Is Sony’s DRM Spyware?

By Eric Goldman

Sony’s DRM software generated lots of discussion and new information since my last post on the subject. The discussion (especially the many great comments I got in response to my previous post) has prompted me to change some of my thoughts—in particular, my statement that the DRM software isn’t spyware.

1) Sony’s technological implementation of DRM exhibited some ineptitude, but Sony is being held to a rigorous standard because of DRM

ZDNet called Sony’s DRM “ineptware”: software that doesn’t have a malicious intent but nevertheless can have a pernicious effect. For example, the software may make a computer unstable or slow. And the unnecessarily intrusive use of a rootkit “smokescreen” allows bad actors to hide behind the smokescreen.

However, Sony (and its upstream vendor First4Internet) has hardly cornered the market on inept software designs that lead to undesirable outcomes. There are plenty of brain-dead software implementations out there. Why beat up on Sony?

I continue to believe that the underlying problem is DRM. Many technologists and consumer advocates harbor a deep animus towards DRM, so Sony’s technology failings are being held to a heightened standard.

I understand why there’s so much antipathy towards DRM, but I don’t think we should overreact to Sony’s failings. In particular, sloppy software design isn’t “spyware” or “malware,” or else those terms become far too overinclusive and thus meaningless.

2) Most of Sony’s failures to disclose are probably legally inconsequential, but the implied affirmative representation that the software could be uninstalled may be problematic

In my previous post, I said that Sony’s EULA adequately obtained consent to install its software. I still stand by that statement, for the most part, but the issue is more nuanced than my statement might indicate. Specifically, there are two separate disclosure issues, Sony’s affirmative disclosures and Sony’s failure to disclose, and they should be addressed separately.

Except for the “phone-home” aspect (discussed below), I’m not particularly troubled by Sony’s failures to disclose the details of its software. In general, vendors aren’t obligated to make every affirmative disclosure that every consumer might find interesting. In this situation, I think many disclosures desired by the technologists aren’t legally compelled or expected. Sony and its vendor have made dozens or hundreds of design choices to implement the software. Consumers don’t need to know those choices, would not change their behavior if the choices were disclosed affirmatively, and would be overwhelmed by complete disclosure.

In contrast, I’ve become less comfortable with Sony’s disclosures regarding the difficulties uninstalling its software. The difference is that Sony made some affirmative statements that implied the software could be uninstalled. If Sony created the false impression that the software could be uninstalled when it couldn’t (or could be uninstalled only by breaking the OS), then Sony may have created some problems for itself.

3) If Sony’s DRM software reports information back to a central server, this looks like spyware and could be legally problematic

Of the various problems with Sony’s technological implementation, I am most troubled by the allegations that Sony’s software “phones home”; i.e., reports some information about each user back to a central server, including the combination of an IP address and a record of each album the user plays.

In my previous post, I said that Sony’s software wasn’t spyware. However, if the software is reporting back information about each user’s behavior, and that reporting back feature wasn’t disclosed, then I agree with Suzi that surreptitious and undisclosed monitoring and reporting back of user activity sounds like spyware.

Further, if the reports are true, the software’s behavior could be a prima facie violation of the Computer Fraud & Abuse Act (18 USC 1030(a)(2)), which applies to an actor who:

“intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer…”

Every computer connected to the Internet is a protected computer. The software allegedly obtains information (at minimum, the album being played). The phone-home “feature” may exceed the authorization given by the user; I don’t think that mere consent to installing the software acts as consent to the reporting back of information. If the reports are true, I don’t envy the position of Sony’s defense counsel.

UPDATE: Declan reports that the class action lawyers are circling.

UPDATE 2: Several anti-spyware software vendors have classified Sony’s software as spyware.