We’ve written plenty here about the adventures of SonyBMG, First4Internet, and SunnComm/MediaMax in CD copy protection. Today, I want to consider whether the companies violated the Computer Fraud and Abuse Act (CFAA), which is the primary Federal law banning computer intrusions and malware. A CFAA violator is subject to criminal enforcement and to civil suits filed by victims.
A major caveat is in order: remember that although I have studied this statute, I am not a lawyer. I think I know enough to lay out the issues, but I won’t pretend to give a firm legal opinion on whether the companies have violated the CFAA. Also, bear in mind that the facts are different as to First4Internet (which designed and distributed the XCP software), SunnComm/MediaMax (which designed and distributed the MediaMax software), and SonyBMG (which distributed both software systems but may have known less about how they worked).
There are two relevant provisions in the CFAA. The first one, which I’ll call the “spying provision”, says this:
Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication … shall be punished …
The second one, which I’ll call the “damage provision”, says this:
Whoever … intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage … shall be punished …
(“Protected computer” is defined in the CFAA to include nearly every computer at issue here.)
Let’s look first at the spying provision. We know that the programs obtained information from the user’s computer (about how the user used the CD drive) and sent that information across the Net to either SonyBMG or SunnComm. In most cases that would be interstate communication. So the main issue would seem to be whether the companies, in installing their software on a user’s computer, intentionally accessed the computer without authorization or exceeded authorized access.
According to the CFAA,
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter
In the case of XCP, the software that gathers and sends information only gets installed if the user agrees to an End User License Agreement (EULA), so the company is authorized to access the computer. They might still have exceeded authorized access, if the EULA’s terms did not entitle them to obtain some information that they obtained. Given the vagueness of the EULA language, this seems like a close call. Eric Goldman has argued that a court would give XCP the benefit of the doubt.
Things look worse for MediaMax. The company sometimes installs its software even if the user rejects the EULA. In this case the company is not authorized to put software on the user’s computer or to cause that software to run. But they do it anyway. It’s hard to see how that’s not either accessing without authorization or exceeding authorized access. It looks like MediaMax is in jeopardy on the spying provision.
Sony’s position here is interesting. They shipped the affected software, but they may not have known as much about how it worked. The spying provision applies only if the company accessed the computer (or exceeded authorized access) “intentionally”. If Sony didn’t know that MediaMax installed when the user denied the EULA, then Sony may be in the clear even if MediaMax itself is in violation.
Let’s turn now to the damage provision. This provision covers access without authorization, but doesn’t cover exceeding authorization. As I understand it, this means that you’re not in violation if you had any kind of authorization to access the computer.
The provision also requires that there be “damage”. According to the CFAA, damage includes “any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals”. As I understand it, the cost of detecting and mitigating a problem, including the value of time spent by people on detection and mitigation, can be included in the loss. Given that, there can be little doubt that each of these software systems caused damage of more than $5000 total. For example, if a system was installed on 100,000 computers and imposed at least five cents in detection and mitigation costs on each one of those computers, the aggregate damage is more than $5000.
It seems clear, too, that the installation of a rootkit, or the installation of software without permission – not to mention the security vulnerabilities caused by the software – constitutes an impairment to the integrity of users’ systems.
So the main sticking point in the damage provision would seem to be access without authorization. XCP gets a limited authorization to access the computer when the user agrees to the EULA, so they would seem to be okay. But when MediaMax installs despite the user rejecting the EULA, that looks to me like access without authorization. Again, it looks like MediaMax may be in trouble.
The word “intentionally” pops up in again in the damage provision, and again it might protect SonyBMG, if SonyBMG did not know that the software was designed to install without authorization.
There are two more issues regarding the damage provision. The first one is a possible objection from MediaMax, claiming that although the unauthorized installation may have been intentional, the damage was not intentional. As I understand it, courts have rejected this reading of the CFAA, holding that only the access must be intentional, but the statute applies even if the damage was an accident. It’s easy to understand why Congress would have wanted to write the law that way, to say that if you intentionally break in to somebody’s computer, you are responsible for any damage you cause to that computer, even if the damage happens accidentally.
The last issue is whether the companies had authorization to install or run software immediately upon insertion of the CD into the computer, even before the user is presented with a EULA. I think there’s a good argument that the companies ran more software than they were authorized to run in that situation, but it seems like a stretch to argue that they had no authorization to do anything at all. It seems reasonable to allow them to at least run enough software to pop up a EULA. In any case, it would be hard to find $5000 in damage from this behavior.
So here’s my very tentative bottom line: XCP is in the gray area but is probably okay; MediaMax may well be in violation; and Sony’s status depends on how much they knew about what the MediaMax software did. Perhaps a court hearing one of the SonyBMG lawsuits will give us its own analysis.
UPDATE (1:30 PM EST): In the comments, Sam points out an important issue that I missed in writing this post. Even if SonyBMG did not know from the beginning that MediaMax installs and runs without authorization, they did find out about it eventually, and they kept shipping MediaMax discs anyway. So the software’s behavior would seem to be intentional on Sony’s part, at least with respect to those discs sold after Sony learned about the MediaMax behavior. ]