p2p news view / p2pnet: The Sony
Rootkit controversy, in which the world’ s second largest record
label rendered hundreds of thousands of personal computers vulnerable
to hacker attack by inserting faulty copy-protection software into
dozens of CDs, stands as one of the leading technology law blunders
of 2005.

Sony faced an immediate onslaught of bad
publicity as thousands of consumers awoke to the negative effects of
copy-protection technologies, also known as technological protection
measures (TPMs). Moreover, the company was forced to address the
legal fallout from the case with dozens of class action lawsuits
launched throughout the United States.

Last week Sony took a major step toward
putting the rootkit fiasco behind it by reaching a tentative
settlement that will put a quick end to most of the U.S. lawsuits.
While it still requires court approval, the settlement is significant
since it contains a series of restrictions and conditions on the use
of TPMs. This could create the starting point for a future statute
that protects against the misuse of such technologies.

The settlement seeks to both compensate
consumers for the harm they suffered from the Sony CDs and to place
limits on Sony’s future use of TPMs. It compensates most purchasers
with a copy-protection free replacement CD as well as the choice of
either (i) US$7.50 plus one free album download or (ii) three free
album downloads. Sony will select at least 200 eligible titles for
download.

The most notable feature of this portion
of the settlement is that Sony will undertake to provide the free
downloads from at least three music download services including rival
Apple iTunes. This aspect of the settlement is laced with irony
since one of Sony’ s prime reasons for using the copy-protection
software was to preclude its customers from copying the songs into
MP3 format for playback on Apple iPods (the CDs could be easily
copied into a format compatible with Sony digital audio players).

Sony has also agreed to comply with at
least ten new limitations on its future use of TPMs. These
limitations, which run until 2008, focus on improved disclosure
requirements, security precautions, and privacy safeguards.

The disclosure requirements include a
commitment to fully inform purchasers on its outer packaging when a
CD contains copy-protection software, to ensure that its license
agreements, which must be pre-approved by an independent oversight
party, accurately disclose in plain language the nature and function
of the copy-protection software, and to promptly reveal any updates
or changes to the copy-protection software. The settlement also
includes a prohibition on the installation of any copy-protection
software before the user has accepted the Sony license agreement.

New security precautions play an
important role in the settlement agreement. Sony has agreed to stop
using the technologies that caused the harm; to ensure that an
uninstaller program is made readily available to consumers for any
future TPM; to obtain an expert opinion that the use of any other
copy-protection software does not create security risks; and to fix
any software vulnerabilities that may arise from the use of the copy-
protection software.

The privacy safeguards are noteworthy
since they extend beyond the obligations typically found in privacy
legislation. While privacy laws do not set limits on the use of TPMs
(they merely require disclosure of the data collection and
appropriate consents), the Sony settlement includes express
limitations on the collection and use of personal information.

While the Sony settlement will likely
gain court approval later this week, it is not without its critics.
Opponents of the settlement will argue that a few music downloads is
a small price to pay given the damage that Sony has created to
thousands of personal computers.

Moreover, Canadians are excluded from the
settlement, leaving thousands of consumers without compensation and
protection against ongoing TPM misuse unless Sony Canada agrees to be
bound by the same settlement terms. That appears unlikely, as the
Canadian representatives of the music, movie, and software industries
have been moving in the opposite direction. The leaders of those
industries have used the election campaign to increase their lobbying
pressure for greater TPM protection in recent weeks, culminating in
plans to host a major fundraising event for Toronto-area MP Sarmite
Bulte just four days before the upcoming election.

Notwithstanding its shortcomings, the
Sony settlement does provide a potential starting point for a much-
needed statute that protects consumers from TPMs.

The disclosure requirements provide a
model for treating TPMs much like cigarettes and alcohol, with
appropriate warnings on their potential negative consequences. The
security measures may be the first step toward a comprehensive TPM
approval and licensing system that places the security needs of the
general public ahead of private commercial interests.

The privacy provision acknowledges that
mere disclosure of the privacy impact of TPMs does not provide the
public with adequate privacy protection. Given the shortcomings of
the current law, new statutory limits on the collection and use of
such information that cannot be overridden through license agreements
are needed.

Canada, the U.S., and many European
countries are awakening to the need for consumer protections against
TPM misuse. While the Sony settlement does not address all TPM
concerns - consumers should also be granted product return rights and
should not be placed in the middle of corporate fights over
interoperability - its legacy may provide the starting blueprint for
a TPM consumer protection statute.

Michael Geist
[Geist is the Canada Research
Chair in Internet and E-commerce Law at the University of Ottawa. He
can be reached by email at mgeist[at]uottawa.ca and is on-line at href="http://www.michaelgeist.ca/"
target="_blank">www.michaelgeist.ca.]

This entry was posted on Monday, January 2nd, 2006 at 3:12 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 3257 times