November 22, 2005

"What's wrong about all this is that in an effort to protect against illegal copying, it was Sony BMG that engaged in illegal conduct."

Said the Texas attorney general, Greg Abbott.
In separate legal actions yesterday, the Electronic Frontier Foundation, an influential digital rights advocacy group in California, and the Texas attorney general filed lawsuits against the music publisher Sony BMG, contending that the company violated consumers' rights and traded in malicious software.

They are the latest in a series of blows to the company after technology bloggers disclosed this month that in its efforts to curb music piracy, Sony BMG had embedded millions of its music CD's with software designed to take aggressive steps to limit copying, but which also exposed users' computers to potential security risks.

The copy-protection software, called XCP, was bought by Sony BMG from a British company, First 4 Internet, and was installed on 52 recordings, totaling nearly five million discs, according to the music publisher, which is jointly owned by Sony and Bertelsmann....

Users do have to accept "license agreements" that appear on their computer screens before playing CD's protected by the First 4 Internet and SunnComm software, but the foundation called the terms of those agreements "outrageous" and "anti-consumer."
It will be interesting to see what the courts do with those click-thru contracts. Any idea how many of them you've "agreed" to over the years?

25 comments:

Bennett said...

It's going to be interesting watching "institutional reform" in the music industry. There's so many variables shaping a mostly amorphous market: artists, digital formats, publicity, and distribution outlets.

Hopefully, the openness of the industry will empower people to spend based on their artistic preferences first and foremost, empowering artists in the process. For the moment, the big boys, esp. Sony, would like to hang on to their dominance by turning music into corporate trojan horses. Due to fundamental changes in the market, I think such actions will face a smackdown from (a) a market that has plenty of other options obtaining content, and (b) artists that have alternative ways of producing and marketing their work.

In a nutshell, the Sony's will have to relinquish some degree of creative control while also making the product cheaper - i.e. big changes.

Bennett said...

Another interesting dynamic is that prices have to come down so much to entice people to get their music legally. We'll see that consumers prefer legal music, but will draw the line at being gouged or having their computers invaded by nefarious code.

Anonymous said...

Seriously Ann, the real questions that you as a con law prof could answer for us laymen are:

A) Sony places a rootkit (trojan) on your computer without your knowledge or signed consent (the rootkit is installed BEFORE you click yes to the EULA). If I did this to you, I would be arrested. Why is my act criminal, why is Sony's not, and is that wise or good? If not, how do we change that?

B) How did corporations become persons? What would an originalist or founder think about this? Is it true that it was a mistake of a clerk in "Santa Clara vs...." What is the best most effective way to rectify this, through the courts, or Congress? Would it take an amendment? How could we avoid going through an amendment process? Are we stuck forever with this terrible mistake?

jeff said...

The tech community has been waiting for literally years for a decent lawsuit involving EULA's and click-through licensing to come up. Hopefully this will be the suit and we can get this under control.

I recommend bombarding the judge (and jury, if any) with as many of these ridiculous documents as they can come up with.

Bennett said...

jeff:

It's not feasible to do away with EULAs. I can see something similar to credit card agreements, where certain essential terms would be posted in boldface right up top. Such terms would certainly include: what software, if any, will be loaded into your computer, where will it be loaded, and how to remove.

Unknown said...

Isn't there a legal issue in that Sony takes your money at the store, but only later tells you that there are some onerous ramifications to your purchase?

Wade Garrett said...

I'm just a student, but I'll try my best! According to Judge Frank Easterbrook, of the 7th Circuit Court of Appeals, those are enforceable contracts -- as long as you had the opportunity to read the terms, then you can be bound by them, no matter how small the type was or how hard the clauses are to find.

According to Easterbrook, if the computer companies have an objective grounds for believing you've agreed to a contract -- ie, your having clicked on the "I agree" button, then you have "committed" a contract. The fact that no reasonable person would read through tens of pages of boilerplate to find the one or two clauses that are even potentially relevant is beside the point.

