On ZDNet, Declan McCullagh of CNET News.com talks about the possible recourse for computer owners/users regarding the Sony ‘Rootkit’/spyware issue and the possible repercussions for Sony.
After discussing the history that led up to the article, Declan states the following:
Still, it may be too late for the entertainment giant to fend off the plaintiff’s bar. One recent court case in Illinois, Soleto v. DirectRevenue, sets a nonbinding precedent that lawyers expect to be invoked against Sony.
In that case, DirectRevenue was sued for installing spyware on Windows computers without obtaining proper authorization from a user. U.S. District Judge Robert Gettleman said the company could be sued on trespass, Illinois consumer fraud, negligence, and computer tampering grounds.
Then there’s a California spyware-related law that says a company may not “induce” anyone to “install a software component” by claiming installation is necessary to “open, view or play a particular type of content.”
Translation: Sony could be in double trouble. Its Windows software is hardly necessary to play music–the disc works just fine on a Macintosh or in an old-fashioned CD player.
Apparently, in California, Robert Green, a partner at the San Francisco firm of Green Welling, says he’s “readying a class action lawsuit against Sony.” They are currently investigating the case and talking to those who have been affected by this.
But in a twist of fate, Declan goes on to say this:
In a bizarre twist, though, it’s not only Sony that could be facing a legal migraine. So could anyone who tries to rid their computer of Sony’s hidden anticopying program.
That’s because of Section 1201 of the Digital Millennium Copyright Act, which bans the “circumvention” of anticopying technology.
“I think it’s pretty clear that circumventing Sony’s controls violates the DMCA,” says Tim Wu, a Columbia University professor who teaches copyright law. (Violations of the DMCA include civil fines, injunctions, computer confiscations, and even criminal penalties.)
Wu noted that one possible reprieve might come from last year’s ruling from a federal appeals court in a case dealing with garage door openers–it said no copyright violations were taking place, so no DMCA violation occurred. Then again, another federal appeals court objected to bypassing anticopying technology used in DVDs, which is probably a closer analogy.
As mentioned in the past, I have not bought albums/CDs from the RIAA/Big 5 record labels for many years because I refuse to pay for the RIAA/Big 5 lawsuits against their customers and potential customers, and because it was so easy to see where all this DRM/DMCA/Copy Protection crap would lead.
A country, apparently being driven by greedy corporations, can not ‘en masse’ allow their normal law abiding citizens to be turned into criminals, and not pay the penalty for the devastating loss to a society’s sense of fairness, right and wrong, and what many people may deem justifiable in such an unjust society.
When the laws of the land become so unjust as to turn normal law abiding citizens into criminals, what is to be done?
And what justification can be used for such dangers to the very core of a society’s well being?
No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert — falsely — that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.
The companies need to come clean with the public — their customers — about what they did in the first place, and what they are doing now. At the very least, they need to tell us what is in the software update they’re now distributing.
Also, Freedom to Tinker’s earlier posting on this subject here:
It’s a good security practice to give users as little permission as they need to do their jobs—we call this the “Principle of Least Privilege” in the security trade—because, among other reasons, it restricts the activities of malicious software. If every user on a system has administrator access, any malicious programs that become installed can put up their own cloaking mechanisms using the same techniques that XCP2 uses. However, consider what happens when there are multiple accounts on the system, some with Administrator access and some with more limited control. Such a setup is fairly common today, even on family computers. If the administrator uses a CD that installs XCP2, the XCP2 cloaking driver will be available to applications installed by any user on the system. Later, if one of the unprivileged users installs some malware, it can use the XCP2 driver to hide itself from the user and the Administrator, even though it wouldn’t have permission to perform such cloaking on its own.
This kind of security bug is called a “privilege escalation vulnerability.” Whenever such a vulnerability is discovered in Windows, Microsoft quickly rolls out a patch. If Sony and First4Internet have any regard for their customers’ security, they must immediately issue a fix for this serious problem.
Copy protection vendors admit that their software is merely a “speedbump” to copyright infringement, so why do they resort to such dangerous and disreputable means to make their systems only marginally more difficult to bypass? One of the recording industry’s favorite arguments why users should avoid P2P file sharing is that it can expose them to spyware and viruses. Thanks to First4Internet’s ill-conceived copy protection, the same can now be said of purchasing legitimate CDs.
In case you haven’t already disabled Autorun, now might be a good time.
Much more in both articles. Thanks Eric, I have enjoyed Freedom to Tinker for a very long time. But I hadn’t been there this week. Definitely a must read blog on anything related to these types of issues.
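As an added example (not part of the Freedom to Tinker post or any quoted article), the following PowerShell reports whether Autorun is disabled for CD-ROM drives and whether the current session has administrator rights, the two conditions the advice above turns on. It assumes Autorun is controlled through the Explorer policy value `NoDriveTypeAutoRun`; the function names are illustrative.

```powershell
# Added example (not from the quoted posts). NoDriveTypeAutoRun is a bitmask:
# a set bit disables Autorun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown' = 0x01; 'Removable' = 0x04; 'Fixed' = 0x08; 'Network' = 0x10
    'CD-ROM'  = 0x20; 'RAM disk'  = 0x40; 'Reserved' = 0x80
}
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunMask {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }           # value not set in this hive
    $value = $item.NoDriveTypeAutoRun
    if ($value -is [byte[]]) { $value = $value[0] } # REG_BINARY: flags are in the low byte
    return [int]$value
}

function Get-DisabledDriveTypes {
    param($Mask)
    if ($null -eq $Mask) { return @() }
    return @($DriveTypeBits.Keys | Where-Object { $Mask -band $DriveTypeBits[$_] })
}

$machine = Get-AutorunMask -Hive 'HKLM'
$user    = Get-AutorunMask -Hive 'HKCU'
# A machine-wide value takes precedence over the per-user one.
$effective = if ($null -ne $machine) { $machine } else { $user }

foreach ($entry in @(@{Name='HKLM'; Mask=$machine}, @{Name='HKCU'; Mask=$user})) {
    if ($null -eq $entry.Mask) { "{0}: NoDriveTypeAutoRun not set" -f $entry.Name }
    else { "{0}: 0x{1:X2} disables: {2}" -f $entry.Name, $entry.Mask, ((Get-DisabledDriveTypes $entry.Mask) -join ', ') }
}

if ((Get-DisabledDriveTypes $effective) -contains 'CD-ROM') {
    'Autorun is disabled for CD-ROM drives.'
} else {
    'Autorun is ENABLED for CD-ROM drives: an inserted disc can launch its installer.'
}

# Least privilege: a non-elevated session cannot install a kernel driver on its own.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) { 'Session has administrator rights: software started from a disc could install drivers.' }
else { 'Session is not elevated: a disc installer would need elevation to install a driver.' }
```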
Thanks to Tweeny for this one. An article on CSMonitor.com – Sony aims at pirates – and hits users sums it up this way:
In response to a flood of criticism, Sony and First 4 Internet reacted with information-age speed. The software patch was up and running on the Web by Nov. 2. But the patch serves only to locate the hidden software. Bloggers and computer experts are still steamed: The patch does nothing to help the user remove the rootkit, they say, and may in fact aggravate the problem.
For his part, Russinovich wonders why Sony wasn’t more careful in the first place. He cites a National Public Radio interview with Sony’s president of Global Digital Business, Thomas Hesse, in which he said that “most people, I think, don’t even know what a rootkit is, so why should they care about it?”
“That quote nicely summarizes the problem,” Russinovich says.
Thanks to epp_b on SNL Forums, for the following:
Here we go again. Sony may have thrown a bone to angry consumers by opening up its DRM rootkit to virus-protection vendors, but that hasn’t stopped at least some customers (or their lawyers) from deciding that Sony has infringed their rights. So, the only surprising thing about the fact that Sony is being sued over the DRM is the locale of the lawsuit: it’s not in the litigation-happy US, but in Italy, which is typically known for more, shall we say, direct, ways of dealing with problems (OK, that’s two national stereotypes in one sentence, for those of you keeping score at home). The lawsuit, from ALCEI (Italy’s EFF), charges that Sony’s DRM amounts to a virus, which is installed in a way that’s “surreptitious way and not transparent.” The irony, of course, is that the DRM has been in place for months, but the rootkit issue only came to light recently, thanks to Mark Russinovich, a systems expert with a flawless understanding of Windows’ internal workings and questionable musical tastes.
Thanks to zlim on SNL Forums, for the following:
SONY IS FINALLY GOING to have to answer the tough questions, because it is being sued.
In a BetaNews blurb entitled Sony President: Rootkit of No Concern, BetaNews reports that NPR had an interview with Sony BMG’s Global Digital Business President Thomas Hesse. In this interview, Mr. Hesse downplayed the DRM fiasco, saying he objected to terms such as malware, spyware and rootkit. BetaNews quoted Mr. Hesse as stating that “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
When I listened to the NPR Morning Edition “Sony Music CDs Under Fire from Privacy Advocates” presentation from November 4, 2005, I thought it was a rounded approach in presenting a capsulated audio report on the issues, including not only Mr. Hesse’s comments, but those of several notable security experts including Mark from Sysinternals, who found the rootkit on his system and did the forensic investigation to determine where it came from, what its potential was, what it did, and how to remove it.
It is certainly interesting to note that Sony, of course, as BetaNews reports, totally played down the potentially devastating possibilities of such software, and their hiding of it, and did not address the lack of information in the EULA for the approximately 20 CDs he said make use of the hidden DRM enforcing technology.
Thanks to another SFL Forums member, hkspike, who posted yet another album with copy protected content that apparently installs this same thing. Check out just one of the comments at Amazon.com’s listing for Switchfoot’s album Nothing Is Sound:
Tim Foreman, the bass player of Switchfoot, posted a work around for the copy protection on this CD on the Sony music forum. Naturally they deleted it. Unfortunately, even with this workaround, the copy protection still gets installed on your computer.
DO NOT ALLOW YOUR COMPUTER TO AUTORUN WHEN YOU PLAY THIS DISC. Also, if you use a username that does not have administrator privileges on your computer the rootkit on the CD may not be able to be installed. But your best bet is NOT to use this CD (or ANY copyprotected SONY CD) on your computer.
This rootkit is the same type of software hackers illegally install on your computer for nefarious purposes and is illegal in some states and a number of nations. It will run on your computer using up CPU power even if the CD is not playing. There is no uninstall provided. You are not warned that it will be installed. It is poorly written code and incompatible with some software, causing freezeups and bluescreens. And if you try to remove it with a spyware tool your computer will all of a sudden not be able to ‘find’ your CD drive and it will be unusable. For the full story, check out http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html.
Too bad Sony wants to scare off the very people who are NOT stealing their music online!
Another commenter noted:
What can I do about this in the future?
You can write to Sony or call Sony and complain.
General SONY BMG: 212-833-8000
Arista Records: 646-840-5600
SONY BMG U.S. Latin: 305-695-3600
J Records: 646-840-5600
Jive Records: 212-727-0016
RCA Label Group Nashville: 615-301-4300
RCA Records: 212-930-4000
SONY BMG Corporate Press: 212-833-5047
You can also write the artists and share with them how unhappy you are with the bundling of software like XCP. However I doubt the artists have much of a say in this matter but I figure it couldn’t necessarily hurt.
There are several there like these. And it’s really a shame too. The artists were apparently not happy with the situation either. And from the comments by those who purchased the CD, it is a good CD album.
Makes me glad I don’t buy anything associated with the RIAA/Big 5 labels.
NOTE: And I don’t do any filesharing either. I have simply opted out of the RIAA/Big 5 labels entirely. If I didn’t already own it prior to Napster being taken down, or it’s not an Indie artist that doesn’t do DRM, then I don’t make use of it. Period.