The Interplay between privacy and copyright is complex. We offer this Background Paper to help clarify privacy implications of proposed changes to the Copyright Act.
BACKGROUND PAPER: CRITICAL PRIVACY ISSUES
IN CANADIAN COPYRIGHT REFORM
MAY 17, 2006
1. EXECUTIVE SUMMARY
Privacy is increasingly threatened by copyright holders’ technological controls and by expanding copyright law. In our information society, some of the most fundamental questions about the appropriate limits of copyright holders’ rights have come to be synonymous or interdependent with questions about the appropriate limits of personal privacy in connection with the enjoyment of copyright works. To date, the product of this conflict has unquestionably been a diminishment of privacy.
Although the conflict between privacy and copyright has received much critical attention, our former government appears to have ignored these criticisms in its proposals to reform copyright law in Canada. The government has never consulted specifically on the privacy implications of copyright reform. In November 2004, for example, the Privacy Commissioner of Canada expressed her concern about copyright reform and stated that her office had not been consulted by the ministries responsible.
This short Background Paper explains why intellectual privacy – the ability to enjoy copyright works in private or anonymously – is so important, both in its own right and in terms of furthering the goals of copyright. This paper then briefly outlines three major
privacy threats posed by copyright reform in Canadaii and explains why critical attention is needed in these areas. This paper also identifies and references proposals for resolving the identified problems.
Ultimately, this paper describes why it is critical that Canada ensure a privacy-preserved means of access to creative works. Protecting personal privacy in this context is essential for our intellectual freedom, freedom of expression, and innovation, all of which are independently important, in addition to complementing the goals of copyright policy.
2. COPYRIGHT SHOULD NOT BE A LICENSE TO INVADE PRIVACY
Some ‘copyright holders’iii increasingly attempt to use copyright as a justification to invade Canadians’ personal privacy. Privacy-invasive ‘digital rights management’ (DRM) technologies, described further below, are one example of this trend; as are the
standard-form licenses that such technologies implement. Some copyright holders have also sought to compel Internet service providers (ISPs) to retain and disclose individuals’ personal information in order to sue them for staggering statutory damages for music downloading.iv As of early 2006, approximately 16,000 individuals had been targeted with lawsuits in the United States and thousands more around the world.
In addition to the need to protect privacy as a fundamental right in and of itself, it is important to note that copyright policy is furthered by protecting privacy. Individuals should be able to access and enjoy copyright works free from the prying eyes of
copyright holders. The American Library Association explains why this kind of privacy is essential:
In all areas of librarianship, best practice leaves the user in control of as
many choices as possible. These include decisions about the selection of,
access to, and use of information. Lack of privacy and confidentiality has
a chilling effect on users’ choices. All users have a right to be free from
any unreasonable intrusion into or surveillance of their lawful library use.
The same rationale applies to copyright policy generally. Access to and enjoyment of existing works is chilled when individuals are forced to do so under copyright holders’ microscope: “Surveillance is inimical to creativity. We cannot expect people to ‘stand on the shoulders of giants’ to create in the full glare of spotlights.” Privacy invasions not only chill and discourage public access to and enjoyment of existing works, but also over the longer term may lead to less creation of new works. New creativity is built on access to and enjoyment of existing creativity.
Not surprisingly in light of the importance of privacy for copyright policy, copyright law was never intended to be used against individuals in ways that affect our intellectual freedom to access and enjoy copyright works in private::
In sum, the invasion of the private sphere is at odds with the history of
copyright… . There was an implicit recognition that copyright did not
apply to end uses, even though formally users were making copies and, in
rarer cases, performing or communicating works.
[On the Internet] copyright has tried to enter deep into the private sphere
of end-users, thus breaking with two centuries of tradition and practice.
