I see that matters have developed quickly in the Sony DRM story that I blogged about earlier. We’ve had a lawsuit filed, viruses developed that take advantage of the Sony rootkit system, instructions proliferating on how to remove the rootkit, and some warnings from US Government officials directed at Sony and others who do this kind of thing. More info, plus links, plus some thoughts on the legal issues, over the fold.

Ten days after the whole storm started, Sony decided to suspend production of CDs with the particular form of copy protection that has caused all the controversy. But that’s really not an adequate answer to the many issues raised by this case. Indeed, according to Ed Felten, the other copy protection still used by Sony – SunComm’s MediaMax – has its own problems and undesirable features.

The most important practical thing is to disable the cloaking component of the rootkit – the part that hides files from the system, and so creates the security hole that the viruses mentioned above take advantage of – if it is installed on your machine. There are plenty of people out there with good instructions; here are some:

  • Ed Felten’s instructions are here (he’s a computer scientist, he should know!)
  • Fred von Lohmann provides instructions on how to avoid infection here, including a list of the affected CDs that the EFF has identified, and how to spot CDs that might have it

As time has gone on, there is also more and more detail emerging, and more criticism. Here are some more links:

Sony is now the subject of several lawsuits relating to the rootkit, and two of the anti-virus software companies are releasing updates to their Windows security products to detect and remove Sony’s copy-protection software (as well as the Trojan exploiting it).

Even parts of the US government have started to make noises about the fiasco. According to the Washington Post, Stewart Baker, the recently appointed assistant secretary for policy at the Department of Homeland Security, said:

“I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples’ [and] businesses’ computers are secure. … There’s been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples’ computers that even the system administrators can’t find.

It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.

If we have an avian flu outbreak here and it is even half as bad as the 1918 flu, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is going to be a matter of life and death and we take it very seriously.”

OK, so the avian flu thing is probably going a little far. But making users’ computers more vulnerable is a serious issue.

And the ultimate irony? To anyone who asks, Sony will send instructions on how to get songs from these discs into iTunes, an iPod, or anywhere else you can legally put them. Having followed these instructions, you will then have a copy of the CD that is unencumbered by copy protection. You can then proceed to make any lawful use of the music, including ripping it into iTunes and downloading it onto your iPod. You could also do anything else with it. Including infringe. Bizarre? Indeed.

So what about the legalities of what Sony is doing?

Here are some of the possible legal issues, as I see them:

  1. Criminal breach? I mentioned in my last post the possible issue of criminal breaches – infringement of the Cybercrime provisions, in particular. The question is whether the disclosure in the EULA – and the user’s acceptance of that EULA – is sufficient ‘authorisation’ to avoid liability for unauthorised impairment of the security of the user’s computer. Some of my commenters think it may not be enough; Ed Felten agrees (although HINAL: he is not a lawyer). As Felten puts it,

    ‘it’s awfully hard to see how, from a common-sense viewpoint, SonyBMG could be said to have disclosed that they might be installing rootkit-like software. Surely the user’s consent to installing “a small proprietary software program … intended to protect the audio files embodied on the CD” does not give SonyBMG free rein to do absolutely anything they like to the user’s computer. Whether, as a legal matter, Sony exceeded their user-granted authorization to modify the user’s computer would ultimately be for a court to decide.’

    Eric Goldman, on the other hand, thinks there might be sufficient disclosure. Particularly valuable is this second post by Eric Goldman, in which he explains how he sees the legal problems: that Sony’s software is ‘ineptware’ rather than ‘spyware’, but that some of the comments made by Sony could be said to be misleading and hence more problematic in a legal sense. My gut sense is that the Sony actions would be unlikely to be criminal, if only because the interpretation of a criminal law will be stricter – it would be harder for the prosecution to show this isn’t, in fact, authorised.

