bcit tmgt 7133 report by wesley kenzie on sony music's 2005 drm debacle

TMGT 7133 Law for Intelligence-Based Business Instructor Dean Palmer Assignment 1 Due Date April 25, 2010 Student ID A00242330 Student Name Arthur (Wesley) Kenzie

Sony Music Entertainment and their 2005 DRM Debacle

Introduction ......................................................................... 2 A Canadian Perspective .......................................................... 3 Conclusions ........................................................................... 5 References ........................................................................... 6

TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 2 of 8

Introduction In October 2005, computer security researcher Mark Russinovich made a surprising discovery which he posted about on his blog at http://blogs.technet.com/markrussinovich. [1] Russinovich is not your average blogger, nor is he your average computer security researcher. In fact he earned his Ph.D. in computer engineering from Carnegie Mellon University in 1994 [2][3] and Dr. Russinovich is currently a "Technical Fellow" at Microsoft in their Platform and Services Division [4]. His previous company, Winternals Software, was acquired by Microsoft in July 2006 [5] along with another company he had co-founded, Sysinternals.com [6]. What Russinovich discovered in October 2005 during testing of a program he was developing called RootkitRevealer, was a rootkit installed on his own computer. Rootkits [7] are programs which are able to hide themselves from normal methods of detection. They are called "root" kits because they are able to run with administrative (aka "root") privileges. Their covert nature underscores the fact that their presence and their functionality is not something a computer user would typically want or has consented to. This particular rootkit was designed to perform digital rights management ("DRM") functions on behalf of the music rights holder, Sony BMG Music Entertainment (known as simply Sony Music Entertainment since the 2008 buyout by Sony of partner Bertelsmann Music Group [8]). Russinovich documented on his blog how he proceeded to investigate this rootkit, and how he determined that it came from a Sony BMG music CD that he had recently purchased. The fallout from his discovery and disclosure has been significant and far reaching. This assignment paper discusses a Canadian legal and policy perspective of this case, written by University of Ottawa law professor, Jeremy deBeer [9]. deBeer reviews the technology used by Sony Music, and the implications with regards to Canadian laws of contracts, competition, consumer protection, privacy, trespassing, negligence, and more.



A Canadian Perspective In the February and March 2006 issues of Internet and E-Commerce Law in Canada [9], Jeremy deBeer provides an insightful and comprehensive review of the 2005 Sony Music rootkit case, called "How Restrictive Terms and Technologies Backfired on Sony BMG Music". His review covers the following issues: (1) Privacy. The DRM software used by Sony Music surreptitiously "phoned home" using the user's Internet connection to "...transmit information about a user's computer system, software and Internet connection." Was this consented to by the user as part of their acceptance of the End User License Agreement ("EULA") ? Perhaps. However, deBeer thinks a case could be made that this was not informed consent and that this disclosure of identifiable personal information is in contravention of the Personal Information and Protection of Electronic Documents Act ("PIPEDA"). (2) Competition. deBeer points out that the Canadian Competition Act "provides a private right of action in respect of material false or misleading representations made to the public for the purpose of promoting a product or business interest". What was false or misleading? According to deBeer the EULA contained numerous false and/or misleading statements including misrepresentation of the true nature of the DRM technology, the security vulnerabilities the DRM technology created, the practical inability to uninstall the DRM technology, and the data transmissions the DRM technology performed. (3) Contract Law. Artists who are under contract to Sony Music might have cause to seek redress for negative publicity, and lost sales as a direct result of Sony Music's actions, according to deBeer's analysis. Also deBeer argues that there are two additional and separate contracts in play with regards to this case: that between the consumer and retailer, and that between the consumer and Sony Music via the EULA. All these contracts are potentially rescindable, on various grounds, with various remedies available to consumers. (4) Negligence. There is an established duty of care that is owed by manufacturers to end-users, and it is possible that Sony Music has violated this covenant. They may also be liable for exposing their users to unreasonable risk, for product liability, and for negligent misstatement. Were



