CIPPIC study says DRM violates Canadian privacy law

Digital rights management (DRM) technology used in MP3s, DVDs, and most consumer software may be violating Canadian privacy laws, according to a new report.

DRM is an access control tool used by publishers or copyright holders and is designed to securely manage access and use of digital information or devices. Its primary purpose is to combat piracy and protect against copyright infringement.

The study, published by the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC), indicated that DRM is being used to collect, use and disclose consumers’ personal information for secondary purposes, without giving the user adequate notice or the opportunity to opt-out of collection.

The report investigated DRM systems used in 16 different digital products and services including Apple’s iTunes Music Store, Microsoft’s Office Visio, and Symantec’s Norton SystemWorks 2006.

“The privacy concerns with DRM are substantiated by what we saw,” David Fewer, staff counsel with CIPPIC and the study’s lead investigator, said. “In the Canadian marketplace we’ve found that there is simply widespread non-compliance of PIPEDA (Personal Information Protection and Electronic Documents Act).” CIPPIC found it particularly troubling that companies using DRM to deliver products and content failed to document in their privacy policies the DRM-related collection of personal information.

“If there’s personal information collection use or disclosure going on, there has to be consent and the form of consent has to be appropriate to the circumstances,” Fewer said.

“We agree that in many cases consent doesn’t have to come in the form of expressed consent. But, in other circumstances, particularly where it was unexpected or whether what was being collected was related to core biographical data, we would have thought you would need to see expressed consent.”

Fewer said the biggest concern stemming from this lack of disclosure came from the amount of third-party companies and marketers found linked with the DRM systems.

The most surprising example for him involved the online marketing firm DoubleClick, which showed up in a digital audio book at the Ottawa Public Library. CIPPIC said the library’s privacy policy did not adequately explain this third-party communication.

“This was a shock to use because we would have thought that a public library which really values patron privacy would be incredibly careful of the third-party technologies that they’re using and make sure that your personal information is being dealt with appropriately,” Fewer said. “When you go to the library, if any of your information is going to be sent to an advertiser, you should be aware because it’s just so unexpected.”

Another issue cited by Fewer concerned the disclosure of DRM-collected personal information from users of Intuit’s QuickTax software.

“It wasn’t the use of QuickTax itself that triggered the concern, but rather the use of Intuit’s online filing service where we found buried in one of the disclosures the notice that, as an international corporation, Intuit would send information across the border,” Fewer said.

“Now if you’re Canadian and are concerned about your financial data going to the U.S. where it might be vulnerable to the Patriot Act, you may want to know that kind of information up front,” he added.

But according to Christopher Levy, CEO of DRM solutions provider BuyDRM, the study presents a flawed view of DRM technology.

“The focus of the DRM system is to encrypt a piece of media, manage the licence key, profile to that licence, and deliver it – that’s it,” Levy said. “It’s unfortunate that consumers have been misled by a lot of vocal critics because the truth is DRM is no more evil than the lock and key that’s on your door, the alarm on your car, or the authentication system in your cell phone.”

In regards to the study’s third-party communications, Levy said that based on his experiences, he’s never heard of a case where a user’s privacy has been compromised from purchasing digital content.

“I was shuddering as I was reading this report because I’m not aware of any company that sells digital media that sells their data to third parties,” Levy said. “If you look at iTunes who’ve sold a couple of billion tracks, I don’t think anyone’s ever complained that somebody contacted them offering a promotion that they weren’t opted in on. It’s not in the best interest of companies selling this digital media to sell their data to third parties, because it’s really all about the customer and you don’t want an outside party to have access to that.”

Another major concern from the study dealt with the collection of IP addresses by DRM tools, including tracking technologies such as cookies and pixel tags.

CIPPIC said many organizations take the stance that IP addresses do not constitute “personal information” under Canadian privacy laws and can therefore be freely collected, used and disclosed.

However, a number of Canadian courts, as well as the privacy commissioner, have released decisions that interpret IP addresses as personal information, Fewer said.

“The truth of the matter is that IP addresses are being used to link back to identifiable individuals and they should be treated as private information,” Fewer said. “And this should make sense to a lot of these organizations. Sony BMG, who have said that IP addresses are not personal information, are suing people in the file sharing lawsuits on the basis of IP addresses and linking them to activities. They are actually asking the court to disclose people’s identities based on the IP address.”

From Levy’s perspective, however, this debate is not related to DRM at all. He said that everybody uses common Web code and scripting to collect data about users and that is not at the heart of what DRM is about.

“DRM systems themselves do not invade privacy, as all it really does is encrypt a piece of media and issue a licence for it,” Levy said. “Of course, there are other processes around that which are kind of linked to the DRM system that involve collecting data, but those systems have been in place on the Web for awhile and for some reason their remote attachment to DRM is what everybody is sensitive about.”

While this issue is still being debated in many countries, Levy weighed in saying that unlike telephone numbers, which users can take around with them, IP addresses are not owned by the user. He said that users are buying access to an Internet connection. He also said that because IP addresses can be spoofed and faked, equating them to individuals can be quite difficult.