Plex changes its new privacy policy after backlash, clarifies it’s not trying to see what’s in your library

Popular media player software maker Plex has had a rough weekend. The company alerted users via email on Friday about an updated privacy policy due to go into effect in September. The new policy would remove users’ ability to opt out of data collection, said Plex. This move quickly resulted in much user backlash, with many subscribers concerned that their data would be shared or sold to third parties, or that Plex would now be able to identify the media files housed in their library.

That latter item is of particular concern to many users who have amassed media collections through illegal means, like torrenting or ripping copy-protected DVDs. They’re worried that allowing Plex to collect data about their media and its consumption would allow the company to deduce what sort of files they have.

Plex, in a post published to its website, admitted that its new policy didn’t go far enough to clarify that it didn’t have interest in knowing what’s in users’ libraries or collecting data to that effect. It said it would make changes to the new policy ASAP to assuage users’ fears in this area.

The company explained that it would be difficult to figure out the identity of a file based on certain media information, like duration, but also acknowledged it’s more than a “theoretical possibility” that this could be done. In other words, the indication here is that this is an almost paranoid concern on users’ parts.

“We have ZERO interest in knowing or being able to know what is in any of your libraries,” wrote Plex CEO Keith Valory, ahead of detailing how the new policy would further protect users against having files identified.

To address this problem, Plex is updating the policy with three main changes, he said.

To start, Plex will now “generalize” playback statistics so it won’t be able to create any sort of fingerprint to identify a file in a user’s library. This will allow the company to still gain insights it needs to improve its service — like server performance when combined with specific hardware, codecs, bit rate and resolution; if a given feature is being used; if users are having trouble finding a certain button; and other items.

Another of the key concerns with the new policy is that Plex was removing the ability to opt out of data collection, which confused users who believed this change was about allowing Plex to amass data that could later be sold to third parties or used against them in other ways.

However, Plex said it decided to remove the opt out during setup because the option gave users a “false sense of privacy,” given how many exceptions to the opt out clause there already were. The company said a lot of data is transmitted already in order for its service to function.

For example: Plex servers connect to the cloud to receive updates; clients talk to the cloud to connect to remote servers; integrations with third-party services like Alexa and Sonos mean that metadata must be available to Plex’s cloud services; Plex has to know if you’re a subscriber to premium features; it has to communicate various playback requests or commands through its cloud infrastructure at times; its relay service has to hand off data between your server and a remote device; and it has to provide reporting to licensors about trailers, extras, photo tagging, lyrics, licensed codecs and more (which is anonymized data).

These were all carved out as “exceptions” in the original policy, but Plex came to believe that wasn’t as clear as simply removing opt out altogether, and then changing the policy to be more transparent about what’s done and not done with user data. That is, the policy states that Plex is prohibited from selling user data.

Because of user feedback related to the opt out removal, Plex will introduce a new opt out mechanism, allowing users to opt out of playback statistics, alongside crash reporting and marketing communications. This new opt out will prevent Plex from gathering data like duration, bit rate and resolution — the specific stats that worried users who believed this could be turned into a way to fingerprint (identify) their media files.

In addition, a new privacy tab in server settings will provide a full list of all product events that Plex collects. That way users can see exactly what’s being collected, then opt out of the playback data they’re not comfortable with, the company says.

It’s not likely that Plex itself wanted to gather metrics like duration, bit rate and resolution in order to identify users’ pirated files for its own purposes.

But, as several angry customers on Reddit and Plex’s user forums pointed out, Plex’s intent here didn’t matter. If Plex amassed that data and stored it, it could be used in the future to out those with illegal, pirated media collections, these users said. To be fair, that’s a valid concern: once the data exists, it could be used. It could be subpoenaed. Users feel more comfortable when the data isn’t collected in the first place.

The user backlash was harsh enough for Plex to take immediate action to correct its policy. Many users were threatening to unsubscribe, or switch to competitors’ media player software instead.

It remains to be seen if Plex’s changes will bring those users back and stem the tide of cancellations. It’s also unclear to what extent the backlash represented the larger Plex user base’s thoughts, or if it was a vocal minority.

There were some 10 pages of posts on Plex’s forums, representing several dozen users’ opinions. But Plex has grown its registered user base to nearly 14 million as of August, and more often than not, users ignore legalese updates like this.

Correction: 14 million refers to registered users, not paid users. The article has been updated.