Some other judges have differentiated these Easterbrook rulings on their facts -- essentially a polite way of saying that they refuse to follow his precedent, without coming right out and saying so. Since Contract cases rarely ever make it to the Supreme Court, the outcome of law suits such as this one might depend on which federal judicial circuit the suit is brought in.

Wade Garrett said...

F15c - there was a pretty well-known case about five years ago in which the 7th Circuit ruled that a consumer was bound by just such an agreement. (Pro CD v. Zeidenberg)

The person bought a software program in a store, and in very small print on the outside of the box it said that there was a licensing agreement contained inside the box. As it turned out, the agreement was in something like 7-point font on page 85 of a 100-page owner's manual.

The district court, here in Madison, Wisconsin, ruled that since the buyer had no idea what the terms of the contract were at the time of purchase, he was not bound by the contract. On appeal the 7th Circuit ruled that since the customer knew that, if he bought the software, he WOULD be bound to a contract after purchase, then he had a duty to find the terms and return the product within a certain period of time if he did not want to be bound by the terms.

As far as I can tell, every law school in the midwest, other than the University of Chicago, where Judge Easterbrook is a member of the faculty, roundly criticizes his decision in that case.

Tristram said...

Hoever, what about if the EULA doesn't accurately represent the actions? On the site of the person that orignanly published this, he did a close reading of the ORGINAL EULA (I beleive it has since changed...), and it did not mention rootkit level, un-uninstallable, undectable (by less than expert users). It may be the case that EULAs my be fine, but in this case, the EULA was inadequate (to say the least).

Smilin' Jack said...

Another relevant question is: what software does the EULA apply to? The software described in the documentation accompanying the EULA? Or the software that is actually installed on your machine? In my experience it is extremely rare for software to conform to its documentation: it all has "bugs." It seems to me that any such deviation from the documentation should void the contract.

A related question: Microsoft et al. routinely sell software with many thousands of known bugs. Why is that not consumer fraud?

Ann Althouse said...

Quxxo: Those actually aren't conlaw questions.

Anonymous said...

I appreciate the response Ann, but would you then explain what is a con law question, and why those are not (in part so we know what is germane in these sorts of discussions?)

Regarding B) My understanding is that corporations were not considered persons before 1886, when a mistakenly written headnote of a Supreme Court Case erroneously repeated since "granted" them personhood in the 14th. My understanding is that the founders were diametrically opposed and warned against granting corporations personhood.

How is it that a mistakenly written headnote that changes law from then on is not a con law question?

When a mistake is made in interpreting a Supreme Court Decision, where should appeals be filed? With the court? Which court? With Congress? With the President?

What sort of case would it take for this to be addressed by a lower court, and appeals court, and the Supreme Court?

If that is not a question for a con law prof to address, what kind of professor would address this?

Regarding A) How would the founders have dealt with a company that damaged customers in such a way? What is the foundation for treating these companys in a civil and not a criminal manner when it would be different for citizens. Again, if this is not a con law prof question, I am genuinely curious as to what sort of academic would consider this an interesting question.

Thank you Ann,

Bruce Hayden said...

Judge Easterbrook and the ProCD decision is, IMHO, one of the worst decisions I have ever read. He totally sidestepped the claim that there was no independant consideration supporting the contract, that it was not a meeting of the minds, and would not be considered a binding contract under the Restatement 2nd, and that the after-supplied terms wouldn't be enforceable under UCC II by blythely pointing out that everyone does it.

And since then, more courts than not have followed him, quoting that decision approvingly, and rarely gotten into the real contract formation issues.

Sorry to be so heated. But I have been involved in this area of the law for over 15 years now, and that decision is one of my pet peeves.

Wade Garrett said...

