My roommate got a Roku TV last year, and since it’s a “smart” TV, I was naturally suspicious. In case you haven’t heard about smart TVs spying on people, there are more than a few examples to choose from. But then I remembered I had a wonderful Synology router, complete with fine-grained segmenting and filtering tools.
That means that not only could I block the TV’s access to certain domains, but I could actually watch which domains it connects to!
Now, I know people have already studied the tracking domains TVs connect to. I know you could block most tracking domains by just dropping a Pi-Hole on your network. In fact, my Synology router already has a preset block list for ads. But I don’t want to bother with a Pi-Hole, and it’s more interesting to investigate this stuff myself! Plus, that way I know more about what’s going on and don’t have to wonder if those block lists are missing anything (as they’re known to do).
Qualitative results
The results were fascinating. First off, I actually didn’t observe as much obvious spying as I expected. None of the domains I observed seemed clearly connected to TCL, the manufacturer. In fact, when you’re just in the Roku menus and not in an app, the only domain it seems to connect to is ravm.tv, which seems to be owned by Roku. Perhaps part of the “Roku TV” agreement they made with TCL involves Roku doing all the data collection too, selling it to TCL on the back end. Well, luckily, that domain isn’t necessary. I’ve blocked it and never noticed anything broken except the ads on the Roku home screen. However, roku.com is necessary so ¯_(ツ)_/¯
As for the apps themselves, well it’s interesting to see that the tracking domains are often pretty obvious. And plentiful. They usually have things like “ad”, “beacon”, “metrics”, or “pixel” in the name. Many don’t, though. I just used trial and error, blocking different ones and checking if the app still works to see what’s necessary.
The data
After going through this process, I thought it might be useful for others if I post my findings. I’ll try to update this list as I learn more. These lists are not exhaustive. There could be more domains these apps connect to that are actually necessary or unnecessary that I haven’t discovered or confirmed. But these are ones I have observed and investigated.
Roku home
Necessary
api.rokutime.com
Unnecessary
os.fandango.com display.ravm.tv www-roku.mgo.com authentication.mgo.com c-ls.mgo-images.com c-catalog.mgo-images.com
Netflix
Necessary
nflximg.com
Unnecessary
www.yahoo.com www.google.com
Amazon Prime Video
Necessary
amazon.com amazonvideo.com aiv-cdn.net images-amazon.com aiv-delivery.net ssl-images-amazon.com media-amazon.com akamaihd.net d184dfn36gombl.cloudfront.net d25xi40x97liuc.cloudfront.net dmqdd6hw24ucf.cloudfront.net
Unnecessary
device-metrics-us-2.amazon.com ia.media-imdb.com
My filter lists
Most of the time I’ve been staying on the conservative side by just running a blocklist of domains I’ve confirmed are not necessary for the apps to function. I don’t want my roommate to find herself unable to watch a show because I broke something and happen not to be around to fix it. But I also have a stricter allowlist that I’ve used quite a bit and seems to work. It consists of all the domains that have ever broken something when I block them. I’ll provide both here.
The main apps I use are Netflix, Hulu, Amazon, and HBO. I did test them all, and they’re covered by these lists, even though they’re not all in the data above. I just didn’t have good enough notes to break all of them down like that.
FYI, most of the testing was done in November 2019.
Blocklist
2mdn.net fbsbx.com fbcdn.net facebook.com doubleclick.net tclusa.com imrworldwide.com fandango.com googlesyndication.com ravm.tv localhost innovid.com brightline.tv device-metrics-us-2.amazon.com mgo-images.com mgo.com conviva.com w55c.net everesttech.net bluekai.com rlcdn.com tidaltv.com spotxchange.com fwmrm.net adsafeprotected.com beacons.extremereach.io krxd.net stickyadstv.com adsrvr.org adap.tv extremereach.io demdex.net ispot.tv omtrdc.net serving-sys.com agkn.com doubleverify.com insightexpressai.com researchnow.com scorecardresearch.com videoamp.com huluim.com google-analytics.com 2o7.net api.segment.io p.ads.roku.com ads.aimitv.com adtag.primetime.adobe.com ads.adrise.tv ads.samba.tv tracking.sctv1.monarchads.com data.ad-score.com
Allowlist
roku.com nflxvideo.net nflxext.com netflix.com nflxso.net api.rokutime.com amazonvideo.com d184dfn36gombl.cloudfront.net media-amazon.com ssl-images-amazon.com aiv-delivery.net images-amazon.com aiv-cdn.net amazon.com hulu.com hulustream.com akamaihd.net youtube.com gstatic.com ytimg.com ggpht.com googlevideo.com clients1.google.com edge.roku-vod.top.comcast.net dlvr1.net theplatform.com play.google.com googleusercontent.com hbo.com hbogo.com hbomax.com plex.tv azure-roku-us.azureedge.net ustream.tv ums.services.video.ibm.com nflximg.com d25xi40x97liuc.cloudfront.net fonts.googleapis.com neutron-api.viacom.tech s3.amazonaws.com cc.com mtvnimages.com mtvnservices.com seamless.viacom.com llnwd.net dmqdd6hw24ucf.cloudfront.net api.kanopy.com api.discovery.com login.discovery.com tfuu5214iv4t8c7oka365asfk.litix.io uplynk.com pbs.org showtime.com www.boomerang.com playready-license.drm.technology wbdnbo.net api.swiftype.com
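An added example (not the author's router configuration) of how the two lists above behave as filter modes, using a few entries from each. It assumes a rule also covers its subdomains, which the post does not state for the Synology filter; the `decide` and `matching_rule` helpers and the two marked lookups are constructed for illustration.

```python
# Added example: subsets of the post's lists; suffix matching is an assumption.
BLOCKLIST = {"ravm.tv", "mgo.com", "doubleclick.net",
             "device-metrics-us-2.amazon.com", "p.ads.roku.com"}
ALLOWLIST = {"roku.com", "api.rokutime.com", "amazon.com",
             "netflix.com", "nflximg.com"}


def normalize(name):
    """Lower-case and drop the trailing root dot of a DNS name."""
    return name.strip().lower().rstrip(".")


def matching_rule(name, rules):
    """Return the most specific rule equal to `name` or a parent of it.

    Matching is on whole labels, so "roku.com" covers "p.ads.roku.com"
    but not "notroku.com".
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):          # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return None


def decide(name, mode):
    """Verdict for one lookup under 'blocklist', 'allowlist' or 'combined'."""
    blocked = matching_rule(name, BLOCKLIST)
    allowed = matching_rule(name, ALLOWLIST)
    if mode == "blocklist":
        return "block" if blocked else "allow"
    if mode == "allowlist":
        return "allow" if allowed else "block"
    if mode == "combined":                # allowlist with block overrides
        if blocked:
            return "block"
        return "allow" if allowed else "block"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Lookups: names from the post, plus two constructed ones (marked).
    queries = ["display.ravm.tv", "api.rokutime.com", "p.ads.roku.com",
               "device-metrics-us-2.amazon.com", "nflximg.com",
               "notroku.com",              # constructed: label-boundary case
               "unlisted.example"]         # constructed: on neither list
    for q in queries:
        print(f"{q:34}", *(f"{m}={decide(q, m):5}"
                           for m in ("blocklist", "allowlist", "combined")))
```

Under that assumption, an allowlist on its own still lets p.ads.roku.com and device-metrics-us-2.amazon.com through via their parent entries, so the blocklist has to be applied on top of it.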
Any updates?
Thanks for this list, just one comment though. The device-metrics for Amazon causes unexpected issues with Fire Tablets if it’s blocked. It’ll keep them from going to sleep and therefore reduce the battery life down to a few hours at max.
That’s interesting. I actually had a Fire tablet for a while with this filtering enabled. Seemed to work, but maybe things have changed. Thanks for reporting!
I have a Roku Express 4k which I bought to replace the online functionality on my LG TV (LG WiFi is a bad joke, the Roku is the complete opposite with some amazing range.) It fills my Pi-hole logs with connection attempts to ‘scribe.logs.roku.com’ which is on the pi-hole default block lists.
Here’s an example of how frantically it can try connecting to that site: “RATE_LIMIT Client 10.0.1.98 has been rate-limited (current config allows up to 1000 queries in 60 seconds)” showed up on my Pi-hole last night.
In addition, there are periodic requests to mediaservices.cdn-apple.com, which is odd because I don’t even have the Apple TV app installed, and several Netflix-related connections that show up even when Netflix is closed.
I love my Roku, but even Microsoft doesn’t try phoning home this much. By contrast, my old Roku 3 that’s on an older TV doesn’t do any of this.