Sony's legal issues
Mark Rasch,
http://www.securityfocus.com/columnists/369?ref=rss

Last month I wrote about a dispute between the Federal Trade Commission and
a spyware distributor where the FTC alleged that an End User License
Agreement, which essentially told downloaders that they were downloading
spyware, was a false and deceptive trade practice. Two events cause me to
revisit this issue. First, the FTC has gone after another spyware
distributor, and second, Sony Corporation has caused the surreptitious
installation of a rootkit-type program to enforce its digital rights
management on its music CDs, claiming authority to do so under an End User
License Agreement.

Not only did Sony's actions raise the ire of the user community and open up
users to undisclosed security vulnerabilities, it also landed Sony in hot
water and a class action lawsuit. The question now is whether the EULA
provides Sony with any cover, and if not, why the Federal Trade Commission
isn't going after companies that cause the installation of programs where we
don't - and can't - know what they do.

Recent developments

On November 10, 2005, the FTC filed a lawsuit in federal court in Los
Angeles against Enternet Media and others. It was your typical anti-spyware
lawsuit - you know, the program was installed without the user's knowledge,
added dozens of other programs, captured personal information, was
impossible to remove - yadda yadda yadda. This fact was considered to
constitute a fraudulent and deceptive trade practice by the FTC. What is
interesting in the complaint is the fact that the FTC argues that the terms
of Enternet Media's End User License Agreement are not enforceable noting
that, "Although the EM defendants do have a EULA, they do not require, let
alone encourage, consumers to review it prior to downloading and installing
the EM code. The EM defendants' installation boxes, when clicked on,
automatically install the EM code, with no requirement that a consumer agree
to terms and conditions."

The FTC complaint goes on to note that "[n]or can a consumer, having
installed the EM code, reasonably avoid its effects by uninstalling or
removing it. In most cases, the EM defendants' own instructions do not
remove all of the EM code, and the EM code does not appear in the Add/Remove
feature of the Windows operating system. Often, all or some of the EM code
remains on consumers' computers even after repeated attempts to uninstall
the code." This, among other things, according to the FTC, constituted a
deceptive representation about the software.

Sony stands in the spotlight

Of course, no large and reputable company would act this way. Enter the Sony
BMG fiasco. As reported in Security Focus Sony made thousands of music CD's
with embedded digital rights management code. People thought they were
buying a music CD with some sort of copy protection. What they were actually
doing was licensing software subject to an End User License Agreement. The
terms of the EULA, like those of the spyware distributor cited by the FTC,
were not visible simply by playing the music, at least not on regular CD
player. The EULA provided that "this CD will automatically install a small
proprietary software program (the "SOFTWARE") onto YOUR COMPUTER" but did
not describe what the software did, where it was installed, or how to get
rid of it. The EULA also provided that your right to listen to the music
existed only for as long as you retained possession of the purchased (or
more accurately, licensed) CD, that you could only make copies of the CD on
personal home computers that you owned (theoretically, leased or borrowed
computers were out), that you could not export the software (hence play the
music) outside the country, that you agreed to install any updates to the
software (sound like spyware?) and that Sony's liability to you was capped
at five bucks - irrespective of what the software does. Other fun provisions
of the EULA as noted by the Electronic Frontier Foundation include the fact
that your right to listen to the music terminates if you file for
bankruptcy, that you can't transfer the music on your computer, even with
the original CD, and that you can't change, alter, or make derivative works
from the music on your computer - all things you ordinarily could do under
copyright law.



Sony's actions have landed them in hot water. First, they issued a "patch"
or removal program to remove the rootkit - a program which may or may not
have actually worked, and which has installed additional programs onto your
computer. Then they abandoned the DRM software entirely, but to date took no
efforts to remove CDs with the DRM rootkit software from the shelves, or to
actively warn consumers NOT to purchase them. Finally, at least one
class-action lawsuit has reportedly been filed against Sony in Los Angeles
Superior Court alleging that the software constitutes an unfair and
deceptive trade practice (under California's equivalent of the FTC Act the
"Consumer Legal Remedies Act"), that it violates consumer protection
statutes under the California Unfair Competition law, and most importantly
that the rootkit violates the California anti-spyware statute, the Consumer
Protection against Computer Spyware Act. This act prohibits, among other
things, software that takes control over the user's computer or
misrepresents the user's ability or right to uninstall the program.

