Weekly review emails data leak

The main thing keeping me on Plex is the lack of good music apps for other systems like Jellyfin. Plexamp is just unbeatable at the moment. Maybe I’ll switch to Jellyfin for movies and TV and only use Plex for music.

It was. Here is a post of a user discussing the week in review email from last year in the beta feedback topic.

1 Like

My first installation of Plex was v0.7. Fifteen years, with a chunk of them being a Plex Pass subscriber. In those 15 years I don’t think I’ve ever seen such an empty-headed, rushed and ill-conceived idea for a feature as this.

I did not download Plex to host my own social network. Please, default these settings to off for all users. Or at least give server owners an option to change/opt in for anyone using their server.

It’s possible to fix this, but honestly… With things like the constant notifications asking for reviews of movies, the general push to having “Discover” on the home screen despite taking it off, and now this? It’s a good job the alternative platforms aren’t as mature. Otherwise there’d be an exodus. (Or Plexodus, if you will).

Honestly, you went from “we don’t keep tabs on what you’re watching” to “whoops, we emailed all the people you opened your server to” in a few short years. Not a good look.

9 Likes

I agree it’s reasonable to ask “how much responsibility should be placed on the end user?” Having considered that for myself throughout the day, let me now posit that the answer in this case is “none”, for these reasons:

  • Users who read carefully when first activating sync playback say last year would have no reason to think that meant “with my friends”. They would rightfully believe they were activating a data share feature for their own use only.

  • Users who read carefully when creating accounts for streaming access in the past would have no reason to think those accounts would silently and automatically become social media profile accounts publishing activity feeds.

  • Users who are knowledgeable about privacy would know that EU’s GDPR requires that data sharing be opt-in only, with all presented defaults being opt-out. They’d also know that these laws are now typically respected even outside of the EU because mainstream products are designed for global audiences, because other jurisdictions have now or may soon have similar laws, and even when the law does not exist the “expected good behavior” for a formerly reputable company like Plex is opt-in required. So again, even a carefully reading user, who encountered a confusing dialog, referencing Friends they didn’t think they had any of, and concerning watch history they believed Plex had none of, would have been in the right to conclude the most reasonable effect of hitting Finish having made no modifications would be that their data would remain private as required by law (at least in EU.)

Finally, to me at least the jury is still out on whether there is or isn’t a bug in the email generating software. Until conclusively proven otherwise I think the large number of complaints from users saying they never opted-in may in fact indicate a technical problem where the email generation software did not properly apply the chosen settings, and/or did not properly handle the “null” case (where the user had yet to provide any input at all.) I believe there have been references even in this forum to a mistake that may have been made.

5 Likes

Unfortunately this is pretty much the response I expected. At its core the announcement update reads like Plex Inc blaming its users for either not understanding or not using its new social platform the way they expect. It’s your fault, folks, not theirs!

sigh

6 Likes

I think the damage and resentment to Plex as a product is only growing with this one. I think Plex needs to read the room on this and remove the entire feature ASAP. They can then re-evaluate and poll users going forward on how such a feature ‘should’ have been implemented. Imposing a very controversial feature that was never wanted or asked for and arrogantly pushing on loyal users is not the best business model my guy.

If the official Plex line is to press forward with this and just get us to change settings and hope for the best you will lose a LOT of users. I’ve been a Plex customer for over 10 years and even just bought a lifetime pass but will not personally use it ever again unless this diabolical change is rescinded. You guys lost a lot of trust from your core user base today. You will need to do some work to get it back before this becomes a serious problem for Plex as a product.

Like many others I am deactivating my Plex server with immediate effect until Plex has FULLY removed this ‘feature’.

4 Likes

I think while I agree with the general sentiment of your points - I do think a line needs to be drawn between these two features. I think it’s fair (and should be mandatory) that when a new feature uses data from another in such a way that it would impact a user’s decision on whether they would use either, it should require a re-prompt for consent.

I have two concerns:

  • I feel like that “Your Choice” prompt was quite misleading - I would def sit in the more paranoid camp - but even then after rereading that prompt from the KB I certainly wouldn’t have thought emails would be going out.
  • Users who haven’t proceeded through the “Your Choice” prompt - if their friends are getting emails (with your stats) - does that mean Plex has moved from “explicit consent” to “hell, it’s on until you tell me otherwise”?

The post clearly states “As noted on the page, everyone’s privacy settings are PRIVATE at the time this page is viewed.”. Assuming you’re not set to private before viewing that page (or passing it) and no action is taken until you proceed past that prompt - to me personally that’s pretty scary.

Honestly even if it’s a bug - they had plenty of time to QA test this - if they didn’t account for that in the workflow (when they accounted for the prompt being closed during app closure) that also says a lot.

Edit: I do wonder if this is going to be another Reddit API stunt with the “Let it blow over” mentality. I honestly just wish there was a real alternative with good apps =S

Edit2: Just re the sync thing - Personally I use Tautulli for my watch history but I could’ve seen myself maybe using the sync’d feature (It def has its use cases) without all this social BS.

