[IP] more on Sony rootkit fiasco

To: ip@xxxxxxxxxxxxxx
Subject: [IP] more on Sony rootkit fiasco
From: David Farber <dave@xxxxxxxxxx>
Date: Tue, 3 Jan 2006 20:19:35 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <p06200725bfe02f4fb7c2@[192.168.1.101]>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Michael Geist <mgeist@xxxxxxxxx>
Date: January 3, 2006 6:40:15 PM EST
To: dave@xxxxxxxxxx
Subject: more on Sony rootkit fiasco

Dave,

Last week you published my first take on the Sony rootkit settlementand the argument that the terms could serve as the basis forstatutory protections from DRM misuse. I've expanded on thatanalysis in a piece with an international perspective for the BBC anda Canadian perspective for the Toronto Star. I've posted the BBCversion below.


Toronto Star version at
http://geistdrmcpa.notlong.com

BBC version at
http://news.bbc.co.uk/2/hi/technology/4577536.stm

Freely available version at

http://www.michaelgeist.ca/index.php?option=com_content&task=view&id=1054



Legal fallout from Sony's CD woes

Sony's settlement over the rootkit fiasco represents a blueprint forlegislative action, argues law professor Michael Geist.

The Sony Rootkit controversy, in which the world's second largestrecord label rendered hundreds of thousands of personal computersvulnerable to hacker attack by inserting faulty copy-protectionsoftware into dozens of CDs, stands as one of the leading technologylaw blunders of 2005.

Sony faced an immediate onslaught of bad publicity as thousands ofconsumers worldwide awoke to the negative effects of copy-protectiontechnologies, also known as technological protection measures (TPMs).

Moreover, the company was forced to address the legal fallout fromthe case with dozens of class action lawsuits launched throughout theUnited States, a criminal investigation called for in Italy, and theprospect of further legal claims in dozens of additional jurisdictions.

Last week, Sony took a major step toward putting the rootkit fiascobehind it by reaching a tentative settlement that will put a quickend to most of the US lawsuits.

While it still requires court approval, the settlement is significantsince it contains a series of restrictions and conditions on the useof TPMs. This could create the starting point for a future statutethat protects against the misuse of such technologies.

The settlement seeks to both compensate US consumers for the harmthey suffered from the Sony CDs and to place limits on Sony's futureuse of TPMs.

It compensates most purchasers with a copy-protection freereplacement CD as well as the choice of either $7.50 (£4.30) plus onefree album download or three free album downloads. Sony will selectat least 200 eligible titles for download.

The most notable feature of this portion of the settlement is thatSony will undertake to provide the free downloads from at least threemusic download services including rival Apple iTunes.

This aspect of the settlement is laced with irony since one of Sony'sprime reasons for using the copy-protection software was to precludeits customers from copying the songs into MP3 format for playback onApple iPods (the CDs could be easily copied into a format compatiblewith Sony digital audio players).

Consumer protection

Sony has also agreed to comply with at least ten new limitations onits future use of TPMs in the United States. These limitations, whichrun until 2008, focus on improved disclosure requirements, securityprecautions, and privacy safeguards.

The disclosure requirements include a commitment to fully informpurchasers on its outer packaging when a CD contains copy-protectionsoftware, to ensure that its license agreements, which must be pre-approved by an independent oversight party, accurately disclose inplain language the nature and function of the copy-protectionsoftware, and to promptly reveal any updates or changes to the copy-protection software.

The settlement also includes a prohibition on the installation of anycopy-protection software before the user has accepted the Sonylicense agreement.

New security precautions play an important role in the settlementagreement.

Sony has agreed to stop using the technologies that caused the harm;to ensure that an uninstaller program is made readily available toconsumers for any future TPM; to obtain an expert opinion that theuse of any other copy-protection software does not create securityrisks; and to fix any software vulnerabilities that may arise fromthe use of the copy-protection software.

The privacy safeguards are noteworthy since they extend beyond theobligations typically found in privacy legislation.

While privacy laws do not set limits on the use of TPMs (they merelyrequire disclosure of the data collection and appropriate consents),the Sony settlement includes express limitations on the collectionand use of personal information.

While the Sony settlement will likely gain court approval at ahearing in New York later this week, it is not without its critics.

Opponents of the settlement will argue that a few music downloads isa small price to pay given the damage that Sony has created topersonal computers around the world.

Moreover, consumers living outside of the United States are excludedfrom the settlement, leaving thousands without compensation andprotection against ongoing TPM misuse.

The Sony CDs found their way onto computers in more than 100countries, with thousands of consumers throughout the UK and Europeamong the victims.

While it remains possible that Sony will provide similar compensationto consumers worldwide, that appears unlikely. The major recordlabels began experimenting with copy-protected CDs in Europe monthsbefore introducing those same technologies in North America.

Moreover, the music, movie, and software industries have beenpressing for stronger TPM protections in many other countries.

For example, France is debating tougher copyright controls, Australiais likely to introduce new legal protections for TPMs within the nexttwo years, and the entertainment industry leaders are using thecurrent Canadian election campaign to increase the pressure for TPMlegal protections.


Blueprint for future

Notwithstanding its shortcomings, the Sony settlement does provide apotential starting point for a much-needed model statute to protectconsumers from TPMs.

The European Union Copyright Directive and the US Digital MillenniumCopyright Act has set up legal protections for TPMs by establishinganti-circumvention measures, however, the rootkit incidentillustrates that there is the need for parallel consumer legalprotections from TPMs.

The disclosure requirements provide a model for treating TPMs muchlike cigarettes and alcohol, with appropriate warnings on theirpotential negative consequences.

The security measures may be the first step toward a comprehensiveTPM approval and licensing system that places the security needs ofthe general public ahead of private commercial interests.

The privacy provision acknowledges that mere disclosure of theprivacy impact of TPMs does not provide the public with adequateprivacy protection. Given that national privacy legislation does notprovide sufficient privacy safeguards, new statutory limits on thecollection and use of such information that cannot be overriddenthrough license agreements are needed.

Countries worldwide are awakening to the need for consumerprotections against TPM misuse.

While the Sony settlement does not address all TPM concerns -consumers should also be granted product return rights and should notbe placed in the middle of corporate fights over interoperability --its legacy may provide the starting blueprint for a model TPMconsumer protection statute that finds a place on the legislativeagenda of governments around the globe.Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law.

--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa, Faculty of Law
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist@xxxxxxxxx              http://www.michaelgeist.ca


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] "Junk Science" 2005
Next by Date: [IP] more on Bogus bird-flu drugs flood the Internet
Previous by thread: [IP] "Junk Science" 2005
Next by thread: [IP] Summarized -- Forecast for Google Put at $600 a Share - New York Times
Index(es):
- Date
- Thread