Sony's Rootkit DRM Raises Legal Red Flags

By Steven Vaughan-Nichols  |  Posted 2005-12-01

Sony BMG Music Entertainment's XCP digital rights management technology may have gotten the company into trouble in several ways.

First, XCP technology manipulates the Windows kernel to make its code almost undetectable on Windows systems.

This, in turn, makes it difficult to remove and makes it an ideal launch vehicle for malicious rootkit programs.

Next, as was expected, a rootkit Trojan—Backdoor.IRC.Snyd.A aka Backdoor.Ryknos—appeared.

Soon thereafter it was discovered that XCP may also violate the LGPL open-source license.

"The allegation that Sony has incorporated open-source software into its purportedly proprietary software in a manner inconsistent with the Open Source General Public License, if established, would create a nice irony," said Simon J. Frankel, an IP (intellectual property) attorney and partner with Howard Rice Nemerovski Canady Falk & Rabkin LLP in San Francisco.

"The entire purpose of open-source software is to make broadly useful software available for all to build on. For Sony to take such software and incorporate it into software that it claims as proprietary would be contrary to the entire spirit of open source," Frankel said.

"The improper use of GPL software by Sony could be the basis of a claim for violation of the GPL, which could prevent Sony from utilizing the rootkit program to the extent that it includes GPL software and, if a proper party were definable, could even subject Sony to damages claims under the license and copyright principles," said Michael R. Graham, IP attorney and partner with Marshall, Gerstein & Borun LLP, a Chicago-based law firm specializing in IP.

Not long after that, the lawsuits began. The first suit came from the EFF (Electronic Freedom Foundation), but it was soon followed by a suit from the state of Texas.

"On a very basic level of product liability law, if Sony is distributing a product that causes damage to consumers, then it may well be held liable," Frankel said.

"There also appears to be a particular Texas statute that may make Sony liable for distributing spyware to consumers' computers. This potential legal liability only piles on to the tremendous public relations snafu caused by Sony's media player," Frankel added.

These suits may be only the beginning of Sony's troubles.

"Sony's surreptitious inclusion of this code into its CDs in an effort to prevent digital pirating of its software was ill-considered, and just another instance of the music industry grasping for digital locks for its recordings," Graham said.

He added, "But what could lose Sony its friends in the media business is that this type of introduction may also spur Congress to adopt anti-spyware, anti-Trojan horse legislation."

"The entertainment industry would be forced to seek an exception to such legislation—based on a use of reasonable steps to prevent piracy—or develop non-spyware software and technology that would limit the reproduction of CDs without compromising individuals' systems," Graham said.

Sony's EULA May Be Asking for Trouble

What Suvashis Bhattacharya, an IP attorney in the Palo Alto office of Thelen Reid & Priest LLP, found most interesting, however, was the combination of all the other problems with Sony's EULA (End User License Agreement).

Bhattacharya suggested that the EULA "found on the CDs that contain the rootkit software has many restrictions and requirements that may be argued to violate the copyright laws as well as the rights that are guaranteed to the end user."

Among these, Bhattacharya said, are "restrictions in the License [that state] that the user will not be able to access the content on the CD if he or she no longer possesses the original CD.

"Considering that the user has the right to make a copy of the CD under the Fair Use doctrine, one may argue that this provision violates the copyright laws by requiring the user to erase all copies of the CD if the original CD is lost, destroyed or stolen."

Rubbing salt into the wound, the EULA also "requires the purchaser to install all updates for the rootkit software or otherwise lose rights to be able to access the contents on the CD."

And if your system is damaged by the rootkit? Too bad.

"Further, should the software be defective or expose vulnerabilities to hackers, the License states that the purchaser assumes the costs for fixing the problem. The License does allow the purchaser to collect up to $5.00 from Sony, however, in the case that the software causes a loss in data or equipment," Bhattacharya said.

Sony's EULA also restricts the user's access to legal recourse, Bhattacharya said. "One provision in the License states that the user waives any right to seek judicial approval which may be needed to terminate the License. The License also forces the user to waive his or her right to a jury trial for any dispute that arises relating to the software or the License. Of course, it may be argued that this provision violates the U.S. Constitution as well as various state Constitutions."

The restrictions and requirements imposed by the EULA on CDs bearing the rootkit software raise many questions that the legal, software and consumer industries should tackle, lest enforcement of the agreements have "a chilling effect" on business, Bhattacharya said.

Taken all in all, as one legal marketing expert said, "if [Bhattacharya's] eye-opening analysis of Sony's EULA is true, look out!! Attorneys will be salivating."

Indeed, one way or another, thanks to its use and licensing of XCP DRM, Sony may be in for quite a legal shipwreck.
