The Start of a DRM Protection Act

Reports today indicate that a provisional settlement has been reached in the U.S. Sony rootkit class actions.  While the settlement still requires court approval, it makes for an interesting read since it may provide the starting point for a future statute that protects against the misuse of digital rights management technologies.

Given the Canadian focus on my blog, I should note up front that the settlement does not apply to Canadians, who for the moment are left with no compensation and no protection against ongoing DRM misuse.  This is very troubling given the fact that more than 100,000 affected CDs have been distributed in Canada.  Sony BMG Canada should step up and immediately offer the same terms to Canadian consumers and undertake to abide by the same restrictions found in the settlement agreement.

The settlement has two broad goals: compensate consumers for the harm they suffered from both the XCP and Media Max DRM software and place limits on Sony's use of DRM.  The compensation for XCP purchasers includes the replacement of the CD with a version without copy-protection and the choice of either (i) US$7.50 plus one free album download or (ii) three free album downloads (Sony will select at least 200 eligible titles).  The compensation for Media Max offers fewer free album downloads.  The most notable aspect of this part of the settlement is that Sony will undertake to provide the free downloads from at least three music download services including Apple iTunes.  The irony of Sony being forced to offer Apple iTunes downloads when a prime reason for inserting the DRM software was to combat Apple iTunes should not be lost on anyone.

More interesting (at least to non-class action lawyers) are the undertakings on Sony's future DRM use.  The company has agreed to the following limitations on the use of copy-protection software until 2008:

  1. No further use of XCP or Media Max
  2. Ensure that the DRM will not be installed on users' computers until the user accepts the end-user license agreement
  3. Ensure that an uninstaller for the copy-protection software is made readily available to consumers
  4. Fully disclose any updates to the copy-protection software
  5. Ensure that the EULA accurately discloses the nature and function of the software in plain English
  6. Obtain comments about the EULA from an independent oversight person
  7. Obtain an expert opinion that the copy-protection software does not create security vulnerabilities
  8. Only collect limited personal information necessary to provide enhanced CD functionality
  9. Include full disclosures of the copy-protection software on the CD jewel case
  10. Fix any software vulnerabilities that may arise from the copy-protection software

While many of these obligations should be standard operating procedure and not require a court-approved settlement, the full package provides the starting point for a future Digital Rights Management Protection Act.  Much like the settlement, a DRMPA must include consumer protections, privacy protections, security protections, interoperability, and appropriate oversight.  Rather than pushing for protection for DRM, it is apparent that we need protection from DRM, and a DRMPA would be a smart step in that direction.  Such a statute would be the best legacy of the Sony rootkit fiasco.

12 Comments

  1. Outrage!
    Sony is in a very bad position legally, and they know it. Yet strangely, what do we get?

    * Sony does not have to undo their vandalism to anyone’s computers or provide cash compensation for their victims to do so (although they may have to fix unintentionally created security vulnerabilities)
    * Future similar DRM schemes are legitimized as long as they are disclosed on the jewel case and in the EULA, and an uninstaller is provided
    * The role of the EULA in this fiasco is implicitly legitimized (the entire concept of a “EULA,” for those few who don’t know, is largely an obnoxious legal fiction – sans UCITA, anyway)
    * Collection of personal information in media products is legitimized (“only for purposes of providing enhanced functionality” – LOL!)

    This is a love letter to Sony, and a “go ahead” signal to expand “open season on your computer” into the entire market. It is a shocking, audacious outrage, and I have no doubt Sony et al would love to see it made the basis for future statute.

    I frankly don’t understand how a settlement could be equitable if it doesn’t involve repairs on each vandalized computer… and aren’t the punitive damages a little light for one of history’s greatest computer crimes?

    Why is it exactly that the double standard can get so extreme? If I distributed audio CDs that secretly rooted computers in this way, what do you think would happen to me? Do you imagine I could escape prison? Why is it different when a mega-corp does it?

