DRM personal privacy threat
p2pnet.net News:- Jennifer Stoddart, Canada’s privacy commissioner, says she’s about to “become involved in the process to amend Canada’s copyright laws”.
Her statement came in response to a CIPPIC (Canadian Internet Policy and Public Interest Clinic) request to address privacy implications of proposed copyright legislation.
In it, Stoddart said she would “oppose legislation or legislative amendments that conferred unjustified privacy-invasive surveillance powers upon digital copyright holders,” going on:
“However, we have not as yet been consulted by either Heritage Canada or Industry Canada officials regarding the proposed legislation referred to in your letter. I have instructed my staff to initiate a dialogue with these departments to ensure that privacy risks are identified and addressed.”
The CIPPIC letter reads:
Re: Critical privacy issues regarding digital rights management (DRM) technology
We are writing to request that the Office of the Privacy Commissioner of Canada (“OPCC”) take prompt action regarding the privacy threats posed by DRM technology. Timely action on this issue is particularly important because the Canadian government may soon enact legal protection for DRM in the digital copyright context, without considering or addressing DRM’s severe privacy implications. The legal protection for DRM that the government is contemplating is likely to encourage and entrench the privacy-invasive practices that DRM enables.
In this letter, we describe the background context of our request, a basic description of the privacy threats posed by DRM and why it is incumbent on OPCC to take action.
Background
Like an electronic security guard who never takes a break, DRM is a form of permanent technological protection that protects copyright works. DRM systems are typically comprised of an array of technological components, including encryption tools, surveillance tools, databases of works, owners and individual users, and license management tools. Copyright industries are increasingly using DRM to control public access to and use of digital works. Beyond simple copy-control mechanisms, DRM is designed to automatically manage and enforce contractual terms in relation to copyright works and other types of information.
Heritage Canada and Industry Canada are currently drafting legislation that will provide legal protection for DRM. There are strong indications that these ministries will recommend that Canada prohibit the circumvention of DRM for the purpose of copyright infringement. The Standing Committee on Canadian Heritage specifically made such a recommendation in May of this year.
Based on the result of similar initiatives in other countries, particularly the United States, it is no secret that legal protection for DRM can be fraught with danger. The dangers inherent in DRM and laws that protect it include vesting excessive control in copyright industries over how the public can access and use works, denying fair use of copyright works, imposing unfair contract terms on consumers, enabling anti-competitive practices, stifling creation and innovation and reducing national security by chilling encryption and other scientific research. In addition to these important dangers, which CIPPIC is addressing in other forums, DRM poses a severe threat to personal privacy.
DRM poses an unprecedented threat to privacy
While DRM’s impact on privacy has not yet received the mainstream media attention that other impacts have received, it has probably become trite to assert that DRM implicates user privacy. The EU Copyright Directive, for example, recognizes that DRM can have an impact on privacy and provides that DRM should be designed in accordance with the EU Data Protection Directive. Even the DMCA in the United States permits circumvention of DRM for the protection of privacy.
In basic terms, DRM implicates privacy because its continuous information collection and surveillance functions can provide owners with highly detailed and previously unavailable information about the reading, listening and viewing habits of end users. Both the nature of this information and the level of its detail are unprecedented. Even Microsoft’s definition of DRM hints at this potential: “DRM is a set of technologies copyright owners can use to protect their copyrights and stay in closer contact with their customers”.
In addition to the nature and detail of the information collected by DRM, one of the most insidious aspects of DRM’s impact on privacy is the fact that DRM is collecting information while people are engaged in highly private activities in places where they would likely have no expectation that they are being watched – DRM collects information while users are reading, watching or listening to content, typically in the privacy of their homes or other private spaces. In this way, DRM interferes with and chills Canadians’ most private and personal intellectual freedom to access, explore and use copyright works, often privately and anonymously.
There are many real-world examples of DRM’s threat to privacy, including the following statement from a recent Berkeley study of DRM-enabled content delivery services:
The ways that information is collected and processed during use of the services examined is almost impenetrably complex. It is difficult to determine exactly what data a service collects, and merely discovering that separate monitoring entities sit behind the services requires a careful reading of the services’ privacy policies.
Although further study of DRM’s impact on privacy is required, especially as new systems are developed, there is a growing body of literature addressing its critical impact on privacy. The Information and Privacy Commissioner of Ontario has written on the issue, confirming DRM’s threats to privacy. Highly regarded privacy groups such as EPIC have also documented these threats, and EDRI (European Digital Rights Initiatives) is pursuing analysis under EU law and is making its case with the Article 29 Committee.
Responding to the privacy threats posed by DRM
The privacy threats posed by DRM clearly fit within the mandate of the OPCC and the provisions of PIPEDA. The kind of information processed by DRM is sensitive personal information. Crown action in this area, through legislation which authorizes the collection of this information in the privacy of one’s own home, and sanctions the lack of transparency to users, may well give rise to a Charter challenge.
