A Legal Analysis of the Sony BMG Rootkit Debacle

YIAAL writes "Two lawyers from the Berkeley Center for Law and Technology look at the Sony BMG Rootkit debacle: 'The Article first addresses the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, and argues that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict these harms on the public.' Yes, under 'even the most charitable interpretation' it was a lousy idea. The article also suggests some changes to the DMCA to protect consumers from this sort of intrusive, and security-undermining, technique in the future."

Nothing like...

Good old greed..

More legal stuff?

Just send Chuck Norris over there for crying out loud!

It's the wee hours...

... of the morning, so I'll bite. I'll admit that I only got as far as reading the abstract, so sue me. I really don't see the need for a journal published paper to dissect the situation. Sony got caught up in the zeitgeist over Napster and how digital distribution was going to destroy their business model, just like how Hollywood freaked over the VCR. I think paranoia and utter indifference to the customer pretty much sums up the whole situation. Other than that, I don't see the need to dredge up a two-year old incident with a published paper, other than it's pretty late.

Its a moral issue.

This shouldn't be about laws, its a moral issue.

Laws don't and should not be the only guiding factor in the actions of people or corporations. It is not the case that anything specifically prevented by law is allowed. A person or corporation should also be a good citizen, and there are things you just should not do, such as inflict root kits on other people's computers.

The question then is; how did somebody at Sony arrive at the conclusion that they should try to protect their IP right in this manner?

Waas this a comittee decision where moral judgement went out the window in a corporate meeting? Or are people at Sony severely lacking personal moral judgement?

I would like to know.

Re:Its a moral issue.

The problem is that morals are specifically off the society book nowdays. Standalone (without religios tint) morals and how society functions are not something kids study in school or at home. At best they get a version which was skewed and slanted through the prism of their family religion. At worst they do not get anything. The situation is same all over US, UK and most of Europe. The rest of the world closely follows.

Sigh... As usually Heinlein "Starship Troopers" is probably right. We need "History and Moral Philosophy" lessons in school. Though there is noone to teach them in the current generation.

Re:Its a moral issue.

As much as I like that story, and its one of my all time favorite books, it starts with the premise that returning soldiers would essentially take over the world and everything would be wonderful thereafter. History has shown quite clearly that every time this occurs things go badly.

Except that they don't become "Citizens" until *after* they have served, and are no longer in the military. History has indeed shown that when the military takes over the government, then yes, bad things happen. But that's not the system that was described. It was civilians who had *previously* served in the military. Even today, one of the qualifications that many people look for in their elected leaders is previous military service.

History has shown that when citizens are ignorant of history, the means by which they both first gained and retain their freedoms, and by which their country remains free from attack, very bad things happen. Pearl Harbor happened because Japan saw that America after WW1 had shrunk their military to a fraction of its' previous strength, and the citizens and most of the government had a policy of isolationism and retreat from world conflict. Japan failed to take into account the American peoples' outrage and anger, and the sleeping industrial might America could bring to bear.

The surest way to get robbed in a big city is to look and act like a victim. The surest way to start a war is to appear conquerable to other nations with acceptable losses. That's precisely what the people who advocate unilateral disarmament, and also those who preach disengagement when targeted by terrorists, fail to understand.

As to the Sony/BMG rootkit incident, as long as the punishment for getting caught in bad corporate behavior is acceptable, expect to see such behavior repeated.

Cheers!

Strat

Minor correction

"Even today, one of the qualifications that many people look for in their elected leaders is previous military service."

"Even today, one of the qualifications that many people IN THE USA look for in their elected leaders is previous military service."

The US has a weird, hyper-patriotic society that a lot of Europeans find bizarre, brainwashing and militaristic.

And only giving the franchise to people who have previously served in the military? Screw you! What gives you the right to decide that? What gives those citizens the right to decide how everyone else gets to live? Nothing whatsoever.

Re:Minor correction

"It's the USAs' military might that saved Europe in WW1 and WW2"

That's a subject for debate, not proclamation...

