Not Allowed to use Hetzner

They can provide great service regardless of who the client is. Just because you wear a white hat doesn’t mean everyone they do business with does.

Or do you think Plex is just deciding to block them for ■■■■■ & grins?

2 Likes

If it’s that simple then why bother having ToS at all? Or taking any action now? If they’re immune from any legal consequences of users using their software to commit copyright infringement then surely it’d be far simpler to just do nothing and let those users just get on with it?

But, let’s assume for a second you are correct and Plex have complete legal immunity, are they not entitled as a business to take actions where they think users are using their software unlawfully? Even if it has no direct consequences on them? Or if not doing something harms their ongoing business activities/relationships with other commercial parties? Should they be forced to allow users to use their software to facilitate copyright infringement?

Interesting take on Plex looking at the data they already have (and collected in line with the agreed privacy policy) to identify the users who will be affected by an upcoming change so they can let them know about it. Perhaps they shouldn’t have committed such a gross violation and just not let anyone know, would that have been better?

As others have pointed out below, this happens all the time in the IT world. For example, it’s very common for large IP ranges to end up blocked from sending emails due to the actions of email spammers. It’s not an unusual approach to a problem like this and is infinitely more effective for the intended purpose than playing whack-a-mole with individual IP addresses. It’s not great for those innocent users caught up in it, but that unfortunately is how things often go.

And how do you propose that works when the server software is free and you can spin up as many instances of it as you like? The required resource for a plex server, especially if there’s little or no transcoding, is very little. It would hardly be difficult for the nefarious users to be using multiple plex servers to provide content to their ‘users’ rather than having them all accessing a single server instance. As soon as that happens (which I understand is already the case) then such a ‘solution’ is worthless.

I genuinely believe some people in this thread do think that is the case. That Plex just decided a few days ago that it would be great fun to piss off a load of users for absolutely no reason whatsoever.

2 Likes

I saw the most interesting post on Reddit yesterday that seems very topical to this discussion, about situations where someone had to remove a user they were sharing their server with.

There was this guy, who shared with a co-worker, only to have that co-worker turn around and start reselling the access to his server to strangers.

[Screenshot: “Is their a friend or family member that you won't allow to use your server”]

What’s amusing is these responses here:

[Screenshot: “Is their a friend or family member that you won't allow to use your server”]

So, the idea of cutting out that guy and taking over the selling-access business for profit gets at least 19 upvotes over base score (+1). But someone pointing out this is a violation of the Plex ToS gets downvoted to -20. A fascinating insight into the moral compass of the community, if I do say so.

And then folks wonder why Plex is coming down on a VPS host they are aware of running multiple servers doing this. :roll_eyes:

3 Likes

And you and others who don’t use cloud storage felt the need to show off your “Plex Shill” credentials.
Yeah I get it now.

Try reading entire paragraphs of people’s posts instead of just the first sentence.

Go ahead… I’ll wait here.

Comparing the reddit community with the folks on this forum is a major insult in my book, even if there is an ever so slight overlap. Most of us have been here long enough to know the difference.

1 Like

That’s fair. But Reddit does garner more traffic than these forums simply by being a social media site and not one tied to a specific product so it could be argued that their attitudes on it more closely reflect society as a whole.

While that may be, this forum has always been used to communicate directly with the devs and (hopefully) some of the decision makers at Plex. And that’s what this thread has been and should be about.

That’s if they are a willing party. There is a reason why Plex is giving ToS violations as a reason, and not piracy for financial gain.

There is a big difference between “knowing” and knowing in a way that can be shown in a court of law.

This doesn’t make it right, it’s still wrong to do that, and a big reason why Google and Microsoft are sort of succeeding in cornering the email market, which should otherwise be free to all who want to provide an email service. It’s deplorable that they operate in that way.

I am not sure which post you saw that said or implied that. Most if not all posts that try to assume the reasons behind this basically propose that the Plex team did not want to bother with finding actual solutions and just did whatever was easiest, without much regard as to the consequences.

The difference is that you can whitelist your own IP addresses at any time. As a rule, however, not a few million IP addresses are blocked, but only a block of 255 addresses.

1 Like

Further to this, I just got a renewal document from my motor insurance company here in Ireland. It includes a 6-page single-spaced Data Protection Notice that is required and expected from any EU company that processes personal data. Included in it are a full table of the purposes for which they use personal data and their legal basis (under GDPR and Irish legislation) for doing so.

It also includes a section on “Profiling and automated decision making” to comply with Article 22 of the GDPR. This describes the reasons and purposes for which they might profile you. “Profiling” is defined in GDPR article 4 as follows:

  1. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

My insurance company’s profiling section looks like this:

Two things are very clear to me now:

  1. Plex is not in compliance with GDPR: they provide none of the information required by the regulation and the Privacy Policy is inadequate to that purpose.
  2. What Plex is doing with regard to their customers who host Plex on Hetzner boxes is profiling and automated decision making under Article 22 of the GDPR. They are engaged in automated profiling of those affected by the policy by using personal data (their IP) to profile their likely behavior and reliability and withholding their service on that basis. This is illegal in the EU.

Would any Plex employees like to comment on the subject of Plex’s GDPR compliance (or apparent lack thereof) and how they plan to justify this act of profiling under the regulation? Or should I just raise the issue with the Data Protection Commissioner here in Ireland? To be clear, my questions are:

For what purpose did you process my personal data (the IP address of my host) and what was your legal basis under GDPR for doing so?
What was your purpose in engaging in automated profiling of me by means of the IP address of my host and in what way was this automated profiling consistent with Article 22 of the GDPR?