    The biggest questions your article raises are, how could Sony potentially escape justice? Who is involved in this settlement and why? Has there been any coercion or bribery?

  2. Great, safe and effective DRM
    I feel so much better now.
    This little incident is an embarrassment for Sony/BMG and just enough of a wake-up call for the industry to guarantee that DRM will simply be rolled into Vista. We will ‘agree’ to accept the industry’s terms when we first boot our new Vista PCs; the spyware will be neat, secure and transparent; both the publishers and the consumers will be paying monopoly rents to Uncle Bill and everyone will be happy.

  3. Ban DRM!
    The legislative response that would make me happiest would be to outlaw DRM. Make it illegal to copy-protect music, movies, software, or anything else. Copyright laws should be enforced by the legal system, not by turning people’s computers into hacker battlegrounds.

  4. Hacking is computer terrorism
    One set of strengthened laws should be developed and applied to ALL who engage in activities that penetrate or intrude and impede an individual’s, or an organization /employer’s computer system(s) without permission, and /or uninvited and/or under any guise of secrecy or surveillance and without having obtained an order from the court (judge). Hacking is hacking – it is in every respect computer hijacking or computer terrorism, and it should be dealt with according to the maximum extent the law will allow.

    In Canada our police forces – local to RCMP – must adhere to some of the most stringent process and wire/cable tapping laws in order to garner access to communications or data flow(s) for gathering evidence. Police must endeavour to follow these strictest of privacy rules. The same diligence (process) along with significantly tougher hacking laws should apply to ALL invaders, no matter who is masterminding and conducting such invasive or destructive activities – be they hardened cyber-criminals, or major corporations… And, yes, severe penalties must be levied or there is no justice – online or off.

  5. Worried Consumer says:

    What about a right to refuse the EULA?
    What happens if you do not agree to the terms of the EULA? Most retail stores will not allow customers to return an opened CD package.

    There needs to be an effective mechanism for the customer to refuse the EULA without losing money. This means either
    1) the entire text of the EULA must be printed on the product package, or
    2) retailers and the company must allow full refund returns of any copy-protected CD, opened or unopened.

  6. Now wait a sec…
    Let’s take a level-headed look at things first, here.

    1. XCP and MediaMax –whether supervised by Sony or not– were the ones responsible for making the DRM software secure. Sure if Sony had a hand in it, then they do owe some responsibility as well. The simple fact that they’ve even agreed to these terms states that they’re willing to take some of the blame and attempt to make it right. Sony is, after all, big enough to basically tell us all to “go take a flying leap.”

    2. Not all programmers are absolutely security proficient. Look at some of the gaping security flaws that have been found over the years in Microsoft Windows, and –even though I hate to admit it sometimes– Linux. Hell, I doubt a single ONE of the coders INTENDED XCP or MediaMax to be insecure, they just didn’t think their actions through to a logical end.

    3. Justice? First off, let me explain something to y’all… Which do you think hurts Sony more; having to spend the money to fix a few thousand machines whose CD driver linkages got turned to hamburger? Or paying for EVERY SINGLE user (at least in the U.S.) to get up to three full albums worth of songs from systems that frankly don’t make Sony a whole lot of money at all? Basically, by agreeing to do so, Sony is paying out roughly one and a half times what they actually managed to sell in XCP/MediaMax protected CDs. (Not to mention that they probably paid a pretty stiff price to purchase/develop the DRM applications that they used, and will likely pay a whole lot more for a new one that actually DOESN’T bend someone’s machine over.)

