Digital rights management (DRM) technology used in MP3s, DVDs, and most consumer software may be violating Canadian privacy laws, according to a new report.

DRM is an access control tool used by publishers or copyright holders and is designed to securely manage access and use of digital information or devices. Its primary purpose is to combat piracy and protect against copyright infringement.

The study, published by the University of Ottawa's Canadian Internet Policy and Public Interest Clinic (CIPPIC), indicated that DRM is being used to collect, use and disclose consumers' personal information for secondary purposes, without giving the user adequate notice or the opportunity to opt-out of collection.

The report investigated DRM systems used in 16 different digital products and services including Apple's iTunes Music Store, Microsoft's Office Visio, and Symantec's North SystemWorks 2006.

"The privacy concerns with DRM are substantiated by what we saw," David Fewer, staff counsel with CIPPIC and the study's lead investigator, said. "In the Canadian marketplace we've found that there is simply widespread non-compliance of PIPEDA (Personal Information Protection and Electronic Documents Act)." CIPPIC found it particularly troubling that companies using DRM to deliver products and content failed to document in their privacy policies the DRM-related collection of personal information.

"If there's personal information collection use or disclosure going on, there has to be consent and the form of consent has to be appropriate to the circumstances," Fewer said.

"We agree that in many cases consent doesn't have to come in the form of expressed consent. But, in other circumstances, particularly where it was unexpected or whether what was being collected was related to core...