Privacy guide
GDPR
PeerTube core (without installed plugins) is GDPR compatible:
- It doesn't send personal data to any third party if P2P is disabled
- Users can delete their account and all their data will be deleted
- Users can export their data and import it into another instance (in PeerTube >= 6.1)
- Admins can fill in the Terms section of the PeerTube instance that users must accept to register
Below are the details details of personal data processed by PeerTube without plugins installed.
PeerTube logs
PeerTube records in its logs for each HTTP request. This can be disabled in PeerTube configuration.
Persons concerned
- Any visitor
Purpose:
- Legal obligation
Processed data:
- Client IP (can be anonymized in PeerTube configuration)
- User agent
- URL of the visited page
- Date and time of visit
Data source
- User web browser/web client
Data retention:
- Depends on the server configuration
Recipients
- System administrators
- PeerTube administrators
PeerTube database
No personal information is stored in the database for anonymous users. PeerTube only stores data from registered users.
Persons concerned
- Registered users
Purpose:
- Manage user account (login, password recovery): legitimate interest
- Automatically resume videos/retrieve previously viewed videos: legitimate interest
- Manage user videos (upload/watch): legitimate interest
Collected data:
- User Email, Username, Password
- Video history (can be disabled by the user)
- Published videos
Data source
- Information provided by the user
Data retention:
- As long as the account is not deleted
Recipients
- System administrators
- PeerTube administrators
Player P2P
PeerTube uses the P2P-media-loader protocols to share bandwidth between users to help lower the load on the server.
This feature can be disabled by the PeerTube admin or directly in users settings.
Persons concerned
- Any visitor that is watching a video
Purpose:
- Reduce server load: legitimate interest
- Improve playback quality: legitimate interest
Processed data:
- IP address
Data source
- User web browser/web client
Data retention:
- As long as the user is watching the video
Recipients
- System administrators
- Other peers that are watching the video, and so potentially with remote peers outside the European Union
Data stored in web browser
Cookies
Here is a list of cookies used by PeerTube:
clientLanguage
: remember the user's manually selected page language (3 months)
Local storage
Here is a list of data stored in web browser local storage (without time limit):
Anonymous & logged-in users:
app-broadcast-message-dismissed
: remember the user closed the message broadcasted by the adminvideo-watch-privacy-concern
: remember the user closed the P2P related privacy message in video watch pageclient_id
&client_secret
: OAuth2 tokens generated globally for the instance used to do HTTP requests to the PeerTube REST API. These tokens are the same for all users (logged-in/anonymous) on the instancepeertube-hotkeys-disabled
: remember the used disabled keyboard shortcutsnsfw_policy
: remember user preferences about NSFW videos to filter videosvideo_languages
: remember video languages selected by the user to filter videostheme
&last_active_theme
: remember the interface theme selected by the userpeertube-videojs-*
&auto_play_video
&auto_play_next_video
&auto_play_video_playlist
: remember user preferences about the playerpeertube-videojs-video-watch-history
: remember videos with their last watched time code to automatically resume videos
Logged-in users only:
access_token
&refresh_token
&token_type
: OAuth2 tokens generated for the user after a successful login and used to do HTTP requests to the PeerTube REST APIid
,username
,email
,role
: user attributes after successful login to retrieve user state after returning to the websitevideo-redundancies-list-display-type
: remember user redundancy display type in adminadmin-user-list-selected-columns
: remember selected columns by the adminjobs-list-state
&jobs-list-type
: remember jobs list table state/typeadmin-logs-log-type-choice
: remember logs type choicerest-table-sort-*
: remember tables column sortno_account_setup_warning_modal
: remember the user don't want to see the welcome modal againno_welcome_modal
: remember the admin don't want to see the welcome modal againno_instance_config_warning_modal
: remember the admin don't want to see the instance warning modal again
Session storage
Here is a list of data stored in web browser session storage (deleted when the page session ends):
Anonymous & logged-in users:
redirect-latest-session-url
: track the last page visited to redirect the user on the previous page in some situation (login for example)peertube-videojs-session-id
: track the web browser session by randomly generating an identifier that is sent to the server to identify the user as a unique viewer. The server doesn't keep this session ID in its database and only uses it to anonymously track the viewer's progress through a particular video.
PeerTube P2P & privacy
To reduce server load and improve playback quality, PeerTube uses the P2P-media-loader protocols to share bandwidth between users that are watching the same video.
P2P can be disabled by the PeerTube admin or directly in users settings.
If enabled, the main threat to user privacy is that the IP address is stored in the instance's BitTorrent/WebTorrent tracker as long as the user is downloading or watching the video.
What are the consequences?
In theory, someone with enough technical skills could create a script that tracks which IP is downloads which video. In practice, this is much more difficult because:
- An HTTP request must be sent to each tracker for each video to spy. To spy all the videos on PeerTube, we need to send as many requests as there are videos (so potentially a lot)
- For each request sent, the tracker returns a limited number of random peers. For example, if there are 1000 peers in the swarm and the tracker only sends 20 peers for each request, there must be at least 50 requests sent to know every peer in the swarm
- These requests need to be sent regularly to know who is starting/stopping a video. It is easy to detect that kind of behaviour
- If an IP address is stored in the tracker, it doesn't mean that the person behind the IP (if they exist) has watched the video
- The IP address is a vague information: it usually changes regularly and can represent many persons or entities
- Web peers are not publicly accessible: because we use the websocket transport, the protocol is different from classic BitTorrent trackers. Peers in a web browser send a signal containing the IP address to the tracker, which randomly selects other peers to forward the information to. More details can be found in this document
The worst-case scenario of an average person spying on their friends is quite unlikely. There are much more effective ways to get this kind of information.
How does PeerTube compare with YouTube?
YouTube's privacy threats are different from PeerTube's. In the case of YouTube, the platform collects a huge amount of your personal information (not just your IP) to analyze and track you. In addition, YouTube is owned by Google/Alphabet, a company that tracks you across many websites (via AdSense or Google Analytics).
What can I do to limit the exposure of my IP address?
Your IP address is public so every time you visit a website, there are a number of actors (in addition to the final website) that see your IP in their connection logs: ISP/routers/trackers/CDN and more. PeerTube is transparent about this: it warns you that if you want to keep your IP private, you must use a VPN or Tor Browser. It doesn't make sense to think that removing P2P from PeerTube will give you back your anonymity.
What is PeerTube doing to mitigate this privacy issue?
PeerTube wants to provide the best possible countermeasures:
- PeerTube sets a limit to the number of peers sent by the tracker
- PeerTube sets a limit on the request frequency received by the tracker
- PeerTube warns admins when it detects suspicious requests
- PeerTube admins can disable P2P from the administration interface
- Anonymous and registered users can disable P2P in their settings