My law firm is investigating the situation surrounding “rootkits” on Sony-label CDs. In connection with our investigation, we are interested in learning more about the experiences consumers have had with those CDs. I can be contacted at (212) 239-4340 or, by e-mail, at tciarlone@lawssb.com.

EULA is not excuse to Sony at all, because “small proprietary software” (that is the rootkit) is installed automatically before user has a chance to accept EULA. And it is remains on users computer regardless if he/she accepts EULA or not! Please see comments in Marks Russinovich blog (http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html )

“They are installing something to stop the CD from playing in a computer, regardless if the user accepts the EULA or not.”

This “something” that gets installed is a filter driver that captures communication between CD player and software installed on users machine (eg. Microsoft Media Player, Winamp etc.). The purspose of this filter driver is to impair the software other than the player bundled with the CD (thus preventing it from playing the CD), and this is what actually Sony calls “Digital Rights Maangement”. This filter driver is installed together with the rootkit that hides it from eyes of the user. This all happens before user has a chance to refuse the EULA!

Thus your 2nd point does not apply – dangerous software that Sony installs is *not* subject to EULA, as it is installed even if user refused to accept it. Then only software that semes to be subject to EULA is the player that is not impaired in its communication with the CD by the filter driver that got installed beforehand. If user does not accept the EULA, he will not be able to play the CD using any other software that can be bought “off the shelf”, as communication between such software and the CD is impaired by the filter driver. This all can be actually easily verified.

I want to be very precise here. My understanding of the system is that there are two parts. First is the DRM software itself that handles the protection of the CD contents, and the “rootkit” software that hides both the DRM portion and itself from detection. The rootkit isn’t strictly necesary for the operation of the DRM software, but it intended to make detection of and tampering with the DRM software more difficult. My concern is not with the DRM portion (the installation of which I believe is adequately disclosed by the EULA) but with the rootkit portion (which is not).

The reason I make this distinction is because I believe that any rootkit will, by fulfilling its intented function, introduce security problems in the system. The software installed by Sony is very similar to the kinds of software used by virus and spyware writers to prevent security tools from detecting and removing them. Moreover, this software, as written, can be used by virus writers to hide there own files in addition to the ones that Sony intends to hide (and even if it were better written I don’t believe there is any real way to prevent a virus writing from altering the hidden files from doing the same thing). If deployement of this package becomes widespread, then I guarentee that we’ll see a virus that goes around taking full advantage of it.

I can’t shake the notion that the real problem here isn’t that you can’t come up with a plain language disclosure of the issues, but rather that such any plain language disclosure would make it immediately clear to the average user that installing the software is a really bad idea.

“Installing this software will interfere with the operation of most virus scanners” isn’t something that many people will ignore. I also have trouble chalking that up to idiosyncratic interests.

Sony have so far had three differnt FAQ’s posted on their site at here:

http://cp.sonybmg.com/xcp/english/faq.html

I have a complete summary listing of the exact wording here

http://netweb.wordpress.com/2005/11/05/sony-and-the-xpc-faq/

I have hyperlinks to the cached pages of are there also.

Interestingly in the first version I have from MSN Cache there is not a single mention in the enire site for any form of the words:-

‘Update’, ‘Security’, ‘Uninstall’ or ‘Remove’

The main additions to the FAQ are:-

Two versions of “I heard this is malware?’

The addition of ‘How can I update this software?’

The addition of ‘How can I make my computer secure?’

Two versions of ‘How do I uninstall the software?’

Does Sony now have suffecient wording here???

And a couple of other little things I wrote regarding Security Issues this raises.

http://netweb.wordpress.com/2005/11/04/cd-audio-standards/

http://netweb.wordpress.com/2005/11/04/why-rootkits-are-global-security-breaches/

Privacy

Will personal information be collected from my computer during the installation process?

No, none of your personal information will be collected during the installation process.

————————————

Hmmm…. Not during install but afterwords YES as per Mark Russinovich’s http://www.sysinternals.com/blog/

You’re right that many legal standards (both in contract law and consumer protection law) turn on an objective test (i.e., what would a hypothetical “reasonable” consumer have thought/responded?). However, in a failure to disclose case, there are strong equitable considerations. In this respect, I think the law tolerates many types of failures to disclose much more than it tolerates affirmative misrepresentations.

(I recognize that the EULA may have had an implied representation that the software could be uninstalled, and that is more problematic than the failures to disclose).

You’re also right that we don’t always expect disclosures to be read by everyone but sometimes we hope that influential decision-makers will read the disclosures and affect a larger set of decision-makers accordingly. I think this general principle animates the disclosure scheme of public securities law. We don’t expect individual stockholders will understand a 10-K, but the analysts should be able to, and the analysts’ behavior will affect the market sufficiently to protect the individual stockholders.

However, I don’t think this philosophy animates all disclosures schemes, and for good reason. Consumers have wildly different idiosyncratic interests, so there’s no way for a vendor to disclose information material to each consumer’s interests. Furthermore, if in fact a vendor did make disclosures that addressed every possible idiosyncratic interest, the disclosures would be too overwhelming for consumers to digest. Therefore, I think disclosure laws are generally more geared towards the interests of the “ordinary” consumer than the “expert” consumer.

Eric.

http://www.sysinternals.com/blog/

You write: “My instincts tell me that most judges would not second-guess a software design decision to modify the OS, so that only leaves the implicit permanence of the install as a problem. I’m not sure a judge would get as worked up as the technologists about a permanent install, but I’ll keep thinking about that.”

It seems to me that whether the judge is “worked up” is the right question to ask if somebody challenges the EULA as unconscionable. But the question here is what users authorized when they agreed to the EULA. Would a reasonable user, reading the EULA, have understood it to be authorizing Sony to install unremovable software, or software that creates security vulnerabilities by hiding files and programs?

I’m also not convinced by the argument that a typical user wouldn’t understand a more detailed disclosure. A typical user wouldn’t read the EULA at all. If it’s acceptable to treat something that almost nobody reads as a valid contract, that can only be so because we are relying on the odd user who does read the EULA carefully to make a stink if the EULA language is outrageous. So a detailed disclosure helps even if only a few people read and understand it.

Consider what would have happened if Sony’s EULA had disclosed the rootkit and permanent-install aspects of their software. We would have had the same public outcry over the software, but it would have happened *before* so many people installed the software.