CIPPIC Studies Privacy Implications of DRM

Drew Wilson | September 25, 2007

The Canadian Internet Policy & Public Interest Clinic (CIPPIC) released the results of a study on DRM’s (Digital Rights Management) impact on Canadian law.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

The study looks at various well-known DRM methods, which are supposed to prevent unauthorized copying. Many privacy advocates have long suspected that DRM does more than just prevent unauthorized copying. They suspect that the DRM might also be “phoning home” in some instances, thus violating Canadian privacy laws.

While it was a generally held belief that DRM violated Canadian privacy laws, it wasn’t until Sony launched the infamous rootkit and MediaMax encoded albums (which were generally considered to be illegal in Canada) that such a conviction went from a niche belief to the mainstream.

The study comes at an interesting time. Canadian privacy has been an issue of debate, with the privacy commissioner asking tough questions about Google’s “Street View” project possibly coming to Canada. Another, more controversial privacy issue was the recent push to implement something known as “lawful access”, which would, as many suggest, put in place warrantless wiretapping, a practice that has been the subject of hot and bitter debate in the United States.

The report states, “Of the 20 organizations deploying DRM technologies we reviewed, only 12 were found to have engaged in internet communications. […] A number of organizations used DRM to collect, use and disclose personal information for inappropriate purposes (e.g., Napster indiscriminately monitors its customers’ communications to ‘check for …abusive language’).”

Among other findings, the study revealed that there was inadequate notice of what the organizations were doing with the DRM that “phoned home.” In some cases, there were contradictions between what the EULA claims and what the program actually did. In turn, the study also found that some DRM implementations offered no ‘opt-out’ feature for the collection of personal information such as an IP address.

The study also noted, “We noted consistent difficulty in addressing the privacy implications of DRM technology. Only one organization properly identified IP addresses as the personal information of users, and so subject to PIPEDA.”

When the companies implemented the DRM, none of the organizations would hand over the personal information being held by them. Only one firm even answered the question, “Do you consider an IP address to be ‘personal information’?” Two firms out of the 20 tested (Microsoft and the Ottawa Public Library) complied with requests to identify the third parties the information was being disclosed to. Only half of the firms responded to inquiries about their products.

The 67-page study concludes, “As DRM technologies evolve, and as our collective appreciation for DRM’s challenges to privacy matures, we hope that policy-makers, market participants and technologists will respond to these challenges with policies and tools that are more respectful of privacy. We already see this dynamic operating in the marketplace. However, our study’s results suggest that there remains room for progress.”

Drew Wilson on Twitter: @icecube85 and Google+.