Appeared in the Toronto Star on January 2, 2006 as Rootkit Fiasco Shows Stronger Laws Needed
The Sony Rootkit controversy, in which the world’s second largest record label rendered hundreds of thousands of personal computers vulnerable to hacker attack by inserting faulty copy-protection software into dozens of CDs, stands as one of the leading technology law blunders of 2005.
Sony faced an immediate onslaught of bad publicity as thousands of consumers awoke to the negative effects of copy-protection technologies, also known as technological protection measures (TPMs). Moreover, the company was forced to address the legal fallout from the case with dozens of class action lawsuits launched throughout the United States.
Last week Sony took a major step toward putting the rootkit fiasco behind it by reaching a tentative settlement that will put a quick end to most of the U.S. lawsuits. While it still requires court approval, the settlement is significant since it contains a series of restrictions and conditions on the use of TPMs. This could create the starting point for a future statute that protects against the misuse of such technologies.
The settlement seeks both to compensate consumers for the harm they suffered from the Sony CDs and to place limits on Sony’s future use of TPMs. It compensates most purchasers with a copy-protection-free replacement CD as well as the choice of either (i) US$7.50 plus one free album download or (ii) three free album downloads. Sony will select at least 200 eligible titles for download.
The most notable feature of this portion of the settlement is that Sony will undertake to provide the free downloads from at least three music download services including rival Apple iTunes. This aspect of the settlement is laced with irony since one of Sony’s prime reasons for using the copy-protection software was to preclude its customers from copying the songs into MP3 format for playback on Apple iPods (the CDs could be easily copied into a format compatible with Sony digital audio players).
Sony has also agreed to comply with at least ten new limitations on its future use of TPMs. These limitations, which run until 2008, focus on improved disclosure requirements, security precautions, and privacy safeguards.
The disclosure requirements include a commitment to fully inform purchasers on its outer packaging when a CD contains copy-protection software, to ensure that its license agreements, which must be pre-approved by an independent oversight party, accurately disclose in plain language the nature and function of the copy-protection software, and to promptly reveal any updates or changes to the copy-protection software. The settlement also includes a prohibition on the installation of any copy-protection software before the user has accepted the Sony license agreement.
New security precautions play an important role in the settlement agreement. Sony has agreed to stop using the technologies that caused the harm; to ensure that an uninstaller program is made readily available to consumers for any future TPM; to obtain an expert opinion that the use of any other copy-protection software does not create security risks; and to fix any software vulnerabilities that may arise from the use of the copy-protection software.
The privacy safeguards are noteworthy since they extend beyond the obligations typically found in privacy legislation. While privacy laws do not set limits on the use of TPMs (they merely require disclosure of the data collection and appropriate consents), the Sony settlement includes express limitations on the collection and use of personal information.
While the Sony settlement will likely gain court approval later this week, it is not without its critics. Opponents of the settlement will argue that a few music downloads is a small price to pay given the damage that Sony has caused to thousands of personal computers.
Moreover, Canadians are excluded from the settlement, leaving thousands of consumers without compensation and protection against ongoing TPM misuse unless Sony Canada agrees to be bound by the same settlement terms. That appears unlikely, as the Canadian representatives of the music, movie, and software industries have been moving in the opposite direction. The leaders of those industries have used the election campaign to increase their lobbying pressure for greater TPM protection in recent weeks, culminating in plans to host a major fundraising event for Toronto-area MP Sarmite Bulte just four days before the upcoming election.
Notwithstanding its shortcomings, the Sony settlement does provide a potential starting point for a much-needed statute that protects consumers from TPMs.
The disclosure requirements provide a model for treating TPMs much like cigarettes and alcohol, with appropriate warnings on their potential negative consequences. The security measures may be the first step toward a comprehensive TPM approval and licensing system that places the security needs of the general public ahead of private commercial interests.
The privacy provision acknowledges that mere disclosure of the privacy impact of TPMs does not provide the public with adequate privacy protection. Given the shortcomings of the current law, new statutory limits on the collection and use of such information that cannot be overridden through license agreements are needed.
Canada, the U.S., and many European countries are awakening to the need for consumer protections against TPM misuse. While the Sony settlement does not address all TPM concerns – consumers should also be granted product return rights and should not be placed in the middle of corporate fights over interoperability – its legacy may provide the starting blueprint for a TPM consumer protection statute.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.