Continued: Sony Rootkit, ect. ect.

A lot of flak is given to Microsoft for being the dark side as far as open and closed source code goes- namely, they steal open source code, and then make it closed source. However, in the last week, I believe the rightful bearer of the closed source code goes to Sony, for the rootkit issue mentioned in the last post. Not that this wasn't a long time coming... Sony's business model is pretty much 'you can't have it' (remember minidisk players- and all of the other Sony music players that JUST started natively playing MP3? no? what about memory sticks? in fact, check out the section called 'proprietary formats' under Wikipedia's entry for Sony and see how many are followed soon after with the words "failed" and or "miserably") Notably, while Sony's come under such attack, Microsoft has reworked its code sharing plan to allow more access to code that was previously protected, and even more recently has called for a law granting broader privacy protection from the government.

But back to Sony. A lot of legal theorists like to explain fairly complicated issues with analogies, here's my sorry attempt:

Bobby is walking home. On his way home, Bobby decides to buy a compact disc from the local CD-O-Rama, lets say, My Morning Glory's new acclaimed album, "Z". He pays his 10 dollars, and off he goes. But what Bobby didn't bargain for was that CD-O-Rama sent an invisible dog after him, a rotweiller in fact, that followed him home. When Bobby played the CD, it played fine. When he tried to burn the CD onto his computer, that was ok too... but when he tried to burn the songs onto a new CD, or download the songs to his i-Pod (Bobby's hip), all he hears is loud barking when he listens.

The invisible dog, as it were, had been trained to bark loudly whenever Bobby tried to do certain things with the CD. Bobby couldn't understand why. And soon, other things began to happen. One day Bobby comes home and his room has been torn apart, another day and there are claw marks on the walls. Bobby begins slowly going insane, while the dog continues to rummage around unabated. To make matters worse, Bobby used to be tormented by several cats in the neighboorhood as well, but the cats found out that if they came into Bobby's room with the invisible dog, they too would turn invisible!

Legally speaking, sucks to be Bobby. Eric Goldman writes,

Accordingly, I'm a little perplexed about what Sony has done wrong from a legal perspective. (I have mixed views about the propriety of Sony's behavior from other perspectives). Sony has the right to protect its music via DRM. Doing so may require the installation of client-side software. Sony has disclosed the install in the EULA. It seems like everything is legally kosher.

Goldman is, unfortunately, right as far as I know. Wired.com's story on the subject argues that a crime has been committed, and may be punishable in the courts, but their claims are a little thin on specifics (although it DOES have a good summary of what's going on, just in case the Bobby and the dog analogy doesn't work for you). The Wired News Staff argues,

Sony may even have committed a crime under the U.S. Computer Fraud and Abuse Act, which can carry fines and prison terms for anyone who "knowingly causes the transmission of a program ... and as a result of such conduct, intentionally causes damage, without authorization, to a protected computer." Corrupting Windows so it misreports the contents of a hard drive sounds a lot like "damage," and the click-wrap license agreement on the Sony disk amounts to pretty thin "authorization" -- disclosing only that "this CD will automatically install a small proprietary software program ... intended to protect the audio files embodied on the CD."

No, simply no. "Intentionally cases damage?" Sony has a right to protect its material, and in doing so, has a legitimate concern to alter the DRM (Digital Rights Management) with its program. As Goldman points out, even if it didn't do a particulary good job of disclosing the rootkit, it DID disclose it. And the authorization is a bit thicker than Wired claims, as part of the full disclosure reads:

"this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT."

Ommiting "May also facilitate your use of the DIGITAL CONTENT"? BAD JOURNALIST. BAD! So how can a better system be created as far as allowing users to control their systems? After all, even if the disclosure is there, most consumers won't read it. Furthermore, if you do accidentally download it, the program has lots of neato features that keep it there long after you want it to be gone, and compromises the security of your computer. So Sony has issued a patch, and over the last couple of days different actions have been taken to mitigate the rootkit (one of which involves using a different rootkit, which Ed Felton rightly haranges).

Back to the law: What is the precedent for legal disclosure of invasive software? And what values are in play - are we dealing with the privacy of a consumer versus the ability of a company to protect intellectual property? Does the invasion involve a tresspassing-like violation (how much consent is needed), or in the case of an iPod, an economic concern (facilitating the use of digital content doesn't really disclose that the material may not be compatable with say, the digital audio player that controls roughly 80 percent of the market). Next post will be a breakdown of such issues.