Study Says DRM Violates Canadian Privacy Laws

inkslinger77 writes "DRM technology used in consumer media may be violating Canadian privacy laws, according to a new report. The study, done by University of Ottawa's Canadian Internet Policy and Public Interest Clinic, found that a number of services like iTunes, Visio, and Symantec's North SystemWorks require too much personal information in order to verify their users. 'Another issue cited by [study lead investigator David Fewer] concerned the disclosure of DRM-collected personal information from users of Intuit's QuickTax software."It wasn't the use of QuickTax itself that triggered the concern, but rather the use of Intuit's online filing service where we found buried in one of the disclosures the notice that, as an international corporation, Intuit would send information across the border," Fewer said.'"

Sounds like Canada better fix its laws quickly.

[Sheetrock]

Because we all know DRM isn't going anywhere. Sadly.

Re:

[ackthpt]

Because we all know DRM isn't going anywhere. Sadly.

Sure it is, it's going and telling everyone about us, what we like to listen to, how often, that sort of thing so the music and entertainment business can figure out what we like (apparently a lot of utter shite) and they can manufacture more of it. As for software, it's a grand opportunity to pass along our personal information to companies who, through negligence, make it available to crackers.

At every opportunity I deny access to outside sites whene

The law isn't what needs fixing.

[WebCowboy]

Just because DRM isn't going anywhere doesn't mean the law should yield to it. DRM schemes are largely broken on many levels (technologically, legally, etc). That's not saying that DRM is unfixable (though I think the idea itself id flawed), but the correct thing to do is fix the technology, not the law.

Privacy laws, in Canada at least, apply to a much broader scope than digital media, and as such they shouldn't be tailored to it. Furthermore, privacy laws are most likely tied to constitutional rights (c

Could this apply in the European Community too?

[MichaelCrawford]

The EC has quite stringent privacy laws, particularly regarding storage of personal info in databases, and has a record of filing anti-corporate lawsuits.

Re:

[Wowsers]

These "tough" privacy laws you speak of only apply when it suits the EU.

Re:

[Simian Road]

Someone has modded this funny but I don't know why.

A better way to put it would be that the laws only apply when it suits the EU member states. If they don't want to enforce an EU regulation, they don't.

Norman, coordinate...

[$RANDOMLUSER]

DRM violates Canadian privacy laws...
But Canada is the source of all piracy...
But DRM violates Canadian privacy laws...
But Canada is the source of all piracy...
dweeeeeeeeeeee

Re:

[Tribbin]

DRM voilates canadian privacy laws [implies] Canada is the source of all piracy

You know that high profile warez sites seek for countries with laws to their likings.

Nice thought, but...

[allcar]

Who's going to pay to find out if this is true. Just because an academic study says it might be the case, proves nothing. A costly law suit will be needed to do that. Any volunteers?

Re:

[erbmjw]

IANAL but I believe that "noncompliance of PIPEDA (Personal Information Protection and Electronic Documents Act)" does not require a volunteer to take the infringing companies to court.
I believe that the Canadian government ( The Canadian privacy commissioner } can undertake an investigation and {where required} apply significant pressure on the infringing companies.

Re:

[Em Adespoton]

We're talking about Canada, not the US... in Canada things are not decided by suing people, they're decided by people sitting down and discussing the issue until a solution is found... and then debating it for years before putting it into law. Since the PIPEDA already exists, this study will be enough of a deterrent for most individuals and companies -- except maybe some US companies who think they're above the law and can do what they want. At which point, the Canadian Government steps in and sues them o

Re:Nice thought, but...

[technicalandsocial]

This was not just an academic study, this was funded by the federal privacy commissioner [privcom.gc.ca], and CIPPIC [cippic.ca] is a group of lawyers who submitted their findings to the commissioner. The PIPEDA violations will now be investigated by the privacy commissioner.
I'm not sure why, but the original submitted left out the link to the actual report [cippic.ca].

Re:

[allcar]

I know it's not the /. way, but I stand corrected. Clearly my knowledge of the Canadian legal system is somewhat lacking.

Surely...

[OriginalArlen]

...these are just implementation details, rather than matters of principle.

