Not Allowed to use Hetzner

Guys, there is constructive discussion and there is meaningless chatter.

Saying Plex blocking Hetzner IPs is like shops refusing service to gay people is stupid (and look at my post history in this thread to see whose side I’m on here).
However much we disagree with Krazeh, the gay analogy refers to a legally protected characteristic, while the Hetzner/Plex case has nothing to do with that.

That said, I do believe the discussion about Plex’s IP-based blanket banning may have some merit under GDPR processing rules. I am no GDPR expert; however, there may be merit to reporting this to a data commissioner for further checking.

2 Likes

I’ve specifically provided him with the sources, yet he still doesn’t bother to read them. What more can one say? :smiley: It’s clearly a matter of discrimination in the context of Plex’s decision.

And now he’s acting like he’s some kind of legal expert, unashamedly pointing it out to others.

Ok, let’s try this a different way. Let’s assume a hypothetical situation in which you are a software developer that creates a piece of software (let’s call it Plez) that allows users to set up a server and then stream media to client devices.

All is going well until one day when you are contacted by rights holders who inform you that a significantly large number of servers hosted at a particular hosting company (let’s call it Hetznex) are making their media available for a charge. They may or may not threaten to take action against you if you don’t do anything about it.

You decide that the best option (most efficient/effective/expedient, whatever you want to call it) is to simply block all connections from Hetznex to your authentication servers and thereby prevent any of those servers from operating.

Is there any aspect of this decision that you think has been made solely by automated processing of personal data? Or do you think the decision to block Hetznex would need to be made by you (i.e. a human being)?

Having now decided to block Hetznex you consider whether you should contact the users who will be affected by this change. Do you think this decision is made solely based on automated processing? Or, again, has a human being made that decision?

Let’s just agree to disagree about whether you’ve provided anything of any use in explaining your claims about the legality of Plex’s action.

2 Likes

Your hypothetical embellishes some of what’s happening here. For one thing, Plex has made no mention of any third parties (rights holders, for example) involved in the decision. If there were third parties making the automated determinations, it’s arguably worse.

You are still confused about what profiling is under GDPR. Profiling doesn’t require “solely automated processing”:


And the “three distinct stages” correspond exactly to what Plex is likely doing. First, there was data collection on usage patterns; then there was automated analysis to determine the pattern of likely TOS violators (re-sellers of Plex as a service, by all accounts) and finger Hetzner; finally, the “correlation” (e.g. you are a Hetzner user, therefore you are a likely violator of the TOS) was made in the email to all customers with IPs in the Hetzner block.

Remember, the purpose of blocking Hetzner is not just to block a portion of the internet. It is to block bad actors. Yes, it may be more expedient to do it that way. But, and this is the key point, doing it that way violates EU data subjects’ rights not to be profiled. Or, as the example given in my last post puts it: “deprived of opportunities based on the actions of others.”

I haven’t violated Plex’s TOS yet I’m being profiled as likely to do so based on my IP.

I’m really not. I get what the definition of profiling is under GDPR (because I’ve read article 4(4)). But Article 4(4) is just a definition, the relevant part of the GDPR is Article 22 which provides the prohibition (as we discussed earlier) and that prohibition is against a decision made solely by automated processing.

You’re basing this on pure conjecture. There is no evidence from any of this to suggest that personal data about users has been used in an automated fashion to profile them. Even if personal data was used (which is debatable as the same decision could’ve been made without it) as soon as a human being was significantly involved in the decision making process (which is undoubtedly going to be the case, you don’t block an entire IP range through an automated process running in the background) then Article 22 isn’t applicable. The decision isn’t made solely on the basis of automated processing.

You might think that, I disagree. There’s nothing to suggest you’re being profiled as being any more or less likely to breach the TOS based on any personal data Plex hold about you. There’s simply no need for Plex to get that complicated about it. They’ve made a decision to blanket block an entire IP range, you don’t need to then get involved in profiling individual customers to reach individual decisions about each one.

