New Privacy Policy - not compliant with new European laws

Dear Plex devs,

I received an email today about your new privacy policy. The provided information states the following:

Plex will continue to collect usage statistics, such as device type, duration, bit rate, media format, resolution, and media type (music, photos, videos, etc.). We will no longer allow the option to opt out of this statistics collection.

The statement seems incompatible with the EU General Data Protection Regulation. This new regulation demands that all personal data (defined as any data that is capable of identifying a single person) must be protected as well as possible. This includes:

  • having to avoid personal data if not strictly required
  • getting consent for the collection of personal data (see below)
  • processing it only in “trusted countries”. Which means that for processing outside of the EU special action needs to be taken.
  • you need to have a data protection officer in a European country

Take for instance the following (taken from Wikipedia for ease of reading):

Consent
Valid consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.

I take it that your removal of an opt-out means you are going to provide us with an opt-in as specified by the European law. Just to make sure that there are not any doubts: I do not consent to your collection of this data.

Consent also needs to be given freely, which basically means that you cannot take away a service from someone if they don’t consent to your data collection. So cancelling my Plex subscription does not solve your problem.

In case you think this regulation has no effect on your company, you are wrong:

Scope
The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.

Since the fines attached to this regulation are to be taken seriously, I really recommend you read the following information:
https://www.gdpr.associates/data-breach-penalties/

Please take our privacy seriously, I know you have in the past. I would really hate it, if I need to remove plex from my life.

Regards,

SingleServingSociety

Finally someone who is attacking this from the current and upcoming data protection stand points! @elan as CTO you have to provide us with a response…

Also we need to be informed as to the correct procedure for a freedom of information request

I would really hate it, if I need to remove plex from my life.

This. Most of us love using Plex, don’t screw it up for us.

Good wrap-up of GDPR and the consequences to Plex’s privacy policy!

So, it’s not that I don’t understand the basic issue here, but how is device type, duration, bit rate, media format, resolution, and media type (music, photos, videos, etc.) considered to be personal information?

I guess what I’m wondering is, if you’re trying to build a legal argument, is any of that information actually personal? I honestly don’t know the answer to that.

That’s a discussion Plex’s data security officer will have to lead with European authorities!

GDPR is quite clear that only necessary data should be gathered, that all means have to be taken to secure this data and mostly that the user has to give his consent.

@mdnitoil said:
So, it’s not that I don’t understand the basic issue here, but how is device type, duration, bit rate, media format, resolution, and media type (music, photos, videos, etc.) considered to be personal information?

I guess what I’m wondering is, if you’re trying to build a legal argument, is any of that information actually personal? I honestly don’t know the answer to that.

Good question. We know from Snowden’s leaks that six pieces of metadata are enough to identify someone. Which is one of the facts that were taken into account while writing the GDPR.

There is a relatively easy way to judge whether information is private or not: would you mind having it out there in a huge dump after someone breached the Plex analytics servers? If your answer is “yes” or “maybe” you know we are talking private information.

As an example, let’s assume the following: every Monday at around 20:00 someone watches a “movie” type media with a length varying between 55 and 65 minutes. He does that ten times in a row, from the end of July to the beginning of September. Shall we guess it is Game of Thrones? Combined with any form of identifiable data (server hash / IP / account), I would consider this to be pretty private information. Even more if you think about certain types of adult content. With Plex moving into TV, we can probably make a very nice picture of all the media and news you are consuming.

Anonymised data just isn’t always as anonymous as proclaimed. Hence the EU specifically gives us an opt-in. Plex is not the only company running into this issue either. I speak to a lot of clients who are currently getting their heads around this issue.

Just a note, even if Plex is US based, they are selling to the EU, thus have to comply or stop all service to Europe…

Nice write-up, I do agree, that this requires an answer.
I do not agree to you collecting this data either. Seems Plex is starting to drift away from KODI at light speed! - or at least their lawyers do…

@mdnitoil said:
So, it’s not that I don’t understand the basic issue here, but how is device type, duration, bit rate, media format, resolution, and media type (music, photos, videos, etc.) considered to be personal information?

