July 16, 2024

Sony CDs and the Computer Fraud and Abuse Act

We’ve written plenty here about the adventures of SonyBMG, First4Internet, and SunnComm/MediaMax in CD copy protection. Today, I want to consider whether the companies violated the Computer Fraud and Abuse Act (CFAA), which is the primary Federal law banning computer intrusions and malware. A CFAA violator is subject to criminal enforcement and to civil suits filed by victims.

A major caveat is in order: remember that although I have studied this statute, I am not a lawyer. I think I know enough to lay out the issues, but I won’t pretend to give a firm legal opinion on whether the companies have violated the CFAA. Also, bear in mind that the facts are different as to First4Internet (which designed and distributed the XCP software), SunnComm/MediaMax (which designed and distributed the MediaMax software), and SonyBMG (which distributed both software systems but may have known less about how they worked).

There are two relevant provisions in the CFAA. The first one, which I’ll call the “spying provision”, says this:

Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication … shall be punished …

The second one, which I’ll call the “damage provision”, says this:

Whoever … intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage … shall be punished …

(“Protected computer” is defined in the CFAA to include nearly every computer at issue here.)

Let’s look first at the spying provision. We know that the programs obtained information from the user’s computer (about how the user used the CD drive) and sent that information across the Net to either SonyBMG or SunnComm. In most cases that would be interstate communication. So the main issue would seem to be whether the companies, in installing their software on a user’s computer, intentionally accessed the computer without authorization or exceeded authorized access.

According to the CFAA,

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

In the case of XCP, the software that gathers and sends information only gets installed if the user agrees to an End User License Agreement (EULA), so the company is authorized to access the computer. They might still have exceeded authorized access, if the EULA’s terms did not entitle them to obtain some information that they obtained. Given the vagueness of the EULA language, this seems like a close call. Eric Goldman has argued that a court would give XCP the benefit of the doubt.

Things look worse for MediaMax. The company sometimes installs its software even if the user rejects the EULA. In this case the company is not authorized to put software on the user’s computer or to cause that software to run. But they do it anyway. It’s hard to see how that’s not either accessing without authorization or exceeding authorized access. It looks like MediaMax is in jeopardy on the spying provision.

Sony’s position here is interesting. They shipped the affected software, but they may not have known as much about how it worked. The spying provision applies only if the company accessed the computer (or exceeded authorized access) “intentionally”. If Sony didn’t know that MediaMax installed when the user denied the EULA, then Sony may be in the clear even if MediaMax itself is in violation.

Let’s turn now to the damage provision. This provision covers access without authorization, but doesn’t cover exceeding authorization. As I understand it, this means that you’re not in violation if you had any kind of authorization to access the computer.

The provision also requires that there be “damage”. According to the CFAA, damage includes “any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals”. As I understand it, the cost of detecting and mitigating a problem, including the value of time spent by people on detection and mitigation, can be included in the loss. Given that, there can be little doubt that each of these software systems caused damage of more than $5000 total. For example, if a system was installed on 100,000 computers and imposed at least five cents in detection and mitigation costs on each one of those computers, the aggregate damage is more than $5000.

It seems clear, too, that the installation of a rootkit, or the installation of software without permission – not to mention the security vulnerabilities caused by the software – constitutes an impairment to the integrity of users’ systems.

So the main sticking point in the damage provision would seem to be access without authorization. XCP gets a limited authorization to access the computer when the user agrees to the EULA, so they would seem to be okay. But when MediaMax installs despite the user rejecting the EULA, that looks to me like access without authorization. Again, it looks like MediaMax may be in trouble.

The word “intentionally” pops up again in the damage provision, and again it might protect SonyBMG, if SonyBMG did not know that the software was designed to install without authorization.

There are two more issues regarding the damage provision. The first one is a possible objection from MediaMax, claiming that although the unauthorized installation may have been intentional, the damage was not intentional. As I understand it, courts have rejected this reading of the CFAA, holding that only the access must be intentional, but the statute applies even if the damage was an accident. It’s easy to understand why Congress would have wanted to write the law that way, to say that if you intentionally break in to somebody’s computer, you are responsible for any damage you cause to that computer, even if the damage happens accidentally.

