DRM and Google’s threat DRM and Google’s threat to Privacyto Privacy

Presented by: Presented by:

Aqila DissanayakeAqila Dissanayake

What is Privacy?What is Privacy?

Privacy “is the ability of an individual or Privacy “is the ability of an individual or group to keep their lives and personal group to keep their lives and personal affairs out of public view or to control the affairs out of public view or to control the flow of information about themselves” [1].flow of information about themselves” [1].

Internet Privacy “is the ability to control Internet Privacy “is the ability to control what information one reveals about what information one reveals about oneself over the Internet, and to control oneself over the Internet, and to control who can access that information” [2].who can access that information” [2].

Digital Rights Management (DRM)Digital Rights Management (DRM)

DRM is a technology that attempts to control the DRM is a technology that attempts to control the use of digital media by preventing access, use of digital media by preventing access, copying or conversion to other formats [3]. copying or conversion to other formats [3].

Why DRM?Why DRM? Even before the arrival of digital media copyright holders opposed Even before the arrival of digital media copyright holders opposed

the copying technologiesthe copying technologies Ex-: audio/video tape recordingEx-: audio/video tape recording BetaMax CaseBetaMax Case

With the invention of digital media their concerns skyrocketed. With the invention of digital media their concerns skyrocketed.

Not only is digital media easier to replicate it is much cheaper as Not only is digital media easier to replicate it is much cheaper as well.well.

Unlike copying from analog media, a computer can be used to copy Unlike copying from analog media, a computer can be used to copy digital media without any data loss. digital media without any data loss.

DRM was invented to prevent this from taking place. DRM was invented to prevent this from taking place.

Why is DRM bad?Why is DRM bad?

To be effective, DRM methods have evolved into To be effective, DRM methods have evolved into tracking personal information and the usage of the media tracking personal information and the usage of the media that they protect, as well as enforce usage rules [4]. that they protect, as well as enforce usage rules [4].

When trying to enforce usage rules, these technologies When trying to enforce usage rules, these technologies may restrict legally permitted use of that content as may restrict legally permitted use of that content as allowed by copyright law [4]. allowed by copyright law [4].

This is evident in some music CD’s that contain DRM This is evident in some music CD’s that contain DRM which prevent the CD from playing in computers. which prevent the CD from playing in computers.

Also, certain CD’s prevent the user from ripping it to the Also, certain CD’s prevent the user from ripping it to the computer or even if it supports ripping the ripped music computer or even if it supports ripping the ripped music won’t transfer to a personal music player. won’t transfer to a personal music player.

This kind of behavior conflicts with a user’s privacy This kind of behavior conflicts with a user’s privacy known as personal autonomy. known as personal autonomy.

After all the user pays for the CD he or she buys, which After all the user pays for the CD he or she buys, which should give them the right to play it on any player they should give them the right to play it on any player they want. want.

Also, if they want to transfer the music to a digital music Also, if they want to transfer the music to a digital music player such as the Ipod, it should be allowed.player such as the Ipod, it should be allowed.

Unfortunately DRM does not stop at that; certain DRM software go Unfortunately DRM does not stop at that; certain DRM software go further and monitor user’s activity on the computer. further and monitor user’s activity on the computer.

This is done mainly for market research, advertising or simply This is done mainly for market research, advertising or simply because the architecture allows such activity.because the architecture allows such activity.

DRM can record things such as the music played and their time of DRM can record things such as the music played and their time of use, IP/MAC address of the computer, how frequently a file is use, IP/MAC address of the computer, how frequently a file is played.played.

This kind of behavior by DRM can be used for user profilingThis kind of behavior by DRM can be used for user profiling Ex-: Apple iTunes 6.0.2 MiniStore makes recommendations on similar Ex-: Apple iTunes 6.0.2 MiniStore makes recommendations on similar

music available for purchase from iTunes based on the songs initiated music available for purchase from iTunes based on the songs initiated with a “double-click” [2]. with a “double-click” [2].