It is difficult to reconcile the operation of DRM with PIPEDA’s requirements. Here are a few immediate questions, which leap to mind upon examination of the CSA principles:
1. Who is accountable, in the event the copyright control mechanism malfunctions? How does the individual get redress? Who controls the data once it is gathered by the mechanism, and how does the individual keep track of the dataflow?
2. The stated purposes of DRM are to protect copyright, but the information thereby collected will be ripe for data mining for other purposes. Such function creep will be difficult, if not impossible to detect. Further, because DRM is designed to implement and enforce copyright industries’ licenses, there is a real risk that privacy rights will be rewritten in the one-sided consent terms of these licenses.
3. The collection limitation principle has been egregiously violated, because there are other ways and means to enforce copy control. As a surreptitious and continuous surveillance system, DRM tends to maximize, not limit, the collection and use of sensitive personal information.
4. Under DRM, personal data is gathered on an assumption of the guilt of the holder. Attempts to circumscribe the further disclosure of the personal information of the individual may be countered by contravention of agreement or possible theft of property arguments. Have we let loose in society a set of robotic police that will spy on innocent individuals regardless of probable cause?
5. Safeguards: If the right and ability of users to reverse engineer products is not protected, independent software experts will be unable to assess the protection of information inherent in DRM. What privacy impact assessment has been done on the data gathering mechanisms which the tools employ? What audit has been done on the companies involved? What about transborder dataflow, a timely issue in today’s privacy discussions?
6. Openness: It has been hard for experts in the field to understand what is going on. At a minimum, better disclosure of the operations of the technology is required. There are particular issues with certain groups, such as children, the elderly, recent immigrants, etc.
7. Challenge: We anticipate your office and those of your colleagues in the data protection community will be swamped with complaints when the truth about the surveillance capacity of these technologies becomes better known. Far better to demand putting the brakes on now, and have a full public debate on the implications of the technology.
DRM’s privacy harms will be entrenched if Canada enacts legal protection for DRM without a full privacy impact assessment. You have the power to table a special report to Parliament; we would respectfully urge you to consider such an action. This is about nothing less than the right to read, write, and appreciate art anonymously. We have encouraged Canadian Heritage and Industry Canada to perform a full analysis of the costs and benefits of adopting an anti-circumvention law prior to proceeding further toward draft legislation. We have specifically stated that a full analysis should include the privacy implications of DRM and any proposed law. Despite our requests, these ministries are pushing ahead toward legislation, seemingly without considering or addressing any of the privacy implications of DRM.
If privacy is to be protected in this critical context, the privacy implications of DRM must be addressed prior to any possible anti-circumvention law being passed. Indeed, the passage of an anti-circumvention law in Canada is not a foregone conclusion. To the extent that the absence of such a law would help minimize incentives for a pervasive uptake of DRM, privacy would be better protected in Canada. There are a number of proposals for addressing privacy issues in DRM at a technical level and there might also be steps that could be taken at a policy level. It is incumbent on the OPCC to act in this matter as Canada’s policy on DRM takes shape.
Philippa Lawson Executive Director
Alex Cameron, Associate
Go here for a copy of Stoddart’s letter to CIPPIC.





December 8th, 2004 at 12:15 am
To protect DRM with legislation is to hand cartels a blank law book and turn the other way.
They use DRM to foist unfair and unintended “rules” upon people. DRM has destroyed the concept of fair use, and is now in the process of putting independent repair services and software innovators out of business.
It is also beginning to impinge on the right of people to tinker with their own machines to add capabilities to them, and is being wielded as a cudgel against anyone who dares to make tools by which people may perform these modifications.
Legal protection of DRM is digitally equivalent to requiring expensive government licenses to buy a wrench, nut, bolt, or saw.
December 12th, 2004 at 9:47 pm
Hi,
DRM is scary. Canadians are not aware of the impending privacy threat which will only deepen as companies begin to exploit this technology fully. Currently, the controls imposed on those of us purchasing legal music content are onerous enough, but the thought of DRM technology product companies (a la Microsoft) as well as the content companies spying on our usage patterns is really creepy.
I agree with the comments above and would add that the debate around DRM and intellectual property rights/digital rights/media rights in general, is a very legalistic one. More voices from the producers of creative work in any form that is available on the Internet (music, images, motion photography, ebooks, etc.) are critically important to balance the permission-based direction that digital culture is moving in. At present, the creative production of digital content, digital culture, is in the hands of a few powerful companies and their legal departments who then lobby governments for changes to legislation.
Rise up people! If you create content, let your voices be heard and speak out against repressive copyright regimes which will negatively restrict your creative output.
Sandra