The Daily Digital Lock Dissenter, Day 21: Privacy Commissioner of Canada

The Privacy Commissioner of Canada has not spoken out on the recent copyright bills, but in 2008 she wrote a public letter to then-Industry Minister Jim Prentice expressing concern “about possible changes to the Act authorizing the use of technical mechanisms to prevent copyright infringement that could have a negative impact on the privacy rights of Canadians.” The Stoddart letter, which came in the aftermath of the Sony rootkit case, stated:

If DRM technologies only controlled copying and use of content, our Office would have few concerns. However, DRM technologies can also collect detailed personal information from users, who often do no more than access the content on a computer. This information is transmitted back to the copyright owner or content provider, without the consent or knowledge of the user. Although the means exist to circumvent these technologies and thus prevent the collection of this information, previous proposals to amend the Copyright Act contained anti-circumvention provisions.

Commissioner Stoddart has not commented on the adequacy of the personal information exception in Bill C-11, but there is reason for concern.

The exception permits circumvention to verify whether personal information is being collected and to prevent it (where there is no notice of collection or a notice that does not allow an opt-out), but the ability to exercise this exception is rendered difficult by virtue of the inability to legally obtain devices (i.e., software programs) for this very purpose. The bill states that a person can offer circumvention devices or services for the protection of personal information only “to the extent that the services, technology, device or component do not unduly impair the technological measure.”

In other words, you can use a circumvention device to protect your privacy but it cannot allow you to simultaneously access the underlying content. Of course, once most circumvention devices circumvent a technological measure, the protected content will be in the clear. Distribution of this form of device is therefore illegal under Bill C-11 and service providers will likely be unwilling to use this provision for fear of facing liability. In light of the approach in Bill C-11, the Privacy Commissioner’s concerns about privacy and digital lock rules remain as valid today as they were in 2008.

Previous Daily Digital Locks: Provincial Resource Centre for the Visually Impaired (PRCVI) BC, Canadian Consumer Initiative, Retail Council of Canada, Canadian Council of Archives, Canadian Teachers’ Federation, Canadian Federation of Students, Canadian Civil Liberties Association, Documentary Organization of Canada, Canadian Library Association, Council of Ministers of Education Canada, Business Coalition for Balanced Copyright, Canadian Association of Research Libraries, Canadian Historical Association, Canadian National Institute for the Blind, Canadian Bookseller Association, Canadian Home and School Federation, Film Studies Association of Canada, Canadian Bar Association, Canadian Federation for the Humanities and Social Sciences, Appropriation Art

14 Comments

  1. pat donovan says:

    DRM
    plus there’s ANOTHER encryption method being made obsolete today..
    and that trashed (it’s now unsupported) everything you ever bought with THAT method.

    http://www.techdirt.com/articles/20111031/13425616573/ding-dong-another-drm-is-dead-with-it-all-files-you-thought-you-bought.shtml

  2. James Gannon says:

    What I find strange is one of the main criticisms of the use of DRM is that they are “pointless” because hackers are so sophisticated, they will find ways to disable it within seconds.

    However, when Bill C-11 contains perfectly balanced circumvention exceptions saying you can disable, or create devices to disable, technologies that violate personal privacy protections so long as the underlying content protection is unaffected, all of a sudden it’s an insurmountable challenge to these otherwise techno-prodigies.

    Also, the Privacy Commissioner fails to mention that devices that violate Canadian federal or provincial privacy law will remain illegal, regardless of what’s in Bill C-11. The copyright bill doesn’t legalize any otherwise illegal technology. Last year, Canada passed the most restrictive anti-spyware law in the world. Bill C-11 doesn’t legalize any program or device that would violate those or other laws.

  3. @James Gannon
    You are under the false assumption that all DRM that violates the privacy laws are created in a way that does not tie into the underlying content protection. Even when that is the case, the companies will simply change the DRM scheme to tie into the underlying content so that it becomes illegal no matter what you do.

    I don’t share your belief that C-11 is perfectly balanced. C-11 doesn’t legalize anything that isn’t already legal but it does make a lot of what I use on legally owned materials every day illegal. Even if I’m not `caught` for watching my DVDs, should I be breaking the law in doing so? As it stands, the C-11 bill will make more people `infringers` and will make the general public less respectful of the law. Intellectual Property – which I depend on for my livelihood – will be even more undervalued.

