At the risk of sounding equivocal, the answer has to be yes and no. 

But to be much clearer – NO if it just records that a customer has registered to be able to use DRM controlled products from a publisher.

But YES if the DRM is then used to track the times/dates at which the customer uses specific DRM controlled products.

WHY?  Very simply, a matter of commonly held beliefs that may be backed up by law. 

When you buy a book in a bookstore you reasonably expect that the seller will record who you are and what you bought.  That seems fair enough.  But you don’t expect the bookseller to also have the right to know where you were when you read chapter 1, or what time it was when you printed out chapter 35 because you didn’t want to take the laptop to bed with you.

So why is it that some DRM sellers think that suddenly they have a divine right to ‘audit’ access and use?  Or that this right exists merely because they are able to do it. 

Lessig is widely quoted with his statement that, “Code is law” because he is correct in the assertion that what actually happens in a computer is what the programmer implemented.  And if the programmer didn’t know the law (in the UK they still cling to the fascinating idea that ignorance is no defence – now when it comes to things like the 10 Commandments I could probably go along with the idea, but, to be totally honest, to expect every person to have a detailed understanding of such things as, say, the Taxes Management Act 1970, is patently absurd) then he would do what logically appeared elegant in order to provide the best technical solution.  Of course you must also bear in mind that if the programmer is not in your country, but in India or China, their approach to implementing the requirements of law may not be the law that you had in mind – and who is to say whose law should prevail on the Internet?

But back to our real question.  Can DRM prejudice privacy and does it matter? 

Well, in many nation states in the EU, for instance, law exists that states very clearly that you may not collect information for the purpose(s) of a contract unless it is necessary for the carrying out of that contract.  Now I suspect that very few DRM suppliers would be able to show to a Court that the information they collected following the registration of a license to use was material to or essential to the conduct of the contract.

In fact, I wouldn’t mind taking a bet that most companies totally fail to put the customer on notice as to what is happening, or give them an opt-out capability.  After all, if product suppliers deliver something that’s free if you can put up with the advertisements but offer a more highly paid service without, then why is it that DRM using companies think they can collect information without agreement? 

Lessig is obviously right at one level.  What the programmers write is indeed what happens.  But that doesn’t actually make it lawful!  If you don’t believe me then just see what happens if you sell products over the Internet to EU countries and fail to collect their VAT correctly.  Of course, if you are big enough you can try to persuade authorities that what you are doing is either outside of their jurisdiction, or that you’re jolly nice really.  But even the greatest (Microsoft?) have not had it all their own way toughing it out with the European Commission. 

So maybe DRM suppliers (and the customers buying their products) want to think very carefully indeed about what information they think they are entitled to collect, and whether their targets (or do I mean customers?) have the ability to opt out, either by contract or by choice.

Now we at LockLizard take the view that collectable information should only be available where there is informed consent (or, no opt-out).  Naturally this is a very controversial view to take.  But then, DRM is actually a highly controversial subject – and if you don’t believe me ask Sony.