That latter item is of particular concern to many users who have amassed media collections through illegal means, like torrenting or ripping copy-protected DVDs. They’re worried that allowing Plex to collect data about their media and its consumption would allow the company to deduce what sort of files they have.
Plex, in a post published to its website, admitted that its new policy didn’t go far enough to clarify that it didn’t have interest in knowing what’s in users’ libraries or collecting data to that effect. It said it would make changes to the new policy ASAP to assuage users’ fears in this area.
The company explained that it would be difficult to figure out the identify of a file based on certain media information, like duration, but also acknowledged it’s more than a “theoretical possibility” that this could be done. In other words, the indication here is that this is an almost paranoid concern on users’ parts.
“We have ZERO interest in knowing or being able to know what is any of your libraries,” wrote Plex CEO Keith Valory, ahead of detailing how the new policy would further protect users’ against having files identified.
To address this problem, Plex is updating the policy with three main changes, he said.
To start, Plex will now “generalize” playback statistics so it won’t be able to create any sort of fingerprint to identify a file in a user’s library. This will allow the company to still gain insights it needs to improve its service – like server performance when combined with specific hardware, codecs, bit rate and resolution; if a given feature is being used; if users are having trouble finding a certain button; and other items.
Another of the key concerns with the new policy is that Plex was removing the ability to opt out of data collection, which confused users who believed this change was about allowing Plex to amass data that could later be sold to third parties or used against them in other ways.
However, Plex said that its decision to remove opt out during setup was because it gave users a “false sense of privacy” because there were so many exceptions to the opt out clause as is. The company said a lot of data is transmitted already in order for its service to function.
For example: Plex servers connect to the cloud to receive updates; clients talk to the cloud to connect to remote servers; third-party services like Alexa and Sonos such that metadata must be available to Plex’s cloud services; Plex has to know if you’re a subscriber to premium features; it has to communicate various playback requests or commands through its cloud infrastructure at times; its relay service has to hand off data between your server and a remote device; and it has to provide reporting to licensors about trailers, extra, photo tagging, lyrics, licensed codecs and more (which is anonymized data).
These were all carved out as “exceptions” in the original policy, but Plex came to believe that wasn’t as clear as simply removing opt out altogether, and then changing the policy to be more transparent about what’s done and not done with user data. That is, the policy states that Plex is prohibited from selling user data.
Because of user feedback related to the opt out removal, Plex will introduce a new opt out mechanism, allowing users to opt out of playback statistics, alongside crash reporting and marketing communications. This new opt out will prevent Plex from gathering data like duration, bit rate and resolution – the specific stats that worried users who believed this could be turned into a way to fingerprint (identify) their media files.
In addition, a new privacy tab in server settings will provide a full list of all product events that Plex collects. That way users can see exactly what’s being collected, then opt out of the playback data they’re not comfortable with, the company says.
It’s not likely that Plex itself wanted to gather metrics like duration, bit rate and resolution in order to identify users’ pirated files for its own purposes.
But, as several angry customers on Reddit and Plex’s user forums pointed out, Plex’s intent here didn’t matter. If Plex amassed that data and stored it, it could be sued in the future to out those with illegal, pirated media collections, these users said. To be fair, that’s a valid concern: once the data exists, it could be used. It could be subpoenaed. Users feel more comfortable when the data isn’t collected in the first place.
The user backlash was harsh enough for Plex to take an immediate action to correct its policy. Many users were threatening to unsubscribe, or switch to competitors’ media player software instead.
It remains to be seen if Plex’s changes will bring those users’ back, and if it stems the tide of cancellations. It’s also unclear to what extent the backlash represented the larger Plex user base’s thoughts, or if was a vocal minority.
There were some ten pages of posts on Plex’s forums, representing several dozen users’ opinions. But Plex has grown its customer base to nearly 14 million paying users as of August, and more often than not, users ignore legalese updates like this.