2 Likes

It’s not. There’s nothing to suggest they’re evaluating any personal aspects of any natural persons (in an automated fashion or otherwise) to determine whether to offer them a service.

  • Firstly, Plex aren’t offering the online service, that’s Hetzner.
  • Secondly, the media software is still freely available to anyone affected by this block.
  • Thirdly, and most importantly, they’re not making decisions on individual users. They’re blocking an entire IP range belonging to a hosting provider. The only use of your personal data (i.e. your IP address) is to identify those users who will be affected by this change so they can be notified.

Also, article 22 is a right that you can exercise by telling the data controller to not make a decision about you based solely on automated processing. But the onus is on you to tell the data controller, it doesn’t mean they have to seek your consent to use automated decision making. And there are circumstances in which a data controller could still make automated decisions even if you exercised your right under article 22 (or equivalent in local law). For example, in the case of your motor insurance they’ll still be able to make automated decisions about you, even if you said you didn’t want them to, as long as they provide you with the ability to contest the decision(s) and have a human review it (although this will always be after the fact).

1 Like

It is under my reading of GDPR Article 22 and this article which explains the EU Advocate General’s opinion on Article 22 for a case before the European Court of Justice. It seems to me that even to collate the Hetzner IP addresses and send out emails to the Plex users whose addresses they are is an automated profiling process under the article.

Furthermore, they are likely in breach of GDPR by collating and using this personal data (an IP is personally identifying information under GDPR) without specifying the purpose for which it is gathered and the legal basis (under Article 6 of the GDPR) for doing so. And seeking to ban people from the service based on the suspicion that they might be violating the TOS based on their IP address hardly qualifies as a legal purpose even if they’d listed it in advance.

They are blocking individual users. That is why the individual users to be blocked all received an email saying as much. Those who are not being blocked received no email.

They took all the IP addresses in the Hetzner block and tied them to the people whose addresses they are in order to send them the emails. That’s automated profiling.

And it doesn’t matter that Plex aren’t offering the hosting. Article 22 says that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

This decision undeniably produces legal effects or similar on anyone subject to it.

You’re also wrong about whom the onus of raising the issue falls upon. According to the EU Advocate General (see the link in my last comment), Article 22 describes a general prohibition (something a data processor cannot do) and not a right that a data subject would have to claim.

They discriminate against users who choose to use shared hosting. That’s like saying people who are gay can’t come into my store and buy cake.

Monetary compensation at the very least for people who paid for a lifetime of support.

I want something else: whitelisting of the IP of any blocked user who asks for it. I don’t believe they have a legal leg to stand on with this, at least for EU citizens/residents.

My point was they’re not blocking individual users based on decisions they have made specifically about that user. Yes, individual users are being affected but only because of something completely unrelated to their personal data or anything about them as a person.

Plex haven’t gone through the personal data they hold (or there is no evidence to suggest they have) to evaluate users and determine whether to allow them access to the authentication servers etc. or not. They are blocking a company (Hetzner) from accessing their systems. Having made that decision (which doesn’t need them to consider or make any decisions on users’ personal data) they obviously need (or at least should) make the affected users aware. This is the only bit that requires use of personal data to identify those users and contact them. But you’re still not profiling users by that use. Not to mention that it’s pretty inconceivable that the decisions to block Hetzner and then to contact affected users were not made by a human and therefore any decisions wouldn’t have been made solely on the basis of automated processing.

To go back to your analogy of motor insurance, having a blanket policy to not insure anyone under 25 (and yes I know such a policy could potentially have other legal issues such as age discrimination but it’s just an example) would not be automated decision making, nor would writing to everyone you currently insure who is under 25 to let them know you won’t be continuing their insurance. However, if you were to use an applicant’s age (most likely along with other information about them) to build a risk profile and then use that to determine whether to insure them that could be automated decision making (and would potentially need other safeguards such as having a system to allow the applicant to contest it and have a human review the decision).

I think we’ll have to agree to disagree on this point. Even if we assumed that automated decision making using personal data has taken place, I think you’d have a hard time convincing a data protection authority (or a court if you took it that far) that the decision ‘produces legal effects concerning him or her or similarly significantly affects him or her’.

There’s quite a difference in magnitude between the impact of the sort of automated decision making referenced in recital 71 of the GDPR (automatic refusal of an online credit application or e-recruiting practices without any human intervention) and not being able to use a particular online hosting provider.

But who knows, maybe you (or someone else) could put together a convincing case that a) Plex has used personal data to make a decision about you solely based on automatic decision making and b) that said decision produces legal effects concerning him or her or similarly significantly affects him or her.

Well I defer to the EU Advocate General. Not that it actually matters in this case as there isn’t automated processing/decision making/profiling going on.

It really isn’t. One is a protected characteristic with legislation that prohibits discrimination based on that characteristic, the other isn’t.

It’s the same thing and to sit here and ride Plex is concerning.

You don’t understand what profiling is under GDPR. Manifestly what they’ve done is profiling under GDPR: using personal data (IP addresses) to analyse or predict that person’s performance (particularly with regard to the TOS). They don’t have to go through any more personal data than that: any personally identifying piece of information suffices. And the IP is definitely personally identifying since they were able to send me an email on the basis of mine!

They are not simply “blocking a company”; they are profiling users based on them having contracted with that company. The automated component of all of this likely involved determining the Hetzner IP block, linking Hetzner IPs with Plex users, sending those Plex users emails. “Automated processing” under Article 22 doesn’t have to be entirely automated as this set of official guidelines (called WP29) makes clear. That same document makes clear what “legal effects” or “similar effects” are:

And here’s an example they give that is directly analogous to the current situation with Plex: