But according to Christopher Levy, CEO of DRM solutions provider BuyDRM, the study presents a flawed view of DRM technology.
"The focus of the DRM system is to encrypt a piece of media, manage the licence key, profile to that licence, and deliver it -- that's it," Levy said. "It's unfortunate that consumers have been misled by a lot of vocal critics because the truth is DRM is no more evil than the lock and key that's on your door, the alarm on your car, or the authentication system in your cell phone."
In regards to the study's third-party communications, Levy said that based on his experiences, he's never heard of a case where a user's privacy has been compromised from purchasing digital content.
"I was shuddering as I was reading this report because I'm not aware of any company that sells digital media that sells their data to third parties," Levy said. "If you look at iTunes who've sold a couple of billion tracks, I don't think anyone's ever complained that somebody contacted them offering a promotion that they weren't opted in on. It's not in the best interest of companies selling this digital media to sell their data to third parties, because it's really all about the customer and you don't want an outside party to have access to that."
Another major concern from the study dealt with the collection of IP addresses by DRM tools, including tracking technologies such as cookies and pixel tags.
CIPPIC said many organizations take the stance that IP addresses do not constitute "personal information" under Canadian privacy laws and can therefore be freely collected, used and disclosed.
However, a number of Canadian courts, as well as the privacy commissioner, have released decisions that interpret IP addresses as personal information, Fewer said.
"The truth of the matter is that IP addresses are being used to link back to identifiable individuals and they should be treated as private information," Fewer said. "And this should make sense to a lot of these organizations. Sony BMG, who have said that IP addresses are not personal information, are suing people in the file sharing lawsuits on the basis of IP addresses and linking them to activities.
They are actually asking the court to disclose people's identities based on the IP address."
From Levy's perspective, however, this debate is not related to DRM at all. He said that everybody uses common Web code and scripting to collect data about users and that is not at the heart of what DRM is about.
"DRM systems themselves do not invade privacy, as all it really does is encrypt a piece of media and issue a licence for it," Levy said. "Of course, there are other processes around that which are kind of linked to the DRM system that involve collecting data, but those systems have been in place on the Web for awhile and for some reason their remote attachment to DRM is what everybody is sensitive about."
While this issue is still being debated in many countries, Levy weighed in saying that unlike telephone numbers, which users can take around with them, IP addresses are not owned by the user. He said that users are buying access to an Internet connection. He also said that because IP addresses can be spoofed and faked, equating them to individuals can be quite difficult.