From our courts, Justice LeBel of the Supreme Court of Canada has sounded a warning about why we ought to tread carefully at the intersection of copyright and privacy:
[an individual’s surfing and downloading activities] tend to reveal core
biographical information about a person. Privacy interests of individuals
will be directly implicated where owners of copyrighted works or their
collective societies attempt to retrieve data from Internet Service Providers
about an end user’s downloading of copyrighted works. We should
therefore be chary of adopting a test that may encourage such
Despite such warnings, Canada is proposing to revise copyright law in ways that erode Canadians’ personal privacy rights, with consequent erosion of education, intellectual freedom and freedom of expression. The three areas of proposed reform that currently pose the most threat are: (1) anti-circumvention and DRM, (2) ISP liability and (3) photography.
3. ANTI-CIRCUMVENTION AND DRM
DRM technologies are designed to automatically manage rights in relation to information. This functionality can include preventing copyright works and other information from being accessed or copied without authorization and establishing and
enforcing license terms with individuals.
DRM is used by some copyright holders ostensibly to control access to and use of copyright works. In fact, DRM technology can be used to override fundamental privacy protections. DRM typically uses surveillance to monitor and collect detailed information
about people’s access to and use of copyright works and other information.
In basic terms, DRM implicates privacy because its continuous surveillance function can provide copyright holders with highly detailed information about the reading, browsing, listening and viewing habits of individuals. Both the nature of this information and the level of its detail are unprecedented. This information about people’s browsing, reading, listening and viewing habits is highly sensitive ‘core biographical’ information.
One of the most insidious aspects of DRM’s impact on privacy is the fact that DRM is collecting information while people are engaged in highly private activities in places where they would normally have no expectation that they are being watched. DRM collects information while users are reading, watching or listening to copyright works in the privacy of their homes or other private spaces. In this way, DRM interferes with Canadians’ intellectual freedom to access, explore and use copyright works privately or anonymously. DRM leaves no room to enjoy copyright works in private, free from the prying eyes of copyright holders.
The Information and Privacy Commissioner of Ontario wrote about DRM’s threats to privacy as early as 2002.xi Recognizing the potential privacy implications of DRM, in 2004 the Privacy Commissioner of Canada identified DRM as posing a threat to
individuals similar to the threat posed by ‘spyware’.
Our Federal Privacy Commissioner’s concern came to fruition in 2005 when a major public outcry erupted over Sony BMG’s use of ‘rootkit’ DRM on millions of music CDs. This single instance of DRM, characterized by experts as a form of ‘spyware’, created a
fundamental privacy and security breach for hundreds of thousands of computer networks and for many more governments, businesses and individuals worldwide. Among other consequences, the incident prompted a division of the U.S. Department of Homeland Security to issue a public statement recommending that individuals not install DRM used on music CDs. The Sony BMG case is not an isolated incident of problems with DRM. Class action lawsuits have since been launched against Sony BMG in the United States and Canada. The Texas Attorney General has also commenced an action against Sony BMG, alleging inter alia that the DRM violated the state’s spyware and deceptive trade practices laws.
The privacy threats posed by the Sony BMG DRM were twofold: first, individuals’ personal information was secretly transmitted from their computers to Sony BMG as part of the intended operation of the DRM; second, the DRM (and DRM uninstallers) exposed individuals to privacy violations by making them vulnerable to computer viruses and worms. The Sony BMG controversy is representative of the kinds of problems that can arise with DRM. It is not an isolated incident – similar security and privacy problems have arisen in the use of DRM on DVDs.
Rather than consulting on privacy and considering copyright reforms that would protect Canadians from the use of DRM (as an increasing number of commentators have suggested we should do), Canada’s former government proposed copyright reforms in Bill C-60 that would provide protection for DRM. These are called ‘anti-circumvention’ provisions because they protect DRM by making it illegal for people to circumvent DRM. Anti-circumvention laws that protect DRM (as proposed in Bill C-60) have the
effect of legitimizing and encouraging the use of these privacy-invasive technologies. Such legal provisions could cripple Canadians’ ability to protect their privacy and to enjoy copyright works in private, free from copyright holders’ DRM ‘spyware’.