Yes, It's Unfortunate

[Nymz]

"It's unfortunate that consumers have been misled by a lot of vocal critics because the truth is DRM is no more evil than the lock and key that's on your door, the alarm on your car, or the authentication system in your cell phone." - Christopher Levy, CEO of DRM solutions provider BuyDRM

Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

Re:

[Anonymous Coward]

Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

Unless you have On*Star or similar [engadget.com].

Re:

[Simply Curious]

Methinks he says it's his car/door/cell phone and he therefore can lock it.

*sarcasm*Ah, the joys of an unregulated market.*sarcasm*

Re:

[Wowsers]

Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

No spying yet, but this is the reason the European Union want their own version of GPS.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004L0052R(01):EN:HTML [europa.eu]

Re:Yes, It's Unfortunate

[Kazoo the Clown]

DRM is like a lock on your door that someone ELSE owns the key to.

Re:

[DDLKermit007]

That would be called the dealership who sold you the car. They keep on file what keys go to whos cars. Now the crux is what happens when you want to change the locks on your music?

Re:

[Propaganda13]

Yes, yes, yes, but you've only bought a license to use the door. You don't actually own the door.

Owning the house but not the door

[Geof]

Right. In Philip K. Dick's Ubik, the main character is denied access to the apartment he owns until he pays the door:

The door refused to open. It said, "Five cents, please."

He searched his pockets. No more coins; nothing. . . . "What I pay you," he informed it, "is in the nature of a gratuity. I don't have to pay you."

"I think otherwise," the door said. "Look in the purchase contract you signed when you bought this conapt."

Warning!!

[sponga]

You are being spied on by your speedometer
As your attorney I advise you to immediately destroy it.

Re:

[pluther]

I think you mean "odometer".

Your speedometer doesn't keep any records.

And, you can use your car with a broken odometer - you just have to disclose that fact when/if you sell it. Or, in some areas, re-register it.

DRM

[Ethanol-fueled]

DRM is almost always a bad idea -- but I wouldn't mind it so much if it only prevented copied stuff from being played...as opposed to it collecting and phoning home my life story so big brother can sell it to ad companies.

The line between DRM/registration and spy/adware is being blurred. Soon legal extortion will be the norm.

Wrongheaded View

[Anonymous Coward]

This view of DRM as 'evil' is totally wrongheaded. DRM allows consumers more choice in the market place, making music and other valuable content available on great devices. DRM allows interoperability, without sacrificing the rights of content owners.

DRM can be used to protect your files. Set the read-only bit lately? that's DRM! It's simple, non intrusive, and protects you and me, how simple can it get?

Re:

[ScrewMaster]

DRM can be used to protect your files. Set the read-only bit lately? that's DRM! It's simple, non intrusive, and protects you and me, how simple can it get?

You know, I'd mod you +5 Funny if I had the points.

Re:

[hedwards]

While his implementation was screwed, he does have a point. Spiralfrog is a good example of how DRM can be used in a way which is useful for people. I haven't had a chance to try it yet, and it is presently available only for windows users in the US and Canada, but it is potentially a very good idea.

If I don't have to pay for the songs to listen to them, then for all I care they can be DRMed to the hilt. I just don't want to have to pay for DRMed files.

Re:

[speaker of the truth]

I just don't want to have to pay for DRMed files.

The thing is, you never have to pay for DRMed files. With many indie bands releasing their stuff online its never been easier to get their stuff, and they rarely, if ever, DRM it.

Re:

[MikeBabcock]

DRM is not the same as file security. Encrypting my personal files with a private password is not necessarily DRM. DRM is about protecting my rights on a file I no longer control, while still allowing SOME rights to it. That is almost impossibly difficult to guarantee on unmanaged computers as any Comp Sci major or hacker should know by now, and why DRM is stupid. Also, if DRM is going to continue, we need governments to enforce that it actually be DRM and not digital-wishful-thinking-management ... whe

Square != Rectangle

[WebCowboy]

...but they're both quadrilaterals.

In the name of DRM, we have CDs equipped with rootkits, we have personally-identifiable information being sent over international borders, we have music players phoning home to say what they're playing or storing...of COURSE DRM technology can collect private data. If the implementors of Digital Rights Management want to MICRO-manage those rights they obviously have to know exactly who's rights they're managing. That obviously means having to demand a certain level of disclosure from end users.