I think Britain, France and Italy might might disagree. Without the USA's support, Britain would have been invaded by the Nazis. France and Italy were liberated.

And people are proposing it as a good model and a natural one. It's not, it's only in the US that the military are seen as some sort of gods.

I don't know whose post you're responding to here. I said nothing about anyone being gods nor does anyone I know in the USA think of the military in that way or even close. Nor was I seriously proposing the Starship Troopers society as an actual model. Just the un-arguable fact that a weak military invites attack from others that have expansionist aims.

Cheers!

Strat

Re:Its a moral issue.

Just a minor thing on Starship Troopers:
Not all the people who volunteered for public service ended up as soldiers - they simply ended up doing what their society thought it needed and they had the ability to do.

Heinlein actually wrote a bit about the "world" of Starship Troopers in Expanding Universe (in a retrospective on his literary career).
At the time when the events in the book take place, quite a lot of people were needed as soldiers - but due to the way we people are wired (with tight-nit social groups as soldiers), soldiers were usually the last to stop serving in public and thus the last to actually get to vote.
Yes, you didn't get the franchise until *after* you've stopped serving in that world.

I do agree that the premise is shaky - but the idea of not giving everyone franchise just because they were 18 years old and alive was one of the ideas Heinlein was toying with in that book.
Of course, he argued that clearly the founders of US of A never intended everyone to get the franchise either - his criterion were simply a bit more merit-based.

In Expanding Universe he did mention that the idea of having stable people with a stake in maintaining a working society as a rather good idea, and goes on arguing for removing the franchise from men and giving it to women who have born children, as they have a personal reason for being interested in having a society that works... and makes a rather convincing argument of it.

I can heartily recommend Expanding Universe if you are interested in what Heinlein said he was thinking when writing.
As with all things written down, of course, you must consider the source - but I got a lot of amusement out of his writings, and like his meritocratic views personally.
The book "Requiem" is also a good read, if a trifle sad at times - but it did contain his speeches at a few scifi conventions which I hadn't read - highly interesting for a person not born until the last years of the Red Scare.

(Sorry for pushing Heinlein, but I really liked those books and they represent a very enlightening perspective on what Heinlein professed to believe.)

Re:Its a moral issue.

"The question then is; how did somebody at Sony arrive at the conclusion that they should try to protect their IP right in this manner?"

Seems like when it comes to protecting their a$$e$, they don't care about morals. Anything goes. It's sad to say, but it all comes down to the all mighty dollar for these companies/corporations.

Then again, I'm a cynic.

Re:Its a moral issue.

The question then is; how did somebody at Sony arrive at the conclusion that they should try to protect their IP right in this manner?

This is probably not best discussed in terms of "protecting IP rights" but rather in terms of:

1. Individual decision-makers in the organization trying to protect their own personal interests (cover your ass, look busy, do something!);
2. An interest in seizing control (squatting, adverse possession, invasion) of the user's desktop, in order to use that as a foothold to greater control over the medium;
3. High-pressure and deceptive sales tactics by the spyware makers.

Someone at Sony was charged with "doing something" and "making the piracy problem go away". They were desperate. They also wanted something to show for their efforts, namely, an ability to exercise power on user desktops. (Recall, the copyright terrorists have long wanted "self-help" capabilities that amount to sabotaging users' property at will.)

Spyware must have seemed like a perfect solution: it doesn't just "do something" about the pirates, it accomplishes a long-standing goal of seizing greater control of the medium. It is not at all about "IP rights"; it's about power -- in this case, about ripping power out of the users' hands.

Precedent.

It was a push on legal norms. The recording industry has done it before, and more successfully.

A quote from Lessig's Free Culture:

After Vivendi purchased MP3.com, Vivendi turned around and filed a malpractice lawsuit against the lawyers who had advised it that they had a good faith claim that the service they wanted to offer would be considered legal under copyright law. This lawsuit alleged that it should have been obvious that the courts would find this behavior illegal; therefore, this lawsuit sought to punish any lawyer who had dared to suggest that the law was less restrictive than the labels demanded.