Furthermore the Apple ID is linked to your credit card, address, and Furthermore the Apple ID is linked to your credit card, address, and your purchasing habits with Apple.your purchasing habits with Apple.

Apple iTunes – a track costs $0.99 US which includes Apple iTunes – a track costs $0.99 US which includes Apple’s FairPlay DRM system [3].Apple’s FairPlay DRM system [3].

With the use of iTunes plus, a user can download DRM-With the use of iTunes plus, a user can download DRM-free music for extra 30 cents a track [3].free music for extra 30 cents a track [3].

Napster music store offers a subscription-based Napster music store offers a subscription-based approach to DRM alongside permanent purchases. approach to DRM alongside permanent purchases. Users of the subscription service can download and Users of the subscription service can download and stream an unlimited amount of music [3].stream an unlimited amount of music [3].

But as soon as the user misses a payment, the service But as soon as the user misses a payment, the service renders all of the downloaded music unusable [3]. renders all of the downloaded music unusable [3].

Music with DRMMusic with DRM

Napster also charges users who wish to use the music on their Napster also charges users who wish to use the music on their portable device an additional $5 per month [3]. portable device an additional $5 per month [3].

Furthermore, Napster requires users to pay an additional $0.99 per Furthermore, Napster requires users to pay an additional $0.99 per track to burn it to CD or listen to it after the subscription expires [3]. track to burn it to CD or listen to it after the subscription expires [3].

Songs bought through Napster can be played on players carrying Songs bought through Napster can be played on players carrying the Microsoft PlaysForSure logo (which, notably, do not include the Microsoft PlaysForSure logo (which, notably, do not include iPod’s or even Microsoft's own Zune) [3]. iPod’s or even Microsoft's own Zune) [3].

Wal-Mart Music Downloads, another online music download store, Wal-Mart Music Downloads, another online music download store, also uses DRM. It charges $0.88 per track for all non-sale also uses DRM. It charges $0.88 per track for all non-sale downloads. All Wal-Mart Music Downloads are able to be played on downloads. All Wal-Mart Music Downloads are able to be played on any Windows PlaysForSure marked product [3]. any Windows PlaysForSure marked product [3].

The music does play on the SanDisk's Sansa mp3 player, but must The music does play on the SanDisk's Sansa mp3 player, but must be copied to the player's internal memory. It can not be played be copied to the player's internal memory. It can not be played through the player's Micro SD card slot, which is a problem that through the player's Micro SD card slot, which is a problem that many users of the mp3 player experience [3]. many users of the mp3 player experience [3].

GoogleGoogle Google is the search engine with the world’s largest user Google is the search engine with the world’s largest user

base. base.

Google states that their user base “is in the millions” and Google states that their user base “is in the millions” and a recent media report estimates that they receive 380 a recent media report estimates that they receive 380 million visitors each month [5].million visitors each month [5].

Today, it is thought that Google is capable of keeping the Today, it is thought that Google is capable of keeping the entire internet in RAM [5]. entire internet in RAM [5].

With the ever decreasing cost of the storage devices it is With the ever decreasing cost of the storage devices it is highly likely that the information we provide will be never highly likely that the information we provide will be never thrown away. thrown away.

Even though Google is concerned about providing long-term value Even though Google is concerned about providing long-term value for their end users, they do have to act in the best interests of their for their end users, they do have to act in the best interests of their shareholders to maximize profits [5]. shareholders to maximize profits [5].

Therefore Google has adopted a business model that uses Therefore Google has adopted a business model that uses customized advertising which makes it necessary to track and store customized advertising which makes it necessary to track and store each user’s activity while using its search engine. each user’s activity while using its search engine.

““When aggregated individual and organizational data is combined When aggregated individual and organizational data is combined with Google’s top tier intellectual talent and world class information with Google’s top tier intellectual talent and world class information processing resources it arguably gives them the information processing resources it arguably gives them the information resources of a nation-state and constitutes a significant threat if not resources of a nation-state and constitutes a significant threat if not properly managed” [5].properly managed” [5].

