of Roku’s approach is a compromise where:
Lawyers can collect as many cases as they want
Instead of Roku agreeing to blindly prepay fees for all those claims, they and the plaintiffs will agree on a small subset to be heard first (with 20 individual arbitrators each reviewing a share of said cases to get a good range of opinions)
Once this initial set of claims is heard, all the other related claims will be put into a joint mediation informed by those initial findings
Assuming the core case isn’t found to be frivolous, Roku will pay most of the fees involved
If an agreement isn’t struck in mediation, all qualified claimants are then free to then file in court, as a class-action if they wish
This seems enlightened to me. It forces lawyers to be pickier about which claims they choose to take on, no longer able to rely on using numbers as leverage in forcing an advance settlement. And consumers still retain all their essential rights. Everyone’s claim counts, so long as they opt in within the rules. And it’s still both faster than a class action suit and more likely to lead to larger individual payouts.
(The NYT’s policy of deferring to the AAA’s mass arbitration rules is harder to summarize. These rules allow for bellwethers to be agreed upon without actually demanding them. They also include other improvements to discourage frivolous claims, though they’re still being tested. As a consumer I’d be happy with either, and they’re substantially the same in most respects. All claims still count, either way I can join a group filing or not, and initial filings still work the same way. It’s also going to the same arbitration firm, and results should be roughly identical.)
All said, it’s disappointing to see this coverage from a paper as prominent as the NYT. People were searching for good information on how to understand all this, and it’s a real shame to me that virtually no major newspapers seem to have done this justice. (If any readers have a great example they can point me to, I’m happy to link it!)
Anyway, let’s move on from the arbitration stuff to the other issues.
The unrelated data breach
At some unknown point in time, an unknown company had some data stolen. The net effect was that bad actors gained a trove of usernames and passwords. As it typical, they likely sold these stolen credentials to buyers happy to pay a trivial fee to get to squat on someone’s streaming account (where the trick is that many people will have used the same email/password on the hacked service as on Roku, Netflix, etc).
It seems like some 15,000 Roku accounts were affected this way. In some of these cases the squatters also charged new paid subscriptions. Though Roku spotted this, and both proactively reset passwords for the affected accounts and refunded said payments. (It’s likely they didn’t catch all of them, as these credential data dumps are super common and at any given time there are tons of these squatters out there. But Roku identified one major group and did the right thing in response.)
It’s hard to know what to object here to? Lots of people are likely squatting on NYT subscriptions too, using the same methods. It’s a very hard thing to police! While I credit the NYT for rightfully recommending here that people don’t use the same password in multiple places, including this story in a column titled “Why Tech Companies Are Not Your Friends: Lessons From Roku” seems just insanely unfair and prejudicial. This is happening constantly, everywhere. And not every company bothers to be as proactive about it. Roku shouldn’t get penalized for that!
Notably, this column had a negative effect on Roku’s search results. When I searched for “Roku data breach”, this column was the second result, despite there being no Roku data breach. And the NYT failed to give context or mention the refunds!
Roku’s data policy
Setting aside that we have no evidence of any stolen data, the NYT decided to add to their prosecution by closing with these four paragraphs:
But any successful business exists to make money, not friends, and Roku’s aggressive moves this month should make that crystal clear.
With Roku and similarly inexpensive streaming products like Google’s $30 Chromecast and Amazon’s $40 Fire TV stick, you are largely subsidizing the purchase of the product by sharing your data with advertisers, said Jen Caltrider, a director at Mozilla who researches companies’ privacy policies.
But Roku is a bigger offender, as it collects much more information than it needs to provide a device that runs streaming apps, including information about your employment, education and religious beliefs, she said.
“Their privacy policy is a shining example of a terrible privacy policy for a consumer,” Ms. Caltrider said. “They are a data-hoovering company.”
So, two things:
They think Roku hoovers more data than Google or Amazon????
While it’s true in some bare and meaningless sense that Roku doesn’t need to collect a lot of data to run a streaming service, this is entirely separate from the data required to run a streaming service that people want to use
While I’ve never worked for a streaming company, I have worked for a social media company, and have dozens of peers who’ve worked for either. The universal finding is that these customers claim to want privacy, while approximately 100% of user data suggests that they absolutely prefer data-rich products, by just insane margins.
(There are some products where data privacy is a much bigger deal. Knowing how many episodes of Love is Blind you’ve watched lately is not such a case, and is only really useful in one context: making your feeds and ads more relevant.)
Startups will sometimes sell on the trend of “just like this other product, except ours collects way less data”. If this were a true preference, those companies would be wildly successful. But the market has spoken on this time and time again. Apart from cases involving unusually sensitive data, few people actually want this. They want services to be personalized, lower in price, and richer in features. And the way that companies design exactly these products is by using your data.
Roku wants to infer your religious beliefs, not because this information is meaningful to them, and not because it’s overly valuable to some third party. They want to infer it because you will watch longer and more happily if they can license and recommend content relevant to your identity and interests. This isn’t terrible policy. This is how you design algorithmic products that people want to use.
And once again, the NYT does a lot of this too.1 If the point of this column was to call data hoovering bad on some universal and absolutist grounds (silly imo, but sure), they should have at least pointed out that this practice also helps pays their salary.
While the NYT collects a bit less data, it’s worth noting that what they don’t collect isn’t that useful to them. They don’t need to infer and label all your identity markers, as there are only ~230 new NYT pieces a day to promote and they’re already curated by section. There are rapidly diminishing returns here on algorithmic personalization. And if you’re an advertiser who wants to eg target liberal Christians, you can just target anyone reading articles that fit that reader profile. This is much, much easier to do on a small scale. When your content library is the size of eg. TikTok’s or Netflix’s or Roku’s, the equation is just very different. You need more automated precision. While it’s true that this extra labelling does expose the downside of data theft exposing more about you, this data is already out there in a dozen other places. That toothpaste left that particular tube many years ago.