1 Like

Congrats!

You wanted it and you got it. I didn’t want it and I got it too.

4 Likes

Huh stand corrected then - but I haven’t received any emails like the one last week until last week - which seems to be common for many people (I’m always on beta versions)? Something must have been a little unclear or easily skippable for so many to only be picking up on it now.

Plex team, disable this feature ASAP. It’s creepy and no one on my server asked for it.

4 Likes

You RECEIVE those mails even with YOUR settings set to private. Those mails contain the things your FRIENDS are sharing.

If you don’t want to RECEIVE those mails, you have to deactivate this mailing channel.

I think he means it’s set to private up until the point where that page is viewed and confirmed.

2 Likes

#1 - Thanks for pointing that out - I meant if people are receiving emails with “my data” if I haven’t progressed through the prompt yet.
#2 - I would hope so (that the default state when the feature went live was private) - but my interactions with others have made me question if that’s true.

But like I said further up - How many yelling hit next-next-next through the prompt and are now regretting it?

1 Like

This is a beyond f’d up privacy violation Plex. It needs to be opt out by default on the server level.

3 Likes

Just bought the lifetime sub on Plex, and now discovering they are messing with my and my friends’ privacy. Chargeback from PayPal will be requested - because this is completely unacceptable.

2 Likes

Maybe we should be looking closer at who is investing in Plex.
Are they VC/companies that have a history of data collection etc?

2 Likes

The thing is, we are past the point as a civilized society where that should be a legitimate question.

While we’re all entitled to our personal opinions of how we think this should be, the LAW* is that all of us - including the least knowledgeable – is to be protected from our own lack of sophistication. Any user protected by EU’s regulations, or any jurisdiction with similar, should have been able to rely upon the most basic training that “when in doubt - just go with the default - that is the privacy safe option”. Plex did not live up to that requirement.

*I am not a lawyer in any jurisdiction and it’s possible my layman’s understanding is off, although it seems clear from various online sources like this one:

4 Likes

I think the problem is - GDPR is great and all - but it only covers part of the user base.

For transparency - I work for a company that does in-house programming and handles user data (Including EU) - A discussion we had very early on in the GDPR debate was do we use the one rule fits all approach or different per region.

Here we mostly agreed when it was not blown out hugely by costs - we would use the most restrictive rule set “as the baseline” for other regions. This in the short term caused all sorts of issues but I think (personally) for the user this was a big win.

I really wish a reasonable GDPR baseline covered the internet - unfortunately for us poor souls there isn’t one =( I’m also not holding my breath with how policy making happens and the people involved.

Edit: getting a bit off track - but I enjoyed this conversation nevertheless.

3 Likes

I’ll reply here for posterity, as this is in the other thread.

Yeah we saw that post. Here’s the problem you face:

  1. Plex’s explanation shows clearly that you put onto a player screen these ‘choices’. While I don’t personally remember seeing that myself or clicking on it, any member of our household, including children, could have done that. The method you chose could not have ensured the explicit consent of the account holder, and consent given by a minor is not binding in nearly every decent jurisdiction in the world.

  2. Plex’s explanation is also not jiving with your userbase. Why? You changed the default options for privacy so that, in order to continue watching, users were effectively tricked to ‘opt in’. You can’t say people explicitly opted in when you made the default values a change from the users’ existing settings, while also putting a nice padlock there and telling people ‘you are in control’ (with these settings). It’s a bait n switch, plain n simple.

  3. You tricked your userbase by doing the same things as marketers who put “tick this box if you DO want marketing materials” - as most people expect that ticking the box says no to marketing materials. The explanation post just serves as a confirmation that Plex grossly violated your userbase’s trust and tricked them into “opt in” to it at the same time.

Again, read a room. You can say people opted in, but you spectacularly tricked your userbase and did not consider that there is not a 1:1 mapping of viewing user to account holder when you flashed up that opt in screen. I, as account holder, never saw it. I, as account holder, never agreed to a change to the privacy policy.

12 Likes

Plex is most definitely not reading the room and seems happy to lose 75% of its user base to prove a point.

3 Likes

Saw the email first time today and almost choked on my coffee. I’m so happy to see I’m not alone being outraged and feeling betrayed.

Never ever did I think I sent data to Plex for them to store it on their servers. I was under the belief that it was stored on my server and the discover and information was stored locally. I believed what Plex usually says, privacy is important, but guess trusting companies in 2023 was not the right choice.
Now I have to tell everyone I know to turn everything off, just the headache this caused. But made a word how-to that I have to send out to the non-tech-savvy people.

I just feel this was 100% implemented to trick people, even I fell for it, and all the other even less tech people will most likely share their data.

Only saving grace for Plex atm is Jellyfin’s bad apps and Plexamp, otherwise I would be gone.
I’m so mad that anyone thought this was a good idea…it’s mind-boggling, what happened to the Plex I loved back in 2010?
This is just so sad.

4 Likes