the actions of Sony Music reasonable? deBeer makes a case that they were not. (5) Trespass. I found deBeer's discussion of the trespass to chattels issue fascinating. He contends that Sony Music "... intentionally interfered with end-users possessory rights in respect of computer hardware and software". He calls this "cyber-trespassing", and makes the point that in "traditional" English legal authority, there is no requirement to establish harm in order to make this tort actionable. (6) Consumer protection. In this context deBeer advises that Sony Music "... may have violated warranties relating to quality, quiet possession, fitness for purpose and/or merchantability". He acknowledges that the EULA stipulated the end-user waive certain rights, and that it made certain disclaimers. However, under Ontario's Sale of Goods Act and Consumer Protection Act, such disclaimers are almost certainly void. deBeer's critical analysis of Sony Music's deployment of digital rights management technologies is not solely targeted at Sony Music, however. He points out that the use of DRM technical measures is inherently dangerous in numerous ways, and states that many companies are currently making use of DRM technologies. "There are hundreds of millions of copies of hundreds of album titles in circulation employing MediaMax™ or other DRM systems." (MediaMax was one of the two DRM technologies that Sony Music was discovered to be using in October 2005.) This means that Sony Music is not unique, but rather this 2005 debacle "... illustrates the potential abuses that can occur if consumers are not protected from the widespread deployment of DRM systems." Have we done anything in Canada about this issue? Nothing substantive as yet, according to deBeer's review. The Commissioner of Competition has the power to initiate an investigation under the Competition Act; the Ontario Minister of Consumer and Business Services has the power to enforce the Consumer Protection Act on behalf of consumers; the Privacy Commissioner of Canada has the power to initiate a complaint and to launch an investigation into this matter. Yet no level of government has yet made any effort to hold Sony Music accountable. New legislation has been proposed at the Federal government level in both 2006 and 2008, specifically with Bills C-60 and C-61 [10], but no changes have yet been enacted. Further, both these proposed changes to the



Copyright Act drew plenty of criticism, and with respect to DRM, they both clearly tilted the balance in favour of digital rights holders, to the detriment of consumer's and user's rights.



Conclusions The discovery of Sony Music's use of digital rights management technology on their music CD's in October 2005 brought to light many significant issues that we continue to grapple with. These issues span a wide range of government and corporate policies in the areas of consumer protection, warranties, transparency, trust, reputation, distribution of artistic creations, protection of privacy, and computer security as well as legal issues of copyright, contract, competition, negligence, and trespassing. In Canada, despite considerable discussion and debate in the intervening years, very little has changed. A bigger problem than inertia however, appears to be that the proposed changes in law that have been tabled since then grant more power and more rights to the providers and owners of DRM technologies rather than to the consumers who are forced to give up their legal rights because of those DRM technologies. Mr. deBeer himself lashes out at this imbalance in a National Post article published in 2008 [11] as does the Editor-in-Chief of Internet and E-Commerce Law in Canada in another National Post article from 2008 [12]. I believe that unless there is a stronger will to create a more balanced set of laws in Canada to clarify the rights and responsibilities of both content producers and consumers of that content, the Sony Music DRM debacle will have been a missed opportunity.



References [1] Mark's Blog, Sony, Rootkits and Digital Rights Management Gone Too Far, Reference found on April 25, 2010 at http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx [2] Amazon.com book search, Microsoft Windows Internals (4th Edition), Reference found on April 25, 2010 at http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174 [3] Affidavit of Mark Russinovich, United States District Court, Southern District of New York, Class Action Case No. 1:05-cv-09575-NRB, Reference found on April 25, 2010 at http://www.sonysuit.com/classactions/michaelson/71.pdf [4] Microsoft News Center, Mark Russinovich, Reference found on April 25, 2010 at http://www.microsoft.com/presspass/exec/techfellow/Russinovich/default.mspx [5] Microsoft System Center, Microsoft Acquires Winternals, Reference found on April 25, 2010 at http://www.microsoft.com/systemcenter/winternals.mspx (also at http://www.winternals.com) [6] Windows Sysinternals, Reference found on April 25, 2010 at http://technet.microsoft.com/en-us/sysinternals/default.aspx (also at http://www.sysinternals.com) [7] Google.com search, Definitions of Rootkit on the Web, Reference found on April 25, 2010 at http://www.google.com/search?hl=en&q=define:Rootkit&btnG=Search [8] Wikipedia.org search, Sony Music Entertainment, Reference found on April 25, 2010 at http://en.wikipedia.org/wiki/Sony_Music_Entertainment and at http://articles.latimes.com/2008/oct/14/business/fi-sony14 [9] deBeer, Jeremy, How Restrictive Terms and Technologies Backfired on Sony BMG Music, in M. Geist, editor-in-chief, Internet and E-Commerce Law



in Canada, Volume 6, Number 12 and Volume 7, Number 1 (Markham, Ontario, Canada: LexisNexis Canada Inc., 2006) [10] House of Commons of Canada, Bill C-61 An Act to amend the Copyright Act, Reference found on April 25, 2010 at http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3570473&file=4 and Bill C-60 at http://www2.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Parl=38&Ses=1&Mode=1&Pub=Bill&Doc=C-60_1 [11] deBeer, Jeremy. Canada's new copyright bill: More spin than "win-win". National Post. June 16, 2008. Reference found on April 25, 2010 at http://www.nationalpost.com/news/story.html?id=590280 [12] Geist, Michael. Copyright bill's fine print makes for disturbing reading. National Post. June 12, 2008. Reference found on April 25, 2010 at http://www.nationalpost.com/news/story.html?id=585974