DRM ‘violates Canadian privacy laws’
p2pnet news | DRM:- DRM (Digital Restrictions Management) consumer control applications are violating Canadian privacy laws, says a damning new report.
The federal government wisely decided to backtrack on a lawful access study after Ottawa law professor Dr Michael Geist recently revealed a “hand-picked, secret group” was involved in a “semi-public consultation on one element of lawful access” being studied by Public Safety Canada and Industry Canada.
Now, “DRM is being used to collect, use and disclose consumers’ personal information, often for secondary purposes, without adequate notice to the consumer, and without giving the consumer an opportunity to opt-out of unnecessary collection, use or disclosure of their personal information, as required under Canadian privacy law,” says the Canadian Internet Policy and Public Interest Clinic (CIPPIC).
Consumer groups for a long time now have warned of DRM’s potential to undermine consumer privacy, says CIPPIC executive director Philippa Lawson, going on, “This investigation substantiates those concerns: we observed undisclosed tracking of usage and surfing habits, and unexplained communications with third parties including marketing companies.”
And, “We found non-compliance with even basic requirements of PIPEDA, Canada’s federal private sector privacy law,” states David Fewer, CIPPIC staff counsel and the study’s lead investigator.
Read the full report below >>>
DIGITAL RIGHTS MANAGEMENT AND CONSUMER PRIVACY
An Assessment of DRM Applications Under Canadian Privacy Law – September, 2007
This Report provides the results of our study of digital rights management (DRM) technologies in use in the Canadian marketplace and their implications for consumer privacy. We have defined “DRM” in this Report to mean “a system, comprising technological tools and a usage policy that is designed to securely manage access to and use of digital information.” We investigated the DRM technologies used in connection with the following products or services in Canada:
- Apple, iTunes Music Store
- Apple, iTunes Video Store
- Azureus, Zudeo
- eReader, The Da Vinci Code
- Disney/InterActual, Pirates of the Caribbean (DVD)
- Intuit, QuickTax
- Microsoft, Office Visio
- Napster
- Ottawa Public Library, OverDrive digital audio book
- Universal Studios, Ray (DVD)
- Sony BMG, Our Lady Peace, Healthy in Paranoid Times
- Symantec, Norton SystemWorks 2006
- Telus Mobility, Spark
- Ubisoft, Prince of Persia: The Two Thrones
- Valve, Half-Life 2
- Warner Music Group, Nickelback, All the Right Reasons
Using the data collected during our investigations, we assessed whether each application in question complied with the Personal Information Protection and Electronic Documents Act (PIPEDA).
Findings
Our assessment of the compliance of these DRM applications with PIPEDA led to a number of general findings:
- Fundamental privacy-based criticisms of DRM are well-founded: we observed tracking of usage habits, surfing habits, and technical data.
- Privacy invasive behaviour emerged in surprising places. For example, we observed e-book software profiling individuals. We unexpectedly encountered DoubleClick – an online marketing firm – in a library digital audio book.
- Many organizations take the position that IP addresses do not constitute “personal information” under PIPEDA and therefore can be collected, used and disclosed at will. This interpretation is contrary to Privacy Commissioner findings. IP addresses are collected by a variety of DRM tools, including tracking technologies such as cookies and pixel tags (also known as web bugs, clear gifs, and web beacons).
- Companies using DRM to deliver content often do not adequately document in their privacy policies the DRM-related collection, use and disclosure of personal information. This is particularly so where the DRM originates with a third party supplier.
- Companies using DRM often fail to comply with basic requirements of PIPEDA.
Technical Investigation
Our investigation provided us with the factual basis for our privacy assessments:
Our investigation led us to distinguish “autonomous DRM” from “net-dependent DRM”:
- Autonomous DRM refers to DRM that needs no outside interaction to fulfill its purpose. Software that requires a CD-Key before becoming useable, DVDs that will only work with DVD players in certain regions and software that deactivates after a given number of uses are all examples of autonomous DRM.
- Net-dependent DRM refers to a growing trend in DRM schemes that involves either internet authentication, internet surveillance of uses and/or the tying of content to an online platform. Online music subscription services that deploy digital licenses to allow the use of locked content, web-enabled software validation and the tying of content to an online platform are all examples of net-dependent DRM.