Quxxo,

Its not a Con Law issue because the legal issues in the case don't relate to the Constitution. The laws of contract and copyright are what decide these cases. Freedom of speech, federalism, separation of powers, jurisdiction, the right to vote, etc -- those are Constitutional issues.

sonicfrog said...

Groklaw.net will cover the progress of the Texas lawsuit, as well as the one here in California. The woman that runs it, PJ, has done a great job dispelling the FUD in the SCO vs The World cases (IBM, Novell, AutoZone, Chrysler, etc. etc.), and is on top of the Sony cases as well.

Anonymous said...

Thanks Terence, I still would very much appreciate hearing Ann's take on the issue.

Isn't (A) (civil litigation for a corporation vs. criminal litigation for a person) a violation of due process and equal protection?

Isn't (B) (error by a clerk becomes law) a violation of Article I, Section 8, Powers of Congress?

Admittedly, I am pulling these completely out of my a** as I am engineer not lawyer.

Anonymous said...

Isn't (B) (corporations become citizens) also a violation of the 14th Amendment? Giving Monsanto, Microsoft, and GM free speech rights, the ability to own other corporations, and the ability to donate to elections does in fact lessen and deprive me of property, rights, and equal protection.

John A said...

"It will be interesting to see what the courts do with those click-thru contracts."

Uh, this may be superfluous as some comments already noted case law (I'm no lawyer), but -

For an answer, look up shrink-wrap licenses. Software used to be distributed with a statement that the EULA was on the disk, and opening the wrapping so you could read the disk - and EULA - constituted agreement to the EULA.

My memory is that the courts agreed...

In this case [cases: looks like there are at least two sets of software], however, the installed software went a long way past what was stated.

Bruce Hayden said...

The Sony DRM rootkit, et al. was discovered by Windows systems expert Mark Russinovich, and you can find a lot of information on it on his blog. Also, I have been pulling together a lot of the information on a blog dedicated to the Sony DRM code situation.

Bruce Hayden said...

quxxo

A couple of clarifications. First, Sony actually utilizes Digital Rights Management (DRM) code from at least two different companies.

The code that started this whole thing off is from First 4 Internet Ltd. It is the First 4 code that installs the actual rootkit (which is the code that hides stuff that shouldn't be hidden), plus DRM code. It appears to be on CDs of some 50 Sony titles (and installed on over a half a million computers). And if you reject the EULA, the CD is ejected and no software is installed.

However, Sony has also utilized DRM code from SunnComm for other music titles, and this is the software that gets at least partially installed even when you reject the EULA.

Also, the First 4 code is not strickly a "trojan" - but it does do a lot of other naughty things. The rootkit part, as indicated above, hides any files or registry keys starting with "$sys$". This has already is being exploited by hackers.

Indeed, both DRM codes from Sony appear to open up significant hacker windows - but none apparently as bad as the original full uninstall for the First 4 code, which utilized Microsoft ActiveX.

Anonymous said...

Interesting, but I still fail to understand in what sense the first 4 code is not a trojan.

# Trojans are programs (often malicious) that install themselves or run surreptitiously on a victim's machine. They do not install or run automatically, but may entice users into installing or executing by masquerading as another program altogether (such as a game or a patch) or they may be packaged with hacked legitimate programs that install the trojan when the host program is executed. ...
www.voiceanddata.com.au/vd/admin/glossary.asp

# A Trojan is a small computer program, usually installed on a computer without the owners knowledge, that allows another person elsewhere on the internet to make use of your computer. ...
www.internet-security.adopto-internet.com/glossary.html

# A type of computer virus which comes disguised as a program. People download this program usually from the Internet because they think that the program is of some use, but once they start it up it could perhaps erase your hard drive or just wreak havoc all over your system. Recently there has been a discovery of a Trojan Horse type virus which comes in the form of a file called AOL4FREE.COM this file should NOT be downloaded to your system by any means. ...
www.planetech.co.uk/glossary.htm

