
> Hardware requiring an online account to work must be outlawed.

You have just outlawed Roku. An online account is required to make it work, because that's how it was designed to work. It's a rather useless device without the online account.



Well, you could design an open API that others can use, too (server-side, not client side!). So the device can work with competitors, too, meaning it won't require an account at only one company. That would be a compromise - at least in theory others could replace the server parts.


I feel you're ignoring the subtle point - these devices are designed as an extension of their service, not as general computing devices. I can easily replace "Roku" with "RSA SecurID keyfob" and have the same conversation - it is not a generic device; it is a targeted hardware extension of their core business model. An "online account" (an account with RSA the company) is required for this keyfob to be of any value other than an LED screen displaying random numbers.


Fundamentally, I don't see a difference there. They are general computing devices, which are then restricted to talk only to a subset of computers, and only on a subset of protocols. Similarly, the RSA SecurID keyfob can be a public/private key, where the private key is secure on the keyfob, used to generate the digits shown, and the public key is printed on the outside. Anyone with the public key can verify that the private key was used to generate it. An "online account" is not required for the keyfob to be of value.


> Fundamentally, I don't see a difference there. They are general computing devices, which are then restricted to talk only to a subset of computers, and only on a subset of protocols.

I would choose to disagree on this concept; from a business perspective, the hardware engineering design going into making the device has a targeted purpose from the outset, and is (cost) subsidized by that company specifically for their service (meaning, they could take a loss on the hardware and make up for it on the Service). Roku and RSA are extracting money for their service, not for their hardware - just like the Amazon Prime TV stick, or imagine if you will a Netflix stick made and sold by Netflix directly. The value to these companies is your service fee month over month, not the hardware they're providing - the hardware is just a delivery vehicle.

That does not mean the devices cannot technically do something other than what their primary intended purpose is; the alternative "TV in a box" projects can run on things like an Amazon Stick with a bit of work (I did it myself to mine, was neat to play with), just that it's not their primary purpose from the OEM. So can you use an RSA key without RSA? Maybe, but that's not what our primary argument is about here. The GP to this thread stated:

> Hardware requiring an online account to work must be outlawed.

This is what I'm discussing - the GP would have the government require a device which is designed to work with a very particular online service be able to work... without their service. "Netflix, your Netflix TV stick which is designed to work with the Netflix service must also be able to work without Netflix service." That is what the GP is proposing be made a law, which I very much don't agree with - it literally ignores the entire point of the existence of certain types of hardware such as a Netflix TV stick.


Yeah, we get it. If the Roku won't work without a Roku account, then forget it, someone else can make a generic TV set top box device.

My YubiKey works just fine without an RSA account, go figure.


I don't understand your reply or what you're trying to disagree with; a YubiKey - a product intentionally designed to interoperate with many other services and hardware platforms at its core - is being compared to an RSA SecurID key, which is a singular, targeted Enterprise solution ($$$) which does not intend to interoperate with other competing solutions (TOTP e.g.). RSA SecurID and YubiKey have different core business models.