The results of our investigations demonstrated that many, but not all, autonomous DRMs connect to and communicate with external computers during the course of the operation of the DRM. Conversely, all of the net-dependent DRM systems that we investigated communicate with external computers.
• Six of the products that we investigated used autonomous DRM. Four of these showed no communications. Since autonomous DRM does not appear to need to communicate to fulfill rights management purposes, it is natural to ask questions regarding those that do engage in external communications. Our investigations revealed that these communications appeared in most cases to be linked to advertising and web metrics.
• All of the online products and services with net-dependent DRM that we investigated disclosed communications to third parties such as Akamai Technologies and DoubleClick. Our research informs us that these businesses partner with e-businesses to, among other things, process information, deliver content, offer web analytics services or deliver advertising. We were unable to identify the type of information we observed being disclosed to third parties.
• Some of the net-dependent products that we investigated involved products purchased from bricks-and-mortar stores. With regard to these products, we observed DRM deployed in some cases to limit the number of uses or limit functionality. Others simply impaired functionality until authenticated via the internet or sometimes by telephone.
PIPEDA Assessments
Our privacy assessments of the DRM publishers and distributors engaged in third party communications disclosed a wide range of practices and varying degrees of compliance with PIPEDA:
Inappropriate purposes
• A number of organizations used DRM to collect, use and disclose personal information for inappropriate purposes (e.g., Napster indiscriminately monitors its customers’ communications to “check for …abusive language”).
Excessive collection, use and disclosure of personal data
• Several organizations engaged in open-ended and indiscriminate collection, use and disclosure of personal information.
Inadequate notice
• Some organizations did not adequately specify the types of personal information they collected, the uses to which it was put and the entities to whom it was disclosed.
• Vague wording was a common problem across the privacy policies, as were privacy provisions that were spread across multiple documents for the same organization.
• We identified poorly disclosed or undisclosed tracking behaviour – both in our technical investigations and disclosed in privacy policies – and unexpected use of personal information.
• We identified undisclosed communications to third parties.
• We noted contradictions between observed behaviour and statements in the governing privacy policy.
• We encountered particular problems in the area of “technical information” – personal information of a technical nature, such as IP addresses – collected, used or disclosed through DRM, much of which was observed during the technical investigations. Sometimes neither the collection nor the purposes for it were disclosed.
• In several cases, although the organization acknowledged that it automatically collects “technical information” about users, most stated that this information (which almost always includes IP addresses) was not “personal information.” Differing views on what does and does not constitute “personal information” is one of the most significant areas of potential divide between the DRM practices observed and the requirements of PIPEDA. This represents one of the most challenging privacy issues in relation to DRM because PIPEDA is only triggered when “personal information” is at issue.
No opt-out of unnecessary collection, use or disclosure
• Where organizations engage in DRM-enabled privacy invasive behaviours, they generally do not offer consumers the ability to opt-out of the unnecessary collection, use and/or disclosure of personal information.
Failure to appreciate reach of privacy law
• We noted consistent difficulty in addressing the privacy implications of DRM technology. Only one organization properly identified IP addresses as the personal information of users, and so subject to PIPEDA.
Failure to respond to Access to Information requests
• Almost half of the assessed organizations failed to even acknowledge our inquiry, much less respond substantively.
• None of the organizations we tested provided us with our personal information held by them.
• Only two organizations – Microsoft and the Ottawa Public Library – complied with requests to identify specific third parties to whom they had disclosed personal information.
• Only one firm gave a direct answer to the simple question, “Do you consider an IP address to be ‘personal information’?”
We identified a number of third party communications during our technical investigations that were not easily explained by the organizations’ privacy policies.
These communications occurred at a variety of points, including in some cases while enjoying content. Some of these communications resolved to IP addresses belonging to known third parties such as Verisign, Akamai, Omniture and DoubleClick. We understand that some of these third parties collect personal information such as IP addresses in performing their services. We did not find that the organizations’ privacy policies adequately explained these third party communications.
In addition, we did not find that any organization referred to Akamai or Omniture in the privacy policy and related documents that we reviewed. While it is possible that some of these communications amount to outsourced functionality, others appeared to involve third party services. Responses to specific inquiries about these communications were generally unsatisfactory – only Microsoft and the Ottawa Public Library identified some of these organizations when presented with proof of the communications and a specific request to identify the third party. We know very little about these third-party communications; they raise important questions.