Legal norms are not just about judicial precedent.

Auto-run is evil

Of course this would be a non-issue if Windows didn't automatically run software when you put a CD in the drive; this is just another reason why auto-run is an insanely bad idea.

Re:Auto-run is evil

say bye bye to autorun.inf...

One quick trick prevents Autorun attacks [windowssecrets.com]

I'll try one more time

Can we please get an Icon that has a foot and a handgun?

what they are really saying is...

the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, and argues that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict these harms on the public.' Yes, under 'even the most charitable interpretation' it was a lousy idea. The article also suggests some changes to the DMCA to protect consumers from this sort of intrusive, and security-undermining, technique in the future." ...the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems...
That's pretty simple. They thought that there was a vast network of 13-year-old superhackers that were going to destroy the company by sharing files of music recordings. Then some schmuck (names? anyone who knows?) in the firmware special projects department told some marketing manager that he knew how to keep 13-year-old superhackers from copying music from CDs by simply adding a little piece of code. ...demonstrates a failure to adequately value security and privacy.
The only security and privacy that they care about is their own. These concepts don't exist for people who are not executives in the company. Especially customers.

... then-existing technological environment that both encouraged and enabled the distribution of these protection measures...
"Since we own the music on the disk that is placed into a computer CD drive, we, by the simple and obvious extension of corporate logic, thereby own the computer and all of the data inside it." If you want to become a corporate executive, you need to start thinking like one. ... flawed protection measures...
If it keeps ordinary people from copying stupid pop songs from our CDs, then it is not flawed. If it destroys or corrupts the data on user's PC, we don't care. Serves them right as they are supposed to only be listening to CDs on a real Sony CD player. After all, we invented the CD so we can set the terms on its use. ... contract, intellectual property, and consumer protection law... ...is whatever the hell Sony's legal department says it is. And we have many, many millions of dollars, euro, UK pounds, or yen to prove it. Without the cash, talk is trash.

... Yes, under 'even the most charitable interpretation' it was a lousy idea...
Next year's rootkit software will work. And the first thing that it will do is send your name and address to our lawyer's office who will prepare a standardized form charging you with theft of intellectual property (which is some illiterate junkie thug under Sony corporate contract moaning 'baby, baby, baby' over and over). Our bot software will then serve this to anyone who puts a Sony music CD into any device with internet access (unless, of course, the device is a $999 Sony model DRM-XKE CD player with hi-def 2-inch LCD screen and wireless internet access). After all, we invented the CD so we can set the terms on its use.

suggests some changes to the DMCA ...
The only changes that our legal department will allow the US politicians to pass will be ones that increase the criminal penalties for possession of music. This will happen when Sony completes its corporate merger with Wackenhut and CCA and completes the vast network of corporate prisons being built i

what their saying (reformated better)

...the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems...
  That's pretty simple. They thought that there was a vast network of 13-year-old superhackers that were going to destroy the company by sharing files of music recordings. Then some schmuck (names? anyone who knows?) in the firmware special projects department told some marketing manager that he knew how to keep 13-year-old superhackers from copying music from CDs by simply adding a little piece of code. ...demonstrates a failure to adequately value security and privacy.
  The only security and privacy that they care about is their own. These concepts don't exist for people who are not executives in the company. Especially customers.

... then-existing technological environment that both encouraged and enabled the distribution of these protection measures...
  "Since we own the music on the disk that is placed into a computer CD drive, we, by the simple and obvious extension of corporate logic, thereby own the computer and all of the data inside it." If you want to become a corporate executive, you need to start thinking like one. ... flawed protection measures...
  If it keeps ordinary people from copying stupid pop songs from our CDs, then it is not flawed. If it destroys or corrupts the data on user's PC, we don't care. Serves them right as they are supposed to only be listening to CDs on a real Sony CD player. After all, we invented the CD so we can set the terms on its use. ... contract, intellectual property, and consumer protection law... ...is whatever the hell Sony's legal department says it is. And we have many, many millions of dollars, euro, UK pounds, or yen to prove it. Without the cash, talk is trash.

