hi, here's my first blog post!
Reviewing the Crunchyroll Incident: Class Action Lawsuit Over Allegedly Disclosing Anime Viewing Habits to a Third Party
Recently in the news, anime giant Crunchyroll has been facing a class-action lawsuit over allegedly disclosing anime viewing habits to a third-party organization. What does this all mean? Is there a security issue? Let’s go over some of the details.
The Incident
From this article:
we can see that Crunchyroll is being accused of violating the Video Privacy Protection Act (VPPA). Why, you might ask?
Well, because of their use of Braze for marketing.
Yes, you read that correctly.
(If you don’t know, Braze is a customer engagement platform that helps companies manage messaging and marketing interactions across mobile apps, websites, email, and push notifications. Its SDKs and APIs allow developers to collect user behavior events and build targeted campaigns. Organizations use it to automate notifications, personalize content, and analyze user engagement.)
To anyone familiar with technology and software development, the use of Braze does not immediately set off alarms. However, in the filing of the lawsuit we can see a clear issue in how the data was passed to Braze as users utilized the platform. Fields exposed in the request allegedly included:
- device_id
- email
- episodeTitle
With this in mind, we can see that (at least in theory) a third party (in this case Braze) could potentially access the viewing preferences of Crunchyroll’s subscriber base. Crunchyroll should ideally be the only entity with access to that level of enriched data (for example: username, anime title, device ID, etc.).
How it worked
User watches episode
↓
Crunchyroll App generates event
↓
Braze SDK sends telemetry
↓
Braze stores user/event data
↓
Notifications, emails, and in-app campaigns
Allowing a third party to interact with the pure, unaltered version of such data increases the attack surface of an organization like Crunchyroll, which reportedly has:
“17 million subscribers, 130 million registered users, with tens of billions of hours watched yearly.” (as stated in the aforementioned article)
How Can We Prevent This From Happening Again?
There are several things that need to be considered. First, let’s talk about the Video Privacy Protection Act (VPPA).
The VPPA was created in the 1980s to protect the privacy of people renting movies from stores like Blockbuster. Since then, the law has been applied to numerous lawsuits in our digital-native world involving companies such as Meta, Netflix, Overstock, and even Blockbuster itself.
Naturally, none of us want to:
- Lose the trust of users
- Get sued
- Lose our jobs
So how does a privacy-focused engineer prevent such an outcome?
For starters, if you are using a third-party tool to empower your analytics or marketing teams, the data flow should not look like this:
(PII — user email) + (specific video title — anime name)
{
"user_email": "nate@manga-guy.net",
"event": "video_play",
"content": "Demon Slayer: Episode 22",
"timestamp": 1712640000
}
This exposes far too much user information.
What happens if the partner platform experiences a security breach? You still want to be protected, right?
A Safer Architectural Design
Let’s look at a safer architecture.
{
"user_id": "482901", ← email is obscured behind a user_id
"event": "video_play", ← indicates a user watched an episode
"content_id": "1089", ← content MAY be episode 22 of Demon Slayer
"timestamp": 1712640000 ← timestamp associated with the viewing event
}
The above represents a simple (easy for me to say, of course) approach to protecting both users and the company while maintaining user trust.
It may seem like extra work or even over-engineering, but small architectural decisions like this add up significantly over time.
If marketing wants to send an email campaign based on viewership:
- Analytics identifies user IDs that meet certain criteria
- Internal systems resolve those user IDs to email addresses
- The email is sent from the platform itself
The third-party partner should never be able to determine who the users are, nor should they receive raw identity information tied to viewing records.
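The safer design and the campaign steps above can be enforced in code at the point where events leave the platform. This Python is an added example, not code from Crunchyroll, Braze, or the lawsuit filing; the function names and lookup tables are hypothetical, and the sample values are the ones used in the JSON earlier in this post.

```python
import re

# Constructed sample data: internal lookup tables that never leave the platform.
USER_IDS = {"nate@manga-guy.net": "482901"}
CONTENT_IDS = {"Demon Slayer: Episode 22": "1089"}
EMAILS_BY_ID = {uid: email for email, uid in USER_IDS.items()}

# Only these fields may ever be sent to the third-party partner.
ALLOWED_FIELDS = {"user_id", "event", "content_id", "timestamp"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def assert_safe_for_partner(payload):
    """Fail closed: reject unknown fields and values that identify a user or a title."""
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"fields not on the allowlist: {sorted(extra)}")
    for key, value in payload.items():
        text = str(value)
        if EMAIL_RE.search(text) or text in CONTENT_IDS:
            raise ValueError(f"identifying value in field {key!r}")


def to_partner_event(internal_event):
    """Translate an internal event into the payload the partner is allowed to see."""
    outbound = {
        "user_id": USER_IDS[internal_event["user_email"]],
        "event": internal_event["event"],
        "content_id": CONTENT_IDS[internal_event["content"]],
        "timestamp": internal_event["timestamp"],
    }
    assert_safe_for_partner(outbound)  # check again right before sending
    return outbound


def resolve_recipients(user_ids):
    """Internal-only step: map user IDs chosen by analytics back to email addresses."""
    return [EMAILS_BY_ID[uid] for uid in user_ids if uid in EMAILS_BY_ID]
```

Running the same check in CI against recorded outbound payloads catches a later code change that reintroduces an email or title field.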
In any case, stay safe online and watch more anime.
Have a wonderful rest of your day.