DRM violates Canadian privacy law

The University of Ottawa's Canadian Internet Policy and Public Interest Clinic has just released a huge, deep report on the privacy implications of various DRM systems. They examine 16 different systems in depth and conclude that DRM is a grave threat to personal privacy.

Our assessment of the compliance of these DRM applications with PIPEDA led to a
number of general findings:

• Fundamental privacy-based criticisms of DRM are well-founded: we observed
tracking of usage habits, surfing habits, and technical data.

• Privacy invasive behaviour emerged in surprising places. For example, we
observed e-book software profiling individuals. We unexpectedly encountered
DoubleClick – an online marketing firm – in a library digital audio book.

• Many organizations take the position that IP addresses do not constitute
"personal information" under PIPEDA and therefore can be collected, used
and disclosed at will. This interpretation is contrary to Privacy Commissioner
findings. IP addresses are collected by a variety of DRM tools, including
tracking technologies such as cookies and pixel tags (also known as web
bugs, clear gifs, and web beacons).

• Companies using DRM to deliver content often do not adequately document
in their privacy policies the DRM-related collection, use and disclosure of
personal information. This is particularly so where the DRM originates with a
third party supplier.

• Companies using DRM often fail to comply with basic requirements of
PIPEDA.

PDF Link

(via Michael Geist)