20070921

Study: Clandestine DRM communications may violate Canadian privacy law

By Nate Anderson

DRM is certainly unpopular, but does it also break the law? A new report from the Canadian Internet Policy and Public Interest Clinic (PDF) finds that many DRM technologies appear to violate Canadian privacy laws by gathering inappropriate personal information, including IP addresses.

CIPPIC is part of the University of Ottawa, and the study's authors set up a lab at the University to monitor DRM transmissions sent by programs like iTunes, Zudeo, Half-Life 2, and even Intuit's QuickTax. All applications were installed on a Windows XP machine, and all of its network traffic was routed through a Kubuntu box running the Ethereal packet sniffer (since renamed Wireshark) and the Squid proxy. From those captures and proxy logs the researchers worked out, as far as they could, what information each DRM scheme gathered and where it was sent.
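The proxy half of that setup yields a Squid access.log in which every outbound HTTP request (and the host of every HTTPS CONNECT tunnel) is recorded. The script below is an added example, not code from the CIPPIC report or the article, of the analysis step the paragraph describes: parse the log, reduce each destination to its registered domain, and flag every domain the vendor does not own as a third party. The log lines and host names are constructed for illustration (the vendor domain "example-vendor.com" is invented; the doubleclick.net, 2o7.net and akamai.net host patterns mirror the kinds of trackers and CDNs named in the study), and the registered-domain logic is a simplification that a real tool would replace with the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format access.log lines standing in for a capture of one
# DRM-protected application; the hosts are illustrative, not taken from the CIPPIC data.
# Native format: time elapsed client code/status bytes method URL ident peer/host type
SAMPLE_LOG = """\
1190390401.123    245 192.168.0.10 TCP_MISS/200 5123 GET http://www.example-vendor.com/license/check?id=42 - DIRECT/203.0.113.5 text/xml
1190390402.456     98 192.168.0.10 TCP_MISS/200 43 GET http://ad.doubleclick.net/activity;src=1234 - DIRECT/203.0.113.20 image/gif
1190390403.789     77 192.168.0.10 TCP_MISS/200 43 GET http://example-vendor.112.2o7.net/b/ss/vendor/1/H.1 - DIRECT/203.0.113.30 image/gif
1190390404.012    310 192.168.0.10 TCP_MISS/200 88213 GET http://a248.e.akamai.net/vendor/patch.bin - DIRECT/203.0.113.40 application/octet-stream
1190390405.345   1200 192.168.0.10 TCP_TUNNEL/200 4096 CONNECT drm.example-vendor.com:443 - DIRECT/203.0.113.6 -
1190390406.678     55 192.168.0.10 TCP_MISS/200 43 GET http://ad.doubleclick.net/pixel;id=5 - DIRECT/203.0.113.20 image/gif
this line is garbage and should be skipped
"""

# Tiny stand-in for the Public Suffix List; real analysis should use the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "on.ca"}


def parse_squid_line(line):
    """Return (method, url) from one Squid native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    method, url = fields[5], fields[6]
    if not method.isupper():          # HTTP methods are upper-case tokens
        return None
    return method, url


def host_of(method, url):
    """Destination host for a request; CONNECT lines carry 'host:port' instead of a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else None


def registered_domain(host):
    """Collapse a host to its registrable domain (simplified: last two labels,
    or three when the suffix is a known two-level one such as co.uk)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def summarize(log_text, first_party_domains):
    """Map each registered domain seen in the log to the hosts under it, the
    request count, and whether it lies outside the vendor's own domains."""
    first_party = {d.lower() for d in first_party_domains}
    report = defaultdict(lambda: {"hosts": set(), "requests": 0, "third_party": True})
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        host = host_of(*parsed)
        if host is None:
            continue
        domain = registered_domain(host)
        entry = report[domain]
        entry["hosts"].add(host)
        entry["requests"] += 1
        entry["third_party"] = domain not in first_party
    return dict(report)


def third_parties(log_text, first_party_domains):
    """Sorted list of registered domains contacted that the vendor does not own."""
    return sorted(d for d, e in summarize(log_text, first_party_domains).items()
                  if e["third_party"])


if __name__ == "__main__":
    # The vendor's own domains would be taken from its privacy policy or EULA.
    report = summarize(SAMPLE_LOG, {"example-vendor.com"})
    for domain, entry in sorted(report.items()):
        tag = "THIRD PARTY" if entry["third_party"] else "first party"
        print(f"{domain:25} {entry['requests']:3} req  {tag:12} {sorted(entry['hosts'])}")
```

A proxy log only shows traffic from proxy-aware clients over HTTP and HTTPS; software that hard-codes its own sockets or uses UDP never appears in it, which is why the study paired Squid with a packet sniffer. The same host extraction and domain classification applies to hosts pulled from DNS queries or HTTP Host headers in a capture file.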

Every DRM scheme that was "net-dependent" (i.e., relies on the presence of an Internet connection to keep the license current) turned out to send data to third parties like Akamai, Omniture, and DoubleClick. The researchers note that "it is possible that some of these communications amount to outsourced functionality, others appeared to involve third-party services." Privacy policies for the products in question generally failed to disclose these third-party transmissions, and no organization except Microsoft and the Ottawa Public Library would even identify the third parties to whom it had disclosed personal information.

Attempts to have vendors answer questions about the software were generally met with total silence; half of the organizations surveyed didn't even bother to respond to questions.

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), consumers have broad rights over the collection and storage of personal information, including the right to see what information a company has compiled on them. Not one company offered up this information when the researchers requested it under PIPEDA's access provisions.

Many of the DRM schemes that CIPPIC examined also appeared to violate PIPEDA by failing to treat IP addresses as personal information and by engaging in "open-ended and indiscriminate collection, use and disclosure of personal information."

This sort of behavior showed up in applications that one might not expect; downloading and playing an audio book offered by the Ottawa Public Library turned out to send information to DoubleClick, for instance.

The report's conclusion is that "fundamental privacy-based criticisms of DRM are well-founded: we observed tracking of usage habits, surfing habits, and technical data." So if loathing DRM for its restrictions wasn't enough, you can now add "loathing DRM for its privacy problems" to your list of reasons to go DRM-free.