I guess what I’m wondering is, if you’re trying to build a legal argument, is any of that information actually personal? I honestly don’t know the answer to that.

It’s not all they’re collecting either, although that’s not the root argument here. It’s that they violate EU law if they’re going through with this (and no I am not expecting an opt in to replace the disappearing opt out either)

@Wiidesire said:

I must have misread that part of your post earlier. How the heck are you going to notify me about my server version on my IP address on my logged in server … if it’s “anonymous” data you’re collecting?
Nowhere in the “Usage Statistics for Personal Content”, “Device Information” and “Application Information” section any anonymization is mentioned.

Usage Statistics for Personal Content. We may collect usage statistics for Personal Content. This includes information about your interaction with the Services, such as device information, duration, bit rate, media formats, resolution, and media type (music, photos, videos, etc.). Usage statistics do not include specific content titles or filenames. We may use information related to your usage to run and improve our Services, to provide, customize, and personalize communications and other content that we deliver or offer to you.

Device Information. Like many online services, we may collect information about the devices that are used to access our Services, such as the IP address of the device, the operating system and version of the device, the browser that you use to access a Plex web page, and the versions of the Plex technologies being used. We may also collect location information about the devices that access our Services.

Application Information. When a request for information or content is sent to a Plex Media Server, we may collect an application identifier that identifies which application sent the request. An application identifier uniquely identifies a particular copy of an application. For example, if you download an application from Plex, fully uninstall the copy of the application, and then re-download the application from Plex, the new copy of the application will be associated with a different application identifier than the uninstalled copy of the application. Note that simply deleting the app without fully uninstalling may not reset the application identifier.

As such you can assume this data is tied to your account

@Night said:
Just a note, even if Plex is US based, they are selling to the EU, thus have to comply or stop all service to Europe…

This is the same in Canada. Just because they are US based, to do business here they must adhere to Canada’s PIPEDA laws.

They are extremely stringent on what data is collected and why. They must legally clarify why they are collecting any identifiable information. They must legally give an opt out. They must legally provide that data to me on request. They must legally destroy that data on request and when the purpose of collecting is complete. They are legally compelled to destroy the data and cannot keep it just for the sake of it. They must legally not sell that data or release it to any 3rd party. They must legally anonymize any identifiable data that is used in metrics.

Canadian law allows for criminal charges against corporations executives for violation. Fines may be upwards of 50,000 or higher depending on severity. If the company refuses to comply they use also withdraw from the Canadian market.

Facebook themselves have been threatened by PIPEDA for many of their privacy policies and forced to change them

All cases before the OPC (Office of the Privacy Commissioner) are publicly disclosed and kept on their site for the public to view.

We take privacy extremely seriously here. As is, I have forwarded the privacy policy to the OPC for inquiry (Although I haven’t lodged a formal complaint yet)

In addition, the organization must have a designated privacy agent who must respond and answer with specifics all aspects of privacy. In fact, I should ask to talk to this person. They must disclose all our privacy questions.

@mdnitoil said:
So, it’s not that I don’t understand the basic issue here, but how is device type, duration, bit rate, media format, resolution, and media type (music, photos, videos, etc.) considered to be personal information?

I guess what I’m wondering is, if you’re trying to build a legal argument, is any of that information actually personal? I honestly don’t know the answer to that.

It really depends if it’s identifiable to you in some way.

For example if it’s just anonymous meta data that cannot be linked back to you, it wouldn’t necessarily fall under personal information.

However, if that data somehow can be directly linked to your person, it would be personal data. So, for example, if the record contains your ID alongside the meta data, it would qualify as your personal information as it can be directly linked to you.

@Night said:
Canadian law allows for criminal charges against corporations executives for violation. Fines may be upwards of 50,000 or higher depending on severity. If the company refuses to comply they use also withdraw from the Canadian market.

