HACKING@PRIVACY: Why We Need Protection From The Technologies That Protect Copyright
By: Ian Kerr
June 14, 2005
i. proposed anti-circumvention laws
after nearly a decade of indecision, it looks like canada is finally about to board the mothership.
in its recently released government statement on proposals for copyright reform, canada announced that it will comply with the wipo copyright treaty by tabling its own anti-circumvention laws.
the core provision, we are forewarned, will deem “the circumvention, for infringing purposes, of technological measures (most lawyers call these TPMs) applied to copyright material [to] constitute an infringement of copyright.” a second deeming provision will generate the same result for “the alteration or removal of rights management information (RMI) embedded in copyright material, when done to further or conceal infringement…”
in essence, these deeming provisions are meant to add a new legal layer, one that goes beyond existing copyright and contract laws, in order to deter and provide legal remedies against individuals who, with “infringing purposes,” hack past content-protecting technologies that automatically enforce particular uses of digital material. a central aim of the soon-to-be-proposed legislation (it could happen any day now) is “to provide rights holders with greater confidence to exploit the internet as a medium for the dissemination of their material and provide consumers with a greater choice of legitimate material.”
these are certainly laudable goals and the approach adopted has left some cautiously optimistic that canada’s proposed anti-circumvention provisions will do less harm to copyright’s delicate balance than the laws enacted in the US, europe, and elsewhere.
whether or not this is so, there is less reason to enjoy the same optimism regarding the effect of the proposed anti-circumvention law on personal privacy. when it comes to protecting intellectual privacy (the term julie cohen uses to describe the right to experience intellectual works in private, free from surveillance) the recently released gov statement whispers with the sounds of silence.
although ample statutory language is offered to illustrate how the law will protect TPMs from people, the gov statement offers zero indication as to whether the law will also be used to protect people from TPMs.
it is my contention that statutory silence about the permissible scope of use for TPMs risks too much from a privacy perspective. in particular, i am of the view that any law that protects the surveillance technologies used to enforce copyright must also contain express provisions and penalties that protect citizens from organizations using those TPMs to engage in excessive monitoring or the piracy of personal information. if the copyright industries are correct in claiming a legitimate need for new laws to prevent the circumvention of TPMs, then similar provisions are needed to protect citizens from organizations that use TPMs and the law of contract as a kind of circumvention device.
ii. TPMS & DRMS
in order to understand why I think so, one must recognize the role TPMs play within a grander system of intertwining technologies and legal mechanisms that are being used to establish a secure global distribution channel for digital content.
a TPM is a technological method intended to promote the authorized use of digital works, usually by controlling access to such works, or various uses of such works (eg, copying, distribution, performance, display). TPMs can operate as a kind of ‘virtual fence’ around digitized content and can therefore be used to lock up content (whether or not it enjoys copyright protection). a TPM can be used on its own, or as a building block in a larger system of technological and legal mechanisms – a digital rights management system (DRM).
if TPM is a digital lock, then DRM is a digital surveillance system. DRM consists of two components. The first is a set of technologies including: encryption, copy control, digital watermarking, fingerprinting, traitor tracing, authentication, integrity checking, access control, tamper-resistant hard- and software, key management and revocation as well as risk management architectures. other technologies are used to express copyright permissions in ‘rights expression languages’ and other forms of metadata that make a DRM policy machine-readable.
the technological components of most full blown DRMs are linked to a database which enables the automated collection and exchange of various kinds of information among rights owners and distributors about the particular people who use their products; their identities, their habits, and their particular uses of the digital material subject to copyright. the information that is collected and then stored in these databases can be employed in a number of different ways.
the surveillance features associated with the database are crucial to the technological enforcement of the licensing component. it is through the collection and storage of usage information that DRMs are able to “authorize use” in accordance with the terms of the licensing agreement and thereby “manage” copyrights.
together, the database and the license allow owners of digital content to unbundle their copyrights into discrete and custom-made products. and, since they are capable of controlling, monitoring and metering most uses of a digital work, DRMs can be linked to royalty tracking and accounting systems. on this basis, DRM optimists believe that it will offer a secure framework for distributing digital content, one that promises that copyright owners will receive adequate remuneration while enabling a safe electronic marketplace that offers to consumers previously unimaginable business models beyond sales and subscriptions, such as highly individualized licensing schemes with variable terms and conditions.
amazingly, the bulk of writing on the subject of DRM has, to date, focused primarily on copyright policy. despite the fact that the capacity to monitor and meter customer habits is an essential feature of DRM, the level of sustained focus on the privacy aspects of DRM in canada is thin and, worldwide, is surprisingly sparse.
although referred to as “rights management” systems, what DRM really manages is information – information about users, which can be gathered 24/7 by way of automated, often surreptitious surveillance technologies. given DRM’s extraordinary surveillance capabilities, it is extremely difficult to imagine why the gov statement mentions no provisions that would directly address any aspects of the privacy implications of DRM in drafting its anti-circumvention laws.
iii. using DRM licences to circumvent privacy
in an automated environment, most informational transactions take place invisibly through software exchanges between machines, about which few humans are aware and fewer still have the technical expertise to alter. bits and bytes of data, not to mention various forms of personal information, are collected and inconspicuously interchanged without human intervention and often without knowledge or consent. automation therefore exacerbates an already problematic inequality in the bargaining power between the licensors and licensees resulting from standard form agreements and mass market licences. the combination of TPMs and contracts in this manner could therefore lead to unfair transactions.
as my european colleague bernt hugenholtz once asked:
Are we heading for a world in which each and every use of information is dictated by fully automated systems? A world in which every information product carries with itself its own unerasable, non-overridable licensing conditions? A world in which what is allowed and what is not, is no longer decided by the law but by computer code?
end user licences are becoming the rule and content providers the rulers. with increasing frequency, the terms of these licences are used to override existing copyright limitations.
while most people are of the view that individuals ought to be free to choose which contracts they enter into and that the state has no business interfering with the contracts freely entered into, an unbridled use of TPM with anti-circumvention legislation and contractual practices would permit content owners to extend their surveillance and personal information collection practices far beyond the bounds of what might otherwise be permitted by canadian privacy law. privacy law’s compromise between the needs of organizations and the right of privacy of individuals with respect to their personal information would be put in serious jeopardy if, irrespective of privacy rules, content owners were able to impose their terms and conditions through standard form contracts with complete impunity.
if anti-circumvention laws are to “ensure that Canadians' privacy rights are not reduced or undermined,” then the amendments to the Copyright Act must include a different kind of anti-circumvention provision. in addition to prohibiting the circumvention of TPMs for infringing purposes, there must be a balancing counter-measure that expressly prohibits the use of DRM to circumvent the protection of canadian privacy law. “appropriate balance,” in this sense, requires a legal lock aimed against organizations that would use TPMs, the proposed anti-circumvention law and the law of contract as a means of hacking past PIPEDA or its provincial equivalents.
ian kerr holds the canada research chair in ethics, law & technology at the university of Ottawa, faculty of law and is the principal investigator of on the identity trail. stay tuned for the release of more details of ian’s research on this topic, including recommendations outlining legal solutions to drm & privacy in the copyright reform context.