  2. Misleading and deceptive conduct? Civil liability, of course, would be easier to show (liability need only be proved on the balance of probabilities rather than beyond reasonable doubt, and civil statutes are not read as strictly in the defendant’s favour). Australian law prohibits ‘conduct that is misleading or deceptive or is likely to mislead or deceive’. If Goldman’s analysis of Sony’s actual conduct and statements is correct, then there may well have been misleading conduct, including in the EULA.
  3. Defective Product? What about other parts of the consumer protection law? Could consumers argue that the CDs with this software are not of ‘merchantable quality’? That’s not clear. As Ian Lloyd notes in his textbook Information Technology Law (4th ed) of UK law in this area,

    ‘To date, comparatively few cases concerned specifically with issues of software quality have reached the stage of court proceedings. A variety of explanations may be proposed for this state of affairs. Although parties may not wish to litigate when the answer is certain, excessive uncertainty as to the very basis upon which a court may decide will itself inhibit litigation. Some of the most basic questions concerning the application of provisions of contractual and non-contractual liability in the information technology field admit of no easy or certain answer.’

  4. Anti-Spyware legislation? At the moment, Australia has no anti-spyware legislation. While the Democrats recently released a bill in the area, the Australian government slammed it, saying that no new legislation in this area was required, following a government review which found (pdf) that most spyware scenarios were covered by Australian legislation already. In short, the conclusion of the government’s review was that:

    ‘The advice received during the review indicates that spyware-related malicious activities are covered by existing laws. The responsibility for the enforcement of existing laws considered under the review falls within the jurisdiction of the relevant enforcement agencies.
    The malicious behaviours typically associated with spyware such as fraud, industrial espionage, privacy invasion and anti-competitive conduct are covered by legislation including the Criminal Code, the Privacy Act and the Trade Practices Act.’

    Of course, note the emphasis on ‘malicious’ here. Was Sony’s conduct ‘malicious’? On the Oxford English Dictionary definition (‘given to malice; addicted to sentiments or acts of ill will; full of hate’), I would say no. It’s interesting, because if you look at the government’s definition of spyware, the Sony conduct appears to fit. But the provisions the government review considers are the ones quoted above – which means that probably only the misleading/deceptive laws would fit here, not the criminal ones. That may be appropriate, but it shows the difficulty of defining and regulating ‘spyware’ sensibly.

  5. What about under anti-circumvention laws? Any liability? In short, no. The Copyright Act provisions are concerned with the legal rights of the copyright owner, not their duties, which arise under ordinary consumer protection laws. It’s quite possible, as Kerr et al suggested (pdf), and as I mentioned in my last post, that the government ought to pay more attention to the limits on DRM, not just on the rights of those who deploy it. Ordinarily, and even ideally, I would say that that kind of thing should stay in consumer protection law, rather than in the Copyright Act. But having had a bit of a dig around on the concept of merchantable quality, and how it might relate to software, I wonder whether the uncertainty about the scope of the law will mean that consumer protection law is ineffective here. I’m a bit torn on this one – any thoughts?

A quick perusal of the possibly relevant laws suggests that misleading/deceptive conduct is about as far as it goes at the moment. I can’t help but feel that (a) this is not entirely satisfactory, although (b) perhaps it is appropriate given the low levels of liability we ordinarily impose on software providers for the problems caused by their bugs and so on. Ordinarily, we don’t impose liability on Microsoft because its software has bugs or vulnerabilities.

But wait. It would be appropriate to treat Sony the same as we’ve generally treated software providers if Sony were acting like an ordinary software provider. Big software providers like Microsoft do tend to issue patches when problems, bugs or vulnerabilities are shown to exist in their software. Sony has not, it appears, reacted the same way – the uninstall instructions are long and complex, and involve requests for unnecessary information, according to Russinovich and Felten. If Sony (and other users of DRM) are not going to act promptly to offer easy-to-use fixes for the problems their software causes, then maybe more active intervention by regulators, or clearer lines of liability, are required. Just a thought.