““Google already knows more about you than the National Security Google already knows more about you than the National Security Agency ever will. And don’t assume for a minute it can keep a Agency ever will. And don’t assume for a minute it can keep a secret” [6]. secret” [6].

In many years of operation Google has collected a monumental In many years of operation Google has collected a monumental amount of data and the company admits that it has never knowingly amount of data and the company admits that it has never knowingly erased a single search query [6].erased a single search query [6].

It already attracts hackers, crackers, online thieves and many other It already attracts hackers, crackers, online thieves and many other evil doers. But most worrisome of all it attracts governments intent evil doers. But most worrisome of all it attracts governments intent on finding convenient ways to spy on its own citizenry [6]. on finding convenient ways to spy on its own citizenry [6].

With Google’s unquenchable thirst for personal data, it has become With Google’s unquenchable thirst for personal data, it has become the “greatest threat to privacy ever known” [6].the “greatest threat to privacy ever known” [6].

The US government has already asked Google The US government has already asked Google to turn over every query typed into its search to turn over every query typed into its search engine over the course of one week without engine over the course of one week without providing personally identifying information providing personally identifying information about the people who conducted searches.about the people who conducted searches.

Even though Google refused to comply with the Even though Google refused to comply with the US government, it is entirely possible that they US government, it is entirely possible that they may do so in the future. may do so in the future.

The 4th amendment of the US constitution states that The 4th amendment of the US constitution states that ““The right of the people to be secure in their persons, houses, papers, and The right of the people to be secure in their persons, houses, papers, and

effects, against unreasonable searches and seizures, shall not be violated, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons affirmation, and particularly describing the place to be searched, and the persons or things to be seized” [8]. or things to be seized” [8].

What saved Google this time was that the government did not explain What saved Google this time was that the government did not explain exactly what they are going to do with this much information and they did exactly what they are going to do with this much information and they did not state exactly why they need it for? not state exactly why they need it for?

After all, Google does stack up more than a billion queries a week. So, if the After all, Google does stack up more than a billion queries a week. So, if the government were able to come up with a good enough reason to subpoena government were able to come up with a good enough reason to subpoena Google, they will do so and Google will not be so lucky next time. Google, they will do so and Google will not be so lucky next time.

Ironically the same Google that refused to turn in data to the US Ironically the same Google that refused to turn in data to the US government complied with a Brazilian court's orders to turn over data that government complied with a Brazilian court's orders to turn over data that could help identify users accused of taking part in online communities that could help identify users accused of taking part in online communities that encourage racism, pedophilia and homophobia [9].encourage racism, pedophilia and homophobia [9].

The Fingerprinting threatThe Fingerprinting threat Another threat posed by Google is their ability to Another threat posed by Google is their ability to

fingerprint users. fingerprint users.

It is theoretically possible to fingerprint users It is theoretically possible to fingerprint users who over a period of time use Google or tools who over a period of time use Google or tools offered by Google to do their work.offered by Google to do their work.

It won’t be long before Google can uniquely It won’t be long before Google can uniquely identify most of its users depending on what identify most of its users depending on what services they use and what searches they services they use and what searches they conduct.conduct.

Given that they already have saved everything since Given that they already have saved everything since 1998, most probably they have already fingerprinted 1998, most probably they have already fingerprinted some of its users and by all probability deliver targeted some of its users and by all probability deliver targeted advertisements. advertisements.

Sure they need to make money but is it at the cost of Sure they need to make money but is it at the cost of people’s privacy? I don’t think so! people’s privacy? I don’t think so!

I think the governments should toughen the privacy laws I think the governments should toughen the privacy laws in order to accommodate the peoples right to not to be in order to accommodate the peoples right to not to be fingerprinted unless there is a valid reason to the fingerprinted unless there is a valid reason to the contrary.contrary.

