Managing Rights Management

InfoWorld reports that the Swiss government has warned Logistep, a company that tracks file sharers, that its tactics may be illegal under Swiss law. Identifying file sharers is part of global antipriracy efforts that in the view of some compromises the privacy of individuals.

Logistep, which supplies information on suspected file sharers to law firms around the world for use in copyright violation cases, has until Feb. 9 to respond to the Federal Data Protection and Information Commissioner (FDPIC), said Marc Schaefer, the agency's legal advisor.

Under Swiss law, the identity of a subscriber to an ISP can only be revealed during the course of a criminal case, not a civil one, Schaefer said. The IP address of a computer controlled by the subscriber is considered "personal" information.

[tip o' the hat to Digital Freedom Campaign] Jeremy Reimer writes on ArsTechnica that the Bavarian government sought assistance from software vendor Digitask in snooping on Skype conversations. So much for privacy.

The method outlined involved the installation of malware referred to as the "Skype Capture Unit" that would be delivered in an executable file that "can for instance be attached to an e-mail or directly be installed on the target machine." This software would then transfer unencrypted conversations to a remote Skype Recording Server that can record and replay 10 Skype interceptions in parallel. The Recording Server then sends the conversations through to Skype and their intended destination, a classic "man in the middle" attack that is difficult for the compromised user to detect.

Privacy is a touchy subject. For nearly 20 years, I have advocated that consumers be informed in advance and "opt in" to any collection of usage information by DRM technologies. The reason is that this information has value. In some business models, it's perfectly reasonable to provide compensation to consumers for access to their usage information. Compensation might be in the form of discounts or free digital goods.

These and related issues are now being discussed in Canada. Jennifer Stoddart, Privacy Commissioner of Canada, has sent a letter to Jim Prentice, Minister of Industry, and Josée Verner, Minister of Canadian Heritage, regarding the privacy implications of proposed changes to Canadian copyright law. Ms. Stoddart is most concerned about the use of DRM implementations that collect user related information without their consent:

If DRM technologies only controlled copying and use of content, our Office would have few concerns. However, DRM technologies can also collect detailed personal information from users, who often do no more than access the content on a computer. This information is transmitted back to the copyright owner or content provider, without the consent or knowledge of the user. Although the means exist to circumvent these technologies and thus prevent the collection of this information, previous proposals to amend the Copyright Act contained anti-circumvention provisions.

Dennis McDonald posted a comment on my DRM 3.0 blogicle asking, "Did any of the industry folks you talked with say anything about possible privacy implications for "DRM 3.0" applications?" The direct answer is "yes and no."

Privacy issues turn, in my view, on what is done with information relating to user behavior. However, privacy is not the only issue raised by DRM 3.0 models.

Some ISPs are threatening to interdict and prevent the transfer of copyrighted media content (especially if that content belongs to large companies). If ISPs provide user specific information to the RIAA, MPAA, or other stakeholders that then becomes the basis for civil litigation or criminal prosecution, then privacy is obviously a major concern to all.

Privatunes announced software that removes the identifying information that Apple includes in each music file, including those sold without FairPlay DRM. However, the Electronic Frontier Foundation says the removal is not complete:

Chris Maxcer has written an informative article on iTunes embedding buyer information in each file and on the possible consequences of sharing such files with others.

It's been recently discovered, though, that each song sold through iTunes Plus --the section of iTunes that sells the higher-quality, DRM-free music -- is marked with the name and e-mail address of the user who bought it....

The EFF has taken a closer look at iTunes music files that lack Apple's FairPlay DRM. As part of what appears to be their ongoing investigation, they concluded:

We've found that there isn't a watermark in the compressed audio signal itself, but there are surprisingly huge differences in the encoded files. Much bigger differences than just different tags, or even different signed/encrypted tags.

The LA Times [registration required] is reporting that the Motion Picture Association of America and the Recording Industry Association of America are lobbying the California legislature for an exemption to proposed laws that would outlaw pretexting, the practice of misrepresenting one's identity in order to gain access to confidential or private information. Pretexting was at the core of the recent Hewlett Packard board brouhaha.

The trade groups are arguing that they need to use pretexting to pursue pirates of physical and digital goods and that the proposed legislation would deprive them of an import tool in combating piracy.

Writing in TG Daily, Wolfgang Gruener notes in a very informative article that Intel's Legrande security platform is unlikely to come to home PCs any time soon largely out of Intel's concerns around privacy implications. Snippets:

Yesterday I noted the terrific paper by Alexander Halderman and Ed Felton that provides an in-depth look at the technologies underlying the Sony-BMG rootkit fiasco. As with the fiasco itself, this paper is certain to gather substantial attention in the blogosphere.  Here is a quasi- random selection of commentary that may be of interest.

According to a blog posting by Alex Eckelberry on the Sunbelt Software blogsite, a preliminary settlement in a lawsuit against Sony has been filed in court. The proposed settlement is outlined in the blogicle. The 42 page court document is also available on the Sunbelt site here.

As of the 23rd, at least some stores still had Sony CDs with DRM on them, this according to the Consumerist and other sites.

Tim Jarrett has established the boycott Sony blog, apparently to provide a forum for comment and discussion. Among the more recent observations is that the provider of the DRM technology that is the root cause of the Rootkit problem, first4internet, has apparently taken down their web site.

As of yesterday afternoon, most of the content was gone as observed by Jarrett and others.

According to an article in Ecommerce Times, the Sony Rootkit chickens have come home to roost in the form of lower CD sales, at least in Canada. Snippets:

It's becoming a regular occurrence in CD shops across the country [Canada]: an irate customer comes in complaining the CD they bought won't play on their computer, and worse yet, they can't transfer the tunes to their iPod.

The culprit is copy-protected or copy-controlled CDs -- something many Canadian music retailers say they would like to see pulled from store shelves.

"This is just another really, really ridiculous way of telling our customers, 'We don't want your business,'" said Tim Baker of Sunrise Records, which has 31 shops in southern Ontario. "It's so stupid."

A number review articles have covered the evolving Sony BMG rootkit rumpus, including Bill Rosenblatt's piece, Dennis McDonald's blogicle, and Jefferson Graham's story on the possible roots of Sony's troubles in their merger with BMG. Well written, Graham might be correct.

Still, it's often hard for senior executives to understand the implications of, and to ask the right questions concerning complex technologies that may be out of their competence zones.  That said, Sony management is clearly culpable for poor public relations, a point also made in the Graham story.

The odds are pretty good, in my view, that over the next year  Sony BMG will recover and sales will not be greatly affected. By Xmas time 06, only the DRMigerati and lawyers will care.

Dennis McDonald has started a blog on personal data here [ok, he mentions this blog favorably, but reciprocity drives the blogosphere].

His thinking seems aligned with the notion expressed in my writings that consumer choice and market forces should play an important role in how personal information is used.

In the context of DRM, maybe I'm willing to share information regarding my music or video use and preferences in exchange for free music. Or not.

Marketing Shift has an article and comments regarding a data structure relating to Microsoft's DRM. One of the fields is "law_association_area". Applying Occam's Razor--that the simplest explanation is best--this field probably reflects the fact that many, if not most, rights are territorial.  One example is the DVD region code.

Another is that different companies may have the rights for the same  book or CD for different countries. One well-known example is that Scholastic has the US rights for Harry Potter while Bloomsbury has the United Kingdom Rights.

In this instance, at least, paranoia seems unwarranted.