Definitely stay tuned.
Also See:
wisely decided to backtrack – Canada privacy scandal averted, September 14, 2007

September 18th, 2007 at 9:20 pm
I’ve sort of expected this and wondered either when the major labels would think of something like this or when it would be reported that they were doing such. I mean look at Sony and think a minute about it while I give you another example that led me to this conclusion when the Sony Rootkit came out.
There was a big deal over paying for tickets and live concerts where the singers weren’t actually singing. They were spending all their energy in dancing for the show and no one seemed to remember that the thing the fans came for was to hear the music. The dance routine was secondary. Yet another occurred in a TV broadcast live where the wrong music was played and the group wasn’t playing to the tune and the singer wasn’t mouthing the right words. (I think that was Ashley?)
When it came down to the reasons, no one on the technical staff understood why it was such a big deal. They had done it so long in the studio that it was considered standard practice. None of the technical staff had a clue why anyone was upset to find out that the singers and the group weren’t actually performing live but rather acting live.
Well, this may be what you consider circular logic in a way but Sony had the same troubles as to why anyone would have a problem with their rootkit. They had taken the next standard practice step in their path. Done so long on the other stuff that they could not “get it”.
I’ve gotten to where I sort of expect this sort of behavior from corporations and freebies. Because of that, you won’t catch me on a social site. I’m sure it’s a lot of fun but I resent the spying that goes on and the datamining for sites and for programs.
If and when I use something like this it’s on a computer that will not connect to the net. It won’t be calling home, it won’t be datamining and sending back results, and it won’t be getting on the net for some trojan or bot net. It seems to be the only solution. I surf with an econo box that is a cheap machine while my better box never sees the net.
September 20th, 2007 at 5:37 am
AMAZING, ISN’T IT?
While the source of income of the drug lords and other racketeers are “protected” because of “right to privacy issues”, music companies can collect all kinds of information, even when there is no justification or reason, such as when a personal computer Internet use is investigated to see if you share or download certain types (today music, tomorrow, who knows what type) of files.
September 20th, 2007 at 5:56 am
If you eat the sh*t, and agree to pay money, why someone have to improve their products? Just stop buying DRMed crap. Problem will disappear then.
P.S. it is strange to see but democracy miserably fails. Those with lots of moneys are allowed to invade into the privacy, perform racket-like actions, bribe (argh, they calling this giving gifts), spying, …
Actually some of these things are serious crime so it is often DRM creators or RIAA-like media gangsters who is REALLY should get jailed. However looks like law works in simple way: “These who pays lots of moneys to right persons are legal no matter whatever they doing. They can’t be illegal.” So these semi-criminal companies are going on.
September 20th, 2007 at 6:16 am
As for me, it looks like copyright laws are rather being ABUSED these days to perform racket-like actions, keep illegal sound-recording monopolies alive, etc.
Sound recording companies are dinosaurs of pre-digital era and should die by horrible death. However they’re inventing crippled stuff like DRM, invading to the privacy and trying to slow down the progress instead. Effectively harming everyone. Why somebody have to pay for zero-cost duplication many years again and again? Yes, 20 years ago it was a problem to record CD-ROM on my own and sound recording monsters were reasonable. Now everyone can record CDs on his own. So what they’re doing? Performing racket-like actions to continue old-style business which is not needed today? Great, yep. We do need bunch of racketeers and technology saboteurs for sure, otherwise life is too boring! Great methods! Racket instead of honest competition. Sounds cool, yep? :)
Why they’re allowed to brutally break into private life? If I bought something it is up to me on which device to watch\listen it. Directing me “you can not use this on device X because we decided so” is breaking into my private life! :E. Argh, I can pirate then, you say? I’ll reply: innocent unless proven guilty. That’s how law works. So DRM is really semi-illegal itself.
September 28th, 2007 at 6:06 am
In reviewing your source, we find that you are tracking from wordpress.com
and they are tracking from google
_uacct = "UA-98756-11";
Boy is this the kettle calling the pot black? Guess p2pnet.net may want to block all traffic from Canada, as they may be breaking a law.