The problem is today’s governments are as much The problem is today’s governments are as much addicted to Google’s jaw dropping amount of data as addicted to Google’s jaw dropping amount of data as much as Google is.much as Google is.

Google and DoubleClickGoogle and DoubleClick In 2007 April, Google announced that it would pay 3.1 billion dollars In 2007 April, Google announced that it would pay 3.1 billion dollars

to acquire the online advertising giant DoubleClick. to acquire the online advertising giant DoubleClick.

DoubleClick Coordinates targeted Internet advertising campaigns DoubleClick Coordinates targeted Internet advertising campaigns for advertisers, and provides ad management services, software, for advertisers, and provides ad management services, software, and sales for publishers. and sales for publishers.

So, what’s so dangerous about this acquisition? So, what’s so dangerous about this acquisition?

Google has a vast database of data it has acquired over the years Google has a vast database of data it has acquired over the years about its customers. about its customers.

DoubleClick has a huge database of its own that contains a huge DoubleClick has a huge database of its own that contains a huge amount of data. By acquiring DoubleClick, Google will merge its amount of data. By acquiring DoubleClick, Google will merge its database with DoubleClick’s database. database with DoubleClick’s database.

This will result in analyzing of personal search and surf behavior. This will result in analyzing of personal search and surf behavior.

DoubleClick tracks a whole lot of web trafficDoubleClick tracks a whole lot of web traffic

Google tracks a lot of web traffic using sites running its AdSense service, Google tracks a lot of web traffic using sites running its AdSense service, combine this and you will have most of the web covered. combine this and you will have most of the web covered.

Furthermore, Google is DoubleClicks most significant competitor. Furthermore, Google is DoubleClicks most significant competitor.

Google is the dominant player in the online search advertisements. Google is the dominant player in the online search advertisements.

DoubleClick is the dominant player in non-search based online DoubleClick is the dominant player in non-search based online advertisements.advertisements.

If Google and DoubleClick are allowed to merge it could potentially kill off If Google and DoubleClick are allowed to merge it could potentially kill off any other advertising based companies raising anti-trust issues.any other advertising based companies raising anti-trust issues.

CountermeasuresCountermeasures It’s quite possible that people’s behavior is It’s quite possible that people’s behavior is

altered by knowing that they are being altered by knowing that they are being monitored. monitored.

““Countermeasures seek to disrupt our online Countermeasures seek to disrupt our online signature and reduce the likelihood that such signature and reduce the likelihood that such fingerprinting will occur” [5].fingerprinting will occur” [5].

““If properly executed, countermeasures will deny If properly executed, countermeasures will deny certain key elements required for fingerprinting certain key elements required for fingerprinting and increase the adversary’s fingerprinting and increase the adversary’s fingerprinting threshold.” [5]. threshold.” [5].

Instead of downloading music with DRM, Instead of downloading music with DRM, people can choose to download music people can choose to download music from DRM free stores like from DRM free stores like Amazon MP3Amazon MP3eMusic, eMusic, LiveDownloads, LiveDownloads, Audio Lunchbox Audio Lunchbox

Users can choose to distribute data disclosure across Users can choose to distribute data disclosure across multiple accounts [5]. multiple accounts [5].

This includes using multiple e-mail addresses and other This includes using multiple e-mail addresses and other online accounts to spoof the real identity of the user.online accounts to spoof the real identity of the user.

However this is not a very effective solution to the However this is not a very effective solution to the problem since maintaining and managing multiple problem since maintaining and managing multiple addresses and accounts could prove to be cumbersome addresses and accounts could prove to be cumbersome and it is quite possible the fingerprinting can still be and it is quite possible the fingerprinting can still be effective because of the small number of accounts a effective because of the small number of accounts a user will use. user will use.

Also, this is not a practical solution since most users will Also, this is not a practical solution since most users will be reluctant to switch between various accounts.be reluctant to switch between various accounts.

Network ProxiesNetwork Proxies Users can also choose to use Network anonymization proxies [5]. Users can also choose to use Network anonymization proxies [5].

