It's a pleasure to be here at the invitation of Jonathan and Steve to discuss one of the many great issues you have before you today. I know the folks at ACT have been working very hard to make all of this week's events interesting and informative, so I'm glad I made the cut to appear here today.
I am Jim Harper, the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. Along with the think-tankery I do, I also run an Information Age lobbying and consulting firm called PolicyCounsel.Com, where I specialize in technology, telecommunications, and e-commerce. And I stand resolutely by the ".com" in the firm's name. I am also an Adjunct Fellow at the Progress & Freedom Foundation. PFF and ACT don't agree on everything, so I'm happy to say that I'm a uniter, not a divider — on the privacy issue, at least.
Let me describe what I try to do with Privacilla and encourage you to visit the site, sign up for the mailing list, or make it a resource in any way you choose. Even if privacy isn't a particular interest of yours, you could study up and correct the misinformation that floats around at cocktail parties. If you ever wanted to stop getting invited to parties, there's your way to do it.
Privacilla.org is a Web site that attempts to capture "privacy" as a public policy issue from top to bottom. We deal with fundamental privacy concepts, privacy from government, and privacy in the private sector, including financial, medical, and online privacy. Anyone may submit ideas, information, and links for potential inclusion on the site. It's an exercise in "open" policy-making. The folks in this room may recognize the allusion to Mozilla, the open-source browser project at Netscape. Well, good, because nobody else does.
Usually when I'm talking about the pitfalls of regulation, I describe how legislation or regulation aimed at privacy will fail to protect true privacy while undermining other important interests. This is almost always true.
But today, we'll look at how regulation of technology aimed at other interests can negatively impact privacy. All kinds of regulations frustrate privacy, and we have an entire section on Privacilla devoted to anti-privacy law and regulation. Our focus today is government-mandated digital rights management.
What has driven the debate here in Washington, it's fair to say, has been the introduction of the CBDTPA. This is an acronym heavy town, and I'm not sure of all of them, but I think that stands for "Copyright Black-market and Digital Television Promotion Act." But let me start with the privacy implications of voluntary, market-negotiated DRM.
The privacy implications of DRM solutions made available in the marketplace are clear. Consumers have the power to say "Yes" and consumers have the power to say "No." A DRM solution offered in the marketplace may be the subject of criticism on the basis of how it uses information about consumers. Privacy activists and the press may motivate consumers to avoid one product or use another one based on how they use information, but that's the market at work. Those are appropriate market tests.
A DRM solution that requires tracking of users may be too invasive of privacy to be accepted. A DRM solution that does not rely on information about users will not have this problem. It's simple: DRM solutions that use less consumer information have a marketplace advantage over solutions that use more information. That's one of several vectors along which DRM solutions should compete. If consumers can choose, they can choose the amount of privacy they want. There is no privacy problem in that.
Let's also be clear that there's no "fair use" problem. People are free to contract away "fair use" of copyrighted content. If the movie industry says "We'll only deliver movies to DRM-compliant systems that don't allow any copying," people who agree to use these systems will get to watch movies. Will that bargain work in the marketplace? I don't know, and I don't have to.
So when I was first asked about the implications of DRM, I did not see privacy as a first-tier issue. But government-mandated DRM has gotten to be a privacy issue very quickly. Government-mandated DRM would be extremely bad for privacy.
Any legislation has to make it illegal to defeat a DRM system. People will not, and should not, give up control of their ability to configure and reconfigure the technology they own. The only way to stop them would be a fairly massive and ineffective enforcement regime, reminiscent of the drug war.
Like it or not, the drug war is one of the great drivers of government surveillance we've got. "Suspicious activity reporting" by banks; intrusive physical searches of both persons and places; high-tech search devices like heat sensors; monitoring of mail and parcels — these all grow out of the drug war, and they erode the privacy of all Americans.
As with drug laws, the privacy issues in government-mandated DRM are derivative. The law itself would not erode privacy. Only the enforcement would — with copyright cops snooping around the Internet to watch for unusual uploads and downloads, spying on people suspected of owning non-DRM equipment, etc. It would be weird. And it won't happen if I've got anything to do with it. Copyright enforcement already promises to have privacy implications, even without a DRM mandate.
If you needed any proof, look no further than the Magistrate's order in Paramount Pictures v. ReplayTV. As many of you know, a coalition of movie studios has sued SonicBlue, the parent of ReplayTV, to stop it from selling their personal video recorder, the ReplayTV 4000. This is because consumers can virtually eliminate video spam — I mean, commercials — and send copies of recorded material to friends.
The case is in the discovery phase and, to successfully carry out discovery, the magistrate is creating a miniature Digital Rights Management regime. The "law of the case" — if you'll indulge the legal jargon — is shaping up to be a little experiment in what would happen if DRM were the law of the land.
The magistrate's order tells ReplayTV to "gather all available information about how users . . . employ the devices, including all available information about what works are copied, stored, viewed with commercials omitted, or distributed to third parties with the ReplayTV 4000, when each of those events took place, and the like."
In other words, "Big Brother."
Now a quibble in this case is whether ReplayTV 4000 users have contracted away privacy in this information to SonicBlue. That's an issue on which users themselves should have some voice, rather than just the parties and the court.
But I think the unintended consequence of the government-mandated DRM in Paramount v. SonicBlue is what you would see as soon as you move away from market-based DRM: Consumers deprived of privacy — again — by government action in pursuit of other interests.
When you have government-mandated DRM, and not something individual consumers have agreed to, the result is privacy-invasive monitoring by the government.
This point doesn't end the discussion. Privacy is one of many considerations. But if someone tells you that government-mandated DRM is not a privacy problem, what they probably mean is that protecting copyrights is more important than privacy. That is an argument that should be made out loud and allowed to stand or fall on its own merits.
All content subject to the Privacilla