Sony DRM rootkit 'legal in the UK'

Summary: UK computer users would 'struggle to sue' Sony even if their computer was damaged by its copy-restriction software, according to legal experts

Sony BMG is unlikely to face legal consequences in the UK for the copy-restriction technology it is using on a music CD.

The DRM software, which is contained within a particular Van Zant CD, runs in the background of the computer even when the CD is not being played, and could be targeted by virus writers. The software is difficult to remove and if removed manually could shut off access to the computer's CD player.

But even if your computer is damaged by the Sony CD, either directly or indirectly through the activity of malicious code that takes advantage of Sony's DRM software, Sony would not be criminally liable, according to Peter Sommer, research fellow at the London School of Economics and legal expert on computer security issues.

"You have to click on an agreement before you install the CD," said Sommer. "Once you've clicked on that, in terms of criminal liability, Sony are probably in the clear."

Struan Robertson, a senior associate at Pinsent Masons and the editor of legal Web site Out-law.com, agreed that the CD would not break any criminal law, such as the Computer Misuse Act (CMA).

"For a breach [of the CMA], it would need to be proved beyond any reasonable doubt that access to the computer was unauthorised and that the provider knew that such access was unauthorised. An alternative charge of unauthorised modification of a computer under the Act is also likely to fail because it would be difficult to prove the necessary intent to impair the operation of the computer," said Robertson.

The End-User License Agreement (EULA) on the Van Zant CD states that the "CD will automatically install a small proprietary software program", which is "intended to protect the audio files embodied on the CD". It also limits Sony's liability to $5, "for any loss or damage, either direct, indirect, incidental, consequential or otherwise" caused by Sony (in Article 6 of the agreement), and defends Sony against damages arising out of your actions (in Article 7), thereby protecting the company from potential damage caused to the CD player if the software is removed.

The licence agreement probably provides "enough wriggle room" for Sony, as it informs users about the software and its purpose, and excludes Sony from liability, said Sommer. But a user could still pursue a case against Sony in the civil courts by arguing that the terms of Articles 6 and 7 are "so widely drawn as to be unreasonable", he said.

"If there's any fault in the software and it causes consequential damage, for example if it was used by malware, you might be able to sue Sony in the civil courts for that," said Sommer.

"But you would have to demonstrate there was actual damage and you would have to prove the extent of the damage. For example, 'because of damage to my computer I lost a business proposal to an investment bank that would have made me £10m'," he said.

Such a case is unlikely to be pursued, as the legal fees would probably exceed any compensation granted.

"You would have to prove a complex sequence of events and it would depend on complex legal arguments," said Sommer. "The sort of solicitor who handles this stuff would cost around £250 per hour."

Sommer concluded that the likelihood of any legal case being pursued against Sony is so low that the main penalty for Sony has been the bad publicity about the DRM software.

Robertson said Sony could be sued for damage caused by a security risk, but the user would have to prove loss of money. "If there was a security risk the issue is one of possible negligence. But if a user is unable to show any loss — e.g. prove that his computer was compromised and that he lost valuable data due to Sony's software — he will struggle to sue in this country," said Robertson.

Another potential risk for Sony is government intervention. For example, Robertson said the Office of Fair Trading (OFT) could get involved if it believes that the licence terms on the CD are unreasonable.

"If the licence terms are very unfair to consumers, it is possible that the OFT could get involved, although that seems unlikely in the circumstances of this case," said Robertson.

A spokesman for Sony BMG would not comment on the potential risk of a lawsuit in the civil courts, but said the copy-restricted CD is not available in the UK at present. However, UK customers wishing to buy the particular Van Zant CD can only purchase it as an import from the US, and would therefore get the copy-restricted version.

The licence states that the "validity, interpretation and legal effect" of the EULA is governed by the laws of the State of New York, which means that any UK customer may need to sue in a New York court. However, Sommer said this term can be legally contested in a UK court and Sony could probably be sued for damages in the UK.

Talkback

13 comments
  • Don't buy SONY, just don't. Do you really think they would be THIS cocky if they couldn't afford it? Show them financially how to behave, they're already on the way out anyway.
    anonymous
  • Interesting that you quote the EULA after Sony hastily modified it. Prior to this week, the EULA didn't mention the part about installing software on your system. I am at a loss. If I read the license agreement and accept its terms am I, by your assertion here, bound forever to whatever changes that the issuer applies? That is patently ridiculous.

    As this is unfolding many statements by Sony are unraveling. For example, "Released only in the US" is incompatible with the statement that they press from one master worldwide.

    Whether Sony is civilly or criminally liable in the US, the UK or elsewhere will likely be tested in the courts. As it stands, Sony is already condemned in the court of public opinion.
    anonymous
  • I don't buy any CDs with copy-protection, not because I want to copy the CDs, but because I don't want the CDs interfering with my equipment.