  4. @James Gannon: You seem to be missing the main point that most objectors to C-11 have been making. While I acknowledge that you are right that C-11 does contain exceptions to circumvention where issues of correcting security flaws are at stake, the point that objectors are making is not that making their recommended exceptions to outlawed circumvention suddenly makes it more difficult for hackers to break the law… it’s that the lack of any exceptions for fair dealing create a significant challenge to *HONEST* consumers who only wish to engage in fair dealing privileges… in particular, personal and private copying, or format shifting. C-11 figuratively throws the baby out with the bathwater by making practically any and all circumvention illegal, regardless of any underlying legitimate intent, and the only significant reduction in copying that can even hope to arise from it will be that which would have been wholly permissible under a fair dealing provision anyways. The result, quite simply, is that there is no justifiable reason for the digital lock provisions of C-11 to not contain exceptions that would legally permit fair dealing. The concern that any such exception will somehow make it easier for people to break the law is actually a red-herring, because if people are actually intent on breaking the law, a piece of paper saying something is illegal is not liable to stop them. The result being that we will end up with essentially the same number of people breaking the law… actually more, because people aren’t going to simply agree to these new provisions with regards to how they impact things like private copying or format shifting for personal use, assuming they even know about them, and are only liable to ignore them. Particularly since, by a Conservative representative’s own admission, Canadians would not typically be liable for any damages if they circumvented a digital lock to copy it for personal reasons anyways.
    In addition to such a policy smacking entirely of considering it acceptable that Canadians be closet lawbreakers (a wholly deplorable notion that I am nothing less than appalled was *ever* suggested by a representative of a supposedly lawful government), the net effect of such a policy is going to be *EXACTLY* the same as what would happen if the law contained exceptions to circumvention being illegal that explicitly permitted fair dealing. It thus simply makes the most sense to adopt fair dealing exceptions to the prohibitions on digital lock circumvention.

    In the long run, such exceptions would be the most beneficial to the public.

  6. Digital locks and privacy.
    The big question is whether DRM protected technologies violate privacy concerns. When it becomes illegal to break the DRM, yes encryption is a form of DRM, even if one discovers a company like Sony has installed a DRM that transmits private data, one cannot report it without implicating themselves in breaking the law. This gives free rein to big media. This heavily shifts the balance of power over to big media and potentially gives them legal standing to violate privacy rights and get away with it. Even the act of removing the software or reformatting your computer potentially becomes illegal since something even as routine as reformatting your hard drive effectively disables the DRM…which is, of course, illegal. It sounds ridiculous, right? Of course it is…for the average consumer, but companies like Best Buy, with their “Geek Squad” PC maintenance group, or any other professional PC service provider, should be seriously looking at how this affects them.

    Once DRM has legal protection, only FOOLS would think big media does not intend to use it to track us. Why lobby for and fight so hard for something you have no intent to use?

    Someone recently told me that the new game Diablo 3 from Blizzard will REQUIRE an Internet account and central authentication every time you play the game…even in single player. I guess this is the ultimate form of DRM, and God only knows what information they’re going to require/collect. This is unfortunate, and I loved the first two, but I will not be locked in to such restrictive requirements. Much like with Bioshock, I will only consider buying the game if someone releases a crack to disable the DRM. Flexible DRM, yet still very effective, such as Steam, I’m fine with, but not this. They’ve lost a customer with me…solely due to DRM.

  7. I have absolutely no love for this bill at all, but why do people keep bringing up the hypothetical situation of somebody using digital locks maliciously, and think that this law would actually protect them?

    From the text of the bill:
    “41.15 (1) Paragraph 41.1(1)(a) [the paragraph prohibiting circumvention of digital locks] does not apply to a person who circumvents a technological protection measure that is subject to that paragraph for the sole purpose of, with the consent of the owner or administrator of a computer, computer system or computer network, assessing the vulnerability of the computer, system or network or correcting any security flaws.”

    If some DRM were used to track without the person’s explicit consent, then that would definitely constitute a breach in security, owing to existing privacy laws, and under the above quoted section, circumventing any locks that exist to correct the issue would not be considered a violation of the provisions of the bill.