But you know what. Contact your local data protection authority and raise a complaint with them. See how far that goes. I’m willing to bet they might not even bother contacting Plex at all, and even if they do it’ll be very unlikely they reach a conclusion that Article 22 has any relevance to this situation or that Plex are in breach of it. However, if they do I will happily recant everything I have said on this topic and publicly agree with your previous comments.

A couple of things.

All of this discussion is being conducted in more or less a vacuum and this speaks to the other part of my complaint about Plex’s behavior: in no way are they in compliance with GDPR. If they were, there would have to be some kind of transparency about how they arrived at this decision and, importantly, the right of the data subjects affected by it to dispute it. Neither you nor I have any idea what the legal basis under GDPR is for this action and, one suspects, they don’t know themselves because they haven’t thought about it. Under Article 5, data processing as occurred here has to be lawful, fair, and transparent. There is no indication that this action is any of those things and, as an EU citizen, I’m entitled to know the legal basis. According to Recital 71, such processing should be:

subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

None of that is in place here.

Because of this complete lack of transparency, what is pure conjecture in both our arguments is whether Plex relied “solely” or only partially on automation in making the determination. You don’t know that it wasn’t 100% algorithmically determined and I don’t know that it was. A data protection policy in keeping with GDPR would clear that up. But bear in mind that just because humans are involved, doesn’t mean the process isn’t “solely automated.” And bear in mind, as WP29 makes clear: superficial human involvement doesn’t mean the process isn’t solely automated.

Finally, you keep using “personal data” in a way not consistent with the GDPR definition in order to claim I’m not being profiled. I’ve explained why that’s not correct: an IP is personal data and the fact that they knew who to email about my IP is proof. Here’s the definition from Article 4:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[emphasis mine]

And if you look at Plex’s privacy policy they list “IP address” explicitly under “personal data.”

I fully intend to contact the Data Protection Commissioner. In my experience, they take all such reports extremely seriously and, whether Article 22 in the end is applicable or not, I don’t think there’s any doubt that Plex’s public-facing documents are in no way compliant with GDPR, which is both what makes their recent decision an abuse and enables that abuse to take place.

In the context of GDPR that assumes that personal data had any involvement in the decision making. Which isn’t necessarily the case. They could’ve made a commercial decision to block Hetzner without recourse to any of the personal data they hold.

Which assumes (as does your later comment about Recital 71) that the processing of personal data (which is in no way guaranteed to have occurred) involved decisions being made by solely automated processing. It wouldn’t apply if there has been human involvement (beyond token involvement) in the decision making.

I disagree (and not just because I don’t necessarily believe their current privacy policy is insufficient). If they don’t make decisions about users based solely on automated processing then they’re not going to need to put anything about that in their privacy policy or GDPR statement etc. So you’re still going to be in this exact same situation.

I’ve never said an IP address isn’t personal data. What I said is that there’s no evidence they are using that personal data to profile you or make a decision about you based solely on automated processing. They have decided to block all IPs belonging to Hetzner. That is not a decision that is individual to you (even though the impact might be). Or to put it another way, the decision about whether your server’s access to Plex’s systems would be blocked was probably already made before they looked at any personal data about you. It has nothing to do with you as an individual.

However, I will happily concede that if they had made a decision to only block certain Hetzner users (which they haven’t) based on criteria they determined and they used automated algorithms to identify relevant users then you might have had a point.

But if you are convinced that you have been individually profiled using your personal data and that a decision has been made specifically about you, then answer me this: If you move your server to anywhere else (i.e. an IP range not controlled by Hetzner) without making any other changes or contacting Plex to contest a decision do you think it will work post-12th October?

1 Like

This GDPR debate in the context of Plex banning Hetzner IPs due to continuing abuse issues on Hetzner IPs is honestly comical at its best but truthfully nothing more than a waste of time. Plex simply queried for plex media servers hosted using Hetzner IPs and sent a courtesy e-mail to the owners of those plex media servers that Plex will no longer work as is on October 12th.

