Sony DRM rootkit 'legal in the UK'

Summary:UK computer users would 'struggle to sue' Sony even if their computer was damaged by its copy-restriction software, according to legal experts

Sony BMG is unlikely to face legal consequences in the UK for the copy-restriction technology it is using on a music CD.

The DRM software, which is contained within a particular Van Zant CD, runs in the background of the computer even when the CD is not being played, and could be targeted by virus writers. The software is difficult to remove and if removed manually could shut off access to the computer's CD player.

But even if your computer is damaged by the Sony CD, either directly or indirectly through the activity of malicious code that takes advantage of Sony's DRM software, Sony would not be criminally liable, according to Peter Sommer, research fellow at the London School of Economics and legal expert on computer security issues.

"You have to click on an agreement before you install the CD," said Sommer. "Once you've clicked on that, in terms of criminal liability, Sony are probably in the clear."

Struan Robertson, a senior associate at Pinsent Masons and the editor of legal Web site Out-law.com, agreed that the CD would not break any criminal law, such as the Computer Misuse Act (CMA).

"For a breach [of the CMA], it would need to be proved beyond any reasonable doubt that access to the computer was unauthorised and that the provider knew that such access was unauthorised. An alternative charge of unauthorised modification of a computer under the Act is also likely to fail because it would be difficult to prove the necessary intent to impair the operation of the computer," said Robertson.

The End-User License Agreement (EULA) on the Van Zant CD states that the "CD will automatically install a small proprietary software program", which is "intended to protect the audio files embodied on the CD". It also limit its liability to $5, "for any loss or damage, either direct, indirect, incidental, consequential or otherwise" caused by Sony (in Article 6 of the agreement), and defends itself against damages arising out of your actions (in Article 7), thereby protecting itself from potential damage caused to the CD player if the software is removed.

The licence agreement probably provides "enough wriggle room" for Sony, as it informs users about the software, the purpose of the software and excludes itself from liability, said Sommer. But, a user could still pursue a case against Sony in the civil courts by arguing that the terms of article 6 and 7 are "so widely drawn as to be unreasonable", he said.

"If there's any fault in the software and it causes consequential damage, for example if it was used by malware, you might be able to sue Sony in the civil courts for that," said Sommer.

"But you would have to demonstrate there was actual damage and you would have to prove the extent of the damage. For example, 'because of damage to my computer I lost a business proposal to an investment bank that would have made me £10m'," he said.

Such a case is unlikely to be pursued, as the legal fees would probably exceed any compensation granted.

"You would have to prove a complex sequence of events and it would depend on complex legal arguments," said Sommer. "The sort of solicitor who handles this stuff would cost around £250 per hour."

Sommer concluded that the likelihood of any legal case being pursued against Sony is so low that the main penalty for Sony has been the bad publicity about the DRM software.

Robertson said Sony could be sued for damage caused by a security risk, but would have to prove loss of money. "If there was a security risk the issue is one of possible negligence. But if a user is unable to show any loss — e.g. prove that his computer was compromised and that he lost valuable data due to Sony's software — he will struggle to sue in this country," said Robertson.

Another potential risk for Sony is government intervention. For example, Robertson said the Office of Fair Trading (OFT) could get involved if it believes that the licence terms on the CD are unreasonable.

"If the licence terms are very unfair to consumers, it is possible that the OFT could get involved, although that seems unlikely in the circumstances of this case," said Robertson.

A spokesman for Sony BMG would not comment on the potential risk of a lawsuit in the civil courts, but said the copy-restricted CD is not available in the UK at present. However, UK customers wishing to buy the particular Van Zant CD can only purchase it as an import from the US, and would therefore get the copy-restricted version.

The licence states that the "validity, interpretation and legal effect" of the EULA is governed by the laws of the State of New York, which means that any UK customer may need to sue in a New York court. However, Sommer said this term can be legally contested in a UK court and Sony could probably be sued for damages in the UK.

Topics: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.