Reports today indicate that a provisional settlement has been reached in the U.S. Sony rootkit class actions. While the settlement still requires court approval, it makes for an interesting read since it may provide the starting point for a future statute that protects against the misuse of digital rights management technologies.
Given the Canadian focus on my blog, I should note up front that the settlement does not apply to Canadians, who for the moment are left with no compensation and no protection against ongoing DRM misuse. This is very troubling given the fact that more than 100,000 affected CDs have been distributed in Canada. Sony BMG Canada should step up and immediately offer the same terms to Canadian consumers and undertake to abide by the same restrictions found in the settlement agreement.
The settlement has two broad goals: compensate consumers for the harm they suffered from both the XCP and Media Max DRM software and place limits on Sony's use of DRM. The compensation for XCP purchasers includes the replacement of the CD with a version without copy-protection and the choice of either (i) US$7.50 plus one free album download or (ii) three free album downloads (Sony will select at least 200 eligible titles). The compensation for Media Max offers fewer free album downloads. The most notable aspect of this part of the settlement is that Sony will undertake to provide the free downloads from at least three music download services including Apple iTunes. The irony of Sony being forced to offer Apple iTunes downloads when a prime reason for inserting the DRM software was to combat Apple iTunes should not be lost on anyone.
More interesting (at least to non-class action lawyers) are the undertakings on Sony's future DRM use. The company has agreed to the following limitations on the use of copy-protection software until 2008:
- No further use of XCP or Media Max
- Ensure that the DRM will not be installed on users' computers until the user accepts the end-user license agreement
- Ensure that an uninstaller for the copy-protection software is made readily available to consumers
- Fully disclose any updates to the copy-protection software
- Ensure that the EULA accurately discloses the nature and function of the software in plain English
- Obtain comments about the EULA from an independent oversight person
- Obtain an expert opinion that the copy-protection software does not create security vulnerabilities
- Only collect limited personal information necessary to provide enhanced CD functionality
- Include full disclosures of the copy-protection software on the CD jewel case
- Fix any software vulnerabilities that may arise from the copy-protection software
While many of these obligations should be standard operating procedure and not require a court-approved settlement, the full package provides the starting point for a future Digital Rights Management Protection Act. Much like the settlement, a DRMPA must include consumer protections, privacy protections, security protections, interoperability, and appropriate oversight. Rather than pushing for protection for DRMs, it is apparent that we need protection from DRMs, and a DRMPA would be a smart step in that direction. Such a statute would be the best legacy of the Sony rootkit fiasco.