Digital Rights Management Technologies and Consumer Privacy: A Canadian Market Survey and Privacy Impact Assessment

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.


Canadian Internet Policy and Public Interest Clinic




Digital Rights Management (DRM), as defined in this study, is “a system comprising technological tools and a usage policy, which is designed to securely manage access to and use of digital information”. This study observes the behaviour of a number of DRM technologies with a view to assessing the impact of these technologies on consumers’ privacy, and assessing the DRM distributors’ compliance with PIPEDA.

The researchers divide the DRM technologies analyzed in this study into two categories: autonomous DRM and net-dependent DRM. Autonomous DRM requires no outside interaction for the DRM system to operate (for example, software that requires a CD-key to become useable or that deactivates after a certain number of uses). Net-dependent DRM, in contrast, involves Internet authentication or Internet surveillance of uses, such as web-enabled software validation or online music subscription services that deploy digital licenses to access locked content. All net-dependent DRM communicates with external computers.

The researchers consider how DRM is changing the ways individuals interact with digital content by tracking and controlling individuals’ access to and use of copyrighted works, and how it is eroding privacy rights in the process. The study assesses the use of DRM in the Canadian marketplace and how PIPEDA may apply to DRM. It also examines the chilling effect that DRM, as a form of surveillance, may have on individuals’ access to controversial or unconventional information and on the legal right to speak anonymously or receive information anonymously, which is instrumental in exercising an effective right of freedom of expression.

Based on a survey of the Canadian marketplace, the researchers undertook a technical assessment of 18 selected DRM applications from different market sectors between January and March 2007. These included Apple iTunes Music Store and iTunes Video Store, Azureus Zudeo, eReader (The Da Vinci Code), InterActual (Disney’s Pirates of the Caribbean), Intuit QuickTax, Microsoft Office Video, Napster, Symantec Norton SystemWorks 2006 and Telus Mobility Spark.

The assessments were carried out using a controlled test-bed setup consisting of a testing computer and gateway computer configured to emulate a typical user environment. University of Ottawa law students and CIPPIC counsel, acting as ordinary users, carried out the testing.

The report contains a detailed research analysis of each DRM application. It also contains a detailed assessment, against the requirements of PIPEDA, of 12 net-dependent DRM technologies that the researchers observed automatically communicating information through DRM. This assessment considered privacy policies, related documentation and organizational responses to access requests. The researchers considered that none of these organizations were compliant with CSA privacy principles.

The research also discovered that several third parties, particularly Akamai Technologies, Omniture and Doubleclick, were frequently involved in the DRM applications tested. These third parties collect considerable user information, including IP addresses, browser type, operating system, ISP, bandwidth and time of day. In the case of at least two of these companies, the researchers state that they were never informed of the companies’ existence or of their role in the DRM system. At least one organization failed to properly secure personal information and communicated the user’s username, password and email over the Internet without encryption.

This document is available in the following language(s):

English only

OPC Funded Project

This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.

Contact Information

CIPPIC, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic
University of Ottawa, Faculty of Law - Common Law Section
57 Louis Pasteur St.
Ottawa, Ontario, K1N 6N5

Tel: 613-562-5800 x2553
Fax: 613-562-5417