# A program that is installed without your knowledge and carries a destructive payload. Once your computer becomes infected by the worm or virus, it can be very difficult to repair the damage. Trojans usually come attached to another file, for example: .avi, .exe, or even .jpg. Many people do not notice or see file extensions, so what may appear as "fun program.zip" in reality could be "fun program.zip.exe." The difference here is the added .exe extension. ...
ths.gardenweb.com/faq/lists/comphelp/2005011632014938.html

# named after the Trojan horse used by the rescuers of Helen of Troy. A Trojan is a computer program that disguises itself as a useful software application that is actually used to gain access to your computer.
www.tecc.com.au/tecc/guide/glossary.asp

# A destructive programme which manifest as a benign application
www.hscgroup.co.uk/t.html

Bruce Hayden said...

Now some notes on the Sony EULA. If it is enforceable, it would probably immunize Sony from damages. And, because of ProCD and its progeny, there is a decent chance that it would be enforceable, despite its onerous nature. Also, see a blog entry on the enforceability of clickwrap licenses by Ray Nimmer.

I suggested a couple of weeks ago that the best way to overcome the Sony EULA was that it fraudulently misleads users as to what happen if the users agreed to the terms of the EULA. The Texas AG in their complaint follow the same theory.

I should also note another advantage that the Texas AG has over individuals suing Sony - their EULA prescribes NY law and that suit be brought in NY. But the State of Texas, by and through its Attorney General, can make a very persuasive case that the suit be heard in Texas under Texas law for public policy reasons.

I would think that the EFF class action suit could overcome at least some of the EULA provisions based on its class action status, but would be less likely to overcome the NY law and venue provisions (it was filed in LA, CA) - unless it is limited to CA residents.

Just my thoughts.

XWL said...

The strangest thing about this case is the titles they chose to include the XCP software on.

It's Jazz, pop and country mostly (e.g., Celine Dion, Earl Scruggs, Frank Sinatra, Neil Diamond, Shel Silverstein?!)

This list suggests that there won't be a lot of people coming forward to claim damages given that most of the copies of the 52 cds listed won't end up being played or ripped in any PCs.

Are these the kind of titles that were really showing up on file sharing networks?

(all those high school and college kids trading their stolen Shel Silverstein songs must have nearly bankrupted SonyBMG, they had to fight back)

That list suggests there won't be many people able to claim damages as it would first appear given that of the 52 cds listed I have my doubts that a large percentage of copies found their way into a PC (at least compared to a cd from 50 cent or even Madonna)

(and the subset of people who bought cds off of that list, listened to them on their PCs and play WoW are even smaller)

Bruce Hayden said...

I think the third party liability issues are interesting. They may be able to immunize themselves via their EULA against those buying their CDs. But the third parties didn't agree to the EULA. They aren't a party to the agreements at all.

Now, Sony may be able to make claims against the parties agreeing to their EULA for damages done to third party - though I think that most courts would not enforce it in that case (because Sony would be attempting to benefit from its own negligence). But even if it did succeed, such CD owners are unlikely to be able to indemnify Sony for the magnitude of damages possible here. (i.e. most CD owners are effectively judgement proof at this level of damages).

Bruce Hayden said...

I finally got my hands on the EFF CA class action complaint. It is long (30 pages of complaint followed by 12 pages of EULAs), but contains most of the relevant information on the subject - it is probably better organized than my blog on the subject I mentioned earlier - though it doesn't cover some of the adverse things that the First 4 code does.

In comparing it to the Texas AG complaint, the EFF complaint doesn't really bother trying to overcome the EULA, but rather is based almost entirely on CA consumer fraud and computer tampering statutes. And, interestingly, instead of trying to overcome the EULAs, it uses them as evidence of consumer fraud, etc.

Oh, and it points out that Computer Associates considers the First 4 rootkit a "trojan". I disagree, but they are in the business, and I am not, so I stand corrected.