The last issue is whether the companies had authorization to install or run software immediately upon insertion of the CD into the computer, even before the user is presented with a EULA. I think there’s a good argument that the companies ran more software than they were authorized to run in that situation, but it seems like a stretch to argue that they had no authorization to do anything at all. It seems reasonable to allow them to at least run enough software to pop up a EULA. In any case, it would be hard to find $5000 in damage from this behavior.

So here’s my very tentative bottom line: XCP is in the gray area but is probably okay; MediaMax may well be in violation; and Sony’s status depends on how much they knew about what the MediaMax software did. Perhaps a court hearing one of the SonyBMG lawsuits will give us its own analysis.

UPDATE (1:30 PM EST): In the comments, Sam points out an important issue that I missed in writing this post. Even if SonyBMG did not know from the beginning that MediaMax installs and runs without authorization, they did find out about it eventually, and they kept shipping MediaMax discs anyway. So the software’s behavior would seem to be intentional on Sony’s part, at least with respect to those discs sold after Sony learned about the MediaMax behavior.


  1. curvedeye says

    new cd from Tool – 10000 days (Volcano/SonyBMG), comes with a rootkit…

  2. […] It seems clear, too, that the installation of a rootkit, or the installation of software without permission — not to mention the security vulnerabilities caused by the software — constitutes an impairment to the integrity of users’ systems. Link […]

  3. According to website http://www.pallabs.org/people.php the Chairman of First4Internet Nicholas Bingham was for 12 years president of Sony Television Entertainment, Sony Pictures. Can anybody read that web page and convince me that Sony didn’t know exactly what it was getting into?

    I live in the UK and am appalled at what has in my view been criminal actions by fellow UK citizens. I buy my own music CDs, but as an IT professional I now will have to examine new CDs as a potential PC security threat.

  4. supercat Says:
    “Generally-accepted types of DRM software will not damage system functionality.”

    Actually, it will — the only thing we can argue is degrees. Any constantly-running software that monitors whether you’re trying to ‘break the DRM rules’ is going to be at least a slight drag on the system. But that’s not the issue I’m getting at.

    Generally-accepted types of DRM software do nothing except decrypt encrypted data and play/display it. Some of them will examine the system configuration and refuse to run if it appears that “capture drivers” are installed, but they only run anything spyware-ish (or anything at all, for that matter) when they are being used for the purpose of decrypting and displaying the protected content.

    I recognize that effectively preventing the duplication of audio content on red book CDs may be impossible without using malware. On the other hand, malware will be inherently ineffective against any major pirate anyway. All someone has to do is use a machine which does not have the malware loaded and will not auto-run it off CDs. Rip a CD with that, send it all over the world, and the copy-protection may as well not exist.

    Any protection system which relies upon continuously-running malware to protect unencrypted content can be breached quite easily by reading the content on a system without the malware installed. And systems which do not store unencrypted content on any persistent medium don’t need to have any protection software running except when the content is actually being decrypted. So what legitimate benefit does ANYONE receive from the installation of hard-to-remove malware on people’s machines? I can see some potential illegitimate benefits for record companies (e.g. compiling lists of what CDs people listen to) but no legitimate benefit whatsoever.

  5. David Sellick says

    supercat Says:
    “Generally-accepted types of DRM software will not damage system functionality.”

    Actually, it will — the only thing we can argue is degrees. Any constantly-running software that monitors whether you’re trying to ‘break the DRM rules’ is going to be at least a slight drag on the system. But that’s not the issue I’m getting at.

    The ‘copyprotected CDs’ contain plain redbook audio tracks, although there might be a random error designed to foil weaker computer CD drives. They may contain more — such as ‘random’ possibly “unreadable” data tracks, which is designed to cause computers problems, but they MUST contain redbook audio tracks to play on stereo CD equipment.

