WARNING HEALTH AND SAFETY NOTICE STUFF WHATEVER: This Reddit post has a lot of technology speak, so if you're not really familiar with how web browsers work, telemetry/tracking or JavaScripts, I advise you to turn around before you get lost here.
So, after using some privacy-monitoring extensions (and playing around with the app), I have made the discovery that the Roblox website isn't.. well, that kid-privacy-friendly.
Let's start off with the Roblox website's start, or the plain website, roblox.com without being logged into any account. Right off the bat, I can already notice some suspicious activity going on with JavaScripts.
[Screenshot: Google's tracking service, detected in an extension called NoScript]
Why does Google want to know what I'm doing on the webpage? If there's anything, Google should not be on a platform oriented towards children, so why are they here? There's also Arkose Labs being on the webpage, which is half-reasonable. Roblox uses their captchas. The unreasonable part though is their tracking. hCAPTCHA is a better alternative, since it works in the same way reCAPTCHA does but actually doesn't give Google an excuse to track you.
*SIDE NOTE: I'm not trying to throw Arkose Labs off the bus here, they seem to do a good job at, well, what they're supposed to do. It's just that I find it weird that they are being used on a child platform and with Arkose's tracking/telemetry services.*
And it doesn't just end there, it also continues to the login page.
[Screenshot: NoScript detecting JavaScripts from Gigya]
What's Gigya, you ask? An account management service, which gotta be the most BS excuse to know what you're doing on there since you don't even NEED the JavaScript enabled to sign in or do anything important. They also use trackers.
[Screenshot: Privacy Badger, another privacy extension developed by EFF, detecting Gigya as a tracker]
So, is Gigya really necessary here? Not quite.
Once signing in (I'll be using an alternative account that is meant to be underage for the test, to clearly see what web.roblox.com's tracking services are compared to www.roblox.com and thus seeing the trackers those who are under the age of 13 have), ScorecardResearch wants to know what I'm doing!
[Screenshot: NoScript (yes, again) detecting scorecardresearch.com as a JavaScript service. The red text means that it's not passing through a secure HTTPS connection (!)]
Yes, you see that right. A tracker. THAT ISN'T PASSING THROUGH HTTPS ENCRYPTION, RENDERING TRACKING DATA HIJACKING EASIER. It was also included inside Peter Lowe's Ad and tracking server list (as seen below here).
https://preview.redd.it/bxhzcs0fta251.png?width=1365&format=png&auto=webp&s=7f72132276ac77ca65334de7cc596359fe45648d
Now, what actually is Scorecard Research doing?
"Collecting data through 2 main sources: surveys and web tagging. (...) For web tagging, participating websites agree to deploy a special code throughout their sites (that would lead to tracking what you're doing in the Roblox website, in this specific case). (...) ScorecardResearch, a service of Full Circle Studies, Inc., is part of the Comscore, Inc. market research community, a leading global market research effort that studies and reports on Internet trends and behavior."
What are they doing here? In Roblox? I don't know, tracking 7 year old Timmy's behavior and selling it to god-knows-where? Sketchy as all hell.
They also like to put YouTube scripts on game pages that don't even have YouTube videos and ad services (AdChoices which has, you guessed it, telemetry/tracking!).
Going on checkout pages, I also noticed a service called Vantiv, which I think doesn't track you but rather is the service that passes the payment.
There's also the fact that anyone that has access to the Admin Panel (even hackers) can see all of your private information, such as names, email addresses, billing information, whatever you decide to give to Roblox.
Whenever you play Roblox in VR (Oculus Rift, HTC Vive, Windows Mixed Reality, Valve Index, Pimax, you name it), you allow them (heck, you're not even ALLOWING them to do that, you're unknowingly being forced to do so!) to check every device you have plugged in your computer at the time of launching the game. That is to "detect if you have a VR headset". In addition to collecting your physical movement that your VR system can track. Sketchy as f**k. Why do they even NEED to know all this!? Why not just pass through SteamVR's service, detect if it's running and having any sort of VR headset plugged in or going inside Oculus, seeing if there's any device then passing through? Why checking EVERY USB DEVICE PLUGGED IN FOR SEEMINGLY NO REASON?
You can't even RUN Roblox IN A VIRTUAL MACHINE! WHY NOT? (I have made another Reddit post in the past about this, but I feel the need to talk about it here). Roblox is supposed to be a kid-friendly game that ISN'T sketchy. If they weren't sketchy why can't we run the game in a VM, let alone in Sandboxie (a sandboxing program that is supposed to monitor programs that you run on your system)? That's right, you can't! Not even in Wine on Linux! Their VMProtect is so severe it WANTS (and forces) you to run it raw, unmonitored, unvirtualized, on your precious computer with all your family pictures bank account japanese folder whatever people have on their computer these days.
Now for www.roblox.com? Trackers on there are more reasonable since you're now over the age of 13, but still under the age of 16, so not TOTALLY reasonable. So anyways what difference is there, once you're actually 13 or older (or if you lied about your age)? A new tracker, guess what!
ns1p.net, YET ANOTHER TRACKING SERVICE, is on Roblox. This website is also included in Peter Lowe's Ad and tracking server list. Now what actually is ns1p.net? Actually NS1.
[Screenshot: Going to ns1p.net redirects you to this website, which apparently is "managed and private DNS that's smart efficient and fast"]
What? Why wasn't it ALSO in web.roblox.com, if that's all what it was? Why was it included in Peter Lowe's Ad and tracking server list? Very sketchy.
There also used to be Facebook trackers however I think they are gone. I haven't realized if there were any.
So, in the end, should you really trust Roblox or let your kids use the service? Well, not quite, in my opinion. 8 year old Jimmy probably doesn't know how JavaScripts work, so just giving them NoScript, Privacy Badger and uBlock Origin won't get them anywhere (or it'll get them too far).
How do you protect yourself? It's a very VERY complicated thing to explain.
I'll be posting updates to this post if I feel the need to.
UPDATE: The website does use Facebook trackers, however you need to be on a game page for them to take effect.
[Screenshot: please excuse my poor choice of game for this example]
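The checks the post does by eye with NoScript and a blocklist (which script hosts are third-party, which load over plain HTTP, which appear on a tracker list) can be scripted; the following is an added example, not part of the original post. The markup, paths, the `sub.` subdomain and the hosts-file style blocklist entries are constructed for illustration, and the function names are hypothetical.

```javascript
// Constructed sample page markup (not captured from roblox.com; paths are made up).
const SAMPLE_HTML = `
<script src="https://www.roblox.com/js/app.js"></script>
<script src="http://sub.scorecardresearch.com/tag.js"></script>
<script src="//ns1p.net/p.js"></script>
<script src="/js/local.js"></script>
<script>inlineCode()</script>`;

// Constructed blocklist in hosts-file layout ("127.0.0.1 domain").
const SAMPLE_BLOCKLIST = `
# constructed entries for this example
127.0.0.1 scorecardresearch.com
127.0.0.1 ns1p.net`;

// Turn hosts-file text into a Set of lowercase domains.
function parseBlocklist(text) {
  const domains = new Set();
  for (const raw of text.split('\n')) {
    const line = raw.split('#')[0].trim();
    if (line) domains.add(line.split(/\s+/).pop().toLowerCase());
  }
  return domains;
}

// True if the host or any parent domain (down to two labels) is listed.
function isBlocked(host, blocklist) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Resolve every <script src> against the page URL and classify it.
function auditScripts(html, pageUrl, firstParty, blocklist) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const url = new URL(m[1], pageUrl);
    const host = url.hostname.toLowerCase();
    findings.push({
      host,
      thirdParty: host !== firstParty && !host.endsWith('.' + firstParty),
      insecure: url.protocol === 'http:',
      blocked: isBlocked(host, blocklist),
    });
  }
  return findings;
}

console.table(auditScripts(SAMPLE_HTML, 'https://www.roblox.com/', 'roblox.com', parseBlocklist(SAMPLE_BLOCKLIST)));
```

This only inspects static markup; scripts injected at runtime, which NoScript does see, will not appear in the result.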