The legal issues

These cases present many interesting legal issues. First, let's say that
Sony or even Enternet Media wanted to get consumers' genuine consent to the
installation of these programs. Could they do so under a EULA? Are the terms
of an EULA which permit the installation of software that is intended to be
for the benefit of the software distributor (and not directly of the
consumer) ever enforceable? Certainly I can agree to install any software
onto my computer - even software that will be difficult if not impossible to
fully remove. Only a small percentage of the programs on my desktop machine
are removable anyway using the "ADD/REMOVE" feature in Windows XP. For my
Palm-based phone, the number is even smaller. And even these programs are
generally not fully uninstallable. Remember, under the law, you "signed" a
"contract" where you agreed to limit what you would do with the music you
were leasing. If you uninstall the software, not only do you run the risk
that you won't be able to hear the music, but assuming you can bypass the
copy protections, you, rather than the music company, may be violating the
terms of the contract. In fact, bypassing the copy protections (before Sony
agreed to withdraw them) may land you in criminal hot water under the
provisions of the Digital Millennium Copyright Act, and other countries'
versions passed under the World Intellectual Property Organization treaty.
So much to the surprise of many people, uninstalling this software may be a
violation of the law.

What about the argument that the EULA is not enforceable because you didn't
read/understand/agree to it? Typically, that won't fly. If the terms of the
EULA are readily available to you, not hidden, and at least somewhat
understandable to the average person (legalese, anyone?) then you typically
are bound, even if you have no ability to negotiate the contract. This is
what the law calls a "contract of adhesion." The exceptions are where the
terms of the contract are "unconscionable," such as by downloading this
software, you give up your first born male child - or are void against
public policy, such as this software authorizes us to kill you in an
immediate and painful death. The fact that the terms of the agreement are
unfair, disagreeable, or that you didn't bother to read them however are
typically not defenses.

The FTC and Sony

The juxtaposition of the FTC case and the Sony case makes for a strange law.
Are EULAs that limit liability for the installation of software enforceable
or not? How much must they tell you about what the software does (in
relation to spyware, virus, and malicious code) before you can make an
informed decision about whether to install the code? With each case filed,
the law becomes less clear, rather than more.

The next problem with the Sony code was the fact that in order to install on
the user's machine and not be detected and easily removed, the software
essentially had to create and/or exploit a security vulnerability. The
vulnerability created by the rootkit has already been reportedly piggybacked
by virus writers as a vector for targeting "infected" computers. Although
Microsoft and other anti-viral vendors have announced plans to update their
software to look for the rootkit, should a court enforce the provisions of
the EULA limiting Sony's liability to five bucks, where the software opens a
potentially devastating security hole? If this truly is a contract between
consumer and corporation, should the courts get involved in saying,
"paragraph 1 is fine, but we want to renegotiate paragraphs 7-11?"

Finally, the Sony case represents a disturbing trend among owners of
intellectual property. This is the tendency to misuse copyright law to
obtain other non-copyright rights, and to severely limit copyright rights of
users. Copyright law grants the owner of the copyright a "bundle or rights"
to control - for an increasingly long period of time - how the work is
displayed, reproduced, performed, etc. It also allows the public to make
certain uses of the work, either by express or implied contract, or under
the doctrine of "fair use." So things like "private performances" of
copyrighted works are permitted under copyright law.

Issues with copyright law and DRM

The problem is, to obtain access to the copyrighted work these days, you
tend to have to agree to a EULA. Ellen Barkin's character Beth told Daniel
Stern's "Shrevie" in the movie Diner, "I just want to listen to the music."
You can't just do that anymore. You have to sign a contract before you can
listen. The contract purports to limit your right to make fair uses of the
copyrighted works. For example, both the software game mod chip cases and
the Michael Lynn dispute with Cisco revolve around terms of EULAs which
purport to limit users' rights to reverse engineer software they have
purchased and licensed. Lexmark and Chamberlin went one step further, using
the terms of EULAs to attempt DMCA prosecutions of those who refilled ink
cartridges or created cloned garage door openers. Increasingly, copyright
owners are increasing their "bundle of rights" under contract, having you
agree to this practice through a click through EULA, and then attempting to
enforce these "rights" not under breach of contract law, but under copyright
law itself.

The law recognizes a concept called a "misuse" of a patent. That is, I get a
patent to a process or technology, and under what purports to be a license,
I get you to agree not to compete with me - an antitrust violation. Patents
and copyrights are intended to protect legitimate intellectual property
rights of creators - not to bludgeon the unsuspecting consumer.

Increasingly, commercial software is looking like malicious code - both in
what it does and how it does it. At the same time, authors of malicious code
are taking a cue from the commercial software developers, and writing long
"click wrap" contracts which purport to inform the user of the damage done
by, and limit the remedies for, the malicious code. For now, courts should
require all intellectual property providers to provide clear and conspicuous
notice about what the limitations of the use of the IP are, and what the
software will do. Contract provisions that extend the rights of IP holders
beyond that in copyright law, and which consequently limit the rights of IP
users should be looked on dubiously.

Now, if anyone can help me get this CD to play. 



You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.

Reply via email to