    To render the ‘copyprotected CDs’ unplayable or at least uncopyable on computers…that aren’t running the special player software…they have to intercept, replace, or bypass attempts of software to use underlying drivers designed to read/write to the CD drive. These drivers are not normally system-specific, but can be for more obscure CD drives. If you’re using Windows 9x/XP/2k, then these drivers are proprietary. Compatibility cannot be assured, especially if trying to deliberately sabotage their performance.

    What’s more, since the replacement for them is not only proprietary but also operates in non-standard ways, compatibility AND reliability are in question. Hasn’t it come out that not only is Sony’s XCP a ‘rootkit’ but that it also seriously messes up some computers?

    I’m telling you that’s no accident!

  6. I put a new post up, specifically for discussion of the proposed settlement. The idea is to give readers an obvious place to look for settlement discussions.

    Please continue the settlement discussion over there. Thanks.

  7. Bruce,

    Are you certain it’s not the same lawsuit? This paragraph in the article makes me think so, as yesterday’s announcement related to combined NY lawsuits:

    “Electronic Frontier Foundation (EFF) joined in this preliminary settlement agreement with Sony BMG this week to settle several class action lawsuits filed due to Sony’s use of flawed and overreaching computer program in millions of music CDs sold to the public. The proposed terms of settlement have been presented to the court for preliminary approval and will likely be considered in a hearing set for January 6, 2005 in federal court in New York City.”

    Also, this part is interesting:

    “Sony agreed to stop production of these flawed and ineffective DRM technologies”

    The article seems to indicate that Sony-BMG will not be using any copy protection technology for the near future. Yesterday’s announcement made it look like they could just make some changes to MediaMax 5.0 to comply with the terms, release it as 5.1 or 6.0 and then business as usual. The EFF statement indicates that they would only move forward with a more effective DRM. Removing some of the problems reported on MediaMax 5.0 to comply with the agreement will not make MediaMax more effective.

  8. Looks like the EFF is settling their class action lawsuit too. This is important since the EFF is probably the closest thing to a consumer group involved in the Sony BMG DRM mess. My original idea was that Sony was trying to short circuit all the other suits with a favorable class action settlement in the SDNY. But this looks like a concerted push on their part to put the disaster behind them. I now expect to see at least some of the state actions settle quickly too.

    Let me add that in addition to a JD, I also have an MBA, and this may end up being a B. School example of how to handle a PR disaster. They started off very slowly, not realizing how bad it was going to get. But then they got the word from the top to make it disappear, and that is apparently what is happening.

    We shall see if it works for them.

  9. the zapkitty says

    Anonymous Says:

    “Reading the detail, it is apparent that the results of the numerous other lawsuits taking place will also impact this agreement.”

    No. That is a lie by omission to placate those of the class they are supposedly representing who might question this quick settlement.

    Because, as one of the shills was crowing over in la la land, in court precedent is everything.

    Once this particular set of cheap ass lawyers hands Sony this token sack cloth and ashes then Sony will have the high ground in any further court proceedings. IANAL but I myself have seen this with other class action suits.

    “It’s a floor…”
    … but no one who has seen this before will be very surprised when it actually proves to be the glass ceiling.

    I shouldn’t have called them “cheap ass lawyers”, tho. As Bruce pointed out: they’ll rake in a pile from Sony… even if the class they’re representing never sees more than a few dollars each.

    (… assuming Sony didn’t hire them to begin with… hmmm… techno-thriller plotline there? 🙂 )

    And of course all the “protections against future misbehavior” in the settlement amount to a slap on the wrist for Sony… and a license to malware to their hearts content as long as they’re discreet about it.

    What I’m unsure of is how this will affect the criminal suits. Will it give Sony time to bury the dead bodies before a coroner can examine them?

    (I should not listen to Noir while posting… gloom and doom are the inevitable result.)

  10. Reading the detail, it is apparent that the results of the numerous other lawsuits taking place will also impact this agreement. There is a section at the end that states that the agreement is a “floor, not a ceiling” and explains that this means if any of the other lawsuits result in more favorable terms to their plaintiffs, those terms will also be granted to the plaintiffs in this suit.

