Sony, DRM and Trespass to Chattels
By Eric Goldman
A minor storm is brewing over Sony’s installation of DRM software on users’ computers when they play Sony’s CDs. Sony’s software is installed as a “rootkit,” a difficult-to-remove installation, and it supports Sony’s DRM, which really irritates the anti-DRM crowd.
Let’s be clear on 2 things:
1) Sony’s software install is not “spyware.” The installation process may use some techniques also used by “spyware”/adware vendors, but the DRM software doesn’t engage in any of the pernicious activities normally associated with spyware or malware.
2) Sony’s software was installed based on a EULA that contained disclosures about the software. Though we may doubt the efficacy of disclosures in the EULA (a point I’ll discuss more below), this was not a surreptitious installation.
Accordingly, I’m a little perplexed about what Sony has done wrong from a legal perspective. (I have mixed views about the propriety of Sony’s behavior from other perspectives). Sony has the right to protect its music via DRM. Doing so may require the installation of client-side software. Sony has disclosed the install in the EULA. It seems like everything is legally kosher.
(One possible angle I haven’t seen addressed: when was the EULA presented, and what happened if a buyer balked at the EULA? In the context of a CD, it may be that the EULA wasn’t presented until after purchase. If the EULA doesn’t allow for a refund if the buyer doesn’t agree with its terms, the EULA disclosure may be too late from a legal standpoint).
However, the Sotelo case doesn’t offer us much insight here. First, the Sotelo decision was just a denial of a motion to dismiss, so its precedential value is low (especially if the court ultimately finds that there was no trespass to chattels). Second, a properly formed EULA consenting to the install would negate a trespass to chattels claim (and all of the various other related claims, like the Computer Fraud & Abuse Act).
In the end, the Sony blow-up simply might be a barometer of our fears about DRM, especially given how much some people hate DRM. But, personally, I think it’s part of a larger phenomenon about the interplay between EULAs and control over a user’s hard drive. In the end, even whrn a vendor discloses in a EULA that the vendor is going to install software on a user’s computer, in some circumstances we simply find it impossible to believe that users in fact really meant “yes” when they clicked yes.
This disbelief reflects what I consider to be a crisis of contract–a EULA may have all of the legal niceties required to form a contract, but we still don’t believe the user’s consent to the EULA accurately reflects the user’s true preferences. I’m still working out in my own mind how we solve this crisis. For now, I’m sure that an overbroad application of doctrines like trespass to chattels (where there in fact has been disclosure and consent) is not the right answer. I’m also not convinced that more disclosures, or more prominent disclosures, really solves the underlying problem, especially if users don’t fully understand how software works in the first place. Therefore, I think this crisis raises some tough questions that will require thoughtful and non-emotional responses to work through.
UPDATE: Ed Felten says that the EULA disclosure isn’t adequate. He quotes the current EULA (query what the EULA has said in previous incarnations):
“As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise”
He says this is misleading because “a rootkit neither protects the audio files nor facilitates use of the content.” While it’s true that the rootkit aspect may be unnecessary, I think this EULA disclosure is clear that DRM software will be installed on users’ hard drive. This should be dispositive on all legal issues that the installation was consensual.
I do agree that the difficulty uninstalling the software may not be adequately disclosed. It would be nice to have that additional disclosure, but I’m not sure that it’s legally required.
UPDATE 2: Ed Felten comments in response to this post, saying “Surely the user’s consent to installing “a small proprietary software program … intended to protect the audio files embodied on the CD” does not give SonyBMG free rein to do absolutely anything they like to the user’s computer.”
I think this statement is true as far as it goes, but I’m not sure that Sony’s behavior is fairly equated with doing anything they want. While Sony might have engaged in unnecessarily problematic ways to accomplish their software install, it appears that their install was only for the stated purpose, and I find it hard to believe that a judge would second-guess the specific installation choices accordingly.
UPDATE 3: I’ve updated my thoughts and addressed some of the comments in a more organized fashion in a new post.