November 02, 2005
Sony, DRM and Trespass to Chattels
By Eric Goldman
A minor storm is brewing over Sony's installation of DRM software on users' computers when they play Sony's CDs. Sony's software is installed as a "rootkit," a difficult-to-remove installation, and it supports Sony's DRM, which really irritates the anti-DRM crowd.
Let's be clear on two things:
1) Sony's software install is not "spyware." The installation process may use some techniques also used by "spyware"/adware vendors, but the DRM software doesn't engage in any of the pernicious activities normally associated with spyware or malware.
2) Sony's software was installed based on a EULA that contained disclosures about the software. Though we may doubt the efficacy of disclosures in the EULA (a point I'll discuss more below), this was not a surreptitious installation.
Accordingly, I'm a little perplexed about what Sony has done wrong from a legal perspective. (I have mixed views about the propriety of Sony's behavior from other perspectives). Sony has the right to protect its music via DRM. Doing so may require the installation of client-side software. Sony has disclosed the install in the EULA. It seems like everything is legally kosher.
(One possible angle I haven't seen addressed: when was the EULA presented, and what happened if a buyer balked at the EULA? In the context of a CD, it may be that the EULA wasn't presented until after purchase. If the EULA doesn't allow for a refund if the buyer doesn't agree with its terms, the EULA disclosure may be too late from a legal standpoint).
However, the Sotelo case doesn't offer us much insight here. First, the Sotelo decision was just a denial of a motion to dismiss, so its precedential value is low (especially if the court ultimately finds that there was no trespass to chattels). Second, a properly formed EULA consenting to the install would negate a trespass to chattels claim (and all of the various other related claims, like the Computer Fraud & Abuse Act).
In the end, the Sony blow-up simply might be a barometer of our fears about DRM, especially given how much some people hate DRM. But, personally, I think it's part of a larger phenomenon about the interplay between EULAs and control over a user's hard drive. In the end, even when a vendor discloses in a EULA that the vendor is going to install software on a user's computer, in some circumstances we simply find it impossible to believe that users in fact really meant "yes" when they clicked yes.
This disbelief reflects what I consider to be a crisis of contract--a EULA may have all of the legal niceties required to form a contract, but we still don't believe the user's consent to the EULA accurately reflects the user's true preferences. I'm still working out in my own mind how we solve this crisis. For now, I'm sure that an overbroad application of doctrines like trespass to chattels (where there in fact has been disclosure and consent) is not the right answer. I'm also not convinced that more disclosures, or more prominent disclosures, really solves the underlying problem, especially if users don't fully understand how software works in the first place. Therefore, I think this crisis raises some tough questions that will require thoughtful and non-emotional responses to work through.
UPDATE: Ed Felten says that the EULA disclosure isn't adequate. He quotes the current EULA (query what the EULA has said in previous incarnations):
"As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise"
He says this is misleading because "a rootkit neither protects the audio files nor facilitates use of the content." While it's true that the rootkit aspect may be unnecessary, I think this EULA disclosure is clear that DRM software will be installed on users' hard drive. This should be dispositive on all legal issues that the installation was consensual.
I do agree that the difficulty uninstalling the software may not be adequately disclosed. It would be nice to have that additional disclosure, but I'm not sure that it's legally required.
UPDATE 2: Ed Felten comments in response to this post, saying "Surely the user’s consent to installing “a small proprietary software program … intended to protect the audio files embodied on the CD” does not give SonyBMG free rein to do absolutely anything they like to the user’s computer."
I think this statement is true as far as it goes, but I'm not sure that Sony's behavior is fairly equated with doing anything they want. While Sony might have engaged in unnecessarily problematic ways to accomplish their software install, it appears that their install was only for the stated purpose, and I find it hard to believe that a judge would second-guess the specific installation choices accordingly.
UPDATE 3: I've updated my thoughts and addressed some of the comments in a more organized fashion in a new post.
Sony seem to be experimenting with a number of different DRM systems right now, but the impression I've had is that at least some of them install without any EULA - drop the CD in the drive, and software goes onto your computer to prevent you from playing or ripping the CD, no questions asked. From that point, you can then install a player to get at the content on the disc, but software has already been installed without your prior consent.
Then again, that impression has been gleaned from reading blog entries which may not be the most accurate sources of information on the subject. I haven't purchased a single DRM CD and don't intend to, so I have no personal experience of the issue.
Posted by: Gareth at November 2, 2005 02:41 PM
If you'll read Mark Russinovich's blog entry, you'll notice several things that this XCP software does in addition to hiding itself like malware:
- scans the executables corresponding to the running processes on the system every two seconds
- degrades system performance 24/7 (not just when the media player is in use)
- uses misleading names such as "Plug and Play Device Manager" to deceive users into thinking it's a legitimate part of Windows
- tampers with the low-level operation of the system, causing stability and compatibility problems
- installs hooks and filters, making it difficult to uninstall without breaking Windows
If that's not malware, I don't know what is.
Posted by: J. Stanley at November 2, 2005 02:59 PM
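The first behaviour in the list above, a background process re-reading the executables of every running process on a fixed two-second cycle, is the kind of thing a defender can spot in file-activity logs without knowing anything about the software's purpose. The following detector is an added example, not code from the post or from any tool named on the page: it parses constructed log lines in an assumed `seconds,process,operation,path` layout (not any real monitor's format), collapses each process's reads of `.exe` images into bursts, and flags processes whose bursts recur at a near-constant interval. The process name `drmsvc.exe` and the sample paths are constructed.

```python
"""Periodic executable-scanning detector over constructed process-activity log lines.

Input lines have the assumed shape  <seconds>,<process>,<operation>,<path>
(a constructed layout, not any real monitoring tool's format). Reads of .exe
images are grouped by the issuing process; a process that re-reads the same set
of other executables in bursts spaced at a steady interval is reported.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a hypothetical "drmsvc.exe" opens other processes'
# executable images in bursts two seconds apart; "notepad.exe" reads one
# ordinary file once and must not be flagged.
SAMPLE_LOG = """\
0.00,drmsvc.exe,ReadFile,C:\\Windows\\explorer.exe
0.01,drmsvc.exe,ReadFile,C:\\Windows\\System32\\svchost.exe
0.02,drmsvc.exe,ReadFile,C:\\Program Files\\Player\\player.exe
0.50,notepad.exe,ReadFile,C:\\Users\\me\\notes.txt
2.00,drmsvc.exe,ReadFile,C:\\Windows\\explorer.exe
2.01,drmsvc.exe,ReadFile,C:\\Windows\\System32\\svchost.exe
2.02,drmsvc.exe,ReadFile,C:\\Program Files\\Player\\player.exe
4.00,drmsvc.exe,ReadFile,C:\\Windows\\explorer.exe
4.01,drmsvc.exe,ReadFile,C:\\Windows\\System32\\svchost.exe
4.02,drmsvc.exe,ReadFile,C:\\Program Files\\Player\\player.exe
6.00,drmsvc.exe,ReadFile,C:\\Windows\\explorer.exe
6.01,drmsvc.exe,ReadFile,C:\\Windows\\System32\\svchost.exe
6.02,drmsvc.exe,ReadFile,C:\\Program Files\\Player\\player.exe
"""


def parse_log(text):
    """Turn the constructed CSV-like text into (timestamp, process, operation, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, op, path = line.split(",", 3)
        events.append((float(ts), proc, op, path))
    return events


def executable_reads(events):
    """Map process -> list of (timestamp, path) for reads of .exe images."""
    reads = defaultdict(list)
    for ts, proc, op, path in events:
        if op == "ReadFile" and path.lower().endswith(".exe"):
            reads[proc].append((ts, path))
    return reads


def burst_starts(timestamps, gap=0.5):
    """Collapse reads closer together than `gap` seconds into one scan burst;
    return the start time of each burst."""
    starts = []
    last = None
    for ts in sorted(timestamps):
        if last is None or ts - last > gap:
            starts.append(ts)
        last = ts
    return starts


def find_periodic_scanners(events, min_bursts=3, min_targets=2, max_jitter=0.2):
    """Return {process: interval_seconds} for processes that read at least
    `min_targets` distinct executables in at least `min_bursts` bursts whose
    spacing varies by no more than `max_jitter` seconds."""
    findings = {}
    for proc, reads in executable_reads(events).items():
        targets = {p for _, p in reads}
        if len(targets) < min_targets:
            continue
        starts = burst_starts([t for t, _ in reads])
        if len(starts) < min_bursts:
            continue
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        if pstdev(intervals) <= max_jitter:
            findings[proc] = round(mean(intervals), 2)
    return findings


if __name__ == "__main__":
    for proc, period in find_periodic_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{proc}: re-reads other processes' executables every {period}s")
```

The burst grouping matters: a scanner touches several executables within milliseconds, so the periodicity shows up between bursts, not between individual reads. The thresholds are starting points; a real deployment would tune `min_targets` and `max_jitter` against the noise of legitimate antivirus scanners, which also read executables but rarely on a rigid short cycle.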
I think J. Stanley's comment starts to expose the real problem here, and why all the "nerds" are pissed.
This represents DRM gone too far. The techniques used with this DRM package are hacker (the malicious kind) techniques. There has got to be a point at which EULAs cannot protect companies from doing whatever they want.
Some questions: Would I have purchased a CD that I knew would install un-removable, malicious software on my computer? If I had clicked 'no' to the EULA and consequently wanted to return the CD, could I get my money back?
Anyways, overall, I am still thinking about this -- in fact, it kept me up last night.... I really have no solid legal arguments (as evidenced above). I just have the feeling that this is one of the first pieces of software that stretches the power of a clickthrough too far.
Why don't black hats incorporate and simply sell their viruses, etc. with a EULA? If Sony can do it, why not the hackers? Is intent the issue here? If so, how do I know that Sony doesn't want to steal my PIN number?
1) Sony's software install is not "spyware."
And you know this because you have investigated the software? Or simply because there hasn't yet been any revelation that, for example, the software phones home? The EULA mentions that the user must install updates, perhaps this happens automatically over the Internet without the user's consent?
2) Sony's software was installed based on a EULA that contained disclosures about the software.
Yes, it did "contain disclosures" about the software. C'mon, all good spyware EULAs contain disclosures as well, but the goal of good spyware is misdirection.
Posted by: Dave at November 2, 2005 05:00 PM
Are you sure that what is installed is really what the normal user would consider a "software program?" This is something which patches the operating system in pretty fundamental ways. That is, it's not just installing a standalone software program, in doing so it's modifying other programs already installed upon the computer.
I don't know if there's a standard definition of "software program" applicable to cases like this, but certainly the normal user would not expect this sort of behavior.
Posted by: starwed at November 3, 2005 11:05 AM
Starwed, I think you hit the nail on the head. I have a low degree of confidence that consumers really understood Sony's disclosure. However, I have even less confidence that consumers would understand a more detailed and technical disclosure either.
Therefore, the problem isn't with Sony's disclosure; the problem is that consumers don't understand what's taking place on their hard drive. Thus, the finer points of a definition of "software" don't matter. Eric.
Posted by: Eric Goldman at November 3, 2005 12:00 PM
In the UK we have a law called the Sale of Goods and Services Act. Under that law is a requirement that the seller of a product/service gives an accurate representation of the product/service they are selling. It is also required that any faults should be disclosed as well. Now since this software introduces a security threat, in so much that malicious software can hide under the DRM's cloak, it has a fault. That fault was not disclosed by Sony to its consumers.
As a result of failing to meet the requirements of the Sale of Goods and Services Act, the EULA (which is a contract) is void, since the vendor (Sony) has failed to meet statutory requirements in presenting that contract.
Now, since the EULA is void, this leaves Sony open to charges under the Computer Misuse Act as well, as it is regarded as a criminal offense to modify someone's computer without consent. So even though they may have been given/implied consent by clicking "I Agree" on the EULA, since the EULA is void and not a legal contract, charges under this law can also be applied.
There needs to be a serious review of how EULAs stand in regards to contract law. It is no secret that the majority of people who come across a EULA never read it, and Sony know this as much as everyone else, so they are trying to take advantage of the situation, which is morally and ethically wrong.
Corporations need to be held more accountable for their actions and in a time where identity theft and internet fraud are rife, a company that breaches criminal law in this fashion and leaves their consumers wide open to further criminal attacks and compromises of security, should be prosecuted.
I have already started discussion with law enforcement here in the UK regarding this matter. What makes the situation worse has been the actions of Sony in the last 24 hours.
First they release this "patch" saying it will unhide the "rootkit" then in a public statement, they claim they have found new ways to hide their software. Yet people are supposed to believe this new software is not just as bad just hidden in another way?
Secondly, they state (again as a public statement) that the CD has only been sold in the US and that there are no copy-protected CDs from Sony anywhere in the UK. It took me 30 seconds to find an Avril Lavigne CD in my collection which is distributed by BMG, has copy protection software on it and is in the UK. Furthermore the FAQ on their own website states that they only produce one commercial version of an album for the whole world and that they all have Sony copy protection on them. So again they have lied, and again they have violated the Sale of Goods and Services Act in the UK by publicly misrepresenting their products, as there most certainly are CDs in the UK from Sony with copy protection.
They also made another public statement that the software does not add any security risks to the consumer's computer. This is another lie; as has been clearly demonstrated, any system that is running this "rootkit" is vulnerable to other malicious software cloaking itself behind it. So again, a breach of the Sale of Goods and Services Act.
Not to mention how they changed the EULA in order to try and cover themselves in light of the public outrage over this matter. What about people who do not have internet connections? How do they get the patch or view the new EULA?
I have stated elsewhere that all Sony CDs should be removed from the shelves of retailers in the UK until such time as the legal issues surrounding this scandal are clarified. Failure to do this will leave millions of people at risk, simply through being able to buy one of the "20" titles released with this "protection" embedded.
So whether or not the US consumers have any comeback on this legally, the UK most certainly does and I will be following every avenue available to make this matter as public as possible and to ensure that Sony and First 4 Internet receive the maximum penalties under the law.
Posted by: Alexander Hanff at November 3, 2005 01:55 PM
I would tend to think that there are other issues of liability that might come into play as well.
Note that many security experts and blogs have mentioned (even in the comments above) that this software MIGHT be used by hackers and other malicious programmers to cloak the behavior of their software. However, many people don't realize that it ALREADY HAS. In less than 36 hours, in fact.
Russinovich posted his blog entry on Monday at 11am. By Tuesday at 7pm hackers had already proven and publicly posted on the internet the fact that this Sony software could be effectively used to cheat on Blizzard's World of Warcraft online game by allowing cheat programs to hide from Blizzard's existing detection software. (http://www.securityfocus.com/brief/34).
Since there is nothing theoretical about the possibility of malware piggybacking on this rootkit (already proven and implemented), I think that there is no argument that Sony or First 4 Internet could possibly make that eschews them of product liability claims, if they are presented correctly.
Posted by: HavaCuppaJoe at November 3, 2005 06:09 PM
HavaCuppaJoe, we don't have a general theory of product liability that holds software vendors liable for software defects or for how software may be misused by third parties. So I'm not sure how to correctly present a claim against Sony based on the facts you highlight. Eric.
Posted by: Eric Goldman at November 3, 2005 06:17 PM
Then don't you think it's time that we do?
How many CD purchasers read security/technology/legal blogs on a regular basis? 5%? 10%? Less?
So now we have an entire class of consumers that are left significantly vulnerable to attacks simply by listening to a music CD on their computer? This smacks of negligence any way you slice it.
Posted by: HavaCuppaJoe at November 3, 2005 06:26 PM
Eric, I am totally mystified why you are being so soft on Sony. As has been said by other posters, the DRM program patched the operating system. This is a *massive* issue. It quite possibly falls foul of the Computer Misuse Act here in the UK, which would make it a criminal matter, and thus the EULA is totally irrelevant.
Also you fail to mention that the legality of EULAs as contracts has failed to be established, as there is conflicting legal precedent in the US and none at all in the UK, afaik.
Posted by: Emil at November 3, 2005 06:44 PM
The bottom line is that this is guaranteed to destroy your computer. If every CD installs another low-level OS patch, and each one uses 1% of the CPU as was reported, after playing 100 CDs from different sources, your computer will have no CPU capacity to do anything. And this is the optimistic scenario. More likely, conflicts between the DRMs will crash your computer long before that.
Posted by: Justin Starren at November 3, 2005 07:00 PM
What troubles me about this case is the level of deception involved from top to bottom. We start with a EULA that fails to disclose the extent of the changes to the system, software that makes invasive changes to the operating system specifically to prevent the computer owner from discovering what changes were made, and installed components that are deliberately misnamed to look like they are part of the operating system. The extent of the changes makes it far more likely that security and stability problems will be introduced (this does both) and it is impossible for even an informed user that carefully reads the EULA to understand the extent of the changes (or again, determine them by casual inspection of the system after the fact).
"Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted."
This seems to imply that the software can be removed or deleted. I suppose in theory it can, but an expert on windows internals who made the attempts managed to cripple his system in the first attempt. Even then he only succeeded by making changes to the OS that Microsoft discourages with the strongest possible language. For at least 99% of users removal of this software is impossible and will likely break the machine if they try.
I'll note that when Microsoft installs OS patches that cannot be undone, they have very plain disclosure of this fact separate from the EULA. They have also gotten very good about disclosing configurations that present a possible security risk (which the installation of a rootkit inherently does). If perfect disclosure is impossible, there is at least a very clear model of how this could be done better.
I think that if the law does not prohibit the installation of uninstallable rootkits without meaningful disclosure then the law needs to be corrected.
Posted by: Kevin Sours at November 3, 2005 10:29 PM
Emil, I'm still not clear exactly what contract formation process Sony used. However, I think it would be easy to overstate the conflict in US law over EULA validity. There are some procedures (like a mandatory non-leaky clickthrough) where the likelihood of the court blessing the contract formation process is extremely high. I've collected a lot of cases here: http://www.ericgoldman.org/Resources/onlinecontracts.htm .
Kevin S., I do think the inability to uninstall the software is more problematic than some of the other issues, especially with the implication in the EULA that the software could be removed. My instincts tell me that most judges would not second-guess a software design decision to modify the OS, so that only leaves the implicit permanence of the install as a problem. I'm not sure a judge would get as worked up as the technologists about a permanent install, but I'll keep thinking about that.
Posted by: Eric Goldman at November 3, 2005 10:44 PM
"Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted."
Isn't there an issue about the fact it CANNOT be deleted - surely that makes the EULA misleading (and therefore potentially void) at the very least.
Is there not another issue regarding the fact that the program does MORE than "protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT"?
Whether you consented to the right of SonyBMG to protect their copyright with this program (and I'd happily click yes to the wording of this EULA for JUST THAT), you may not agree to your system being fundamentally altered in such a way as to leave it open to security issues (I WOULD NOT agree to my system being left vulnerable to spyware and malware as a result!)
Your legal assessment is narrow in that it only examines whether SonyBMG and the end user agreed to the protection of SonyBMG's rights - which most users would.
There is a bigger question of what was NOT in the EULA and what was INTENTIONALLY withheld from the end user in this agreement - i.e. do you agree that SonyBMG can ALTER your system in a way that you cannot reverse!?
Another issue that has been longstanding in the DRM debate is the fact that record labels describe these discs as Compact Discs (CDs) which by definition they are NOT (i.e. the presence of DRM does not meet the Orange Book standard of what is a CD!).
SonyBMG and others have EVERY right to release DRM-protected discs; however, they should have to label them as such (e.g. CD-ROMs - which is what they essentially are now - data discs! or maybe another new name - DRMDisc) and not as CDs.
Posted by: LukeinOz at November 3, 2005 11:33 PM
Sony's way of doing this is stupid. They can't protect anything. I could connect the output line to the audio input and record the digital audio, making all the MP3s that I want, and afterwards duplicate the CD as many times as I want.
The purpose of Sony's "rootkit" is something stupid; they will never stop duplication with this cracker method, it just adds danger to the user's system.
Greetings from Spain, and sorry if my English is not very good. I'm laughing and my eyes are full of tears. :))
Posted by: manuel at November 4, 2005 06:47 AM
You write: "My instincts tell me that most judges would not second-guess a software design decision to modify the OS, so that only leaves the implicit permanence of the install as a problem. I'm not sure a judge would get as worked up as the technologists about a permanent install, but I'll keep thinking about that."
It seems to me that whether the judge is "worked up" is the right question to ask if somebody challenges the EULA as unconscionable. But the question here is what users authorized when they agreed to the EULA. Would a reasonable user, reading the EULA, have understood it to be authorizing Sony to install unremovable software, or software that creates security vulnerabilities by hiding files and programs?
I'm also not convinced by the argument that a typical user wouldn't understand a more detailed disclosure. A typical user wouldn't read the EULA at all. If it's acceptable to treat something that almost nobody reads as a valid contract, that can only be so because we are relying on the odd user who does read the EULA carefully to make a stink if the EULA language is outrageous. So a detailed disclosure helps even if only a few people read and understand it.
Consider what would have happened if Sony's EULA had disclosed the rootkit and permanent-install aspects of their software. We would have had the same public outcry over the software, but it would have happened *before* so many people installed the software.
Posted by: Ed Felten at November 4, 2005 08:09 AM
The four faces of the Sony DRM FAQ
Sony have so far had three different FAQs posted on their site here:
I have a complete summary listing of the exact wording here
I have hyperlinks to the cached pages there also.
Interestingly in the first version I have from MSN Cache there is not a single mention in the entire site of any form of the words:-
'Update', 'Security', 'Uninstall' or 'Remove'
The main additions to the FAQ are:-
Two versions of "I heard this is malware?'
The addition of 'How can I update this software?'
The addition of 'How can I make my computer secure?'
Two versions of 'How do I uninstall the software?'
Does Sony now have sufficient wording here???
And a couple of other little things I wrote regarding Security Issues this raises.
Posted by: Stephen at November 4, 2005 11:42 AM
I agree with Eric.
Sony is merely trying to protect its rights.
However, a couple of bad apples does not justify Sony installing DRM software on a user's computer without the user's fully informed consent. More importantly, the fact that a CD contains DRM software should be fully disclosed to the consumer PRIOR to purchase (on the case of the CD...) That way, the consumer, not Sony, is making the decision of whether or not to install the software.
Posted by: Matt at November 4, 2005 02:56 PM
Not spyware? Or so you thought....
A commenter on the Sysinternals blog site is reporting that he attached a packet sniffer to his computer infected with Sony's malware. Anytime he plays one of his Sony discs on that computer, the malware attempts to contact two separate Sony websites, reporting his IP address and the title of the CD he is listening to. You don't think that is spyware? And where is mention of this made in the current or past versions of the ever-changing EULA and FAQs on Sony's website?
Posted by: Robert Johnson at November 4, 2005 03:38 PM
Robert, thanks for the comment. If Sony's software is surreptitiously reporting back data from the user, then I could see much bigger legal headaches for Sony. Eric.
Posted by: Eric Goldman at November 4, 2005 04:11 PM
Mark Russinovich has confirmed this report. His blog now has an update complete with the smoking gun network traces.
Posted by: HavaCuppaJoe at November 4, 2005 05:12 PM
Ed, both of your points are great.
You're right that many legal standards (both in contract law and consumer protection law) turn on an objective test (i.e., what would a hypothetical "reasonable" consumer have thought/responded?). However, in a failure to disclose case, there are strong equitable considerations. In this respect, I think the law tolerates many types of failures to disclose much more than it tolerates affirmative misrepresentations.
(I recognize that the EULA may have had an implied representation that the software could be uninstalled, and that is more problematic than the failures to disclose).
You're also right that we don't always expect disclosures to be read by everyone but sometimes we hope that influential decision-makers will read the disclosures and affect a larger set of decision-makers accordingly. I think this general principle animates the disclosure scheme of public securities law. We don't expect individual stockholders will understand a 10-K, but the analysts should be able to, and the analysts' behavior will affect the market sufficiently to protect the individual stockholders.
However, I don't think this philosophy animates all disclosures schemes, and for good reason. Consumers have wildly different idiosyncratic interests, so there's no way for a vendor to disclose information material to each consumer's interests. Furthermore, if in fact a vendor did make disclosures that addressed every possible idiosyncratic interest, the disclosures would be too overwhelming for consumers to digest. Therefore, I think disclosure laws are generally more geared towards the interests of the "ordinary" consumer than the "expert" consumer.
Posted by: Eric Goldman at November 4, 2005 06:08 PM
Will personal information be collected from my computer during the installation process?
No, none of your personal information will be collected during the installation process.
Hmmm.... Not during install but afterwards YES as per Mark Russinovich's http://www.sysinternals.com/blog/
"Consumers have wildly different idiosyncratic interests, so there's no way for a vendor to disclose information material to each consumer's interests."
I want to be very precise here. My understanding of the system is that there are two parts. First is the DRM software itself that handles the protection of the CD contents, and the "rootkit" software that hides both the DRM portion and itself from detection. The rootkit isn't strictly necessary for the operation of the DRM software, but it is intended to make detection of and tampering with the DRM software more difficult. My concern is not with the DRM portion (the installation of which I believe is adequately disclosed by the EULA) but with the rootkit portion (which is not).
The reason I make this distinction is because I believe that any rootkit will, by fulfilling its intended function, introduce security problems in the system. The software installed by Sony is very similar to the kinds of software used by virus and spyware writers to prevent security tools from detecting and removing them. Moreover, this software, as written, can be used by virus writers to hide their own files in addition to the ones that Sony intends to hide (and even if it were better written I don't believe there is any real way to prevent a virus writer from altering the hidden files from doing the same thing). If deployment of this package becomes widespread, then I guarantee that we'll see a virus that goes around taking full advantage of it.
I can't shake the notion that the real problem here isn't that you can't come up with a plain-language disclosure of the issues, but rather that any such plain-language disclosure would make it immediately clear to the average user that installing the software is a really bad idea.
"Installing this software will interfere with the operation of most virus scanners" isn't something that many people will ignore. I also have trouble chalking that up to idiosyncratic interests.
Posted by: Kevin Sours at November 5, 2005 04:15 PM
I do believe that there have been some users who had the DRM stealth installed on their systems. Sony admitted that the DRM had been on discs released in 2004, (which wasn't previously known) didn't they? IIRC, there wasn't an EULA for those discs. That changes things. I think they should be prosecuted under the Computer Fraud and Abuse Act.
Posted by: KatK at November 7, 2005 09:27 AM
Dear Mr Goldman
The EULA is no excuse for Sony at all, because the "small proprietary software" (that is, the rootkit) is installed automatically before the user has a chance to accept the EULA. And it remains on the user's computer regardless of whether he/she accepts the EULA or not! Please see the comments on Mark Russinovich's blog (http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html )
"They are installing something to stop the CD from playing in a computer, regardless if the user accepts the EULA or not."
This "something" that gets installed is a filter driver that captures communication between the CD player and software installed on the user's machine (e.g. Microsoft Media Player, Winamp etc.). The purpose of this filter driver is to impair software other than the player bundled with the CD (thus preventing it from playing the CD), and this is what Sony actually calls "Digital Rights Management". This filter driver is installed together with the rootkit that hides it from the eyes of the user. This all happens before the user has a chance to refuse the EULA!
Thus your 2nd point does not apply - the dangerous software that Sony installs is *not* subject to the EULA, as it is installed even if the user refused to accept it. The only software that seems to be subject to the EULA is the player that is not impaired in its communication with the CD by the filter driver that got installed beforehand. If the user does not accept the EULA, he will not be able to play the CD using any other software that can be bought "off the shelf", as communication between such software and the CD is impaired by the filter driver. This can all actually be easily verified.
Posted by: Bronek Kozicki at November 8, 2005 05:14 AM
Class Action Law Firm Investigating Sony CDs:
My law firm is investigating the situation surrounding “rootkits” on Sony-label CDs. In connection with our investigation, we are interested in learning more about the experiences consumers have had with those CDs. I can be contacted at (212) 239-4340 or, by e-mail, at firstname.lastname@example.org.
Posted by: Tom Ciarlone at November 14, 2005 09:24 AM