MPs and peers have called for clarity in the law regarding digital rights management (DRM), to make it clear that companies using technical protection measures (TPM) such as Sony BMG's rootkit-like technology could be prosecuted.
The All Party Internet Group (APIG), a cross-party independent discussion forum, published a report on DRM issues on Monday. Among other recommendations, the report said that communications regulator Ofcom should clarify that companies using invasive TPM technologies could be liable for criminal prosecution.
"[There is] a recommendation that Ofcom publish guidance to make it clear that companies distributing Technical Protection Measures systems in the UK would, if they have features such as those in Sony BMG's MediaMax and XCP systems, run a significant risk of being prosecuted for criminal actions," said Derek Wyatt MP, chair of APIG, at the launch of the report.
Last year, Sony caused outrage when it emerged that the company had included a rootkit-like program on some music CDs to hide its copy-protection technology from users. This was then used by some malware to hide itself, which forced some IT managers to clamp down on the use of music CDs within the workplace.
The APIG report lambasted Sony BMG's use of TPM technology, and claimed that "one system, called MediaMax, installed itself even if a user refused permission, and hid its device driver from standard tools.
"The other, XCP, contained what was rather loosely called a 'rootkit' — it was merely a method of hiding programs so that they did not appear in directory listings (as used by actual rootkits that permit unauthorised access). Besides their copy-protection roles, both systems contacted a Web site whenever the user inserted a protected disc — a gross intrusion of privacy," said the report.
Although no charges were brought in the UK, experts have argued that Sony's rootkit technology would be illegal under Section Three of the Computer Misuse Act 1990, which forbids unauthorised modification of computer systems.
APIG's members are concerned that companies were not aware of the full ramifications of employing such technologies.
"Companies should be made aware that use of this technology is a breach of the law as it stands, and need to know when they are exceeding legal bounds," Merlin, the Earl of Erroll, told ZDNet UK.
Cyber-activists supported the MPs' tough stance, calling the recommendations in the report "sensible".
"We are particularly heartened to see APIG take note of the Sony BMG MediaMax and XCP debacle, sending a strong message to companies that they risk prosecution if they use virus-like software which damages consumers' computers," said Suw Charman, executive director of the Open Rights Group, a digital rights advocacy group.
It appears that MPs are keen for Ofcom to play a more centralised role in offering support and guidance to companies regarding Internet issues and in Internet regulation, which is not possible under its current remit.