My weekly Law Bytes column (Toronto Star version, freely available version, update: the BBC features an internationalized version) examines the controversy surrounding the Sony rootkit and its use of digital rights management. While in the short-term one of the world's best-known brands has suffered enormous damage, the longer-term implications are even more significant – a fundamental re-thinking of policies toward digital locks known as technological protection measures (TPMs).
The column traces the remarkable development of the story – from Halloween-day blog posting to class actions and criminal investigations to spyware labels to half-hearted apologies to risky uninstallers to product recalls to copyright infringement claims – all in three short weeks. While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers.
The incident has alerted millions of consumers to the potential misuse of TPMs as well as to the need for consumer protections from such systems. While policy makers have raced to provide legal protections for TPMs, the real need is to protect against the misuse of this technology.
The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks. The U.S. Computer Emergency Response Team advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD." Moreover, Stewart Baker, the U.S. Department of Homeland Security' s assistant secretary of policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property – it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."
Baker' s comments point, as well, to another issue that has been percolating for some time, namely that TPMs not only put users' property at risk, but they also limit use of lawfully-acquired personal property.
Justice Ian Binnie of the Supreme Court of Canada raised this concern in the Theberge copyright case several years ago when he noted that "once an authorized copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it."
The Australian High Court expressed similar sentiments in the Sony v. Stevens decision issued last month. It rejected Sony' s attempt to block the use of "mod chips", utilized by video game players to unlock games with TPMs purchased outside the country, emphasizing that "the right of the individual to enjoy lawfully acquired private property (a CD ROM game or a PlayStation console purchased in another region of the world or possibly to make a backup copy of the CD ROM) would ordinarily be a right inherent in Australian law upon the acquisition of such a chattel."
The incident should also galvanize Canadian regulators and political leaders. The Privacy Commissioner of Canada should use her audit powers to investigate other potentially invasive uses of TPMs, while the Competition Bureau should consider whether Sony violated deceptive practice legislation. Moreover, Industry Minister David Emerson and Canadian Heritage Liza Frulla should reconsider their proposal to protect TPMs, which has the effect of protecting spyware, undermining consumer confidence, and ultimately reducing the sales of Canadian musical artists.
I conclude by arguing that with consumer backlash against deceptive music CDs and licensing agreements, policy maker worries about the privacy and security implications of TPMs, and the courts' concern for personal property rights, the Sony rootkit case is destined to resonate long after the dangerous CDs disappear from store shelves.