    Again, I don’t like this bill in the slightest, and my reasons are entirely surrounding the legal protections that this bill offers digital locks, so nobody needs to convince me that this bill is tripe. But I do know what it cannot be used to do, and I would wholeheartedly encourage people unfamiliar with it to read the text of the bill. At the very least, it will give people who wish to criticize aspects of it an informed perspective, so that they can objectively point out the specific problems.

    It’s hard enough convincing the government to see what’s really wrong with this bill… let’s not cloud the issue by making things up that can’t ever actually happen.

  8. @James Gannon
    …”What I find strange is one of the main criticisms of the use of DRM is that they are “pointless” because hackers are so sophisticated, they will find ways to disable it within seconds.”

    What I find strange, is the assumption the TPM protections in C-11 are intended to reduce copyright infringement. You are correct that anyone bent on copyright infringement will bypass TPM measures readily. C-11 won’t have any effect on the dishonest people.
    You are incorrect in your implication that everyone is intent on copyright infringement. There are honest people out here. Most of us are. People that really don’t like the way that C-11 is laid out *because* it will turn generally accepted, and honest, actions into illegal ones.

    James, I ask a question that I would like you to answer:
    Do you really want to turn honest citizens into dishonest ones? Especially when doing so is no real impediment to the dishonest ones?

    That’s what C-11, in its current form, will do.

  9. @Mark
    While I agree with you in principle, there is still the matter of exactly what 41.15 (1) actually allows. It does not address how to obtain the tools or services to carry out this exception. Restriction of those tools and services is covered in 41.1 (1)(b) and 41.1 (1)(c), while the exception in 41.15 (1) specifically refers to 41.15 (1)(a)..

    Does everyone have to write their own tools to stay within the letter of the law? I know I can, can you? Can every administrator of systems or networks?

  10. @Mark
    Thanks for the clarification. I missed that in my reading. That’s what I like about forums such as this, incorrect assumptions can quickly be rectified.

    BUT the exception only applies to vulnerabilities and security issues. My point stands on removing the DRM or cleaning a drive for the sole purpose of disabling the DRM. A good example might be, again, a DRM a legally purchased game installs on your PC. Would it still be considered illegal to remove/disable it, even after the game has been removed? Like the Sony rootkit, the DRM on Bioshock, made both the game and the entire system unstable. The cracked version fixed both issues. Could this be justified as a form of vulnerability or should we be expected to simply tolerate such shoddy products?

    If we buy a product, we should be able to modify it for personal use in any way shape or form that we see fit. It’s not illegal for me to write in a book or, even burn it…I can even copy it for my own use as many times as I see fit. It’s not illegal for me to cut up a CD or smash a DVD player with a hammer and use its components to build something new…NONE of which are uses intended by the copyright owner. As long as I’m not selling it or distributing it, why should it be illegal for me to rewrite a piece of code to change its use. At worst, I should be in breach of the EULA and my warranty be void. Voiding my warranty is one thing and a risk one must accept, BUT, IT SHOULD NEVER BE ILLEGAL FOR ME TO TINKER AND EXPERIMENT WITH SOMETHING I’VE LEGALLY PURCHASED!!!!

  11. No, oldguy… from the text of the bill, 41.15(2) and 41.15(3) have exemptions for the prohibitions described in 41.1(1)(b) and 41.1(1)(c), respectively, in much the same way as 41.15(1) clearly exempts the prohibitions in 41.1(1)(a).

    In summary, even under C-11, it will not be illegal to create or distribute circumvention tools which aid people in correcting security flaws (although if that was not its stated purpose, and especially if it could not actually be practically utilized for that purpose [yet], it would probably not qualify for the exemption afforded under 41.15).

  12. @Mark
    I stand corrected. Thanks..

  13. @IamMe: Yes, DRM that remains after the product has been allegedly uninstalled could easily be considered a legitimate security vulnerability if you had no intention to further utilize the product.

    The biggest threat in C-11 is by far its impact on the legitimacy of actions that the consumer will continue to expect to be reasonable and legitimate… in particular, activities such as private copying and format shifting, which under C-11, the consumer would have to break the law to accomplish it if the work happens to contain a digital lock. Even though private consumers probably would not have any real liability for such actions (indeed, the conservatives actually made a statement to that effect recently, which both appalled and shocked the heck out of me), they would still be illegal, and creates a path to an ethical dilemma where one questions whether it is acceptable to do something illegal when they assuredly happen to know they will not get caught or pay any penalty.