Though well-intentioned, data protection law is inadequate for addressing the privacy threats of DRM, principally because it permits the circumvention of privacy by ‘agreement’. Non-negotiable standard-form terms of service implemented by DRM
sometimes reference this surveillance, for example: “[i]f you are a registered user, you also acknowledge, understand and hereby agree that you are giving us your consent to track your activities…”. However, not surprisingly, people are frequently unaware of
this and unwittingly ‘agree’ to the surveillance.
Related to the threats to privacy, some commentators have pointed out that DRM and anti-circumvention restrictions compromise Canadians’ constitutional right of freedom of expression. In response, they suggest that copyright must infringe on freedom of expression “only insofar as is necessary to serve the public interest in a robust marketplace of ideas.” Access to information, freedom of expression and the exchange of ideas are essential to the promotion of innovation, which is a core element of the purpose of copyright. These are compromised by DRM and anti-circumvention laws.
It is difficult to reconcile the use and legal protection of DRM with individuals’ rights to personal privacy, intellectual freedoms and freedom of expression. One might ask whether DRM technologies ought to receive legal protection at all, and for more than just the privacy reasons raised here. However, if DRM is to receive the protection of law at all, then individuals’ privacy rights and the public interest in those rights must be accounted for and protected. Proposals for addressing these rights have already been
made and could be adopted by the Canadian government, including, for example:
- Include an express provision prohibiting the circumvention of privacy by TPM/DRM, notwithstanding licence provisions to the contrary;
- Include an express provision stipulating that a DRM licence is voidable when it violates privacy law; and
- Include an express provision permitting the circumvention of TPM/DRM for personal information protection purposes.
In addition, it is important that Canada ensure a privacy-preserved means of access to creative works. For example, Canada might legally enshrine the rights of Canadians to access and enjoy copyright works in private by enacting a legal requirement for
anonymous or pseudonymous access to and use of copyright works, just as we have in the real world when we visit libraries and engage in other activities. Protecting personal privacy in this context is essential for intellectual freedom, freedom of expression, and innovation, all of which complement copyright policy goals.
4. INTERNET SERVICE PROVIDER LIABILITY
Bill C-60 proposed a ‘notice-and-notice’ system to address ISP liability. Under this system, copyright holders could issue notices of alleged copyright infringement to ISPs. ISPs would be required to forward these notices to the relevant subscriber. They would
also be required to retain identity data about their customers for six months. If the copyright holder commenced a lawsuit within that time, then the ISP would have to retain the identity data for a further year.
The ISP proposals in Bill C-60 raise a number of questions regarding privacy. For one, requiring ISPs to retain customer data for six months conflicts with the courts’ view regarding the reliability of personal information held by ISPs. In BMG Canada v. John
Doe,xxvi the court refused to order disclosure of identity information where there had been a delay of approximately six months between the copyright holders’ investigation and the filing of the application in court. Based on the evidence of the ISPs, the court confirmed that the delay gave rise to a risk that the identity information would be inaccurate. Anxious to avoid violating the privacy of innocent people and exposing them to lawsuits, the court declared that “the greatest care should be taken to avoid delay between the investigation and the request for information.” Use of unreliable information may lead to lawsuits improperly being filed against innocent people and is more likely to result in unjustified privacy violations. Bill C-60 is also silent about precisely what information ISPs must retain, leaving privacy protection in doubt.
In addition, Bill C-60’s regime for ISP data retention in response to copyright infringement allegations is inconsistent with our understanding of Justice Canada’s proposed regime for ISP data retention under judicial “Preservation Orders” for criminal
law enforcement purposes. We understand that retention in such cases would be for 90 days. If 90 days is sufficient for criminal law enforcement purposes, why is a longer period required for civil actions under copyright law?
Bill C-60 could help address the privacy implications of ISP data retention by minimizing the time period for the retention of data and requiring ISPs to retain only the name and last known address of the subscriber. Further, to help ensure that privacy is consistently protected, Bill C-60 could specifically spell out a privacy-respecting test for courts to apply in determining whether to order ISPs to release subscribers’ information in copyright disputes.
