EU Warns of DRM Privacy Threat

A European Union government advisory body calls for the development of tools that protect users from digital rights management technology.

An influential European Union government advisory body has called for better protection of users privacy, which it says is being eroded in the midst of efforts to crack down on piracy.

While copyright holders have a right to protect themselves from infringement, the EU Working Party on Data Protection in a new draft document expressed concern that "the legitimate use of technologies to protect works could be detrimental to the protection of personal data of individuals." One step that could help is the development of tools that protect the users anonymity from DRM (digital rights management) technology, according to the group.

"Users should have the option to access the Internet without having to reveal their identity where personal data are not needed to provide a certain service," the group wrote.

The Working Partys paper—which is currently in a consultation period, with public comment invited until March 31—bears a certain amount of legal weight. In the EU, data protection legislation governs the way in which companies can gather and use personal data, and any company operating in the region must comply with these rules. U.S. Internet companies with European Web sites, for example, must meet data protection requirements when they want to transfer user data back to the United States.

The Working Partys draft paper gives an indication of the EUs position on how data protection policy is evolving to deal with new copy-protection technology, and with legal actions taken by copyright holders against alleged pirates over the past few months. The situation is complex because while companies have a right to implement copy-protection technology and take alleged infringers to court, they must still respect individual privacy, something the Working Party says has fallen to the sidelines of the debate.

The Working Party is concerned that copyright-protection systems are able to build an increasingly detailed picture of a users background, tastes and purchasing activities through the use of unique identifiers included in, for example, downloaded music tracks. "In addition to the claimed purpose of control of the use of the information by the individual in compliance with DRM, the tagging is often used to profile and target advertisements to the users," the paper said.

At the platform level, the use of TPMs (Trusted Platform Modules), designed to build DRM directly into PC hardware, could become a routine way for the content industry to "regain the control of the distribution and use of digital content (including software) that they have lost with the advent of Internet and peer-to-peer applications." TPMs are "likely to become ... a necessary feature to participate in the information society," the group said.

Besides asserting users right to anonymity, the Working Party questioned the growing use of unique identifiers in copyrighted documents, which helps companies create a profile of individual users. "The tagging of a document should not be linked to an individual except if this link is necessary for the performance of the service or if the individual has been informed and has consented to it," the group said.

/zimages/3/28571.gifClick here for more on the DRM debate.

Another problematic area is the use of information compiled in a database, such as the Whois database, for uses other than the databases original purpose. For example, EU data protection law doesnt allow companies to collect a users name and address during a credit card transaction, then link this information to user preferences collected through monitoring their purchases, for marketing purposes, the Working Party said.

This principle—called "compatibility" or "original purpose"—also applies to the way companies compile data to be used in prosecuting alleged pirates. It isnt currently clear whether companies should be allowed to use Whois data in such cases, because the original purpose of Whois isnt well-defined. "From the data protection viewpoint it is essential to determine in very clear terms what is the purpose of the Whois and which purpose(s) can be considered as legitimate and compatible to the original purpose," the Working Party said.

ISPs obligations are limited where it comes to providing information to copyright holders in infringement cases, the group said. Under data protection principles, ISPs that have gathered billing data should delete the information when its no longer needed for that purpose; ISPs arent justified in storing all user data "in the possible eventuality of alleged misuse of copyright information by a specific user."

DRM use is growing rapidly, with 20 percent of the top 2,000 global organizations expected to implement it by next year, according to a Meta Group Inc. report. The health industry is also investigating using DRM to control who has access to medical information. Microsoft Corp. is making DRM the linchpin of its Next Generation Secure Computing Base technology, or "Palladium," which is expected to tie in with TPM hardware.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.