• Fundamental privacy-based criticisms of DRM are well-founded: we observed
tracking of usage habits, surfing habits, and technical data.
• Privacy invasive behaviour emerged in surprising places. For example, we
observed e-book software profiling individuals. We unexpectedly encountered
DoubleClick – an online marketing firm – in a library digital audio book.
• Many organizations take the position that IP addresses do not constitute
“personal information” under PIPEDA [Personal Information Protection and
Electronic Documents Act] and therefore can be collected, used
and disclosed at will. This interpretation is contrary to Privacy Commissioner
findings. IP addresses are collected by a variety of DRM tools, including
tracking technologies such as cookies and pixel tags (also known as web
bugs, clear gifs, and web beacons).
• Companies using DRM to deliver content often do not adequately document
in their privacy policies the DRM-related collection, use and disclosure of
personal information. This is particularly so where the DRM originates with a
third party supplier.
• Companies using DRM often fail to comply with basic requirements of
This, sadly, should not be a surprise. Copyright organizations have shown themselves to be actively hostile to concerns about information security and data privacy (see, e.g., the discussion of concerns related to watermarking here, or Sony's now infamous fondness for installing rootkits). Indeed, the only time when copyright and information security are (supposedly) aligned is when copyright is trying to piggyback on security concerns to achieve its own ends (e.g., the destruction of P2P networks, as described here).
The happy news though, is that the study came out in the first place. It is possible that this examination of the impact of DRM on privacy could be a reflection of some sort of backlash against the copyright industry's current tactics - something that, if supported by legislation, could result in significant benefits for privacy and security of individual data.