CIRCUMVENTING PRIVACY: WHEN TECHNOLOGICAL MEASURES BECOME SPYWARE
Posted by: Greg Hagen // 11:59 PM // December 06, 2005 // ID TRAIL MIX
It has become well known by now that if you purchased the Van Zant brothers' Get Right with the Man CD, or any of 51 other recordings from Sony BMG in or after 2003, Sony BMG may have surreptitiously installed spyware incorporated into its Extended Copyright Protection (“XCP”) software onto your computer. “Surreptitious” because XCP and its operations are cloaked using the SecurityRisk.First4DRM rootkit, which is designed to hide system objects and operations whose names start with $sys$ from diagnostic and security software, including spyware detectors. The implication is that user privacy could be breached not only by XCP's tracking functionality, but by any unwanted malware whose name begins with $sys$. The fact that the spyware was embedded in XCP should give pause to those who support Bill C-60, which lends legitimacy to technological measures (to protect copyright) that embed spyware.
A number of lawsuits in the U.S., including one commenced by the Electronic Frontier Foundation, complain that Sony BMG did not disclose the possibility that XCP can track the use of Sony BMG CDs, either in its packaging, the installation process, or its End User License Agreement (“EULA”). The EULA merely provides that “a small proprietary software program” will be automatically installed which is “intended to protect the audio files embodied on the CD.” It did not, however, disclose that the “small proprietary software program” increases the risk that third-party malware will be hidden by the rootkit. Nor did it disclose that it can “monitor the CD drives in order to enforce any digital rights.” As a result, most information security companies now consider XCP a security risk. Microsoft has accordingly labeled XCP as spyware.
Spyware is considered to be objectionable primarily because of the notorious lack of adequate consent provisions in accompanying EULAs and installation procedures. Suppose, however, that Sony BMG attempted to modify its EULA and installation procedures in order to accord with Canadian privacy legislation. Among other requirements, Sony BMG would have to ensure that, pursuant to the applicable consent provisions such as PIPEDA Principle 4.3, any collection, use and disclosure of an individual's personal information takes place with the knowledge and consent of that individual. The question that immediately arises is whether the supply of CDs can be conditioned upon such consent, permitting Sony BMG to thereby circumvent privacy protections.
Principle 4.3.3 of PIPEDA requires that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes. Does the collection of personal information by XCP serve a “legitimate purpose”? The Canadian Government’s Spam Task Force recommendation to prohibit spyware suggests that the use of XCP to protect copyright is not legitimate. If that is correct, then consent that is a precondition to the supply of CDs should be considered vitiated, and one should be able to use a spyware uninstaller to remove XCP with impunity.
On the other hand, certain provisions contained in Bill C-60, introduced in Canada’s 38th Parliament but not passed at its dissolution, suggest that XCP serves legitimate purposes. Under section 34.02 of Bill C-60, it is generally forbidden to circumvent technological measures designed to protect works and other subject matter. While that section excepts acts of circumvention in order for persons to exercise rights provided under copyright law, it does not except acts of circumvention to further the exercise of rights, per se, including rights of privacy and expression. Yet, the implicit rationale for excepting acts which do not infringe copyright or moral rights - the recognition that technical measures can interfere with the legitimate exercise of rights - should lead to the conclusion that an exception to the circumvention prohibition should exist in respect of the legitimate exercise of all rights provided by law.
The lack of a broader exception to the anti-circumvention provisions in Bill C-60 is fuelled by a misconception, expressed in a number of cases, that intellectual property interests always trump other interests such as privacy and freedom of expression. For example, in BMG Canada Inc. v. Doe, 2005 FCA 193, the Federal Court of Appeal considered whether ISPs should reveal the identity of individual peer-to-peer file sharers who were accused of copyright infringement. The Court stated at paragraph 41 that “[a]lthough privacy concerns must also be considered, it seems to me that they must yield to public concerns for the protection of intellectual property rights in situations where infringement threatens to erode those rights.”
This bias runs counter to the supremacy of the constitutional provisions protecting rights such as privacy and expression over intellectual property rights as provided by s. 52 of the Canadian Constitution Act, 1982. While the rights guaranteed by the Charter of Rights and Freedoms are subject to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society, such limitations - even those designed to provide a just reward for creators - are exceptions to the broad rights guaranteed by the Charter. It follows that, if Bill C-60 is to comply with the Charter, a much broader exception to the anti-circumvention provisions is required. Circumvention should be permitted where it furthers the legitimate exercise of rights guaranteed by the Charter.
Greg Hagen is an Assistant Professor at the Faculty of Law, University of Calgary.
I posted my comment here:
I went to post to this site, but it seems that paragraph breaks are stripped out which makes it hard to read.
Posted by: Russell McOrmond at December 10, 2005 05:32 PM