Study Says DRM Violates Canadian Privacy Laws

inkslinger77 writes "DRM technology used in consumer media may be violating Canadian privacy laws, according to a new report. The study, done by University of Ottawa's Canadian Internet Policy and Public Interest Clinic, found that a number of services like iTunes, Visio, and Symantec's North SystemWorks require too much personal information in order to verify their users. 'Another issue cited by [study lead investigator David Fewer] concerned the disclosure of DRM-collected personal information from users of Intuit's QuickTax software."It wasn't the use of QuickTax itself that triggered the concern, but rather the use of Intuit's online filing service where we found buried in one of the disclosures the notice that, as an international corporation, Intuit would send information across the border," Fewer said.'"

Sounds like Canada better fix its laws quickly.

[Sheetrock]

Because we all know DRM isn't going anywhere. Sadly.

Re:Sounds like Canada better fix its laws quickly.

[ackthpt]

Because we all know DRM isn't going anywhere. Sadly.

Sure it is, it's going and telling everyone about us, what we like to listen to, how often, that sort of thing so the music and entertainment business can figure out what we like (apparently a lot of utter shite) and they can manufacture more of it. As for software, it's a grand opportunity to pass along our personal information to companies who, through negligence, make it available to crackers.

At every opportunity I deny access to outside sites whenever the firewall pops up and squeals on the DRM phoning home. Hasn't stopped anything from working so far.

Could this apply in the European Community too?

[MichaelCrawford]

The EC has quite stringent privacy laws, particularly regarding storage of personal info in databases, and has a record of filing anti-corporate lawsuits.

Re:Could this apply in the European Community too?

[Wowsers]

These "tough" privacy laws you speak of only apply when it suits the EU.

Re:Could this apply in the European Community too?

[Simian+Road]

Someone has modded this funny but I don't know why.

A better way to put it would be that the laws only apply when it suits the EU member states. If they don't want to enforce an EU regulation, they don't.

Norman, coordinate...

[$RANDOMLUSER]

DRM violates Canadian privacy laws...
But Canada is the source of all piracy...
But DRM violates Canadian privacy laws...
But Canada is the source of all piracy...
dweeeeeeeeeeee

Re:Norman, coordinate...

[Tribbin]

DRM voilates canadian privacy laws [implies] Canada is the source of all piracy

You know that high profile warez sites seek for countries with laws to their likings.

Nice thought, but...

[allcar]

Who's going to pay to find out if this is true. Just because an academic study says it might be the case, proves nothing. A costly law suit will be needed to do that. Any volunteers?

Re:Nice thought, but...

[erbmjw]

IANAL but I believe that "noncompliance of PIPEDA (Personal Information Protection and Electronic Documents Act)" does not require a volunteer to take the infringing companies to court.
I believe that the Canadian government ( The Canadian privacy commissioner } can undertake an investigation and {where required} apply significant pressure on the infringing companies.

Re:Nice thought, but...

[Em+Adespoton]

We're talking about Canada, not the US... in Canada things are not decided by suing people, they're decided by people sitting down and discussing the issue until a solution is found... and then debating it for years before putting it into law. Since the PIPEDA already exists, this study will be enough of a deterrent for most individuals and companies -- except maybe some US companies who think they're above the law and can do what they want. At which point, the Canadian Government steps in and sues them on behalf of the people.

Re:Nice thought, but...

[technicalandsocial]

This was not just an academic study, this was funded by the federal privacy commissioner , and CIPPIC is a group of lawyers who submitted their findings to the commissioner. The PIPEDA violations will now be investigated by the privacy commissioner.
I'm not sure why, but the original submitted left out the link to the actual report .

Re:Nice thought, but...

[allcar]

I know it's not the /. way, but I stand corrected. Clearly my knowledge of the Canadian legal system is somewhat lacking.

Well...

[Karl0Erik]

Blame Canada, then?

Surely...

[OriginalArlen]

...these are just implementation details, rather than matters of principle.

Yes, It's Unfortunate

[Nymz]

"It's unfortunate that consumers have been misled by a lot of vocal critics because the truth is DRM is no more evil than the lock and key that's on your door, the alarm on your car, or the authentication system in your cell phone." - Christopher Levy, CEO of DRM solutions provider BuyDRM

Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

Re:Yes, It's Unfortunate

>Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

It's worse than that. Many (including possibly yourself) have locks and alarms on their doors and cars because they WANT them. Most would install them if they didn't come with them. And while consumers don't know they want an authentication system on their phone, take it away and go back to the bad old days of cloning AMPS phones for a few days and they'll come screaming to the providers for it.