... Yes, under 'even the most charitable interpretation' it was a lousy idea...
Next year's rootkit software will work. And the first thing that it will do is send your name and address to our lawyer's office who will prepare a standardized form charging you with theft of intellectual property (which is some illiterate junkie thug under Sony corporate contract moaning 'baby, baby, baby' over and over). Our bot software will then serve this to anyone who puts a Sony music CD into any device with internet access (unless, of course, the device is a $999 Sony model DRM-XKE CD player with hi-def 2-inch LCD screen and wireless internet access). After all, we invented the CD so we can set the terms on its use.

suggests some changes to the DMCA ...
    The only changes that our legal department will allow the US politicians to pass will be ones that increase the criminal penalties for possession of music. This will happen when Sony completes its corporate merger with Wackenhut and CCA and completes the vast network of corporate prisons being built in distant lands. These will be needed to hold the vast number of unemployed former American college students who not only illegally listened to music, but also fell behind on their student loan payments.

Re:what their saying (reformated better)

The only security and privacy that they care about is their own. These concepts don't exist for people who are not executives in the company. Especially customers.

Add "copyrights" to the list. Since there are several cases showing how little the "entertainments" industry cares about other people's copyrights.

The only changes that our legal department will allow the US politicians to pass will be ones that increase the criminal penalties for possession of music.

Unless someone can get the changes sneaked past. e.g. something tacked onto the end on an anti-terrorism bill :)

Left hand, meet right hand

Unfortunately, due to scaling problems, any sufficiently large and diverse corporation will have components that exhibit behavior that are detrimental to other components, or even the whole. While this can be reduced and discouraged, I do not believe it can be completely solved - something will always manage to slip its way through the cracks.

Sony has a huge image problem (especially among the geek elite) due to this effect, and due to the fact that its goals do not seem to align with the geeks of Slashdot's dream of free content for all. Maybe better laws, regulation, and consumer awareness will provide the sticks and carrots necessary to help guide this behavior to constructive not destructive purposes. If that happens, I'd suggest investing heavily in porcine aviation stocks, however.

Re:Left hand, meet right hand

And now meet what I like to call handcuffs.

An easy solution to this problem, and it would only take a few instances, would be to seize all assets of the company in question and begin prosecution. If corporations are damn near treated like real humans, then let them see the other side of the coin. Make every failure in process hurt them where it matters, I guarantee we won't have this happen again. Or we end up with less corporations willing to "risk" product release in the US.

As it stands companies can seemingly get away with whatever they want to protect their business model.

Law

"The article also suggests some changes to the DMCA to protect consumers from this sort of intrusive, and security-undermining, technique in the future."

How about this, when an industry pushes legislative half assed measures and gets them passed in to law, they forfeit normal protections afforded every other group out there.

In this case DMCA law prohibits the consumer from doing all sorts of things, in an effort to protect a particular industry. Since Sony installed, without permission, software that effectively broke computers, they'd held to a HIGHER standard than any other organization.

In this case the law should have revoked the corporate charter surrendered all assets to the government. Since the Corporation is a "legal" entity, the same as a person, the government should treat it exactly like a person caught doing the same thing.

My $.02

Legal solution?

Why is a legal solution needed? Clearly, the whole incident worked out very badly for Sony-BMG. Any company can see this example and determine that this kind of software should not be used.

I don't hit my hand with a hammer, even though no law that restrains me from doing it. Is there a role for government in keeping folks from hitting their hand with a hammer?

boo ray

and despite the debacle, people still want Blue Ray to win the Hi-def war.

I don't quite buy it

I know Sony acted like a jackass, but it was more ignorance than malice. They didn't write the rootkit, they bought it from somebody else. And if they knew what a rootkit was, the people who wrote it didn't tell Sony it was a rootkit, and likely did not consider it to be a rootkit. They advertise the software as preventing users from making copies, and I'm guessing Sony considered the software on that criterion alone.