    I don't want to copy or distribute copies of my CDs, so why should I be treated as a potential criminal? If the record companies are going to treat me like that, they obviously don't need my money.

    I actually grabbed a pile of CDs the other week and got to the checkout, where I noticed one of them was copy-protected, so I dumped it and double checked the rest of the cases. Of the 10 CDs I wanted, I ended up buying just 2...
    anonymous
  • EULAs aren't really legally binding if they violate the rights of the user in some way or allow for those rights to be violated.

    And where in the EULA does it say anything about modifying your drivers, kernel, core Windows system and killing your machine's CD drives or breaking it completely?

    Sony are definitely not in the clear; this software is plainly and obviously in breach of SEVERAL sections of the Computer Misuse Act of 1990.
    anonymous
  • Whether what Sony has done or proposed to do is legal or not makes very little difference.

    I will NOT buy a CD from them if they persist in treating the customer as a potential criminal and act in a way which most of us would regard as immoral. Subterfuge, which is what this amounts to, is just unacceptable.

    You have gone too far this time Sony and I feel sorry for the artists that are signed to your label.
    anonymous
  • Boycott ALL Sony products, right now, right here in the UK. This rootkit is 100% unacceptable.
    anonymous
  • Slight mistake in this article..

    Any EULA or contract that is not taken out AT THE POINT OF SALE is invalid under UK law, otherwise a software manufacturer could sell a 'game' with a EULA that states the game is designed to not work on anyone's machine.

    Also as to the 'limiting your liability', that's pretty much an urban myth... you can't just say you're not liable for something and get away with it, otherwise I could say I'm not liable for any injuries or limit damages to
    anonymous
  • Sign the Online Petition!
    Probably the best way to show that not all the consumers are as stupid as Sony hopes that we are is to vote with our pockets. Boycott them until they offer a suitable solution to this mess, apologize to the consumers whose computers may have been damaged and change their strategy altogether.
    I have started a petition which I hope will make its rounds. You are all welcome to sign it and send it on to everyone you know.
    www.petitiononline.com/sonydrm/
    anonymous
  • I hope to buy some Sony products shortly.
    In their closing down sale.!

    What a sneaky bunch of conniving shites.
    And Symantec - shame on you all.

    I hope the artists' lawyers are now planning to sue Sony for loss of sales.

    BTW if you want to stop a CD's autorun...
    Hold down the left-shift key when inserting it
    (Hold it down until windoze has stopped scanning it.)
    You should then be able to use Media Player instead.
    anonymous
  • The article is totally based on wrong assumptions.

    The EULA is no excuse for Sony at all, because the "small proprietary software" (that is, the rootkit) is installed automatically before the user has a chance to accept the EULA. And it remains on the user's computer regardless of whether he/she accepts the EULA or not! Please see comments in Mark Russinovich's blog (http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html )

    "They are installing something to stop the CD from playing in a computer, regardless if the user accepts the EULA or not."

    This "something" that gets installed is a filter driver that captures communication between the CD player and software installed on the user's machine (e.g. Microsoft Media Player, Winamp etc.). The purpose of this filter driver is to impair software other than the player bundled with the CD (thus preventing it from playing the CD), and this is what Sony actually calls "Digital Rights Management". This filter driver is installed together with the rootkit that hides it from the eyes of the user. This all happens before the user has a chance to refuse the EULA!

    Thus your 2nd point does not apply - the dangerous software that Sony installs is *not* subject to the EULA, as it is installed even if the user refused to accept it. The only software that seems to be subject to the EULA is the player that is not impaired in its communication with the CD by the filter driver that got installed beforehand. If the user does not accept the EULA, he will not be able to play the CD using any other software that can be bought "off the shelf", as communication between such software and the CD is impaired by the filter driver. This can all actually be easily verified - just insert the (so called "copy protected") CD into your computer, REFUSE the EULA and try to play the CD using Windows Media Player. Then restart the computer and run RootkitRevealer from Mark Russinovich's website http://www.sysinternals.com/Utilities/RootkitRevealer.html to see the rootkit installed.
    anonymous
  • A spokesman for Sony BMG would not comment on the potential risk of a lawsuit in the civil courts, but said the copy-restricted CD is not available in the UK at present.
    --------------------
    Of course it's available - I went to a Bad Plus concert last week and bought the CD. Since I have a Mac I can see all the PC files on the CD as well as the music files, which are now legitimately on my iPod.
    anonymous
  • I personally will never buy a DRM-protected CD. I have just one, a Kings of Leon. I haven't listened to it and never will. Because I don't own a CD player.

    What I do have is several networked PCs around my flat. When I BUY a CD (of which I have several hundred), I mp3 it and can then listen to it wherever and whenever I want. Including on my mp3 player.

    And isn't that the point of this brave new world of media center PCs etc.?
    anonymous