Sony's legal issues
Mark Rasch, 2005-11-14

Story continued from Page 1


Sony's actions have landed them in hot water. First, they issued a "patch" or removal program to remove the rootkit - a program which may or may not have actually worked, and which has installed additional programs onto your computer. Then they abandoned the DRM software entirely, but to date have made no effort to remove CDs with the DRM rootkit software from the shelves, or to actively warn consumers NOT to purchase them. Finally, at least one class-action lawsuit has reportedly been filed against Sony in Los Angeles Superior Court alleging that the software constitutes an unfair and deceptive trade practice (under California's equivalent of the FTC Act, the "Consumer Legal Remedies Act"), that it violates consumer protection statutes under the California Unfair Competition law, and most importantly that the rootkit violates the California anti-spyware statute, the Consumer Protection against Computer Spyware Act. This act prohibits, among other things, software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program.

The legal issues

These cases present many interesting legal issues. First, let's say that Sony or even Enternet Media wanted to get consumers' genuine consent to the installation of these programs. Could they do so under a EULA? Are the terms of a EULA which permit the installation of software that is intended to be for the benefit of the software distributor (and not directly of the consumer) ever enforceable? Certainly I can agree to install any software onto my computer - even software that will be difficult if not impossible to fully remove. Only a small percentage of the programs on my desktop machine are removable anyway using the "ADD/REMOVE" feature in Windows XP. For my Palm-based phone, the number is even smaller. And even these programs are generally not fully uninstallable. Remember, under the law, you "signed" a "contract" where you agreed to limit what you would do with the music you were leasing. If you uninstall the software, not only do you run the risk that you won't be able to hear the music, but assuming you can bypass the copy protections, you, rather than the music company, may be violating the terms of the contract. In fact, bypassing the copy protections (before Sony agreed to withdraw them) may land you in criminal hot water under the provisions of the Digital Millennium Copyright Act, and other countries' versions passed under the World Intellectual Property Organization treaty. So, much to the surprise of many people, uninstalling this software may be a violation of the law.

What about the argument that the EULA is not enforceable because you didn't read/understand/agree to it? Typically, that won't fly. If the terms of the EULA are readily available to you, not hidden, and at least somewhat understandable to the average person (legalese, anyone?) then you typically are bound, even if you have no ability to negotiate the contract. This is what the law calls a "contract of adhesion." The exceptions are where the terms of the contract are "unconscionable," such as "by downloading this software, you give up your first-born male child" - or are void against public policy, such as "this software authorizes us to kill you in an immediate and painful death." However, the fact that the terms of the agreement are unfair or disagreeable, or that you didn't bother to read them, is typically not a defense.

The FTC and Sony

The juxtaposition of the FTC case and the Sony case makes for strange law. Are EULAs that limit liability for the installation of software enforceable or not? How much must they tell you about what the software does (in relation to spyware, virus, and malicious code) before you can make an informed decision about whether to install the code? With each case filed, the law becomes less clear, rather than more.

The next problem with the Sony code was the fact that in order to install on the user's machine and not be detected and easily removed, the software essentially had to create and/or exploit a security vulnerability. The vulnerability created by the rootkit has reportedly already been piggybacked on by virus writers as a vector for targeting "infected" computers. Although Microsoft and other anti-virus vendors have announced plans to update their software to look for the rootkit, should a court enforce the provisions of the EULA limiting Sony's liability to five bucks, where the software opens a potentially devastating security hole? If this truly is a contract between consumer and corporation, should the courts get involved in saying, "paragraph 1 is fine, but we want to renegotiate paragraphs 7-11"?

Finally, the Sony case represents a disturbing trend among owners of intellectual property. This is the tendency to misuse copyright law to obtain other non-copyright rights, and to severely limit copyright rights of users. Copyright law grants the owner of the copyright a "bundle of rights" to control - for an increasingly long period of time - how the work is displayed, reproduced, performed, etc. It also allows the public to make certain uses of the work, either by express or implied contract, or under the doctrine of "fair use." So things like "private performances" of copyrighted works are permitted under copyright law.

Issues with copyright law and DRM

The problem is, to obtain access to the copyrighted work these days, you tend to have to agree to a EULA. Ellen Barkin's character Beth told Daniel Stern's "Shrevie" in the movie Diner, "I just want to listen to the music." You can't just do that anymore. You have to sign a contract before you can listen. The contract purports to limit your right to make fair uses of the copyrighted works. For example, both the software game mod chip cases and the Michael Lynn dispute with Cisco revolve around terms of EULAs which purport to limit users' rights to reverse engineer software they have purchased and licensed. Lexmark and Chamberlain went one step further, using the terms of EULAs to attempt DMCA prosecutions of those who refilled ink cartridges or created cloned garage door openers. Increasingly, copyright owners are expanding their "bundle of rights" under contract, having you agree to this practice through a click-through EULA, and then attempting to enforce these "rights" not under breach of contract law, but under copyright law itself.

The law recognizes a concept called a "misuse" of a patent. That is, I get a patent to a process or technology, and under what purports to be a license, I get you to agree not to compete with me - an antitrust violation. Patents and copyrights are intended to protect legitimate intellectual property rights of creators - not to bludgeon the unsuspecting consumer.

Increasingly, commercial software is looking like malicious code - both in what it does and how it does it. At the same time, authors of malicious code are taking a cue from the commercial software developers, and writing long "click wrap" contracts which purport to inform the user of the damage done by, and limit the remedies for, the malicious code. For now, courts should require all intellectual property providers to provide clear and conspicuous notice about what the limitations of the use of the IP are, and what the software will do. Contract provisions that extend the rights of IP holders beyond those in copyright law, and which consequently limit the rights of IP users, should be looked on dubiously.

Now, if anyone can help me get this CD to play.


Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus