Following on my earlier posting, my Law Bytes column (Toronto Star version, freely available version) advances my thoughts on how the Sony rootkit settlement could create the starting point for a model statute that protects against the misuse of TPMs.
The column repeats my overview of the settlement including the ten new limitations on its future use of TPMs. These limitations, which run until 2008, focus on improved disclosure requirements, security precautions, and privacy safeguards.
I again note that Canadians are excluded from the settlement, leaving thousands of consumers without compensation and protection against ongoing TPM misuse unless Sony Canada agrees to be bound by the same settlement terms. That appears unlikely, as the Canadian representatives of the music, movie, and software industries have been moving in the opposite direction. The leaders of those industries have used the election campaign to increase their lobbying pressure for greater TPM protection in recent weeks, culminating in plans to host a major fundraising event for Toronto-area MP Sarmite Bulte just four days before the upcoming election.
Notwithstanding its shortcomings, the Sony settlement does provide a potential starting point for a much-needed model statute to protect consumers from TPMs. The European Union Copyright Directive, the U.S. Digital Millennium Copyright Act, and Bill C-60 in Canada establish legal protections for TPMs by establishing anti-circumvention measures, however, the rootkit incident illustrates that there is the need for parallel consumer legal protections from TPMs.
The disclosure requirements provide a model for treating TPMs much like cigarettes and alcohol, with appropriate warnings on their potential negative consequences. The security measures may be the first step toward a comprehensive TPM approval and licensing system that places the security needs of the general public ahead of private commercial interests.
The privacy provision acknowledges that mere disclosure of the privacy impact of TPMs does not provide the public with adequate privacy protection. Given the shortcomings of the current law, new statutory limits on the collection and use of such information that cannot be overridden through license agreements are needed.
Canada, the U.S., and many European countries are awakening to the need for consumer protections against TPM misuse. While the Sony settlement does not address all TPM concerns – consumers should also be granted product return rights and should not be placed in the middle of corporate fights over interoperability – its legacy may provide the starting blueprint for a TPM consumer protection statute.