  11. On the lighter side, breaking news is that Sony is using graffiti as a means of advertising. Ryan Singel of Wired News writes:

    “Seeking to market its handheld game device to hip city dwellers, Sony has hired graffiti artists in major urban areas to spray-paint buildings with simple, totemic images of kids playing with the gadget. But the guerrilla marketing gambit appears to be drawing scorn from some of the street-savvy hipsters it’s striving to win over.”


  12. IANAL but my reading of the judgment is that the $5 ceiling on liability in the EULA is removed, and that the question of compensation for damage to users’ computers and/or networks is left open as a separate issue which anyone affected may pursue, and that the settlement does not release the defendants from such claims (see top of p17 in pdf document).

    I infer from the settlement that the cost of the saga will be met by insurers for F4I and SunnComm.

    That being the case, I would have thought that those insurers would be considering insisting that the Mediamax discs are recalled.

    I also imagine that those insurers would not have anticipated that product liability and professional (sic) indemnity risks associated with music CDs could extend to this sort of issue, and I would hope that in future they will play a more pro-active role in what goes on.

  13. Bruce, just wondering what you think should be done for the victims that isn’t already being done?

  14. Ned Ulbricht says

    Brian Krebs in the Washington Post Security Fix blog today reports on the Hearing Order in connection with the settlement. The unsigned order, with a typewritten month of January and no date, proposes on pages 10-11:

    24. Plaintiffs and all members of the Settlement Class and any other person, representative, or entity acting on behalf of any members of the Settlement Class are, until the Fairness Hearing, barred and enjoined from: (i) filing, commencing, prosecuting, maintaining, or intervening in (as members of a class action or otherwise), any claim, lawsuit, arbitration, administrative, regulatory or other proceeding arising out of the Released Claims against any of the Released Parties; and (ii) organizing or soliciting the participation of any members of the Settlement Class into a separate class for purposes of pursuing as a purported class action (including by seeking to amend a pending complaint to include class allegations, or by seeking class certification in a pending action) any claim, lawsuit or other proceeding arising out of the Released Claims against any of the Released Parties. The Court finds that issuance of this preliminary injunction is necessary and appropriate in aid of the Court’s jurisdiction over the action and to protect and effectuate the Court’s review of the Settlement.

    As someone who is not a member of the (proposed) conditionally certified Settlement Class, I nevertheless find the proposed wording of this preliminary injunction potentially troublesome.

    In general, a fair settlement of litigation is in the public interest. The proposed settlement [PDF] provides citations on page 24 (p.31 in PDF) for the assertion, “It is well established that there is an overriding public interest in settling and quieting litigation, and this is particularly true in class actions” (quotation in source). But the public interest in fair settlements does not override all of the other interests of the public. The public interest in assuring the rights to petition for redress of grievances, and to free speech, demand a high bar. When those compelling interests are strictly scrutinized together with the general public interest in due process and in obtaining the testimony of witnesses, then I would hope that all courts would examine the balance very carefully.

  15. the zapkitty says

    Bruce Hayden wrote:
    “Well, guess what. It appears to be over.”

    Was your first clue the line where the settlement explained the sell-out by saying “Trust us… we’re experienced at this” ? 😉

  16. Well, guess what. It appears to be over. The proposed settlement agreement cited by Alex Eckelberry appears to be asking for an opt-out class of all U.S. victims of both XCP and MediaMax Sony DRM code. I should expect that the three parties involved, Sony, the class action attorneys, and the SDNY court, will all agree to this. After all, they all benefit by the settlement. Of course, what is not mentioned is the compensation that these attorneys are going to get. Indeed, if this is like many other class action settlements, they are the only ones who will really be compensated. Yes, there is a CD exchange program. But most likely nothing, or close to nothing, beyond that for the victims. (There is a most favored nation provision, but that would seem to just make any more generous settlements highly improbable).

  17. the zapkitty says

    Anonymous wrote:

    “Bye Bye SunnComm?”

    Hardly, according to the shills over in la la land.

    The news was broken with a trumpeting announcement, out of nowhere and relevant of nothing in particular, of the Windows metafile vulnerability.

