Digital rights management (DRM) technology used in MP3s, DVDs, and most consumer software may be violating Canadian privacy laws, according to a new report.
DRM is an access control tool used by publishers or copyright holders and is designed to securely manage access and use of digital information or devices. Its primary purpose is to combat piracy and protect against copyright infringement.
The study, published by the University of Ottawa's Canadian Internet Policy and Public Interest Clinic (CIPPIC), indicated that DRM is being used to collect, use and disclose consumers' personal information for secondary purposes, without giving the user adequate notice or the opportunity to opt-out of collection.
The report investigated DRM systems used in 16 different digital products and services including Apple's iTunes Music Store, Microsoft's Office Visio, and Symantec's North SystemWorks 2006.
"The privacy concerns with DRM are substantiated by what we saw," David Fewer, staff counsel with CIPPIC and the study's lead investigator, said. "In the Canadian marketplace we've found that there is simply widespread noncompliance of PIPEDA (Personal Information Protection and Electronic Documents Act)." CIPPIC found it particularly troubling that companies using DRM to deliver products and content failed to document in their privacy policies the DRM-related collection of personal information.
"If there's personal information collection use or disclosure going on, there has to be consent and the form of consent has to be appropriate to the circumstances," Fewer said.
"We agree that in many cases consent doesn't have to come in the form of expressed consent. But, in other circumstances, particularly where it was unexpected or whether what was being collected was related to core biographical data, we would have thought you would need to see expressed consent."
Fewer said the biggest concern stemming from this lack of disclosure came from the amount of third-party companies and marketers found linked with the DRM systems.
"This was a shock to use because we would have thought that a public library which really values patron privacy would be incredibly careful of the third-party technologies that they're using and make sure that your personal information is being dealt with appropriately," Fewer said. "When you go to the library, if any of your information is going to be sent to an advertiser, you should be aware because it's just so unexpected."
Another issue cited by Fewer concerned the disclosure of DRM-collected personal information from users of Intuit's QuickTax software.
"It wasn't the use of QuickTax itself that triggered the concern, but rather the use of Intuit's online filing service where we found buried in one of the disclosures the notice that, as an international corporation, Intuit would send information across the border," Fewer said.
"Now if you're Canadian and are concerned about your financial data going to the U.S. where it might be vulnerable to the Patriot Act, you may want to know that kind of information up front," he added.