EU investigates DRM privacy threat

Digital rights management (DRM) -- the technology that could dictate everything from who can read your documents to what music player you can put your tunes on and a whole host of other things -- could be a threat to your privacy, according to the EU.

An EU working party is looking into the implications of the spread of DRM which is often used to protect copyrighted material such as software and music. The EU believes that the way DRM can be combined with tags that uniquely identity individuals could lead to people being unfairly or unnecessarily tracked.

The 'working document on data protection issues related to intellectual property rights' says: "As regards the development of digital rights management, the WP [working party] notes that new technologies to identify and/or trace users are being established at the level of exchange of information as well as at platform level," i.e. verifying software and hardware.

The working document adds that where information is exchanged over the internet, more and more digital watermarks tags are being used to track users and their preferences -- for example, when a music track is purchased online, the purchaser has to enter their account information and unique identifier. That information -- identity and musical taste -- is then used in some cases for targeting marketing information.

The report says: "Electronic copyright management systems (ECMS) are being devised and offered which could lead to ubiquitous surveillance of users by digital works. Some ECMS are monitoring every single act of reading, listening and viewing on the internet by individual users thereby collecting highly sensitive information about the data subject concerned."

One such example of where data has been collected and then used to track individuals, the report says, is that of file-swappers. Music pirates have found their identities shared with record industry watchdogs as a result of information gathered by their ISPs.

"The research conducted by rights holders is usually based on the collection of the IP address of the users. This information is then combined with users' data as detained by ISPs; in some cases the rights holders directly request the identity of the user to the ISP in order to send cease and desist letters to the users," the report continues.

This practice, the EU notes, varies from country to country.

The working party "deems it necessary, in this changing context, to recall the main data protection principles and the extent to which they apply in the framework of digital right management".