To say DRM and privacy are not at least related is naive. DRM might only be tracking your usage of digital media so it can allow or deny access, but it's still tracking you, and that leaves the technology open to abuse by people who wish to turn DRM into something more than it was intended to be.

Re:

[geminidomino]

Actually, a square IS a rectangle, by definition...</nitpick>

Re:

[amRadioHed]

He knows that, but since rectangle does not imply square they are not equivalent.

Silly report

[drhamad]

They're talking about notice requirements... this is not a principled paper, this is not anything that will change or harm DRM in any way. Worse comes to worse for the companies is just them putting a notice somewhere saying they're doing this. Look elsewhere if you want news.

Canadian Tariffs & International Jurisdiction?

[aldheorte]

Somewhat unrelated questions of curiosity: Since if you buy blank media in Canada, you apparently pay a tariff to make up for sharing, does that mean you could buy blank media from Canada from another country and distribute whatever you want on it, claiming that you paid the copyright fee by virtue of the Canadian tariff, especially if you were giving it away for free? In similar fashion, does Canadian privacy law extend to non-Canadian citizens buying DRMed items? If so, what's the thing that determines what is a purchase that is "Canadian"? Location of server in Canada? Use of Candadian domain or online store customized to Canada? Physical location of purchaser? Billing address of purchaser? ISP or IP address of user (and what about proxy or VPN services)? All of the above? Seems like on the Internet whatever country creates the most beneficial tax and rights protection to the consumer could rapidly find itself with a whole lot of virtual citizens if there's an easy way to extend its jurisdiction.

Re:

[adoll]

This is why so many ships are registered in Panama and Liberia. Also why so many people migrate from basket-case country X to first-world country Y.

Commerce and free people seek countries with the best conditions, and then migrate. Thus the requirement for the Berlin Wall to limit both.

Re:

[Dunbal]

Also why so many people migrate from basket-case country X to first-world country Y.

      I dunno, I migrated from first world country Y to basket-case country X. You can keep your first world. I'd rather keep my money.

Re:

[biggknifeparty]

You're all welcome to be "Web Permanent Residents" of Canada. All you have to do is pay taxes so we get healthcare and top notch Universities for next to nothing! In exchange you can Pirate all the American crap you want!

Re:

[mark-t]

The tariff applies to media that is distributed to all resellers within Canada's borders. If someone in Canada buys media overseas or in the US, they do not have to pay the tariff, as neither the post office nor customs are authorized to collect it.

Re:

[camperdave]

every person who, for the purpose of trade, manufactures a blank audio recording medium in Canada or imports such a medium into Canada is liable to pay a levy on selling or otherwise disposing of that medium in Canada,...

It is the importer/manufacturer who actually pays the levy. The cost is merely passed on to the consumer. If you are a consumer, you can freely buy blank media without levy charges from offshore sources. The same would apply to mp3 players which may fall under the tarriff soon.

3. (1) Su

Re:Canadian Tariffs & International Jurisdicti

[c]

• does that mean you could buy blank media from Canada from another country and distribute whatever you want on it, claiming that you paid the copyright fee by virtue of the Canadian tariff
  
• In similar fashion, does Canadian privacy law extend to non-Canadian citizens buying DRMed items?
  

Absolutely. Canadian law applies to everyone, anywhere in the world. We're generous that way.

Unfortunately, unlike certain other countries, we do have some logistical issues with enforcing our laws outside the Canadian border.

We can offer you some really nice red and white "Get out of jail free, eh" cards. You have a colour printer handy?

c.

Re:Canadian Tariffs & International Jurisdicti

[Pig Hogger]

The blank media fee simply legitimizes private copy. Distribution is still illegal. However, courts have ruled that since P2P protocols compel you to upload (distribute) so you can download, then uploading is legal.

Foreign media companies are lobbying hard to have a "new" copyright law passed, but since the governments we have had for the last 3 years are minority governments, that law is not exactly a very high priority of politicians who are more inclined to do what people want...

And since the RCMP has admitted pulling piracy figures out of it's arse, the government is likely to be very sceptical about figured losses by any content industry, ever since it was foolish enough to railroad a law punishing camcording movies...

So that means that it's legal to crack Intuit DRM?