But I've never talked to anyone who wanted to add DRM to anything they bought.

Re:Yes, It's Unfortunate

Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

Unless you have On*Star or similar.

Re:Yes, It's Unfortunate

[Simply+Curious]

Methinks he says it's his car/door/cell phone and he therefore can lock it.

*sarcasm*Ah, the joys of an unregulated market.*sarcasm*

Re:Yes, It's Unfortunate

[Wowsers]

Except that when I unlock my door, and disable the alarm on my car, I don't need permission, and it doesn't spy on where I'm driving.

No spying yet, but this is the reason the European Union want their own version of GPS.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004L0052R(01):EN:HTML

Re:Yes, It's Unfortunate

[Kazoo+the+Clown]

DRM is like a lock on your door that someone ELSE owns the key to.

Re:Yes, It's Unfortunate

[DDLKermit007]

That would be called the dealership who sold you the car. They keep on file what keys go to whos cars. Now the crux is what happens when you want to change the locks on your music?

Re:Yes, It's Unfortunate

[Propaganda13]

Yes, yes, yes, but you've only bought a license to use the door. You don't actually own the door.

DRM

[Ethanol-fueled]

DRM is almost always a bad idea -- but I wouldn't mind it so much if it only prevented copied stuff from being played...as opposed to it collecting and phoning home my life story so big brother can sell it to ad companies.

The line between DRM/registration and spy/adware is being blurred. Soon legal extortion will be the norm.

Wrongheaded View

This view of DRM as 'evil' is totally wrongheaded. DRM allows consumers more choice in the market place, making music and other valuable content available on great devices. DRM allows interoperability, without sacrificing the rights of content owners.

DRM can be used to protect your files. Set the read-only bit lately? that's DRM! It's simple, non intrusive, and protects you and me, how simple can it get?

Re:Wrongheaded View

[ScrewMaster]

DRM can be used to protect your files. Set the read-only bit lately? that's DRM! It's simple, non intrusive, and protects you and me, how simple can it get?

You know, I'd mod you +5 Funny if I had the points.

Re:Wrongheaded View

[hedwards]

While his implementation was screwed, he does have a point. Spiralfrog is a good example of how DRM can be used in a way which is useful for people. I haven't had a chance to try it yet, and it is presently available only for windows users in the US and Canada, but it is potentially a very good idea.

If I don't have to pay for the songs to listen to them, then for all I care they can be DRMed to the hilt. I just don't want to have to pay for DRMed files.

Re:Wrongheaded View

[speaker+of+the+truth]

I just don't want to have to pay for DRMed files. The thing is, you never have to pay for DRMed files. With many indie bands releasing their stuff online its never been easier to get their stuff, and they rarely, if ever, DRM it.

Re:Wrongheaded View

[MikeBabcock]

DRM is not the same as file security. Encrypting my personal files with a private password is not necessarily DRM. DRM is about protecting my rights on a file I no longer control, while still allowing SOME rights to it. That is almost impossibly difficult to guarantee on unmanaged computers as any Comp Sci major or hacker should know by now, and why DRM is stupid. Also, if DRM is going to continue, we need governments to enforce that it actually be DRM and not digital-wishful-thinking-management ... wheres the timeout in my WMV file that makes it public domain 120 years after the author's death? Seriously, in 200 years, people are going to recover data from our era and not be able to read/listen/view it? That's just insane. Historians should be against DRM in its current form too.

DRM != Privacy

Terrible summary. While it's a national pastime of Slashdot to bash DRM, and also feared privacy violations, the two aren't the same thing.

DRM can't "collect" your private data or report it. DRM just blocks access to information you already have.

Various sorts of malware might violate your privacy by collecting data you don't want them to, or requiring too much sensitive data for authentication. But that's not DRM.

You need to keep your evils separate to make sure you have the right counterspells for each. Blur everything together and you sound ignorant and hysterical, and will thus be ignored.

Silly report

[drhamad]

They're talking about notice requirements... this is not a principled paper, this is not anything that will change or harm DRM in any way. Worse comes to worse for the companies is just them putting a notice somewhere saying they're doing this. Look elsewhere if you want news.

Canadian Tariffs & International Jurisdiction?