    And as sure as an atomic clock the settlement news was posted a few minutes later…

    … with the prognostication that everything was good now, their software has been proven under fire, Sony will certainly put an updated version of Mediamax on all its CDs in 2006, DVDs were the next target for Mediamax and we’ll get those music download stores too, and that Sunncomm/Mediamax could proceed with business as usual after only a few minor fixes…

    “I never thought I’d see a resonating Orwellian Kafkaesque scenario… let alone having to watch it rerun forever!”

    Anonymous Black Mesa Research Facility scientist remarking on the Sony DRM debacle.

  18. Steve Cotton says

    IANAL, but the settlement that Alex Eckelberry has linked to looks like Sony BMG’s dream.

    Section III.B.7 is very interesting, on page 14 (21st page of the PDF). It permits all of these:
    Installing software from music CDs (after the EULA is accepted)
    MediaMax 5.1 or 6.0
    Any software that isn’t called XCP or MediaMax
    Phoning home without the user’s express consent
    Anything after 1 Jan 2008

    Section III.B.1 on page 10 (17th page of the PDF) seems to be an attempt to promote online music services (iTunes gets mentioned by name). I think it’s worth as much as some online services’ introductory offers.

    I’d love to see Groklaw’s opinion of this.

  19. Bye Bye SunnComm?

    Bye Bye First4Internet

    Good riddance to both

  20. Preliminary settlement for Sony suit

    Girard Gibbs and Kamber and Associates sued Sony BMG, First 4 Internet and SunnComm International last month in regard to the Sony rootkit mess.

    We have obtained a copy of a preliminary settlement that was filed today seeking judicial approval for a settlement in the Sony case.

    The proposed settlement is as follows:

    Under the terms of the settlement, Defendants agree to:

    • stop manufacturing SONY BMG CDs with XCP software (“XCP CDs”) and SONY BMG CDs with MediaMax software (“MediaMax CDs”);

    • immediately recall all XCP CDs;

    • provide software to update and uninstall XCP and MediaMax content protection software from consumers’ computers;

    • ensure that ongoing fixes to all SONY BMG content protection software are readily available to consumers;

    • implement consumer-oriented changes in operating practices with respect to all CDs with content protection software that SONY BMG manufactures in the next two years;

    • waive specified provisions currently contained in XCP and MediaMax software End-User Licensing Agreements (“EULAs”);

    • refrain from collecting personal information about users of XCP CDs or MediaMax CDs without their affirmative consent; and

    • provide additional settlement benefits to Settlement Class Members including cash payments, “clean” replacement CDs without content protection software, and free music downloads.

    Much more reading in the proposed settlement, which you can read here.

    Alex Eckelberry


  21. Ned Ulbricht says

    In a 30 Jul 2001 article, “BMG tests unrippable CDs”, CNET staff writer Gwendolyn Mariano reported that according to Sami Valkonen, senior vice president at BMG Distribution, “BMG [was] testing technologies from SunnComm, Midbar, Macrovision and a handful of other companies.”

    The article further states:

    In the Macrovision test, copy-protected CDs were released without notice to consumers to ensure unbiased feedback, according to the company.

    The fact that BMG has previously distributed copy-protected CDs without notice to consumers might tend to indicate BMG’s willingness or propensity to be less than forthright about the attributes of their CD products.

  22. the zapkitty says

    tRellium wrote:
    “They make no guarantees regarding future versions of Windows either, meaning that your sunncomm “bonus” DRM will probably not be able to run anyway.”
    Windows Vista, according to reports, will not allow the covert “before the EULA” installation that is the hallmark of Mediamax and it also will not allow the trick that lets unsigned drivers get installed without a warning.

    So… it appears that Mediamax is already broken beyond repair in the next iteration of Windows.

    If folks want to play the CD on their PCs they’ll have to learn how to bypass the malware… and both Microsoft and the Federal Government will be happy to show them how 🙂

  23. Anonymous Says:
    December 21st, 2005 at 12:27 pm

    UH OH!

    ‘High’ risk in Symantec antivirus software flaw

    Symantec is a company for whom people pay to have their software updated. This is not true of sunncomm/sony when you think you are just buying a music CD, which never before had these security issues.