    4. They escape jail because corporations are designed to protect the owners and employees from the negligence of the company. Now, I’m not saying that Sony was negligent. In fact, by consciously applying the specific DRM software, knowing full well that it probably wasn’t legal (or at least having some inkling to such an effect) they weren’t negligent at all, but that’s not it. The point I’m trying to express here is that Sony thought that this would protect their property. Would you slap a child across the room for trying to keep his from someone who was going to take it from him? You as an individual, are responsible for your actions. The “entity” Sony, Inc. or whatever, is not responsible for the bad choices of its board and/or management. That could potentially take the entire company down, costing lots of good people, artists and many other companies’ employees their jobs. It’s now up to Sony to also take part in a voluntary investigation (which could end up just some witch hunt in the end, but hey) and to discipline the persons responsible within the company for the DRM decisions, and discipline them properly.

    5. This is not a crime. It’s simply sheer ignorance and stupidity on the part of someone (or several someones) at Sony. This is only a small part of the hurt that Sony will feel for years to come, especially right now with the “Blu-ray” vs. “HD-DVD” battle going on. Anyone remember how Betamax vs. VHS turned out? My suggestion, don’t buy Blu-ray, it’s probably not going to be very popular after the dust settles from all this.

    6. We, as the online community have it easy. DRM is still a kneejerk reaction to the ability to share information on the internet. I’m a businessman, I write software. My father is a businessman as well, he’s a professional photographer. If I write a piece of software, and I say, “You can use it on one computer.” I pretty much have to take your word for it that’s what you’ll actually do. I can’t tell if you’ve put it on several other machines, or someone stole your copy and used it, or whatever. My father on the other hand, says, “You’re licensed to use this for x amount of time.” or “x amount of prints.” or so on, and if even one more is printed, or printed after x amount of time, he can take up to one million U.S. per copy. Copyrights and Trademarks and Patents are there to protect you, too. How many times have you come up with some idea and had to watch someone else get rich off it and sit back on their private island?

    All in all, you all (excluding Geist, obviously) are turning this into just as much of a witch hunt as the MPAA and RIAA are doing with P2P.

    But hey, who am I to argue?

    Go ahead, cut your noses off to spite your faces, see if I care.

    But definitely don’t f**k over MY enjoyment of what Sony and others bring to the world. If it weren’t for them, lots of people’s favorite artists would never have gotten off lonely street corners singin’ for dimes.

  7. David Sanftenberg says:

    Consumer vs Customer
    I’m a customer, not a consumer.

  8. Dwight Williams says:

    Unconvinced
    Suffice to say, I have yet to be convinced that this is over, or a victory for sanity in the issues under dispute. Sony — and the rest of Big Entertainment — will remain under *very* close scrutiny until further notice.

    No surveillance without warrants, please. And that specifically excludes private corporations from conducting their own self-appointed surveillance of whomever buys their product.

  9. Excuse me?
    “This is not a crime.”

    Oh yes it is. And if you did it, they would haul your ass to prison, just like they have hundreds of others who’ve tried this stunt who didn’t happen to be as rich or as well-represented as Sony.

    Basically says it all as far as that post is concerned…

  10. Dwight again says:

    A fair reminder
    “Concern” has a legitimate point here. Wealth and standing should NOT put one above the reach of the consequences of criminal actions. There are certainly specific mitigating circumstances for reducing or waiving penalties, but high corporate rank should not be among them.

    We — in Canada, the USA, the EU nations or wherever else — need to see at least one of these suits or prosecutions reach the trial stage. This sort of thing has to be answered for.

  11. Alton Naur says:

    not the end of the story
    well, maybe for Canadians, but not for Sony or for Texans. The Texas Attorney General has added more charges of fraud to his case, since if the user answers “no” to the license agreement, the rootkit is still invisibly installed. See http://www.scmagazine.com/us/news/article/533782/?n=us

  12. Now wait a sec…
    Response:

    “1. XCP and MediaMax — ”
    Sony commissioned the work, paid for it, manufactured it and distributed it. That makes them responsible.

    “2. Not all programmers are absolutely security proficient.”

    Well, they should be and most are. You just aren’t, and don’t seem to want to be either. That is your choice.