Much like the average sysadmin doesn't consider the privacy implications of leaving a backup tape in a car, the average music exec doesn't consider the privacy implications of some piece of copy protection software.

My point is that Sony didn't know what they were doing, nor were they competant enough to realize that they didn't know what they were doing.

dom

Who really should we be mad at?

I was highly pissed at Sony for doing this.

But I am more pissed at Microsoft.

This is NOT supposed to happen - I would allow them a foulup of this magnitude only on the virgin release of WIN95.

Let's face it, neither people nor businesses are unconditionally honest. I believe the proper lawyerspeak for "dishonesty" is "realistic".

People will violate copyright and patent if they feel they can get away with it.

Business will write loans that nobody can pay, will insert phrases like "we reserve the right to make any change at any time to this contract" in their written contracts, and sucker customers will sign it anyway.

Both pranker/hackers and businessmen *will* write hostile code.

I am not nearly so mad at Sony for doing this as I am at Microsoft for having code that lacks resilence against such attacks. Even as much as simple integrity checking of core files would isolate tampering of those files.

This could be as easy as when the customer boots from his purchased legit installation CD and asks it directly to verify his OS. There is no way any hacker could compromise the code on a stamped CD. At least the computer owner would know his computer is telling him the truth over which processes and threads are running, and know the registry keys are being honestly reported.

How a business claims "trustworthy computing" and such a thing happens makes me think of the banking industry repackaging all those toxic loans, then having some ratings agency stamp them with a high rating, then sell it all off to corporate pension managers - with every party in the whole sorry chain shielded by "hold harmless" law from the repercussions of their negligence.

All this "plays for sure" businesstalk rings of Circuit City Divx. Its marketing headhock which the technically illiterate ( even if they are business savvy; ) falls for over and over again. I realize a business appears to have much lower needs of system security than I feel is prudent - hence their acceptance of stuff that requires other companies products to crutch it up before it works. It seems to me that despite all the hoopla, we still have basically lousy stuff that hasn't seen any improvement since WIN98.

Linux seems to be the answer, as I know had this exploit been used on Linux, there would have immediately been free and open discussion of what happened and how to make damn sure it doesn't happen again. I can not count on that kind of support on proprietary systems, whose support is whatever the vendor sees fit to support - with any other help facing legal liability for even trying to help.

Remember Sony/BMG and Sony Corp aren't the same

The rootkit was put on those CDs by Sony/BMG, which is a separate entity that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group). Furthermore, the people at the top, who make all of the important decisions are all from the BMG side. So, if either company is more to blame, it is Bertelsmann. Does this mean you should boycott Bertelsmann? It does seem a bit silly to boycott Random House (major book publisher and Bertelsmann subsidiary) over what happened to some music CDs, and yet that is what some are doing w.r.t. Sony Vaio, Sony cameras, etc. My suggestion would be to boycott the product that Sony/BMG puts out-their music CDs.

Downfall

Is it just me or is Sony losing it? It seems that Sony has been making a lot of really bad mistakes and it is heading freefall. On the way to becoming a shadow of the former self?

An excellent article !

This article really was a pleasure to read (although it took me most of a day).

Not just because of the conclusions ("Part III examines potential market-based rationales that influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy.") but also because of the rant-free and very lucid and illuminating analysis of the factors involved.

To me, the best part was: "After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures in Part IV, we examine law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, in Part V. We argue that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict such harms on the public.".

Those who have hopes for political action to amend the current crop of laws may be interested to read: "Finally in Part VI, we present two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, we suggest that Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and anti trafficking provisions in order to enable security research and the dissemination of tools to remove harmful protection measures. Second, we offer promising ways to leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers."

Still Sony got it right.......

Still Sony got it right with its laptop batteries. We should all run out and buy those. Apparently they're HOT HOT HOT!

