[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Digital Rights Management

Several companies have developed Digital Rights Management (DRM) systems to prevent the unauthorized use of digital files.[660] DRM technologies can control file access (number of views, length of views), altering, sharing, copying, printing, and saving. These technologies may be contained within the operating system, program software, or in the actual hardware of a device. Some DRM technology can disable users' machines for unauthorized access to files. InTether Point-to-Point, for instance, imposes "penalties" for those who attempt an "illegal use" of a digital file.[661] Penalties include automatic rebooting of the users' machine, or destruction of the file the user is attempting to access.

DRM systems take two approaches to securing content. The first is "containment," an approach where the content is encrypted in a shell so that it can only be accessed by authorized users.[662] The second is "marking," the practice of placing a watermark, flag, or an XrML tag on content as a signal to a device that the media is copy protected. Some systems combine the two approaches. Nevertheless, according to an authority in the field,[663] DRM is vulnerable to cracking by individuals with moderate programming skills.[664]

These technologies have been developed with little regard for privacy protection. DRM technology usually requires the user to reveal his or her identity and rights to access the file. Upon authentication of identity and rights to the file, the user can access the content. Under the Digital Millennium Copyright Act, tampering with or producing "circumvention" tools for copyright control technologies is illegal.

These systems can prevent anonymous consumption of content, and could be employed to profile users' preferences or to limit access to digital books, music, or programs. DRM technologies may "...enable an unprecedented degree of intrusion into and oversight of individual decisions about what to read, hear and view."[665] For instance, a DRM technology called Copyright Agent quietly scans peer-to-peer networks to discover whether users possess illegal content. If a copyright violation is found, the program automatically informs the users' Internet Service Provider (ISP) that his or her service should be severed.[666]

In February 2002, the European Commission Information Society Directorate held a workshop on DRM technologies to examine, among other issues, their effects on privacy.[667] Similar workshops have also been held at the US Department of Commerce Technology Administration[668] and the Berkeley Center for Law and Technology.[669]

In February 2002, Sunncomm, Inc., a DRM systems developer, and Music City Records settled a lawsuit brought by a California woman who objected to their practice of tracking and disclosing personal information to third-parties with no opt-out scheme.[670] The settlement agreement required the companies to provide notice to consumers of their information collection practices and to refrain from requiring consumers to disclose their personal information as a condition of downloading, playing, or listening to a CD.[671]

In June 2002, Microsoft released information regarding its new "Palladium" initiative, which was renamed in 2003 to "Next-Generation Secure Computing Base."[672] Through software and hardware controls, Palladium could place Microsoft as the architect of computer identification and authentication. Additionally, systems embedded in both software and hardware would control access to content, thereby creating ubiquitous DRM schemes that can track users and control their use of media and even access to the Internet. Microsoft experienced a delay in its implementation of Palladium, and, while they expected to have elements of the system in by 2006, the first Palladium related features were actually only introduced with the arrival of Windows Vista in 2007.[673] Given Vista’s current limited use and distribution,[674] the full effect of these features is, as of yet, unknown.

In November 2003, the US Federal Communications Commission (FCC) voted unanimously to create a requirement that consumer products be able to recognize a Digital Broadcast Flag by July 2005. Such a flag would mark digital content as "protected" and direct devices to limit individuals' use of the content. EPIC recommended against the adoption of a Digital Television Broadcast Flag mandate unless it incorporates privacy protections for viewer data.[675] In August 2004, with lawsuits pending, the FCC commenced certification procedures in order to approve of technologies designed to comply with the broadcast flag regulations.[676] On May 6, 2005, however, the a federal appellate court held that the FCC did not have the authority to adopt the regulations, because the Communications Act of 1934 does not grant the FCC authority to regulate broadcast equipment while that equipment is not engaged in communication.[677] The movie industry responded in August 2006 with a bill that would grant the FCC authority sufficient to impose the regulations.[678]

In April 2004, the European Commission (the Commission) advocated legislation that would unify content licensing, arguing that the market for digital content will be ineffective without a single standard for Europe.[679] Specifically, the Commission called for Community-level regulation of collecting societies, the companies that administer royalties and license fees for content owners. DRM systems, too, would have to be interoperable under the plan. The balance struck among rights holders, media players owners, and users will have great effect on users' ability to access digital content and to shield themselves from monitoring.