[aldheorte]

Somewhat unrelated questions of curiosity: Since if you buy blank media in Canada, you apparently pay a tariff to make up for sharing, does that mean you could buy blank media from Canada from another country and distribute whatever you want on it, claiming that you paid the copyright fee by virtue of the Canadian tariff, especially if you were giving it away for free? In similar fashion, does Canadian privacy law extend to non-Canadian citizens buying DRMed items? If so, what's the thing that determines what is a purchase that is "Canadian"? Location of server in Canada? Use of Candadian domain or online store customized to Canada? Physical location of purchaser? Billing address of purchaser? ISP or IP address of user (and what about proxy or VPN services)? All of the above? Seems like on the Internet whatever country creates the most beneficial tax and rights protection to the consumer could rapidly find itself with a whole lot of virtual citizens if there's an easy way to extend its jurisdiction.

Re:Canadian Tariffs & International Jurisdicti

[adoll]

This is why so many ships are registered in Panama and Liberia. Also why so many people migrate from basket-case country X to first-world country Y.

Commerce and free people seek countries with the best conditions, and then migrate. Thus the requirement for the Berlin Wall to limit both.

So that means that it's legal to crack Intuit DRM?

[biggknifeparty]

The fact is that Intuit is ignoring Canadian's right to privacy of information. Therefore I call upon the will of the Canadian people to ignore Intuit's right to intellectual property.

Fight for your rights! Download the .torrent of Quicktax next year.

Re:Canadian Tariffs & International Jurisdicti

[biggknifeparty]

You're all welcome to be "Web Permanent Residents" of Canada. All you have to do is pay taxes so we get healthcare and top notch Universities for next to nothing! In exchange you can Pirate all the American crap you want!

Re:Canadian Tariffs & International Jurisdicti

[mark-t]

The tariff applies to media that is distributed to all resellers within Canada's borders. If someone in Canada buys media overseas or in the US, they do not have to pay the tariff, as neither the post office nor customs are authorized to collect it.

Re:Canadian Tariffs & International Jurisdicti

[Antony.Muss]

From the Blank CD-R Tax FAQ

A non-Canadian visiting Canada can make a private copy of a CD (even one he brought with him from a foreign country) and he will not be infringing copyright in Canada. His home state might consider the copied CD an infringing copy when he returns.

A Canadian making a private copy of a CD in another country could be infringing copyright in that country.
...
Can I legally copy music CDs for my friends?

The simple answer is NO, but you can legally copy your friend's music CD for YOUR OWN use.

Re:Canadian Tariffs & International Jurisdicti

[c]

• does that mean you could buy blank media from Canada from another country and distribute whatever you want on it, claiming that you paid the copyright fee by virtue of the Canadian tariff
  
• In similar fashion, does Canadian privacy law extend to non-Canadian citizens buying DRMed items?
  

Absolutely. Canadian law applies to everyone, anywhere in the world. We're generous that way.

Unfortunately, unlike certain other countries, we do have some logistical issues with enforcing our laws outside the Canadian border.

We can offer you some really nice red and white "Get out of jail free, eh" cards. You have a colour printer handy?

c.

Re:Canadian Tariffs & International Jurisdicti

[Pig+Hogger]

The blank media fee simply legitimizes private copy. Distribution is still illegal. However, courts have ruled that since P2P protocols compel you to upload (distribute) so you can download, then uploading is legal.

Foreign media companies are lobbying hard to have a "new" copyright law passed, but since the governments we have had for the last 3 years are minority governments, that law is not exactly a very high priority of politicians who are more inclined to do what people want...

And since the RCMP has admitted pulling piracy figures out of it's arse, the government is likely to be very sceptical about figured losses by any content industry, ever since it was foolish enough to railroad a law punishing camcording movies...

Borders

[multisync]

as an international corporation, Intuit would send information across the border

Yeah, that's an interesting bit.

The "free enterprise" party who govern the province I live in contracted the maintenance of our health care records out to a US firm, completely oblivious of the fact that - thanks to the PATRIOT ACT - the company could be compelled to turn our information over to the eff-bee-eye or the en-essay or one of those other alphabet agencies they've got down there, and it's illegal for them to tell us (their customer) when this takes place.

I know this will sound like "well duh" to those in the US, but my Canadian brain has a hard time wrapping itself around the concept.

Re:Borders

[Jah-Wren+Ryel]

I know this will sound like "well duh" to those in the US, but my Canadian brain has a hard time wrapping itself around the concept. Most in the US don't even know those alphabetics can pull those stunts on us either, we are still the land of the free and the home of the brave as far as anyone who regularly watches cnn/fox knows.

Re:Borders

[GNU(slash)Nickname]

...the company could be compelled to turn our information over to the eff-bee-eye or the en-essay or one of those other alphabet agencies they've got down there, and it's illegal for them to tell us (their customer) when this takes place.
I used to work for a Global 50 company. We had a project underway to consolidate all of the Exchange mailboxes in North America into a single data centre in the US, but wound up pulling out of the project and building a smaller Canadian data centre instead for exactly this reason.

