DRM violates Canadian privacy law

from Boing Boing by Cory Doctorow

The University of Ottawa's Canadian Internet Policy and Public Interest Clinic has just released a huge, deep report on the privacy implications of various DRM systems. They examine 16 different systems in depth and conclude that DRM is a grave threat to personal privacy.

Our assessment of the compliance of these DRM applications with PIPEDA led to a number of general findings:

• Fundamental privacy-based criticisms of DRM are well-founded: we observed tracking of usage habits, surfing habits, and technical data.

• Privacy invasive behaviour emerged in surprising places. For example, we observed e-book software profiling individuals. We unexpectedly encountered DoubleClick - an online marketing firm - in a library digital audio book.

• Many organizations take the position that IP addresses do not constitute "personal information" under PIPEDA and therefore can be collected, used and disclosed at will. This interpretation is contrary to Privacy Commissioner findings. IP addresses are collected by a variety of DRM tools, including tracking technologies such as cookies and pixel tags (also known as web bugs, clear gifs, and web beacons).

• Companies using DRM to deliver content often do not adequately document in their privacy policies the DRM-related collection, use and disclosure of personal information. This is particularly so where the DRM originates with a third party supplier.

• Companies using DRM often fail to comply with basic requirements of PIPEDA.

PDF Link (via Michael Geist)

Read More...

Summary only...

Apple conceals buyer data in DRM-free iTunes tracks

May 31, 2007 (Computerworld) -- A security researcher warned iTunes customers today that Apple Inc. encodes the buyer's account name and e-mail address in the new DRM-free tracks that debuted yesterday.

The data added to noncopy protected files purchased on iTunes can be viewed after the track is played by pulling up its File Info dialog in Mac OS X, said "mordaxus," one of the regulars who writes on the security blog Emergent Chaos.

"They [Apple] aren't the only one to watermark the files," said mordaxus, who pointed out that eMusic does something similar.

All iTunes files include the name on the buyer's account and the associated e-mail address -- not just the new DRM-free tunes. But their inclusion on noncopy protected songs is significant, mordaxus said, because some people might be tempted to share bought music on a peer-to-peer (P2P) network.

"If you're going to put music files up a P2P network, you cannot be paranoid. They are out to get you," said mordaxus. "It would be folly to take any music you bought from any service and serve it up."

The Unofficial Apple Weblog posted a three-step set of instructions on how Mac OS X users can use Terminal to dig into an iTunes Plus file.

Apple did not returns calls asking why iTunes tracks, whether protected by DRM or not, contain buyer data.

Read More...

Summary only...