I am setting up my first jellyfin server via docker, and I am offered the option to either use TMDB or OMDB. I have jellyfin on a LAN-connected device w/o VPN connection, and I am concerned queries to those DBs with file names of torrented files can get tracked and reported to my ISP. Could that be the case? And if so what to do about it? Are there more privacy-preserving metadata services than others?
I’m currently using the default metadata downloaders including some made for Anime and I never had any problem with them. Maybe consider that most network traffic with these sites is encrypted. As long as you are not using the default DNS servers provided by your ISP and using DNS over TLS or HTTPS the ISP does not have a high chance of knowing what you are sending to these API’s
Firstly connections to those API should be encrypted, so parameters such as the filename shouldn’t be visible by a MitM. Also, as someone else pointed, you could rename the file beforehand to something neutral.
Another alternative is run Jellyfin and all of your *arr apps as docker containers and run them through a docker container called gluetun. Essentially this will route all incoming traffic (tvdb, torrents, etc) through a vpn and all outgoing (sonarr, Jellyfin, etc web gui) can be accessed locally.
I didn’t know about this, this sounds great! My question then is, can I still access jellyfin on LAN after it connects to the internet via the VPN?
Yes. You have to mount a port on the Gluetun container instead of the jellyfin container. As an extreme example, here is my docker-compose for my *arr apps and qbit torrent behind gluetun with traefik as a reverse proxy. I have sanitized this to remove any private info, and as such one or two necessar lines from Gluetun are missing. Do not try to copy/paste this.
gluetun: image: qmcgaw/gluetun container_name: gluetun
I have been renaming files with filebot and then scraping the nfos, images, and posters with MediaElch for years and never had a problem.
Based on a quick glance of the API documentation it looks like TMDM/OMDB doesn’t receive your filenames, they use unique IDs assigned to their shows and potentially searches based on titles/episode numbers that Jellyfin is already aware of.
Even if Jellyfin used the filename to search OMDB/TMDB, the headers, body, and the path of the URL (api.themoviedb.org/<path>) are all encrypted by the TLS connection so would not be visible to your ISP.First, change your DNS servers to something like Quad 9 so your ISP can’t track you that way. Then maybe consider switching to usenet, which is more secure in that you’re downloading from a server (or servers) over an encrypted connection instead of via torrent, where you’re both uploading (distributing) and downloading, and your IP address is available to anyone else downloading.
With usenet, all copyright-holders can really do is issue a takedown request to the indexer or host, neither of which is you.
His problem isn’t the part where he downloads parts. Jellyfin queries 3rd party metadata providers, such as TMDB. What he’s concerned with is JF sending the filename to TMDB and getting spied on by the ISP.
I know. But it’s not illegal to look up stuff from TMDB. It only becomes a problem if the copyright holder already has your IP address, knows what you’ve downloaded, and also subpoenas a list of addresses you’ve visited, which could provide them with additional evidence that you did in fact download their IP in a court case against you.
“See, Judge? He downloaded Shrek 12: The Enshrekening AND he also downloaded movie posters and a plot synopsis from TMDB for this same movie, which proves that he was in possession of our property.”
If they don’t already have evidence that you’ve “stolen” from them, a TMDB query won’t be evidence of anything useful.
It’s pretty easy to get flagged for illegal downloads with torrents, but almost impossible to do the same with usenet downloads.
How does the usenet work exactly?