Sony's legal issues
Mark Rasch,

Last month I wrote about a dispute between the Federal Trade Commission and
a spyware distributor where the FTC alleged that an End User License
Agreement, which essentially told downloaders that they were downloading
spyware, was a false and deceptive trade practice. Two events cause me to
revisit this issue. First, the FTC has gone after another spyware
distributor, and second, Sony Corporation has caused the surreptitious
installation of a rootkit-type program to enforce its digital rights
management on its music CDs, claiming authority to do so under an End User
License Agreement.

Not only did Sony's actions raise the ire of the user community and expose
users to undisclosed security vulnerabilities, they also landed Sony in hot
water and a class action lawsuit. The question now is whether the EULA
provides Sony with any cover, and if not, why the Federal Trade Commission
isn't going after companies that cause the installation of programs whose
behaviour we don't - and can't - know.

Recent developments

On November 10, 2005, the FTC filed a lawsuit in federal court in Los
Angeles against Enternet Media and others. It was your typical anti-spyware
lawsuit - you know, the program was installed without the user's knowledge,
added dozens of other programs, captured personal information, was
impossible to remove - yadda yadda yadda. These facts, the FTC alleged,
constituted a fraudulent and deceptive trade practice. What is
interesting in the complaint is that the FTC argues that the terms
of Enternet Media's End User License Agreement are not enforceable, noting
that, "Although the EM defendants do have a EULA, they do not require, let
alone encourage, consumers to review it prior to downloading and installing
the EM code. The EM defendants' installation boxes, when clicked on,
automatically install the EM code, with no requirement that a consumer agree
to terms and conditions."

The FTC complaint goes on to note that "[n]or can a consumer, having
installed the EM code, reasonably avoid its effects by uninstalling or
removing it. In most cases, the EM defendants' own instructions do not
remove all of the EM code, and the EM code does not appear in the Add/Remove
feature of the Windows operating system. Often, all or some of the EM code
remains on consumers' computers even after repeated attempts to uninstall
the code." This, among other things, according to the FTC, constituted a
deceptive representation about the software.

Sony stands in the spotlight

Of course, no large and reputable company would act this way. Enter the Sony
BMG fiasco. As reported in SecurityFocus, Sony made thousands of music CDs
with embedded digital rights management code. People thought they were
buying a music CD with some sort of copy protection. What they were actually
doing was licensing software subject to an End User License Agreement. The
terms of the EULA, like those of the spyware distributor cited by the FTC,
were not visible simply by playing the music, at least not on a regular CD
player. The EULA provided that "this CD will automatically install a small
proprietary software program (the "SOFTWARE") onto YOUR COMPUTER" but did
not describe what the software did, where it was installed, or how to get
rid of it. The EULA also provided that your right to listen to the music
existed only for as long as you retained possession of the purchased (or
more accurately, licensed) CD, that you could only make copies of the CD on
personal home computers that you owned (theoretically, leased or borrowed
computers were out), that you could not export the software (hence play the
music) outside the country, that you agreed to install any updates to the
software (sound like spyware?) and that Sony's liability to you was capped
at five bucks - irrespective of what the software does. Other fun provisions
of the EULA as noted by the Electronic Frontier Foundation include the fact
that your right to listen to the music terminates if you file for
bankruptcy, that you can't transfer the music on your computer, even with
the original CD, and that you can't change, alter, or make derivative works
from the music on your computer - all things you ordinarily could do under
copyright law.

Sony's actions have landed them in hot water. First, they issued a "patch"
or removal program to remove the rootkit - a program which may or may not
have actually worked, and which itself installed additional programs onto your
computer. Then they abandoned the DRM software entirely, but to date have made
no effort to remove CDs with the DRM rootkit software from the shelves, or to
actively warn consumers NOT to purchase them. Finally, at least one
class-action lawsuit has reportedly been filed against Sony in Los Angeles
Superior Court alleging that the software constitutes an unfair and
deceptive trade practice (under California's equivalent of the FTC Act the
"Consumer Legal Remedies Act"), that it violates consumer protection
statutes under the California Unfair Competition law, and most importantly
that the rootkit violates the California anti-spyware statute, the Consumer
Protection against Computer Spyware Act. This act prohibits, among other
things, software that takes control over the user's computer or
misrepresents the user's ability or right to uninstall the program.