[biggknifeparty]

The fact is that Intuit is ignoring Canadian's right to privacy of information. Therefore I call upon the will of the Canadian people to ignore Intuit's right to intellectual property.

Fight for your rights! Download the .torrent of Quicktax next year.

Re:So that means that it's legal to crack Intuit D

[Dunbal]

Therefore I call upon the will of the Canadian people to ignore Intuit's right to intellectual property.

      Ugh, I'd gladly set up a torrent if it wasn't (drumroll) tax software... real pirates don't pay tax anyway!

Re:So that means that it's legal to crack Intuit D

[mOdQuArK!]

There is no such thing as a "right to intellectual property". People can be granted the PRIVILEGE of intellectual proeprty protection with the goal of encouraging creativity/innovation, but it is not a right.

Re:So that means that it's legal to crack Intuit D

[canuck57]

The fact is that Intuit is ignoring Canadian's right to privacy of information. Therefore I call upon the will of the Canadian people to ignore Intuit's right to intellectual property.

I go one better. I haven't used them for 7 years and unload it every time I buy a new PC or Windows re-install. I even do this before my data moves on.

FOSS is where it is at. Less Spyware and no DRM (unless it is decoding/striping it out).

Borders

[multisync]

as an international corporation, Intuit would send information across the border

Yeah, that's an interesting bit.

The "free enterprise" party who govern the province I live in contracted the maintenance of our health care records out to a US firm, completely oblivious of the fact that - thanks to the PATRIOT ACT - the company could be compelled to turn our information over to the eff-bee-eye or the en-essay or one of those other alphabet agencies they've got down there, and it's illegal for them to tell us (their customer) when this takes place.

I know this will sound like "well duh" to those in the US, but my Canadian brain has a hard time wrapping itself around the concept.

Re:

[Jah-Wren Ryel]

I know this will sound like "well duh" to those in the US, but my Canadian brain has a hard time wrapping itself around the concept.

Most in the US don't even know those alphabetics can pull those stunts on us either, we are still the land of the free and the home of the brave as far as anyone who regularly watches cnn/fox knows.

Re:

[GNU(slash)Nickname]

...the company could be compelled to turn our information over to the eff-bee-eye or the en-essay or one of those other alphabet agencies they've got down there, and it's illegal for them to tell us (their customer) when this takes place.

I used to work for a Global 50 company. We had a project underway to consolidate all of the Exchange mailboxes in North America into a single data centre in the US, but wound up pulling out of the project and building a smaller Canadian data centre instead for exactly this reason.

Re:

[technicalandsocial]

CIPPIC filed a complaint [cippic.ca] a month ago with the federal privacy commissioner a month ago, in regards to the transfer of canada.com. (and the personal information contained there) to US soil. There are several complaints with the commissioner on information being moved to US soil, it will be interesting to see what precedence is set with the results of her findings.

Link to the study.

[callmevinny]

http://www.cippic.ca/uploads/CIPPIC_Report_DRM_and_Privacy.pdf [cippic.ca]

Credit card purchases

[cdrguru]

This would seem to outlaw the collection of information in the course of purchasing products using credit cards.

I am going to have to review this to see if it is legally permissible to sell things to Canadian residents. I think it is entirely possible that all purchase records need to be purged to eliminate the data held to allow product updates and such.

Holding on to information to permit updates to products may be illegal under this law. This would make it impossible to add fixes to Microsoft products,

Re:

[hajus]

About a week ago, I attempted to order a barebones from the US and tried to use a credit card. Most places I called wouldn't accept a credit card. One shop required payments via paypal. But even paypal won't accept any payments from a canadian credit card by itself; you have to have a bank account registered with them. Apparently, the credit card companies will not verify residential addresses for the credit cards, so a business cannot find out if the shipping address is the same as the billing address.

Re:

[Silvrmane]

PIPEDA allows for consent. People buying things online with their credit cards are giving implicit consent to the buyer to have the information provided necessary for the sale. However, people buying things online with their credit cards should have their heads examined, and should use "one off" numbers for transactions, or use a proxy like Pay Pal so that they are not divulging personal information to a buyer they do not know or trust.

People buying software from Intuit are not givng implicit consent to e

Oh canada

[sh3l1]

it's at times like this when i wish i lived in canada. P2P may be legal... DRM against the law!