In the area of ISP liability, it is important to be aware that some copyright holders are expected to lobby for a ‘notice-and-takedown’ regime or even a ‘notice-and-termination’ regime. These regimes would require ISPs to take down individuals’ content, block their communications or even terminate their Internet access when a copyright holder issued a
mere allegation of infringement to an ISP. Such extra-judicial ‘self-help’ regimes have obvious negative implications for individuals’ rights of privacy and freedom of expression. These proposals should be rejected as the government has done to date.
A court order should always be required before an ISP discloses the personal information of its customers or takes any other actionxxix on the basis of a mere allegation from a copyright holder. As one Ontario court has pointed out, there are good public policy reasons for protecting the privacy of individuals’ online activities:
In keeping with the protocol or etiquette developed in the usage of the
internet, some degree of privacy or confidentiality with respect to the
identity of the Internet protocol address of the originator of a message has
significant safety value and is in keeping with what should be perceived as
being good public policy.
5. PHOTOGRAPHS AND CONSUMERS
Bill C-60 proposed changes to copyright in two key areas of photography that would take away consumer rights in their photographs and negatively impact their privacy interests.
First, the bill would have repealed section 10 of the Copyright Act. This change would mean that (1) photographers would always be the first author and owner of copyright in photographs (unless they took the photos in the course of their employment) and (2) that the term of copyright protection would run for their life plus 50 years. This proposed amendment does not account for the fact that individuals often hand their camera to strangers and ask them to take a picture of, for example, the person and their spouse or family at Niagara Falls. The repeal of section 10 would mean that the stranger, not the consumer, would own copyright in the resulting photographs in such circumstances for their life plus 50 years. They could also sell copyright in the photographs. The current version of section 10 does not give rise to these copyright and privacy problems.
Second, today consumers own copyright in personal photographs that they hire and pay a photographer to take, including but not limited to their wedding photos, babies’ first photographs, portraits, and pet portraits. Bill C-60 would have changed this. Under the bill, photographers would automatically own copyright in consumers’ personal photographs, including the right to sell copyright. Consumers who commission photographs would have to bargain for copyright in their own photographs and could be
at the mercy of the photographer (or whomever the photographer sold copyright to) for decades.
There is no justification for altering the Copyright Act in the area of consumercommissioned photographs – there is no problem in need of addressing in this area. The Chair of the Senate Committee that studied the issue arrived at a similar conclusion when
it looked at a virtually identical reform proposal in the area of photographs: “… [in repealing section 10 and subsection 13 (2) of the Copyright Act, Bill S-9] has been written so broadly that it sweeps in consumers which — trust me — it was not intended
to do, but nevertheless does.”
Bill C-60 did not provide consumers with sufficient control over personal photographs that they commission and pay for. Although privacy law would provide consumers with some limited rights of restraint where personal information is at issue, default copyright ownership under the current Copyright Act provides consumers with protections in critical areas where privacy laws do not (e.g. non-commercial or artistic uses of consumer-commissioned photographs by a photographer). It is also important to note that the definition of “personal information” found in Canada’s privacy laws would leave consumers with no rights in cases where their photographs are private but do not fit the legal definition of “personal information”.
Proposals for addressing privacy issues in the area of photography have already been made and could be adopted by the government. For example, Canada might adopt a model for commissioned works currently use in Australia. This common sense model vests copyright in all photographs commissioned for private or domestic purposes with the commissioner (i.e. the consumer) but allows the photographer to restrain uses (e.g. commercial uses) not contemplated at the time of commissioning.
This short paper has outlined several of the ways that Canada’s proposed copyright reform threatens individuals’ rights of privacy, intellectual freedom, and freedom of expression. It is not only critical that these threats be addressed in the current reform proposals, but also that Canada resist the pressure that some copyright holders are expected to apply in pursuit of laws that would be even more damaging.