Sony's Rootkit DRM Raises Legal Red Flags

News Analysis: Possibly violating copyright laws, the GPL and even the U.S. Constitution, Sony BMG's digital rights management blunder may lead the company into serious legal trouble.

Sony BMG Music Entertainment's XCP digital rights management technology may have gotten the company into trouble in several ways.

First, XCP technology manipulates the Windows kernel to make its code almost undetectable on Windows systems.

This, in turn, makes it difficult to remove and makes it an ideal launch vehicle for malicious rootkit programs.

Next, as was expected, a rootkit Trojan—Backdoor.IRC.Snyd.A aka Backdoor.Ryknos—appeared.

Soon thereafter it was discovered that XCP may also violate the LGPL open-source license.

"The allegation that Sony has incorporated open-source software into its purportedly proprietary software in a manner inconsistent with the Open Source General Public License, if established, would create a nice irony," said Simon J. Frankel, an IP (intellectual property) attorney and partner with Howard Rice Nemerovski Canady Falk & Rabkin LLP in San Francisco.

"The entire purpose of open-source software is to make broadly useful software available for all to build on. For Sony to take such software and incorporate it into software that it claims as proprietary would be contrary to the entire spirit of open source," Frankel said.

"The improper use of GPL software by Sony could be the basis of a claim for violation of the GPL, which could prevent Sony from utilizing the rootkit program to the extent that it includes GPL software and, if a proper party were definable, could even subject Sony to damages claims under the license and copyright principles," said Michael R. Graham, IP attorney and partner with Marshall, Gerstein & Borun LLP, a Chicago-based law firm specializing in IP.

Not long after that, the lawsuits began. The first suit came from the EFF (Electronic Freedom Foundation), but it was soon followed by a suit from the state of Texas.

"On a very basic level of product liability law, if Sony is distributing a product that causes damage to consumers, then it may well be held liable," Frankel said.

"There also appears to be a particular Texas statute that may make Sony liable for distributing spyware to consumers' computers. This potential legal liability only piles on to the tremendous public relations snafu caused by Sony's media player," Frankel added.

These suits may be only the beginning of Sony's troubles.

"Sony's surreptitious inclusion of this code into its CDs in an effort to prevent digital pirating of its software was ill-considered, and just another instance of the music industry grasping for digital locks for its recordings," Graham said.

He added, "But what could lose Sony its friends in the media business is that this type of introduction may also spur Congress to adopt anti-spyware, anti-Trojan horse legislation."

"The entertainment industry would be forced to seek an exception to such legislation—based on a use of reasonable steps to prevent piracy—or develop non-spyware software and technology that would limit the reproduction of CDs without compromising individuals' systems," Graham said.
