Stillborn Thoughts

News, Issues, and Analysis on the intersection of Law and the Internet

Friday, November 04, 2005

Issue/News: Sony DRM and a few legal precedents

So what's the lowdown on the Sony DRM issue and legal precedent? I'm not sure. In this case, Sony seems fairly quick to cover their own ass, so it's doubtful anyone would try to sue them. But it's an interesting point for the ongoing balance between commerce and personal privacy on the internet. The Wired.com story I mentioned argues that it may be a crime under the U.S. Computer Fraud and Abuse Act. Is it?

Probably not. Two cases that have been tried under this act over not completely unrelated issues, Pharmatrak, Inc. v. Private Litigation and DoubleClick Inc. v. Private Litigation, have not turned out too well for the forces of privacy. In both, the argument is made that the companies in question (Pharmatrak and DoubleClick, the latter a company watched closely by the internet privacy advocacy group EPIC) illegally used internet cookies to collect personal information about consumers. A lot of the discussion in the cases is based on the fairly straightforward wording of the Computer Fraud and Abuse Act, as well as the Electronic Communications Privacy Act. Neither I nor any of the hordes of people reading this want me to go through the entirety of the cases, but there are a couple of interesting things to note with relation to DRM, one being that in DoubleClick there is a "simple steps" observation that places more of the burden on the consumer:

"Third, DoubleClick will not collect information from any user who takes simple steps to prevent DoubleClick’s tracking. As plaintiffs’ counsel demonstrated at oral argument, users can easily and at no cost prevent DoubleClick from collecting information from them. They may do this in two ways: (1) visiting the DoubleClick Web site and requesting an “opt-out” cookie; and (2) configuring their browsers to block any cookies from being deposited."
There are similarly 'simple' ways you can turn off the autorun program that runs Sony's DRM, although instructions or notification for the 'opt-out' option (in the DRM case you need to stop a process in Windows) aren't easy to find (although now Sony has set up an uninstall web site). And this is what disturbs me: if the legal burden shifts to the consumer, corporations will be able to continue to push the line of privacy, and all changes will be retroactive. So far, recourse has really only come from the blogging community (update: the market has also reacted, as antivirus companies are quickly putting Sony's DRM on their hit list).

The DoubleClick case, however, only has so much in common with the Sony DRM issue. At its base, it provides a guide for how the law is interpreted (mostly 'on its face') and where the burden lies (on the consumer). Other sources of legal precedent may be more telling, as CNET's Declan McCullagh has written today about the potential legal mess Sony is in. He cites two such cases: Sotelo v. DirectRevenue and the California anti-spyware law.

First, Sotelo: In this case the plaintiff sued DirectRevenue, which bundled spyware with a number of 'free downloads' and did not openly display the EULA (the spyware was bundled, and downloading the software did not require the user to read the EULA; in the case of users with Microsoft security settings on low, the software would be downloaded without fixed consent). As McCullagh writes, "U.S. District Judge Robert Gettleman said the company could be sued on trespass, Illinois consumer fraud, negligence, and computer tampering grounds."
There are a couple of signs in this case that although much of the burden falls on the consumer, there are limitations to the harm that can be created via third-party programs. For example, at one point in dismissing a claim that users are able to opt out, Gettleman writes, "Spyware begins consuming computer resources when it is installed, and uninstalling Spyware is significantly more confusing and vexing process than returning a product". This strikes me as a fairly sharp contrast to the logic applied in DoubleClick over the same matter, although then again DoubleClick's cookies significantly differ from DirectRevenue's spyware.

Second, such harms can be tied to trespass. Gettleman evidences this with legal precedent, writing,
"A series of federal district court decisions, beginning with CompuServe, Inc., has approved the use of trespass to personal property as a theory of liability for "spam e-mails" sent to an Internet service provider ("ISP") based upon evidence that the vast quantities of spam e-mail overburdened the ISP's own computer and made the entire computer system harder to use for computer users, the ISP's consumers."
However, as much as people might make out that Sotelo applies to Sony's DRM, there remain glaring dissimilarities. For one, the claims in Sotelo, particularly consumer fraud and negligence, are based on DirectRevenue's disclosure policy. Sony is a lot more open: although the EULA is confusing, a user has to click through it to access material, and with regard to Sony-disseminated CDs, there are clear labels (take a look at "Z" on amazon.com, the CD I mentioned in the last post, and notice the COPY PROTECTED CD line in the title). Eric Goldman reinforces this, arguing,
"However, the Sotelo case doesn't offer us much insight here. First, the Sotelo decision was just a denial of a motion to dismiss, so its precedential value is low (especially if the court ultimately finds that there was no trespass to chattels). Second, a properly formed EULA consenting to the install would negate a trespass to chattels claim (and all of the various other related claims, like the Computer Fraud & Abuse Act)."
So that's it for Sotelo. What about the California law? Well, the definitions of the law state that:
(h) "Intentionally deceptive" means any of the following:
(1) By means of an intentionally and materially false or fraudulent statement.
(2) By means of a statement or description that intentionally omits or misrepresents material information in order to deceive the consumer.
(3) By means of an intentional and material failure to provide any notice to an authorized user regarding the download or installation of software in order to deceive the consumer
On its face, Sony's EULA does not meet either the 1st or 3rd criteria. And as far as "intentionally omits or misrepresents material" goes, it sufficiently, if confusingly, represents the existence of the rootkit. What it might not do, however, is give sufficient notice of how HARD the damn thing is to remove from Windows (as evidenced in the comments on Ed Felten's and Eric Goldman's sites).

Another possibility for legal recourse is in one of the later sections, which reads that a company or individual cannot:
(1) Induce an authorized user to install a software component onto
the computer by intentionally misrepresenting that installing
software is necessary for security or privacy reasons or in order to
open, view, or play a particular type of content.
I can see this one being argued on two counts: first, by the user of the CD, that the EULA doesn't include any opt-out option (i.e. instructions to disable Windows autorun) and the software therefore appears to be required to play the content; and second, by a user on a network whose administrator has downloaded the Sony rootkit. Because the rootkit cloaks any file with $sys$, this cloaking feature can be picked up by other malicious software programs and used to cloak their files. In other words, the user on the network, who has not downloaded the rootkit, is adversely affected because a malicious program on their system is using the rootkit on the administrator's computer to cloak files.

Regardless, Sony is taking a hit with all the furor over the rootkit, and it won't help their already tarnished reputation. What a legal action really needs in order to be pushed through is a very clear claim of damages (i.e. the rootkit specifically hinders this or that operation on this or that system). In the coming weeks, it will likely be resolved through the private actions of Sony- or it might not- either way, it may give us a better sense of how blurry the line is between illegitimate and legitimate software, as well as the balance of burdens between the consumer and the corporation.

1 Comments:

  • At 1:49 PM, Anonymous said…

    This stuff gets easier to understand the more I read from the beginning, but please throw in some non-jargon with something to break up the flow of longer entries and it would make them easier to read. I think you will also find when reading my website it's much easier when starting from the beginning.

     