Re:Borders

[technicalandsocial]

CIPPIC filed a complaint a month ago with the federal privacy commissioner a month ago, in regards to the transfer of canada.com. (and the personal information contained there) to US soil. There are several complaints with the commissioner on information being moved to US soil, it will be interesting to see what precedence is set with the results of her findings.

Re:So that means that it's legal to crack Intuit D

[Dunbal]

Therefore I call upon the will of the Canadian people to ignore Intuit's right to intellectual property.

      Ugh, I'd gladly set up a torrent if it wasn't (drumroll) tax software... real pirates don't pay tax anyway!

Re:Canadian Tariffs & International Jurisdicti

[Dunbal]

Also why so many people migrate from basket-case country X to first-world country Y.

      I dunno, I migrated from first world country Y to basket-case country X. You can keep your first world. I'd rather keep my money.

Owning the house but not the door

[Geof]

Right. In Philip K. Dick's Ubik, the main character is denied access to the apartment he owns until he pays the door:

The door refused to open. It said, "Five cents, please."

He searched his pockets. No more coins; nothing. . . . "What I pay you," he informed it, "is in the nature of a gratuity. I don't have to pay you."

"I think otherwise," the door said. "Look in the purchase contract you signed when you bought this conapt."

Free mytaxexpress - better than paying Inuit

For one thing, there is free tax filling software. It is not as polished. Once you have done a few, you can get by with this. I used it last year. Prior to that I used one that cost http://www.mytaxexpress.com/

Screw Inuit!

Warning!!

[sponga]

You are being spied on by your speedometer
As your attorney I advise you to immediately destroy it.

Re:Warning!!

[pluther]

I think you mean "odometer".

Your speedometer doesn't keep any records.

And, you can use your car with a broken odometer - you just have to disclose that fact when/if you sell it. Or, in some areas, re-register it.

Link to the study.

[callmevinny]

http://www.cippic.ca/uploads/CIPPIC_Report_DRM_and_Privacy.pdf

Re:Canadian Tariffs & International Jurisdicti

[camperdave]

every person who, for the purpose of trade, manufactures a blank audio recording medium in Canada or imports such a medium into Canada is liable to pay a levy on selling or otherwise disposing of that medium in Canada,...

It is the importer/manufacturer who actually pays the levy. The cost is merely passed on to the consumer. If you are a consumer, you can freely buy blank media without levy charges from offshore sources. The same would apply to mp3 players which may fall under the tarriff soon.

3. (1) Subject to subsection (2), the levy rates shall be
(a) 29 for each audio cassette of 40 minutes or more in length;
(b) 29 for each CD-R or CD-RW;
(c) 85 for each CD-R Audio, CD-RW Audio or MiniDisc;
(d) for removable electronic memory cards in the Secure Digital, MultiMedia, and Memory Stick formats with more than 256 MB of memory, $2 for each card with no more than 1 Gigabyte (GB) of memory,
$5 for each card with more than 1 GB and no more than 4 GB of memory,
and $10 for each card with more than 4 GB of memory;
(e) for digital audio recorders, $5 for each recorder with no more than 1 Gigabyte (GB) of memory,
$25 for each recorder with more than 1 GB and no more than 10 GB of memory,
$50 for each recorder with more than 10 GB and no more than 30 GB of memory,
and $75 for each recorder with more than 30 GB of memory.

Quotes from the Copyright board of Canada website.

The law isn't what needs fixing.

[WebCowboy]

Just because DRM isn't going anywhere doesn't mean the law should yield to it. DRM schemes are largely broken on many levels (technologically, legally, etc). That's not saying that DRM is unfixable (though I think the idea itself id flawed), but the correct thing to do is fix the technology, not the law.

Privacy laws, in Canada at least, apply to a much broader scope than digital media, and as such they shouldn't be tailored to it. Furthermore, privacy laws are most likely tied to constitutional rights (charter of rights and freedoms). Collection and distribution of personal information itself is not illegal, however doing so without disclosure or consent of the person involved is probably more than illegal--it would probably be ruled unconstitutional by our judiciary. Therefore, if the laws were relaxed to accommodate DRM they'd most likely be suspended by the courts if challenged.

Square != Rectangle

[WebCowboy]

...but they're both quadrilaterals.