Also, what do you guys debating GDPR think? Do you think that bringing a GDPR claim will stop Plex from blocking Hetzner IPs because of continuous ToS abuse issues? Unless I am mistaken the remedy for GDPR violations is a fine, not specific performance, so what’s the point in debating if GDPR is applicable anyway?

As someone who maintains a plex media server with less than 10 users hosted by OVH (my upload bandwidth is crap on Spectrum cable, a SoYouStart aka cheaper OVH dedicated box, although expensive, is a viable alternative) I find this whole situation concerning, as many of the guys who made money from their Plex servers in the past may attempt to flee to OVH as an alternative, potentially putting OVH IP ranges at risk.

Personally, I hope this whole thing spurs the media server community to put more time into developing better media player apps for Jellyfin, making Jellyfin a more viable alternative to both Plex and Emby.

To be 100% blatantly honest, I think those with plex media servers on Hetzner IPs are better off using their time determining if Emby or Jellyfin could be a viable replacement for their use cases than debating the legality of GDPR within Plex’s actions. That’s my “rainy day plan,” to start looking into Emby and Jellyfin as alternatives to Plex, in the event Plex decides to bring their ban hammer to OVH.

1 Like

You guys are pretty much talking alone here, echoing all this hate. Well, there’s only one official reply from a Plex employee here and it’s pretty much clear that the decision is made and they won’t change it. Whining here won’t help, just migrate to emby/jellyfin. I’ve already moved to emby and it’s pretty much the same, tbh, just need to get used to the subtitles… Good bye Plex, but I won’t leave my decade old server because of you.

3 Likes

If some of you think PLEX has broken some law then go engage a lawyer and see what they say. They will charge you for the consult but at least you will know for sure and not be beating a dead horse on an internet forum (again). Put your money where your opinion is and hire an attorney and see if they agree with you. If not, sit down.

3 Likes

Sadly, as @weedserver mentioned, I am the only one in the thread who’s received a response from a Plex employee.

Proper communication with the (overwhelmingly legitimate remote server) user base should have been key here. Discussing options for those affected, including perhaps somehow validating their accounts, a form of whitelisting, or something we haven’t thought of. Certainly a sticky thread at the top of the forum would have been appropriate, but I truly believe that Plex did not anticipate that so many of us choose to host our servers off-site. For that reason alone, I think a second official response is long overdue. I don’t expect Plex to backtrack on this decision, but I sincerely hope that @chrisc and others have read each and every post in here and perhaps learned a thing or two about why a seemingly large part of the community does what they do.

3 Likes

Booh! Very unhappy with this.

That’s what I’m missing here, too. Even Unity picked up the communication again recently after the game devs’ backlash :smiley:

Well, I certainly hope they are able to see how many mails they sent out. If they are able to identify the ‘bad apples’, that’s something I don’t know yet.

In the meantime I installed emby and jellyfin (leaning towards emby for now, because of the better apps (read: my kinda old mother needs to be able to use them, too)) and will miss plex and foremost plexamp deeply. Well, there’s finamp for jellyfin, maybe I will use both servers…

Plex is still chugging along nicely for the time being, but if they pull the plug for me in October that’s sadly something that’s out of my control. Still the best media server out there for me, but I’m not willing to change my infrastructure for one service.

A server which isn’t allowed to be installed on a server…

4 Likes

Very frustrating to have someone continually repeat the same false claim about personal data.

I’ll put it as simply as I can: did you get an email telling you that your chosen hosting provider is involved in suspected violations of TOS? No, I’m guessing, you did not. On what basis did they send such an email to me and not to you? Any clues? Because my IP (personal data, by Plex’s own privacy policy) was in the pool they want to block and yours was not.

They didn’t just “decide to block Hetzner.” They decided to block Hetzner based on the profile of the users (determined by unknown means and, by the way, they didn’t mention Hetzner and we don’t know that it’s limited to them). It is exactly as if they denied service to people in a certain neighbourhood because there was a high proportion of bad actors in it.

That’s profiling by the relevant definition. It might not be solely automated and thereby run afoul of Article 22, but we have no way of making that determination because Plex has not been at all forthcoming in telling us what they are doing, how they are using our data, etc. all in violation of GDPR.