Sorry, pinning it on BMG dosen't work. This is vintage Sony, and their contempt for their customer. In this country Sony DVD players were the only ones that wern't reliably region free (big deal if you want discs from other regions, which are legal and sold openly). Or then there's the noxious DRM on Minidisc - can't pull a digital copy of something you recorded onto your PC even if you own it, they lied and said minidisc played MP3 when it transcoded instead, the are a key bankroller of the RIAA's standover extortion from kids and grandmothers, they took DRM to a whole new level with Bluray, and of course there's ARCOSS. If you want to go back even further, goofle the underhand way they used misinformation to kill off the Dreamcast.

Sony is the vermin of the consumer electronics industry. You should boycott them not just to make a stand, but because the products they peddle are often no better than the alternatives - they just cost more and always seem to have hidden strings attached. They are underhand, arrogant, dishonest people. Why woould you give them your hard earned money?

"hanges to the DMCA to protect consumers"

Pigs will be ice skating in hell before that happens...

Hardware vs Software

The way I see it, my computer is my property much like my house is also my property. They both have "doors" to the outside world, but that doesn't mean that anyone can just walk in and have a beer. I guess my favorite analogy is buying a new TV. What if you went out and bought a new TV that had a hidden camera in it, but you didn't know about the hidden camera, and it was broadcasting a signal to anyone who wanted to watch. Would you keep the TV? Would you litigate against the company that made the TV? The camera in the TV is much like the Rootkit in a CD/DVD/etc...They are both there "To make sure you aren't breaking any laws" but they are also massive invasions of privacy into a place that they entered without permission. It would be clear cut if it was a hardware camera, why is it different because it is a software camera?

Never let Sony live this down.

Of all the Big Four, it's definitely the easiest to make an argument against purchasing Sony music.

You can tell music consumers about all the obnoxious legal tactics that the Big Four does, and they just don't 'get it'.

However, if you mention that a company puts out audio discs that can potentially F--- up your computer, I think that does sink in.

(Just don't go too deeply into rootkits. I find it's tricky to explain to people who aren't computer-savvy.)

Sony/BMG EULA - the choral music setting

The Sony/BMG EULA - set as haunting choral plainchant [wired.com].

One of my favourite examples of "transformative" fair use ever.

Elvis-wannabes who went into FLOPPY DISKS in '01?

No, really, read the paper before you mod me off-topic — page 1180 (24th of PDF [ssrn.com]):

SunnComm, the company that delivered MediaMax, offered even more cause for concern. The company began as a provider of Elvis impersonation services. After a change in management following a false press release announcing a non-existent $25 million production deal with Warner Brothers, the company purchased a 3.5" floppy disk factory in 2001, displaying a disturbing dearth of technological savvy. After two employees announced their intention to leave the fledgling company to develop copy protection software, SunnComm convinced the pair to lead a new division, leaving both Elvis and floppy discs behind in order to develop what would become MediaMax.

I swear, I'd be hard pressed to come up with anything this surreal even if I tried.

And I'm still waiting for the arrests

As the tag says--"bullshit, it's a felony". When the fuck are we going to see everyone involved in this project DRAGGED AWAY IN HANDCUFFS? As I've said before, if a preteen was caught installing rootkits on thousands of computers without their owners' consent, he would certainly be dragged away in handcuffs even if he was just messing around, even if money wasn't involved at all.

If you care about freedom and justice in this country, don't sit around idly talking about class action lawsuits. Instead, find a copy of a rootkit'ed CD (buy it from eBay if you must), put it in the drive of your XP box to verify that it does its thing, then take it to your local law enforcement office (preferably FBI) and report the crime. If enough people do this, they just might take it seriously. They JUST MIGHT hold a multinational corporation to the same standards of justice as a preteen kid.

Stop Buying Sony

I hate to be succinct here but...STOP buying anything SONY...Hit them in their pocketbook and let them know you are going to stop buying their products. Letters have more of an impact but e-mails can work as well.