The legal issues

These cases present many interesting legal issues. First, let's say that
Sony or even Enternet Media wanted to get consumers' genuine consent to the
installation of these programs. Could they do so under a EULA? Are the terms
of a EULA which permit the installation of software that is intended to be
for the benefit of the software distributor (and not directly of the
consumer) ever enforceable? Certainly I can agree to install any software
onto my computer - even software that will be difficult if not impossible to
fully remove. Only a small percentage of the programs on my desktop machine
are removable anyway using the "ADD/REMOVE" feature in Windows XP. For my
Palm-based phone, the number is even smaller. And even these programs are
generally not fully uninstallable. Remember, under the law, you "signed" a
"contract" where you agreed to limit what you would do with the music you
were leasing. If you uninstall the software, not only do you run the risk
that you won't be able to hear the music, but assuming you can bypass the
copy protections, you, rather than the music company, may be violating the
terms of the contract. In fact, bypassing the copy protections (before Sony
agreed to withdraw them) may land you in criminal hot water under the
provisions of the Digital Millennium Copyright Act, and other countries'
versions passed under the World Intellectual Property Organization treaty.
So, much to the surprise of many people, uninstalling this software may be a
violation of the law.

What about the argument that the EULA is not enforceable because you didn't
read/understand/agree to it? Typically, that won't fly. If the terms of the
EULA are readily available to you, not hidden, and at least somewhat
understandable to the average person (legalese, anyone?) then you typically
are bound, even if you have no ability to negotiate the contract. This is
what the law calls a "contract of adhesion." The exceptions are where the
terms of the contract are "unconscionable" - such as "by downloading this
software, you give up your first-born male child" - or are void as against
public policy - such as "this software authorizes us to kill you in an
immediate and painful death." The facts that the terms of the agreement are
unfair or disagreeable, or that you didn't bother to read them, are, however,
typically not defenses.

The FTC and Sony

The juxtaposition of the FTC case and the Sony case makes for a strange law.
Are EULAs that limit liability for the installation of software enforceable
or not? How much must they tell you about what the software does (in
relation to spyware, virus, and malicious code) before you can make an
informed decision about whether to install the code? With each case filed,
the law becomes less clear, rather than more.

The next problem with the Sony code was the fact that in order to install on
the user's machine and not be detected and easily removed, the software
essentially had to create and/or exploit a security vulnerability. The
vulnerability created by the rootkit has already been reportedly piggybacked
by virus writers as a vector for targeting "infected" computers. Although
Microsoft and other anti-virus vendors have announced plans to update their
software to look for the rootkit, should a court enforce the provisions of
the EULA limiting Sony's liability to five bucks, where the software opens a
potentially devastating security hole? If this truly is a contract between
consumer and corporation, should the courts get involved in saying,
"paragraph 1 is fine, but we want to renegotiate paragraphs 7-11?"

Finally, the Sony case represents a disturbing trend among owners of
intellectual property. This is the tendency to misuse copyright law to
obtain other non-copyright rights, and to severely limit copyright rights of
users. Copyright law grants the owner of the copyright a "bundle of rights"
to control - for an increasingly long period of time - how the work is
displayed, reproduced, performed, etc. It also allows the public to make
certain uses of the work, either by express or implied contract, or under
the doctrine of "fair use." So things like "private performances" of
copyrighted works are permitted under copyright law.

Issues with copyright law and DRM

The problem is, to obtain access to the copyrighted work these days, you
tend to have to agree to a EULA. Ellen Barkin's character Beth told Daniel
Stern's "Shrevie" in the movie Diner, "I just want to listen to the music."
You can't just do that anymore. You have to sign a contract before you can
listen. The contract purports to limit your right to make fair uses of the
copyrighted works. For example, both the software game mod chip cases and
the Michael Lynn dispute with Cisco revolve around terms of EULAs which
purport to limit users' rights to reverse engineer software they have
purchased and licensed. Lexmark and Chamberlain went one step further, using
the terms of EULAs to attempt DMCA prosecutions of those who refilled ink
cartridges or created cloned garage door openers. Increasingly, copyright
owners are expanding their "bundle of rights" under contract, having you
agree to this practice through a click-through EULA, and then attempting to
enforce these "rights" not under breach of contract law, but under copyright
law itself.

The law recognizes a concept called a "misuse" of a patent. That is, I get a
patent to a process or technology, and under what purports to be a license,
I get you to agree not to compete with me - an antitrust violation. Patents
and copyrights are intended to protect legitimate intellectual property
rights of creators - not to bludgeon the unsuspecting consumer.

Increasingly, commercial software is looking like malicious code - both in
what it does and how it does it. At the same time, authors of malicious code
are taking a cue from the commercial software developers, and writing long
"click wrap" contracts which purport to inform the user of the damage done
by, and limit the remedies for, the malicious code. For now, courts should
require all intellectual property providers to provide clear and conspicuous
notice about what the limitations of the use of the IP are, and what the
software will do. Contract provisions that extend the rights of IP holders
beyond those in copyright law, and which consequently limit the rights of IP
users, should be viewed with suspicion.

Now, if anyone can help me get this CD to play.