In September 2004, BEUC, a European consumer organization, released its position on digital rights management.[680] BEUC outlines four potential outcomes resulting from the widespread use of DRM technology: 1) A wider range of choices for consumer to access and use digital media in a greater number of ways; 2) Better and more effective means to combat commercial piracy and unauthorized file sharing; 3) More information for rights holders about consumers’ use of digital material; 4) More control for rights holders over the use by consumers of digital material – to limit uses that are currently legitimate and/or to support and enshrine existing restrictions that are unjustified.[681] The third outcome is identified as the possibility most hostile to user privacy,[682] and BEUC cites the need to balance the needs of rights holders and consumers of digital content when making policy and enacting legislation on this matter.[683]

BEUC expressly rejects the notion that the rights of those who own digital content trump the privacy rights of consumers,[684] and asserts that contracts governing the use of digital content should not require users to jettison their right to privacy concerning personal information. To that end, BEUC recommends that DRM schemes be minimally intrusive, requiring no more user information than is necessary and that they retain that information for no longer than is necessary to verify legitimate use of the incident digital content.[685] The organization warns that the current European approach to DRM could allow content providers to include click-wrapped privacy terms that would bypass existing privacy regulations through appeal to false user consent.[686] Other groups have similar concerns that consent-powered DRM schemes might force users with limited bargaining power to sign away their privacy rights in order to gain access to desirable digital content.[687]

BEUC concludes its discussion of the privacy implications of DRM by offering a framework for privacy friendly DRM schemes. First, DRM schemes should avoid creating electronic footprints for user data and, as such, should appropriately limit retention time.[688] Second, DRM schemes should provide accurate and visible notice to consumers concerning the disclosure and use of their personal information.[689] Third, DRM schemes should limit disclosure of personal information collected only to those individuals and processes necessary to the verification of valid usage. Finally, DRM schemes should be not be used only where necessary and should not universally replace anonymous access to digital content.

In June 2007, it was discovered that even some DRM-free music tracks had some user information embedded into them.[690] Apple’s iTunes plus service, which launched the first week of June, offers users the opportunity to download high quality DRM-free music tracks at an increased price.[691] Those users who download these more expensive tracks will be able to transfer and use the music freely for their own purposes; however, these tracks have the name and e-mail address of the user who purchased them embedded into the file.[692] As a result, if these users chose to distribute the marked files anonymously over the Internet in violation of copyright laws, then the file itself serves as evidence of piracy. Furthermore, the tagging facilitates surveillance of a user’s content consumption by anyone who receives the file. Although it is unclear whether the tagging present on the new file type was added as part of the new service or was simply a file element that had been shrouded by the DRM protection that was removed, this experience indicates the dangers inherent even in recent attempts to work around the need for DRM by introducing higher cost alternatives.

Windows Vista, which launched in January 2007, incorporates several DRM features that had not previously been seen. Although it is too early to discern the privacy implications of these new DRM features,[693] their existence is worthy of note. Vista incorporates Intel’s Trusted Platform Module (TPM), which is built directly into a computer’s hardware.[694] TPM provides DRM-like protection for data on a user’s hard drive by encrypting it at a hardware level.[695] Vista also incorporates Output Protection Management (OPM), which is another type of hardware based DRM technology. OPM is currently employed mostly in connection with Protected Video Path (PVP) technology.[696] PVP is designed to encrypt high quality video at a hardware level in order to prevent it from being copied and reproduced by the user.[697] In essence, Vista supports DRM technologies at the hardware level and has in place a framework that would allow even more pervasive use of DRM technology.