As for the privacy policy and its putative adequacy, if you look at it you’ll see that these are the purposes for which they collect personal data (they offer no legal bases for any of them):

  • To provide the Services
  • To improve and enhance the Services
  • Product development
  • To respond to your requests
  • To consider your application for a job
  • To communicate with you about Plex (as permitted by applicable law)
  • To personalize marketing, advertising, recommendations, and other content and experiences delivered or offered to you through the Services (as permitted by applicable law)
  • To facilitate your payment for any products and services we sell

None of those purposes cover this case. None of it fulfils the obligations under Article 5. And please don’t tell me that this blanket blockade is about “improving and enhancing the Service.” That’s laughable.

Response Hetzner sent:

Dear client,

Thank you for your message.

We are currently in contact with Plex, we don’t have any news yet besides the announcement from Plex.

Should you have any further questions, please feel free to contact us.

Mit freundlichen Grüßen / Kind regards

Simon Albrecht

I’m not disputing that. Nor am I disputing that your personal data was used to send you an email. But that is vastly different to your personal details being used to profile you and make a specific decision about you and your ability to access Plex’s systems. The former (i.e. sending an email) has happened, the latter has only happened in your conjecture. It is also processing that is entirely unnecessary for their objective. They don’t need to make individual decisions about users to block an IP range belonging to a hosting company and, if I’m honest, I’m not entirely sure why you’re so fixated on a belief that they have done so.

There is absolutely nothing in anything that has been said by Plex (as limited as it is) to suggest that individual users are having their accounts blocked. It would, on the contrary, appear that simply moving the server to a different IP range will be sufficient. This would strongly suggest that the decision is (as previously mentioned) a blanket policy and not decisions made on individual users by way of profiling. If it were the latter then you would expect, at the minimum, some necessity to contact Plex to unblock your account even if you moved your server.

I’d think that both ‘provide the services’ and ‘communicate with you about Plex’ cover the use of personal data to tell you about a change that will affect your use of the service.

I really don’t think they will end up blocking the providers when time comes. I suspect this because they are racing to change the auth, and require servers to be claimed in future updates as mentioned here:

I bet the all hands on deck @ChuckPa mentioned is focusing on this to attempt to appease the strongly worded letter they got that sparked this.

Thing is, are they also going to block VPN companies too, going forward? Why not stand up a front VPN service and still resell plex from that. Plex will never win at this. There are too many ways around this.

I have no skin in the game, but I’m watching with plenty of popcorn.

You seem to think that sending an email is nothing under GDPR. It isn’t. It’s where the blanket block becomes personalised, where the link is drawn between the personal data that they collected (my IP address, collected for entirely different purposes, not deciding who to block) and my natural person.

Here is illegal profiling in the EU:

This neighbourhood has a lot of insurance claims in it. The personal data we have on this person indicates he lives in this neighbourhood. Therefore we won’t insure him.

Similarly:
This hosting company has a lot of violations of our Terms of Service. The personal data we have on this person (his IP address) indicates he uses this hosting company. Therefore, we’ll block him.

They don’t have to block the account to be in violation of the regulation. Having people change servers is not trivial and, in the terms of the WP29 document, is something that “significantly affects the circumstances, behaviour or choices of data subjects.”

I give up. Please just say that after you’ve been to your local data protection authorities and they also explain that your understanding is incorrect that you’ll come back here and admit that.

That is literally all speculation. For all you know a Plex employee signed up for an advertised PlexShare on Reddit, paid for an “account” to find out who is hosting the server, and when Hetzner refused to do anything about the known paid PlexShare, Plex decided to ban all Hetzner IPs.

My speculative conclusions are just as valid as your speculative conclusions and prove the one thing we know for certain: you cannot prove if Plex profiled anything, so stop acting like you can.

Under that logic, in the EU, car insurance companies could not charge someone more for their vehicle insurance for owning a theft-prone vehicle and living in a neighborhood prone to theft. Logically your example makes zero sense.