In the name of DRM, we have CDs equipped with rootkits, we have personally-identifiable information being sent over international borders, we have music players phoning home to say what they're playing or storing...of COURSE DRM technology can collect private data. If the implementors of Digital Rights Management want to MICRO-manage those rights they obviously have to know exactly who's rights they're managing. That obviously means having to demand a certain level of disclosure from end users.

To say DRM and privacy are not at least related is naive. DRM might only be tracking your usage of digital media so it can allow or deny access, but it's still tracking you, and that leaves the technology open to abuse by people who wish to turn DRM into something more than it was intended to be.

Re:Square != Rectangle

[geminidomino]

Actually, a square IS a rectangle, by definition...

Re:Square != Rectangle

[amRadioHed]

He knows that, but since rectangle does not imply square they are not equivalent.

Credit card purchases

[cdrguru]

This would seem to outlaw the collection of information in the course of purchasing products using credit cards.

I am going to have to review this to see if it is legally permissible to sell things to Canadian residents. I think it is entirely possible that all purchase records need to be purged to eliminate the data held to allow product updates and such.

Holding on to information to permit updates to products may be illegal under this law. This would make it impossible to add fixes to Microsoft products, or to process subscriptions for products like Norton Antivirus.

If people do not want information held by companies, absolutely their wishes should be respected. However, when such wishes are codified into laws companies should take the most draconian view possible of how these laws could be enforced. Under no circumstances should any requests "please keep my information" be granted. Any form of commerce that requires information should be kept should be blocked for countries with laws like this.

Certainly, any US company should not process credit card transactions from Canadian residents because this might allow sensative financial information to fall into the hands of other US companies, the US government or identity thieves exploiting the insecure nature of the US credit card processing companies.

For Canadians I would offer advice: cash only.

For all US businesses which deal with consumers in Canada it would seem impossible to now assure such consumers that their information cannot be disclosed through either security breaches and/or government action. Therefore, any information supplied to a US company violates the Canadian privacy laws. It would not surpise me that Canadians could be charged with violating this law if they supply anyone's information (including their own) to a US company.

Re:Credit card purchases

[hajus]

About a week ago, I attempted to order a barebones from the US and tried to use a credit card. Most places I called wouldn't accept a credit card. One shop required payments via paypal. But even paypal won't accept any payments from a canadian credit card by itself; you have to have a bank account registered with them. Apparently, the credit card companies will not verify residential addresses for the credit cards, so a business cannot find out if the shipping address is the same as the billing address. Most US companies are unwilling to ship something because they are used to being able to easily acquire a person's address and they use this to make sure it's not a stolen card. I did find a place to get my system from eventually, but it was a pain in the neck. On the other hand, we get very little snailmail spam compared to what I got in the US.

I'm thinking US companies may change their requirements for this personal data soon as with the canadian dollar reaching parity, more canadians are going to want to buy stuff from the US and with a larger demand from canada, business won't turn away an increasing customer source so much.

Re:Credit card purchases

[Silvrmane]

PIPEDA allows for consent. People buying things online with their credit cards are giving implicit consent to the buyer to have the information provided necessary for the sale. However, people buying things online with their credit cards should have their heads examined, and should use "one off" numbers for transactions, or use a proxy like Pay Pal so that they are not divulging personal information to a buyer they do not know or trust.

People buying software from Intuit are not givng implicit consent to everything in the "shrinkwrap" license which is why the idea that they are using datacenters outside of the country is trouble. I gave up using Intuit software ages ago anyway, and I use the other Canadian tax software instead - Ufile.

Nice generalization

You shouldn't confuse DRM with traditional spyware. Point of DRM is to control access and usability. It's the spyware that gathers and sends private information without notice.

AMEN BROTHA! Canada == DEMOCRATIC && USA

[SauroNlord]

AMEN!!

Oh canada

[sh3l1]

it's at times like this when i wish i lived in canada. P2P may be legal... DRM against the law!

Re:So that means that it's legal to crack Intuit D

[mOdQuArK!]

There is no such thing as a "right to intellectual property". People can be granted the PRIVILEGE of intellectual proeprty protection with the goal of encouraging creativity/innovation, but it is not a right.

Re:So that means that it's legal to crack Intuit D

[canuck57]

The fact is that Intuit is ignoring Canadian's right to privacy of information. Therefore I call upon the will of the Canadian people to ignore Intuit's right to intellectual property.

I go one better. I haven't used them for 7 years and unload it every time I buy a new PC or Windows re-install. I even do this before my data moves on.

FOSS is where it is at. Less Spyware and no DRM (unless it is decoding/striping it out).