The EU does not believe a 50K fine will impress a company like Facebook or Google, hence they have raised the fines to a max of €20 mln or 4% of the company’s global turnover.

This includes infringements relating to:

  • The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation

It really depends if it’s identifiable to you in some way.
For example if it’s just anonymous meta data that cannot be linked back to you, it wouldn’t necessarily fall under personal information.

Keep in mind that proofs of concept have shown that you can be identified by the way you enter data into captchas. The way you handle your keyboard can be a unique fingerprint. What I am trying to say is that the anonymization or pseudonymization of data is hard and we have seen a lot of systems that, while looking good at first glance, caused major privacy issues.

The easiest solution against privacy breaches is to not collect the data in the first place. So unless you need the data for your system to operate (think login information) you should refrain from collecting data. The EU calls this privacy by design.

Seems the Plex team is listening as well, they have posted an update to the first version:
https://www.plex.tv/about/privacy-policy-changes/

I can’t seem to find a date on that post, so it might be older information, but if this is the way the team is thinking today I definitely applaud it.

To me (the guy that just renewed my annual payment) is if they are going to change the rules AFTER THEY BILLED, then what is next? IOW _ they sold me the service that I had been using (including the opt out option) and then they changed it shortly after my payment.
While I would be INSANE to think that this was done to impact me directly, I am merely pointing out that they had agreed to a contract, then changed it (in my mind substantially).

Also cancelled my recurring subscription, but I am in for a year (ok 10 more months :-))

On to searching for my replacement in home service.

Of note - SingleServingSociety also posted a link to a (possibly) more recent update of the change of policy. And while there are clearly some backing off of some of the things that people seem to find objectionable, I think that the change in direction is the main concern. For instance, they have not indicated knowing how many minutes of Plex content I watch from my local library per day can be of any value to them. What if the reason is to revise their billing measures? Charging per gig may be another way to generate revenue. Or per hour, or __________ <— fill in the block with whatever nasty reasons that you can come up with for why they ‘need’ this data.

@ump14 said:
Of note - SingleServingSociety also posted a link to a (possibly) more recent update of the change of policy. And while there are clearly some backing off of some of the things that people seem to find objectionable, I think that the change in direction is the main concern. For instance, they have not indicated knowing how many minutes of Plex content I watch from my local library per day can be of any value to them. What if the reason is to revise their billing measures? Charging per gig may be another way to generate revenue. Or per hour, or __________ <— fill in the block with whatever nasty reasons that you can come up with for why they ‘need’ this data.

Let’s not forget now that data is collected on how much time you spend watching media, that data will now be available to government and legal entities!

  • They’ll need to raise prices just for their new legal department that will be needed.

~Raptor

I’ve always hated EU privacy laws when dealing with standard IT practices, but this now makes me want to connect my Plex server to a VPN terminating in the EU from now on! LOL

~Raptor

@RaptorCon said:
I’ve always hated EU privacy laws when dealing with standard IT practices, but this now makes me want to connect my Plex server to a VPN terminating in the EU from now on! LOL

~Raptor

I think EU laws are at least pretending to care about the privacy of their citizens, the GDPR legislation is a good step IMHO even though it’ll take a lot of effort for us at work as well to comply. Some companies, mostly US based tech giants, seem to have little concern about our privacy and huge profiles of everything we do are being generated for greater revenue and data mining. With the current US government I don’t see that improving much either, so yes it might be a good idea to switch to an EU endpoint early next year.

OH NOEZ!1!!!11 THE SKY IS FALLING!111!

You people have that tinfoil wrapped WAY too tight around your heads. NOTHING that they are collecting is personally identifiable, and it is ALL NECESSARY for the system to work. It was ALL being sent whether you opted in or not before. Otherwise how else would the system know which devices are connected to your server. How would the system know what length the movie is or the bitrate it is playing at or the codec it is using? How would it know if you are a Plex Pass sub or not? Not everything is a f’ing conspiracy.