Boxee is an application for streaming video from the Internet and from machines on your local network. I run it on my HTPC . I recently noticed some strange HTTP traffic originating from my HTPC. Whenever you attempt to watch a programme with Boxee, a HTTP POST request is made to http://app.boxee.tv/action/add containing XML in the POSTed data, of the following format:

< message type = "watch" > < timestamp > 1306583038 </ timestamp > < object type = "tv_show" > < boxee_id > [Numerical ID Scrubbed] </ boxee_id > < episode > 2 </ episode > < func_ref > new </ func_ref > < name > Tis Better to Have Loved and Flossed </ name > < season > 1 </ season > < show_id > 891118 </ show_id > < show_name > Breaking In </ show_name > < thumb > http://boxee-proxy.appspot.com/400x0x85/?url=http%3A%2F%2Fthetvdb.com%2Fbanners%2Fepisodes%2F206751%2F4033031.jpg </ thumb > </ object > </ message >

I’m not 100% comfortable with them having a list of everything I watch, and the date/time that I watch it. I emailed privacy@boxee.tv three weeks ago to ask them how they store this data and why they’re collecting it. They ignored me and didn’t reply. Not the sort of behaviour you’d expect from a company that should be concerned with their users privacy. Their privacy policy doesn’t state that they collect this data.

As a temporary fix, I have modified my networks transparent web proxy to block requests to http://app.boxee.tv/action/add and I haven’t noticed any negative impact or loss of functionality in Boxee.

One of the things Boxee does is scan your media and fetch thumbnail images. This also potentially leaks the content of your library, but is unavoidable if you want to fetch images. They don’t provide an option to disable this. I would like Boxee to come out and state that they simply don’t log requests for thumbnail images, or that it at least is anonymised and purged on a very regular basis. I doubt this is the case though.