    The item purchased was MUSIC, not software. The software was not only inherently defective in several different ways (overreaching EULA, defective acceptance screens, missing removal software, ability to corrupt newer versions of Windows such as Vista, creation of security holes with the DRM software, plus creation of security holes in unrelated and previously tested drivers and operating systems), but at least one CD didn’t even have a label on it that the music was copy protected.

    The point is, Sony did it on PURPOSE, and didn’t come out to deal with the issue until they were publicly forced to.

    “3. Justice? First off, let me explain something to y’all…”
    Been arrogant long?

    “3a. Which do you think hurts Sony more; having to spend the money to fix a few thousand machines whose CD driver linkages got turned to hamburger? Or paying for EVERY SINGLE user (at least in the U.S.) to get up to three full albums worth of songs from systems that frankly don’t make Sony a whole lot of money at all?”

    All of the above are reasonable, plus punitive fines, since all of the above are direct consequences of their actions, and the actions are intentional and far reaching (see the Sunncomm corporate Prospectus).

    “4. They escape jail because corporations are designed to protect the owners and employees from the negligence of the company.”

    No, they are not designed to avoid criminal prosecution of creating security breaches intentionally. Corporations are in no way above the law.

    “Would you slap a child across the room for trying to keep his from someone who was going to take it from him?”

    Sony isn’t a child, it shouldn’t be treated like one.

    “5. This is not a crime.”

    Yes, it is. Tampering with someone’s core operating system and drivers that were produced and purchased from other parties for the sole purpose of hiding their functionality is against the law in many countries.

    “6. We, as the online community have it easy. DRM is still a kneejerk reaction to the ability to share information on the internet. I’m a businessman, I write software. My father is a businessman as well, he’s a professional photographer.”

    DRM is protection for a small portion of the recording industry, typically old style corporations that can’t adapt to the internet. Smaller, newer, fresher recording labels don’t suffer from this. It’s protection for them, by giving up consumer rights.

    “All in all, you all (excluding Geist, obviously) are turning this into just as much of a witch hunt as the MPAA and RIAA are doing with P2P.”

    Actually, the recording labels are on the witch hunt. They claim all people are crooks, and need policing inherently, and that they should have all control over all computer based actions for all people at all times. I don’t agree, I made the LEGAL purchase of SonyBMG software only to be punished; none of the DRM has any effect whatsoever on piracy. In fact, piracy is safer since it doesn’t include defective DRM.

    “But definitely don’t f**k over MY enjoyment of what Sony and others bring to the world. If it weren’t for them, lots of people’s favorite artists would never have gotten off lonely street corners singin’ for dimes.”

    That’s fine, you are free to do so, but I don’t wish your lower standards to overwrite mine. You are willing to sell your fair use rights for a song (literally), and you are free to do so. SonyBMG LOVES people like you.

    * Me, I want to know the EULA before I pay.
    * I want to know the scope of the DRM.
    * I want to know if I have to repurchase my entire music collection when Vista comes out, since the DRM on CD’s I bought won’t work on it.
    * I want protection FROM the record labels, I want DRM that proves that I bought my music, without corrupting my operating system.
    * I don’t want 50 different DRM programs within my computer, each using 2% of my CPU time because they “poll” the CD drive continuously to monitor what you are doing
    * I don’t want undisclosed and encrypted information to leave my computer even once, let alone continuously; all in the name of “protecting the record labels”.
    * I want a more direct link to the artists. I want to know how much of MY money goes to them, versus how much goes to DRM related issues (legal costs, software costs ….). After all, I am paying the artist for access to their creative works. Everyone (especially the record labels) is a barrier between those transactions.
    * I want to support the artists, and not the massive administration of an obsolete recording label system

    * I am pretty sure I care more about the artists, than the recording labels themselves.

    * Being against SonyBMG’s demented DRM system does not imply people are against DRM or are for piracy. It means that people don’t want to sell their rights as fast as you do. They want to know what they are buying up front.