Proxies can mask network addresses and make web browsing Proxies can mask network addresses and make web browsing appear to come from random locations. appear to come from random locations.

There are many online websites that allow your IP address to be There are many online websites that allow your IP address to be hidden when browsing the web.hidden when browsing the web. Unblocked.orgUnblocked.org Cantbustme.comCantbustme.com Proxymafia.netProxymafia.net BoratProxy.comBoratProxy.com Invisiblesurfing.comInvisiblesurfing.com Anonymizer.com Anonymizer.com

The user need only visit the site to hide their IP address.The user need only visit the site to hide their IP address.

A full list of these proxies can be obtained from A full list of these proxies can be obtained from “http://www.privax.us/”. “http://www.privax.us/”.

The adoption of these techniques still seems to be low simply The adoption of these techniques still seems to be low simply because users are not aware of the threat posed by Google and because users are not aware of the threat posed by Google and DRM.DRM.

As far as avoiding fingerprinting goes, proxies bear the greatest As far as avoiding fingerprinting goes, proxies bear the greatest promise. [5] promise. [5]

Cryptography can be used to encrypt the contents of e-mails which Cryptography can be used to encrypt the contents of e-mails which would prevent Google from reading your e-mail. would prevent Google from reading your e-mail.

Currently cryptography does not provide many uses when it comes Currently cryptography does not provide many uses when it comes to counter attacking the fingerprinting threat since security to counter attacking the fingerprinting threat since security mechanism such as SSL consider Google to be a trusted party in mechanism such as SSL consider Google to be a trusted party in our communication.our communication.

[1] Privacy, Wikipedia.com, [1] Privacy, Wikipedia.com, http://en.wikipedia.org/wiki/Privacyhttp://en.wikipedia.org/wiki/Privacy [2] Internet Privacy, Wikipedia.com [2] Internet Privacy, Wikipedia.com http://en.wikipedia.org/wiki/Internet_privacyhttp://en.wikipedia.org/wiki/Internet_privacy [3) Digital Rights Management, Wikipedia.com [3) Digital Rights Management, Wikipedia.com

http://en.wikipedia.org/wiki/Digital_rights_managementhttp://en.wikipedia.org/wiki/Digital_rights_management [4] Janice Y. Tsai, Lorrie Faith Cranor, Scott Craver, “Vicarious Infringement Creates [4] Janice Y. Tsai, Lorrie Faith Cranor, Scott Craver, “Vicarious Infringement Creates

a Privacy Ceiling”, Proceedings of the ACM workshop on Digital rights management a Privacy Ceiling”, Proceedings of the ACM workshop on Digital rights management DRM, 2006DRM, 2006

[5] Gregory Conti, "Recipes for disaster: Googling considered harmful," Proceedings [5] Gregory Conti, "Recipes for disaster: Googling considered harmful," Proceedings of the 2006 workshop on New security paradigms NSPW, 2006.of the 2006 workshop on New security paradigms NSPW, 2006.

[6] Is Google Evil? MotherJones.com October 10, 2006[6] Is Google Evil? MotherJones.com October 10, 2006 ““http://www.motherjones.com/news/feature/2006/11/google.html”http://www.motherjones.com/news/feature/2006/11/google.html” [7] Google to Give Data To Brazilian Court, WashingtonPost.com , September 2, [7] Google to Give Data To Brazilian Court, WashingtonPost.com , September 2,

2006 2006 http://www.washingtonpost.com/wp-dyn/content/article/2006/09/01/AR200609010060http://www.washingtonpost.com/wp-dyn/content/article/2006/09/01/AR2006090100608.html8.html

[8]The United States Constitution, Bill of Rights[8]The United States Constitution, Bill of Rights [9] Google censors itself for China. BBC News, January 25 2006.[9] Google censors itself for China. BBC News, January 25 2006.

http://news.bbc.co.uk/2/hi/technology/4645596.stm.http://news.bbc.co.uk/2/hi/technology/4645596.stm.