    Sunncomm introduced the need for security updates to a product for which it was previously irrelevant, and we are to applaud their workmanship? Of course, to sunncomm drones it’s all part of the “bonus” material.

    More to the point is that sunncomm WANTS to infect your pc so that eventually you need to rebuy their software and the music you already paid for, for the sole purpose of patching or “upgrading” the previously defective software. They make no guarantees regarding future versions of Windows either, meaning that your sunncomm “bonus” DRM will probably not be able to run anyway.

    It’s product failure in every possible sense, and it’s designed that way. They want the DRM itself to make the music obsolete before the CD disk itself is likely to degrade. Enforced obsolescence based entirely on when their accounting department decides it’s time to refill the coffers.

  24. Trying to bring down companies that respect the artists and their efforts,

    So there’s no problem with hitting Sony and members of the RIAA then.

  25. I agree with what Sam has posted here: Sony/BMG should also be responsible.
    Haven’t we, the consumers, had enough of spyware? They should have realized this “blunder” and yet they continue to distribute MediaMax! The EULA is nothing but a joke.

  26. Ok, stop right there. What NEEDS to be pointed out is by the very nature of DRM:
    Installing this software damages system functionality.

    Generally-accepted types of DRM software will not damage system functionality. If you have DRM data but do not have the player installed, the content will be useless. If you install the player, you will be able to use the content, but only in the way the player allows. If you uninstall the player, you will no longer be able to use the content because the system will be as it was before you installed it (and you couldn’t use the content then).

    What Sony is pushing is very different, and Sony does NOT make the difference clear to customers before it installs its evilware on their machines.

  27. Edward Kuns says
    You are so obviously a troll that it’s funny that you think anybody might take you seriously and that you don’t realize what a complete waste of your time it is to post such hysterical (that is to say irrational) comments. Any rational person can see the purpose of this blog and the purpose of Prof Felton’s research.

    We all understand the talking points of the trolls. Only one person connected to any of the DRM companies attempted any rational discussion and it’s really a shame that only one even tried. But that fact — in and of itself — illustrates the contemptuous nature of the DRM companies involved here.

    You could use logic similar to yours to defend a police state, saying that anyone who is against random search and seizure and anyone who is against constant monitoring of the public must be for theft and mayhem. It’s a false dichotomy.

  28. “Now all of a sudden Felton is a lawyer checking about fraud”

    Is that why the SunnComm trolls are so worried?

  29. Now all of a sudden Felton is a lawyer checking about fraud. His job at Princeton is to find problems with software/hardware.

    Why should he be interested in First4, Mediamax and any legal problems? This is beyond your scope. Get back to doing what you’re supposed to be doing and stop trying to hang these companies.

    Your agenda is for everyone to have free access to do as they please with music.

  30. Can we change the name of this blog to read “Freedom to teach to steal, cheat and find ways around paying our just due”?

    Trying to bring down companies that respect the artists and their efforts is like me getting a Diploma from Princeton via a mail order house.

    Can Felton & Halderman tell me how to circumvent the years of schooling and get a Diploma for free? They teach us how to beat the system.

  31. I notice that MediaMax has now released a 3rd version of its uninstall.

    No explanation is given as to why a new version was released. Did the 2nd version have problems? Should people who used V2 use V3?

    No explanation, just a new date…

    DEC 6th, 8th, 16th and now 22nd.

    There is also a Dec 16th version of a fix for the security exposure. Again, no explanation.

    In relation to the previous versions of the security exposure patch, the EFF site talks about a faulty release on December 6th, that was “fixed” on December 8th. The December 8th fix was still being tested by security experts. We now have a December 16th version of the patch, with no explanation as to what new changes were made or what was wrong with the December 8th version.

    This lack of explanation by SunnComm is utterly unprofessional and contemptuous of MediaMax users.

