Sony's settlement over the rootkit fiasco represents a blueprint for legislative action, argues law professor Michael Geist.
Mark Russinovich spotted the problem in October
The Sony Rootkit controversy, in which the world's second largest record label rendered hundreds of thousands of personal computers vulnerable to hacker attack by inserting faulty copy-protection software into dozens of CDs, stands as one of the leading technology law blunders of 2005.
Sony faced an immediate onslaught of bad publicity as thousands of consumers worldwide awoke to the negative effects of copy-protection technologies, also known as technological protection measures (TPMs).
Moreover, the company was forced to address the legal fallout from the case with dozens of class action lawsuits launched throughout the United States, a criminal investigation called for in Italy, and the prospect of further legal claims in dozens of additional jurisdictions.
Last week, Sony took a major step toward putting the rootkit fiasco behind it by reaching a tentative settlement that will put a quick end to most of the US lawsuits.
While it still requires court approval, the settlement is significant since it contains a series of restrictions and conditions on the use of TPMs. This could create the starting point for a future statute that protects against the misuse of such technologies.
The settlement seeks to both compensate US consumers for the harm they suffered from the Sony CDs and to place limits on Sony's future use of TPMs.
It compensates most purchasers with a copy-protection free replacement CD as well as the choice of either $7.50 (£4.30) plus one free album download or three free album downloads. Sony will select at least 200 eligible titles for download.
The most notable feature of this portion of the settlement is that Sony will undertake to provide the free downloads from at least three music download services including rival Apple iTunes.
This aspect of the settlement is laced with irony since one of Sony's prime reasons for using the copy-protection software was to preclude its customers from copying the songs into MP3 format for playback on Apple iPods (the CDs could be easily copied into a format compatible with Sony digital audio players).
Sony has also agreed to comply with at least ten new limitations on its future use of TPMs in the United States. These limitations, which run until 2008, focus on improved disclosure requirements, security precautions, and privacy safeguards.
The disclosure requirements include a commitment to fully inform purchasers on its outer packaging when a CD contains copy-protection software, to ensure that its license agreements, which must be pre-approved by an independent oversight party, accurately disclose in plain language the nature and function of the copy-protection software, and to promptly reveal any updates or changes to the copy-protection software.
The settlement also includes a prohibition on the installation of any copy-protection software before the user has accepted the Sony license agreement.
New security precautions play an important role in the settlement agreement.
Sony has agreed to stop using the technologies that caused the harm; to ensure that an uninstaller program is made readily available to consumers for any future TPM; to obtain an expert opinion that the use of any other copy-protection software does not create security risks; and to fix any software vulnerabilities that may arise from the use of the copy-protection software.
The privacy safeguards are noteworthy since they extend beyond the obligations typically found in privacy legislation.
While privacy laws do not set limits on the use of TPMs (they merely require disclosure of the data collection and appropriate consents), the Sony settlement includes express limitations on the collection and use of personal information.
While the Sony settlement will likely gain court approval at a hearing in New York later this week, it is not without its critics.
Opponents of the settlement will argue that a few music downloads are a small price to pay given the damage that Sony has caused to personal computers around the world.
Moreover, consumers living outside of the United States are excluded from the settlement, leaving thousands without compensation and protection against ongoing TPM misuse.
The Sony CDs found their way onto computers in more than 100 countries, with thousands of consumers throughout the UK and Europe among the victims.
While it remains possible that Sony will provide similar compensation to consumers worldwide, that appears unlikely. The major record labels began experimenting with copy-protected CDs in Europe months before introducing those same technologies in North America.
Moreover, the music, movie, and software industries have been pressing for stronger TPM protections in many other countries.
For example, France is debating tougher copyright controls, Australia is likely to introduce new legal protections for TPMs within the next two years, and the entertainment industry leaders are using the current Canadian election campaign to increase the pressure for TPM legal protections.
Blueprint for future
Notwithstanding its shortcomings, the Sony settlement does provide a potential starting point for a much-needed model statute to protect consumers from TPMs.
The European Union Copyright Directive and the US Digital Millennium Copyright Act have set up legal protections for TPMs by establishing anti-circumvention measures; the rootkit incident, however, illustrates the need for parallel legal protections for consumers from TPMs.
The disclosure requirements provide a model for treating TPMs much like cigarettes and alcohol, with appropriate warnings on their potential negative consequences.
The security measures may be the first step toward a comprehensive TPM approval and licensing system that places the security needs of the general public ahead of private commercial interests.
The privacy provision acknowledges that mere disclosure of the privacy impact of TPMs does not provide the public with adequate privacy protection. Since national privacy legislation does not provide sufficient safeguards, new statutory limits on the collection and use of such information, limits that cannot be overridden through license agreements, are needed.
Countries worldwide are awakening to the need for consumer protections against TPM misuse.
While the Sony settlement does not address all TPM concerns (consumers should also be granted product return rights and should not be placed in the middle of corporate fights over interoperability), its legacy may provide the starting blueprint for a model TPM consumer protection statute that finds a place on the legislative agenda of governments around the globe.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law.