November 22, 2005

"What's wrong about all this is that in an effort to protect against illegal copying, it was Sony BMG that engaged in illegal conduct."

Said the Texas attorney general, Greg Abbott.
In separate legal actions yesterday, the Electronic Frontier Foundation, an influential digital rights advocacy group in California, and the Texas attorney general filed lawsuits against the music publisher Sony BMG, contending that the company violated consumers' rights and traded in malicious software.

They are the latest in a series of blows to the company after technology bloggers disclosed this month that in its efforts to curb music piracy, Sony BMG had embedded millions of its music CD's with software designed to take aggressive steps to limit copying, but which also exposed users' computers to potential security risks.

The copy-protection software, called XCP, was bought by Sony BMG from a British company, First 4 Internet, and was installed on 52 recordings, totaling nearly five million discs, according to the music publisher, which is jointly owned by Sony and Bertelsmann....

Users do have to accept "license agreements" that appear on their computer screens before playing CD's protected by the First 4 Internet and SunnComm software, but the foundation called the terms of those agreements "outrageous" and "anti-consumer."
It will be interesting to see what the courts do with those click-thru contracts. Any idea how many of them you've "agreed" to over the years?


Starless said...

It will be interesting to see what the courts do with those click-thru contracts. Any idea how many of them you've "agreed" to over the years?

Thousands? Tens of thousands?

It's a very interesting question. EULAs used to be relatively short and understandable. Now they're long strings of legalese that few people bother to actually look at (I know I don't anymore). Most commercial web sites have Use Policies that users are supposed to read and adhere to, but I'd be surprised if many people actually read them. So if they rule on the contracts, will the ruling require them to be shorter or longer? More accessible or place more of a burden on the users to read and know them?

EddieP said...

Absolutely no idea how many I've clicked through the years, but I'm delighted someone has gotten the pig's snout out of the trough long enough to make them look around. If a message ever needed to be sent, it's to the RIAA and others who continue their unbounded enthusiasm for peddling crap and then bitching that if profits are down, it must be that people are stealing their products.

anselm said...

It's going to be interesting watching "institutional reform" in the music industry. There are so many variables shaping a mostly amorphous market: artists, digital formats, publicity, and distribution outlets.

Hopefully, the openness of the industry will empower people to spend based on their artistic preferences first and foremost, empowering artists in the process. For the moment, the big boys, esp. Sony, would like to hang on to their dominance by turning music into corporate trojan horses. Due to fundamental changes in the market, I think such actions will face a smackdown from (a) a market that has plenty of other options for obtaining content, and (b) artists that have alternative ways of producing and marketing their work.

In a nutshell, the Sonys will have to relinquish some degree of creative control while also making the product cheaper - i.e. big changes.

anselm said...

Another interesting dynamic is that prices have to come down so much to entice people to get their music legally. We'll see that consumers prefer legal music, but will draw the line at being gouged or having their computers invaded by nefarious code.

Jacques Cuze said...

Seriously Ann, the real questions that you as a con law prof could answer for us laymen are:

A) Sony places a rootkit (trojan) on your computer without your knowledge or signed consent (the rootkit is installed BEFORE you click yes to the EULA). If I did this to you, I would be arrested. Why is my act criminal, why is Sony's not, and is that wise or good? If not, how do we change that?

B) How did corporations become persons? What would an originalist or founder think about this? Is it true that it was a mistake of a clerk in "Santa Clara vs...." What is the best most effective way to rectify this, through the courts, or Congress? Would it take an amendment? How could we avoid going through an amendment process? Are we stuck forever with this terrible mistake?

Starless said...

EddieP said...
the RIAA and others who continue their unbounded enthusiasm for peddling crap and then bitching that if profits are down

My understanding is that profits are up, just that they aren't up as high as they thought they would be. And therefore, as you say, this "dip" must be due to stealing, not due to crappy product.

The RIAA is guaranteed to crash and burn, it's just a question of exactly how and exactly when.

HaloJonesFan said...

The rootkit only auto-installs if you have Autorun turned on in Windows. It's on by default, but it's simple to de-activate. It's not hard to interpret the installation of software as something that the consumer implicitly gave their consent to by having Autorun turned on.

>How did corporations become
>persons? What is the best most
>effective way to rectify this...
>Are we stuck forever with this
>terrible mistake?

Begs the question of whether it's a terrible mistake that needs to be fixed. I don't think that it is. I would rather a corporation such as Cessna be allowed to limit its liability, so that they don't get sued into prison because some idiot tried to fly VFR in IFR conditions.

Jonathan said...

I've done some cursory research on click-through EULAs for casual arguments, and it looks like courts have generally found click-through EULAs to be an enforceable form of contract under the UCC. The district court opinion in Davidson Associates, Inc. v. Internet Gateway, 334 F.Supp. 2d 1164 (E.D. Mo. 2004), has a good discussion of the issue and survey of the caselaw. As I recall, Irwin Seating Co. v. IBM, No. 1:04CV568, 2005 WL 1475390 (W.D. Mich. June 22, 2005), is also a decent starting point.

Contracts was never my subject, but it seems like there are a lot of interesting wrinkles with click-through EULAs that have been glossed over by most of the courts that have addressed the issue.

jeff said...

The tech community has been waiting for literally years for a decent lawsuit involving EULA's and click-through licensing to come up. Hopefully this will be the suit and we can get this under control.

I recommend bombarding the judge (and jury, if any) with as many of these ridiculous documents as they can come up with.

anselm said...


It's not feasible to do away with EULAs. I can see something similar to credit card agreements, where certain essential terms would be posted in boldface right up top. Such terms would certainly include: what software, if any, will be loaded into your computer, where will it be loaded, and how to remove.

F15C said...

Isn't there a legal issue in that Sony takes your money at the store, but only later tells you that there are some onerous ramifications to your purchase?

Wade_Garrett said...

I'm just a student, but I'll try my best! According to Judge Frank Easterbrook, of the 7th Circuit Court of Appeals, those are enforceable contracts -- as long as you had the opportunity to read the terms, then you can be bound by them, no matter how small the type was or how hard the clauses are to find.

According to Easterbrook, if the computer companies have an objective grounds for believing you've agreed to a contract -- ie, your having clicked on the "I agree" button, then you have "committed" a contract. The fact that no reasonable person would read through tens of pages of boilerplate to find the one or two clauses that are even potentially relevant is beside the point.

Some other judges have differentiated these Easterbrook rulings on their facts -- essentially a polite way of saying that they refuse to follow his precedent, without coming right out and saying so. Since Contract cases rarely ever make it to the Supreme Court, the outcome of lawsuits such as this one might depend on which federal judicial circuit the suit is brought in.

Wade_Garrett said...

F15c - there was a pretty well-known case about five years ago in which the 7th Circuit ruled that a consumer was bound by just such an agreement. (Pro CD v. Zeidenberg)

The person bought a software program in a store, and in very small print on the outside of the box it said that there was a licensing agreement contained inside the box. As it turned out, the agreement was in something like 7-point font on page 85 of a 100-page owner's manual.

The district court, here in Madison, Wisconsin, ruled that since the buyer had no idea what the terms of the contract were at the time of purchase, he was not bound by the contract. On appeal the 7th Circuit ruled that since the customer knew that, if he bought the software, he WOULD be bound to a contract after purchase, then he had a duty to find the terms and return the product within a certain period of time if he did not want to be bound by the terms.

As far as I can tell, every law school in the midwest, other than the University of Chicago, where Judge Easterbrook is a member of the faculty, roundly criticizes his decision in that case.

Tristram said...

However, what about if the EULA doesn't accurately represent the actions? On the site of the person that originally published this, he did a close reading of the ORIGINAL EULA (I believe it has since changed...), and it did not mention rootkit level, un-uninstallable, undetectable (by less than expert users). It may be the case that EULAs may be fine, but in this case, the EULA was inadequate (to say the least).

Starless said...

It's funny, we can pretty much blame Bill Gates for all of this EULA mess.

In the '70's, the freewheeling, pot-smoking micro-computer enthusiasts of Berkeley treated pretty much all micro-computer software as Open Source. Then nebbishy capitalist Bill Gates came along and everybody started copying his tape of BASIC (like they did with everything else) and he cried "copyright infringement".

After that, copyright statements started showing up on other budding software capitalists' work. Then we had the EULA statement that showed up on a single card. After that they started piling on the legal language in the EULA until it became burdensome for software producers to print a separate copy for each user.

It was a big deal when they stopped with the hard copy EULA and just put it in the install app, requiring people to click "I Accept" before they could install the software. Users cried "foul" because it switched the burden from the producers to the consumers for making the EULA clear, but the courts sided with the producers.

Now we just blithely click through having little idea what we're agreeing to. It's comparable to the contract on the back of an airline ticket. They aren't under any obligation to fly you anywhere, they're only obliged to try their best.

Thanks Bill Gates!

Dave said...

"What the courts do" with these types of contracts is an irrelevant question because, in the case of Sony, agreeing to the contract deposited a piece of software on youtr computer, which would subsequently be removed.

Smilin' Jack said...

Another relevant question is: what software does the EULA apply to? The software described in the documentation accompanying the EULA? Or the software that is actually installed on your machine? In my experience it is extremely rare for software to conform to its documentation: it all has "bugs." It seems to me that any such deviation from the documentation should void the contract.

A related question: Microsoft et al. routinely sell software with many thousands of known bugs. Why is that not consumer fraud?

Jack said...

Slightly off-topic, but not really, is that little has been noted outside of the real geek community on how Sony violated the copyright of some of the code included in the anti-piracy software in question.

Ironic, eh?

You can read about it here and here.

A.Q. said...

One thing I have not seen mentioned in many legal blogs, is that Sony wasn't using the rootkit to help their DRM efforts.

Rather, the rootkit was there to prevent the music from being used on a competitor's (Apple) device.

This is far more insidious-- and shows how DRM is being abused in anti-consumer ways.

Ann Althouse said...

Quxxo: Those actually aren't conlaw questions.

HaloJonesFan said...

>Isn't there a legal issue in that
>Sony takes your money at the
>store, but only later tells you
>that there are some onerous
>ramifications to your purchase?

Well, but the answer to that is to require the customer to agree to the EULA at the store, which is hardly the kind of solution I think we are all looking for.

Jacques Cuze said...

I appreciate the response Ann, but would you then explain what is a con law question, and why those are not (in part so we know what is germane in these sorts of discussions?)

Regarding B) My understanding is that corporations were not considered persons before 1886, when a mistakenly written headnote of a Supreme Court Case erroneously repeated since "granted" them personhood in the 14th. My understanding is that the founders were diametrically opposed and warned against granting corporations personhood.

How is it that a mistakenly written headnote that changes law from then on is not a con law question?

When a mistake is made in interpreting a Supreme Court Decision, where should appeals be filed? With the court? Which court? With Congress? With the President?

What sort of case would it take for this to be addressed by a lower court, and appeals court, and the Supreme Court?

If that is not a question for a con law prof to address, what kind of professor would address this?

Regarding A) How would the founders have dealt with a company that damaged customers in such a way? What is the foundation for treating these companies in a civil and not a criminal manner when it would be different for citizens? Again, if this is not a con law prof question, I am genuinely curious as to what sort of academic would consider this an interesting question.

Thank you Ann,

Bruce Hayden said...

Judge Easterbrook and the ProCD decision is, IMHO, one of the worst decisions I have ever read. He totally sidestepped the claim that there was no independent consideration supporting the contract, that it was not a meeting of the minds, and would not be considered a binding contract under the Restatement 2nd, and that the after-supplied terms wouldn't be enforceable under UCC II by blithely pointing out that everyone does it.

And since then, more courts than not have followed him, quoting that decision approvingly, and rarely gotten into the real contract formation issues.

Sorry to be so heated. But I have been involved in this area of the law for over 15 years now, and that decision is one of my pet peeves.

Wade_Garrett said...


It's not a Con Law issue because the legal issues in the case don't relate to the Constitution. The laws of contract and copyright are what decide these cases. Freedom of speech, federalism, separation of powers, jurisdiction, the right to vote, etc -- those are Constitutional issues.

sonicfrog said... will cover the progress of the Texas lawsuit, as well as the one here in California. The woman that runs it, PJ, has done a great job dispelling the FUD in the SCO vs The World cases (IBM, Novell, AutoZone, Chrysler, etc. etc.), and is on top of the Sony cases as well.

Jacques Cuze said...

Thanks Terence, I still would very much appreciate hearing Ann's take on the issue.

Isn't (A) (civil litigation for a corporation vs. criminal litigation for a person) a violation of due process and equal protection?

Isn't (B) (error by a clerk becomes law) a violation of Article I, Section 8, Powers of Congress?

Admittedly, I am pulling these completely out of my a** as I am engineer not lawyer.

Jacques Cuze said...

Isn't (B) (corporations become citizens) also a violation of the 14th Amendment? Giving Monsanto, Microsoft, and GM free speech rights, the ability to own other corporations, and the ability to donate to elections does in fact lessen and deprive me of property, rights, and equal protection.

John A said...

"It will be interesting to see what the courts do with those click-thru contracts."

Uh, this may be superfluous as some comments already noted case law (I'm no lawyer), but -

For an answer, look up shrink-wrap licenses. Software used to be distributed with a statement that the EULA was on the disk, and opening the wrapping so you could read the disk - and EULA - constituted agreement to the EULA.

My memory is that the courts agreed...

In this case [cases: looks like there are at least two sets of software], however, the installed software went a long way past what was stated.

Bruce Hayden said...

The Sony DRM rootkit, et al. was discovered by Windows systems expert Mark Russinovich, and you can find a lot of information on it on his blog. Also, I have been pulling together a lot of the information on a blog dedicated to the Sony DRM code situation.

Bruce Hayden said...


A couple of clarifications. First, Sony actually utilizes Digital Rights Management (DRM) code from at least two different companies.

The code that started this whole thing off is from First 4 Internet Ltd. It is the First 4 code that installs the actual rootkit (which is the code that hides stuff that shouldn't be hidden), plus DRM code. It appears to be on CDs of some 50 Sony titles (and installed on over a half a million computers). And if you reject the EULA, the CD is ejected and no software is installed.

However, Sony has also utilized DRM code from SunnComm for other music titles, and this is the software that gets at least partially installed even when you reject the EULA.

Also, the First 4 code is not strictly a "trojan" - but it does do a lot of other naughty things. The rootkit part, as indicated above, hides any files or registry keys starting with "$sys$". This is already being exploited by hackers.

Indeed, both DRM codes from Sony appear to open up significant hacker windows - but none apparently as bad as the original full uninstall for the First 4 code, which utilized Microsoft ActiveX.
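
A defender's cross-view check for the "$sys$" name cloaking described in the comment above, as an added example that is not part of the original thread or of any tool named in it: it compares what the live system reports against a listing taken from a trusted source and flags the entries that went missing. The trusted listing (for instance one made with the disk mounted on another machine), every sample path, and the function names are assumptions of this example.

```python
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # the prefix named in the comment above


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str            # "file" or "registry"
    prefix_match: bool   # True if some path component starts with the prefix


def has_cloaked_component(path, prefix=CLOAK_PREFIX):
    # Windows names are case-insensitive, so compare case-folded. Checking
    # every component (not only the last) is an assumption of this example.
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return any(p.casefold().startswith(prefix.casefold()) for p in parts)


def cross_view_diff(live_view, trusted_view, kind):
    """Entries the trusted listing contains but the live system did not report."""
    reported = {entry.casefold() for entry in live_view}
    return [
        Finding(entry, kind, has_cloaked_component(entry))
        for entry in sorted(trusted_view, key=str.casefold)
        if entry.casefold() not in reported
    ]


# Constructed sample data: no name below comes from the real product.
TRUSTED_FILES = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\$sys$example_driver.sys",
    r"C:\Users\demo\$SYS$unrelated_tool.exe",   # third-party file riding the cloak
    r"C:\Temp\other_hidden.bin",                # hidden, but not by the prefix
]
LIVE_FILES = [r"C:\Windows\System32\notepad.exe"]

TRUSTED_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$example",
    r"HKLM\SOFTWARE\ExampleVendor",
]
LIVE_KEYS = [r"HKLM\SOFTWARE\ExampleVendor"]


def run_demo():
    findings = cross_view_diff(LIVE_FILES, TRUSTED_FILES, "file")
    findings += cross_view_diff(LIVE_KEYS, TRUSTED_KEYS, "registry")
    return findings


if __name__ == "__main__":
    for f in run_demo():
        cause = "matches cloak prefix" if f.prefix_match else "hidden for another reason"
        print(f"{f.kind:8} {f.path}  ->  {cause}")
```

The second file finding shows why a blanket prefix rule is a risk in itself: any name carrying the prefix drops out of the live view, whoever created it.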

Jacques Cuze said...

Interesting, but I still fail to understand in what sense the first 4 code is not a trojan.

# Trojans are programs (often malicious) that install themselves or run surreptitiously on a victim's machine. They do not install or run automatically, but may entice users into installing or executing by masquerading as another program altogether (such as a game or a patch) or they may be packaged with hacked legitimate programs that install the trojan when the host program is executed. ...

# A Trojan is a small computer program, usually installed on a computer without the owners knowledge, that allows another person elsewhere on the internet to make use of your computer. ...

# A type of computer virus which comes disguised as a program. People download this program usually from the Internet because they think that the program is of some use, but once they start it up it could perhaps erase your hard drive or just wreak havoc all over your system. Recently there has been a discovery of a Trojan Horse type virus which comes in the form of a file called AOL4FREE.COM this file should NOT be downloaded to your system by any means. ...

# A program that is installed without your knowledge and carries a destructive payload. Once your computer becomes infected by the worm or virus, it can be very difficult to repair the damage. Trojans usually come attached to another file, for example: .avi, .exe, or even .jpg. Many people do not notice or see file extensions, so what may appear as "fun" in reality could be "fun" The difference here is the added .exe extension. ...

# named after the Trojan horse used by the rescuers of Helen of Troy. A Trojan is a computer program that disguises itself as a useful software application that is actually used to gain access to your computer.

# A destructive programme which manifests as a benign application

Bruce Hayden said...

Now some notes on the Sony EULA. If it is enforceable, it would probably immunize Sony from damages. And, because of ProCD and its progeny, there is a decent chance that it would be enforceable, despite its onerous nature. Also, see a blog entry on the enforceability of clickwrap licenses by Ray Nimmer.

I suggested a couple of weeks ago that the best way to overcome the Sony EULA was that it fraudulently misleads users as to what happens if the users agreed to the terms of the EULA. The Texas AG in their complaint follows the same theory.

I should also note another advantage that the Texas AG has over individuals suing Sony - their EULA prescribes NY law and that suit be brought in NY. But the State of Texas, by and through its Attorney General, can make a very persuasive case that the suit be heard in Texas under Texas law for public policy reasons.

I would think that the EFF class action suit could overcome at least some of the EULA provisions based on its class action status, but would be less likely to overcome the NY law and venue provisions (it was filed in LA, CA) - unless it is limited to CA residents.

Just my thoughts.

brylin said...


Great comment! (But which Jonathan are you? - see the comments about Atrios.)

Bruce Hayden,

I noticed your extensive collection of information on this Sony issue yesterday. Good work!
Your knowledge and background lead me to trust your comments.

In general, I think EULAs are binding but I think Sony is in big trouble because computers with their stealth software become vulnerable to malicious programs. I wouldn't mind being a class action lawyer in the EFF case (think $$ atty fees).

And on the subject of EFF, I was once on a panel with an EFF lawyer and I found her organization's positions to be generally reasonable.

brylin said...

And consider Sony's third party liability, to take one example involving the most popular online game:

"Blizzard Entertainment, makers of the popular online roleplaying game "World of Warcraft," recently came under fire for installing a program called "The Warden" on players' machines, in order to verify that they weren't attempting to cheat or hack the game. The program can enable access to anything that's on a user's computer while playing the game, including personal files, spreadsheets, and so on.

Several enterprising World of Warcraft hackers found they could use the Sony rootkit to cloak their activities from any sort of monitoring, including Blizzard's own program."
Read the whole article.

XWL said...

The strangest thing about this case is the titles they chose to include the XCP software on.

It's Jazz, pop and country mostly (e.g., Celine Dion, Earl Scruggs, Frank Sinatra, Neil Diamond, Shel Silverstein?!)

This list suggests that there won't be a lot of people coming forward to claim damages given that most of the copies of the 52 cds listed won't end up being played or ripped in any PCs.

Are these the kind of titles that were really showing up on file sharing networks?

(all those high school and college kids trading their stolen Shel Silverstein songs must have nearly bankrupted SonyBMG, they had to fight back)

That list suggests there won't be many people able to claim damages as it would first appear given that of the 52 cds listed I have my doubts that a large percentage of copies found their way into a PC (at least compared to a cd from 50 cent or even Madonna)

(and the subset of people who bought cds off of that list, listened to them on their PCs and play WoW are even smaller)

Bruce Hayden said...

I think the third party liability issues are interesting. They may be able to immunize themselves via their EULA against those buying their CDs. But the third parties didn't agree to the EULA. They aren't a party to the agreements at all.

Now, Sony may be able to make claims against the parties agreeing to their EULA for damages done to third party - though I think that most courts would not enforce it in that case (because Sony would be attempting to benefit from its own negligence). But even if it did succeed, such CD owners are unlikely to be able to indemnify Sony for the magnitude of damages possible here. (i.e. most CD owners are effectively judgement proof at this level of damages).

Starless said...

Anyone know if MS is bringing a suit over this one? Or are they just attacking the software directly (a move I applaud them for)?

Bruce Hayden said...

I finally got my hands on the EFF CA class action complaint. It is long (30 pages of complaint followed by 12 pages of EULAs), but contains most of the relevant information on the subject - it is probably better organized than my blog on the subject I mentioned earlier - though it doesn't cover some of the adverse things that the First 4 code does.

In comparing it to the Texas AG complaint, the EFF complaint doesn't really bother trying to overcome the EULA, but rather is based almost entirely on CA consumer fraud and computer tampering statutes. And, interestingly, instead of trying to overcome the EULAs, it uses them as evidence of consumer fraud, etc.

Oh, and it points out that Computer Associates considers the First 4 rootkit a "trojan". I disagree, but they are in the business, and I am not, so I stand corrected.

HaloJonesFan said...

I can't believe that people are calling this a "trojan". That's pointless rhetoric. It's like calling Bush "Hitler". It's salesmanship, an attempt to define the terms of the debate such that the other side is automatically seen as a villain.