  32. Ned Ulbricht says

    SunnComm press release 3 Feb 2005, “SunnComm’s New MediaMax (Version 5) Copy Management and Enhancement Technology Passes Independent Testing with Flying Colors”

    SunnComm International, Inc. (OTC:SCMI), the developer of MediaMax™ and the U.S. leader in digital content security and enhancement for audio compact discs, announced today that it has received exceptional test results from Belgium-based PMTC, an international multimedia test center, on its newest version of MediaMax. (http://www.pmtctest.com/new/home/home_home.html)

    From http://www.pmtctest.com/new/home/home_home.html, following page navigation for Software, Multimedia Tests, Functionality

    Functionality Testing

    Multimedia Applications

    To ensure that your product functions the way it was intended, a complete functionality test is of paramount importance.

    Each functionality test starts with an in-depth analysis of the product. Based on this analysis and the documentation provided by the developer, a set of test plans and test matrices is generated. These are uniquely created for each specific title in order to ensure full (or required) coverage of all aspects of your product.

    The profoundness of a functionality test is determined by the requirements of the product and the available budget.

  33. the zapkitty says

    David Sellick wrote:

    in response to supercat who wrote:
    > If the EULA had said: “This
    > software cannot be
    > uninstalled without damaging
    > system functionality, and may
    > contain security holes.”

    “Ok, stop right there. What NEEDS to be pointed out is by the very nature of DRM..”

    supercat wasn’t pointing out what “needs to be said about DRM”… he was pointing out what Sony needed to say to the user in advance of Sony’s screwed up mess… in order to absolve Sony 🙂

  34. Ned Ulbricht says

    The financial summaries seen by top-level officers in a large organization probably would not show that specific QA group(s) received funding to execute specific test plan(s).

    But a creative outside auditor could conceivably correlate financial documents with engineering documents to check for discrepancies between the level of engineering effort proposed/approved/completed and the funds allocated/approved/spent.

  35. Ben,

    This intent problem is faced all the time in trying to criminally prosecute CEOs. They often try to claim that it was those underneath them who were involved, and that they, themselves, were ignorant of what was going on. And then the prosecutors have to go and find some documentation showing that they actually did have the requisite knowledge and intent. That is, BTW, one of the reasons for Sarbanes-Oxley, which now requires both the CEO and the CFO of a company to essentially personally certify financial reports.

    That is the trouble with criminal statutes, like this one. They invariably have specific intent requirements, and that is one of the elements that has to be proven beyond a reasonable doubt for a conviction. Contrast this with civil trials, where the level of proof is much lower (typically, requiring a preponderance of the evidence), plus the ability to get at those in charge through respondeat superior / agency law.

    That said, it may well turn out that Sony did have actual information that would constitute the requisite intent. For example, my impression is that when the DRM software “calls home” to notify them that a user was playing a specific CD, the site being accessed is a Sony site. This would probably constitute actual knowledge by Sony that their DRM software was indeed spyware / adware.

  36. David Sellick says

    supercat Says:
    December 21st, 2005 at 5:43 pm
    If the EULA had said: “This software cannot be uninstalled without damaging system functionality, and may contain security holes.”

    Ok, stop right there. What NEEDS to be pointed out is by the very nature of DRM:
    Installing this software damages system functionality.

    That’s what it means to ‘protect copyright’ by blocking CD access to unfettered reading and writing.

  37. While I have no idea the actual legal backdrop, if Sony is allowed to claim ignorance as a defense, then any company can intentionally create such a shield. Hiring another company to “fix a problem” for you without verifying that they are complying with the law seems like a pretty easy way to get illegal things done.

  38. Ned Ulbricht says

    According to the December 8th, 2005 press release from Illinois Attorney General Lisa Madigan, “Sony BMG has discontinued using MediaMax software.” While I’m quite sure that the Illinois Attorney General’s office made this statement in good faith, can this fact be confirmed?

  39. the zapkitty says

    Okay… then the currently presentable options seem to be that either Sunncomm/Mediamax has been lying constantly in press releases and to their shareholders about the level of Sony input into the software… and lying in press releases and to shareholders is one thing SuncMax has a paper trail of doing… and that the bad apples were a BMG inheritance.

