The Lasting Impact of Sony’s Rootkit

My weekly Law Bytes column (Toronto Star version, freely available version, update: the BBC features an internationalized version) examines the controversy surrounding the Sony rootkit and its use of digital rights management. While in the short-term one of the world's best-known brands has suffered enormous damage, the longer-term implications are even more significant – a fundamental re-thinking of policies toward digital locks known as technological protection measures (TPMs).

The column traces the remarkable development of the story – from Halloween-day blog posting to class actions and criminal investigations to spyware labels to half-hearted apologies to risky uninstallers to product recalls to copyright infringement claims – all in three short weeks. While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers.

The incident has alerted millions of consumers to the potential misuse of TPMs as well as to the need for consumer protections from such systems.  While policy makers have raced to provide legal protections for TPMs, the real need is to protect against the misuse of this technology.

The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks. The U.S. Computer Emergency Readiness Team (US-CERT) advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD." Moreover, Stewart Baker, the U.S. Department of Homeland Security's assistant secretary for policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property – it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Baker's comments point, as well, to another issue that has been percolating for some time, namely that TPMs not only put users' property at risk, but they also limit use of lawfully-acquired personal property.

Justice Ian Binnie of the Supreme Court of Canada raised this concern in the Theberge copyright case several years ago when he noted that "once an authorized copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it."

The Australian High Court expressed similar sentiments in the Sony v. Stevens decision issued last month. It rejected Sony's attempt to block the use of "mod chips", which video game players use to play TPM-protected games purchased outside the country, emphasizing that "the right of the individual to enjoy lawfully acquired private property (a CD ROM game or a PlayStation console purchased in another region of the world or possibly to make a backup copy of the CD ROM) would ordinarily be a right inherent in Australian law upon the acquisition of such a chattel."

The incident should also galvanize Canadian regulators and political leaders. The Privacy Commissioner of Canada should use her audit powers to investigate other potentially invasive uses of TPMs, while the Competition Bureau should consider whether Sony violated deceptive practice legislation. Moreover, Industry Minister David Emerson and Canadian Heritage Minister Liza Frulla should reconsider their proposal to protect TPMs, which has the effect of protecting spyware, undermining consumer confidence, and ultimately reducing the sales of Canadian musical artists.

I conclude by arguing that with consumer backlash against deceptive music CDs and licensing agreements, policy maker worries about the privacy and security implications of TPMs, and the courts' concern for personal property rights, the Sony rootkit case is destined to resonate long after the dangerous CDs disappear from store shelves.


  1. Sony Rootkit EULA offers insights
    It is clear that Sony wishes to extend the limitations consumers enjoy with their media, and likely drools at the possibility of adding licensing limitations usually reserved for software. Such limitations include forcing you to delete all the music if you declare bankruptcy.

  2. Roland Young says:

    And conversely, since the Sony EULA purports to limit Sony’s liability towards anyone harmed by their TPM, the success of any of the suits against them must surely strike a blow against such provisions in other EULAs?

  3. Karl Koelbel says:

    Hi Michael, I read your blog religiously but perhaps I’ve missed it: I’m interested to know what your comments are on the legality of Sony’s DRM mishap.

    For instance, if I were a hacker, and did this maliciously or not maliciously, I could be charged with a serious crime under Canadian law and be in jail within a "Hollywood minute".

    I am obviously not a lawyer, but I imagine this sort of activity on Sony's part (whether they chose to make amends or not) is in violation of privacy, anti-circumvention and unlawful entry laws already on the books.

    I’m positive this violates American law. Yet the DOJ in both Canada and the US has not charged Sony with a crime.

    It is obvious there is a class-action case here, but isn’t there also a criminal one? This puts all of our information systems at risk, both private/corporate and public.

    This type of happening makes me wonder truly if a lowly citizen and netizen such as myself is protected by any law at all, and if I will be merely attacked by them when it is convenient for profit.

    Again, I’m writing in the hopes that you will comment on this angle in the near future.