[660] See EPIC's DRM web page <http://www.epic.org/privacy/drm/>.
[661] InTether Point to Point Product Page <http://www.infraworks.com/p2p.html>.

[662] Professor Edward Felten, Address at the Boalt Hall Copyright Workshop (March 22, 2002).
[663] Princeton University Computer Science Professor Ed Felten.
[664]Id.

[665] Julie Cohen, A Right to Read Anonymously: A Closer Look at "Copyright Management" in Cyberspace, 28 Connecticut Law Review 981 (1996); see also Chris J. Hoofnagle, Digital Rights Management: Many Technical Controls on Digital Content Distribution Can Create A Surveillance Society, 5 Columbia Science and Technology Law Review (Spring 2004).
[666] Dawn C. Chmielewski, "Stealth Software Robot Puts Bootleggers on Notice," San Jose Mercury News, March 19, 2001, available at <http://web.archive.org/web/20010626223307/http://www.chicagotribune.com/business/printedition/article/0,2669,SAV-0103190188,FF.html>.

[667] More information and the final report of the workshop are available at <http://europa.eu.int/information_society/topics/multi/digital_rights/events/index_en.htm>.
[668] See EPIC's Comments to the Department of Commerce <http://www.epic.org/privacy/drm/tadrmcomments7.17.02.html>.
[669] See <http://www.law.berkeley.edu/institutes/bclt/>.

[670] DeLise v. Fahrenheit, No. CV-014297 (Cal. Sup. Ct. Sept. 6, 2001)(Pl. Comp. at ¶ 1), available at <http://www.techfirm.com/mccomp.pdf>.
[671] Press Release, SunnComm, Inc., "Sunncomm and Music City Records Agree to Resolve Consumer Music Cloqueing Law Suit by Providing Better Notice and Enhancing Consumer Privacy," February 22, 2002 <http://www.xenoclast.org/free-sklyarov-uk/2002-February/001580.html>.

[672] See EPIC's Palladium web page <http://www.epic.org/privacy/consumer/microsoft/palladium.html>.
[673] PCStats, Windows Vista, HDCP, and Digital Rights Management, July 10, 2007 <http://www.pcstats.com/articleview.cfm?articleID=1871>.
[674] “Windows Vista Makes Limited Impact on PC Sales,” Information Week, July 10, 2007 <http://www.informationweek.com/windows/showArticle.jhtml?articleID=200001577>.

[675] EPIC comments in the Matter of Digital Broadcast Copy Protection, MB Docket No. 02-230, December 6, 2002 <http://www.epic.org/privacy/drm/broadcastflagcomments.html>.
[676] “FCC Certifies Broadcast Technologies,” Public Knowledge, August 2004 <http://www.publicknowledge.org/issues/broadcastflag>.
[677] American Library Association v. Federal Communications Commission, 406 F.3d 689 (D.C. Cir. 2005). See also Communications Act of 1934, 47 U.S.C. §§ 151,152.
[678] Public Knowledge, supra at August 2006.

[679] "Europe Demands Open-to-All DRM Tech," The Register, April 20, 2004 <http://www.theregister.co.uk/2004/04/20/european_union_drm/>.

[680] BEUC, Digital Rights Management, September 15, 2004 <http://www.consumersdigitalrights.org/mdoc/DRMBEUCX0252004_59695.pdf>.
[681] Id.
[682] Id.
[683] Id.

[684] Id. at number 3.
[685] Id.
[686] Id.
[687] Kerr and Bailey, supra.

[688] Id.
[689] Id.

[690] Rhys Blakely, Personal Data Found Hidden in iTunes tracks, June 1, 2007 <http://business.timesonline.co.uk/tol/business/industry_sectors/media/article1871173.ece>.
[691] Id.
[692] Id.

[693] Information week, supra.
[694] Matt McKenzie, Vista and More: Piecing together Microsoft’s DRM Puzzle, November 15, 2006 <http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9005047>.
[695] Id.
[696] Id.
[697] Id.