    Or one could argue the fact that the latest, and worst-offending, version of Mediamax was released after the merger and to Sony’s stated satisfaction is proof enough that Sony should not have been ignorant of all this (and they really couldn’t have been, but we’re talking currently available proof here…) but still, yeah, not nearly as strong.

    And meanwhile in la la land the latest “unofficial” (i.e. easily denied) reports to SuncMax shareholders say that the Suncmax CEO is on the phone twice a day to Sony…

  40. You are talking two different things here. The first is presuming that someone can show that Sony was briefed, etc., on all this stuff, and the second is that the patent application is somewhat indicative that SunnComm knew. But, without establishing the knowledge connection between SunnComm and Sony, Sony could claim that it was a SunnComm issue.

  41. the zapkitty says

    But if it can be proved that Sony, via contractor testimony, intended far deeper spyware activities (as evidenced by the patent application), and then backed off to the level currently disclosed… Intent, yes?

    And if the level of intrusion in the patent claims is currently implemented then I think that there would be no escape for Sony.

  42. A couple of comments.

    The overall statute is criminal, as it potentially provides for prison time. Obviously, Sony can’t be put in prison, but any fines by the Govt. against the company would be considered criminal in nature. The result is that intent is much more strictly defined than in a purely civil context. Since intent is one of the elements of the offense, the govt. would have to prove intent beyond a reasonable doubt. And thus, imputing it, as suggested by some above, would not be sufficient. That SunnComm and/or First 4 knew that their software was in violation may not be sufficient here.

    On the other hand, Ed is right – most computers today are used, at least to some token amount, in Interstate, and/or foreign commerce, since the Internet/WWW is now global. And, thus, most computers these days would be considered “protected” under the statute.

    On the other hand, without Secret Service / DOJ buy in, you are left with suing for economic damages, which are hard to quantify and prove. Highly unlikely, short of (another) class action suit, that it would be worthwhile suing under this statute.

  43. Let me add the obvious – not only is autorun initially enabled, but at least with XP home edition, the initial, default, account has administrator privileges. Coming off of 95/98 systems, how many users know that XP is really a multiuser system, and that you should run under another, more limited, account? (Ok, at least 98 could be run this way – it just rarely was).

  44. the zapkitty says

    As the media whitewash fails the spin control gets kinda crazy…
    “… In the end little real damage was done to consumers…”

  45. The EULA won’t stand thanks to MediaMax. You can’t enforce a contract (no matter how much dispute there is as to whether they really are) when the consumer clicked “I DO NOT AGREE” and you attempt to carry out the terms anyway…

  46. Suppose you sign a video rental contract which provides that “Acme video shall have the right to ensure compliance with its rental terms by billing customers’ credit cards for unreturned movies, filing suit in small claims court if credit cards are declined, or using such other means as Acme Video sees fit.”

    Would such a contract authorize Acme Video to break into your house if you failed to return a movie on time?

    By a literal reading, it would (if such a break in was a means that Acme Video saw fit to use). On the other hand, a court would hold such a provision unenforceable. Laws vary by state, but as a general rule a contract is only enforceable to the extent that it represents a “meeting of the minds”. The Sony junkware EULAs were written to obscure their true function, thus deliberately precluding a meeting of the minds.

    If the EULA had said: “We want to install some software on your computer which will take over the CD ROM drivers and prevent them from reading digital audio from our disks into any unapproved programs. This software cannot be uninstalled without damaging system functionality, and may contain security holes. If you accept this agreement, you will allow us to install this software as well as anything else we want into your computer.” then these junkware companies might be able to argue that the installation was consensual. As far as I know, however, none of the junkware EULAs contain anything close to the above text.

  47. I have been involved with some business subcontracted out by Sony.

    They have people to do vendor management and were very proud of their technical capabilities. In our case they asked for very deep information and were very aware of what was going on … This was a different division, but I would be surprised if the music people didn’t know exactly what was being done for them.

    Not a lawyer, but the vendor management effort at Sony should be probed to see what they actually knew.

  48. It occurs to me that the link above may not work for other users since I was logged in.

  49. Some humor to the absurdity of EULAs. If they give us one sided agreements we can give them one sided agreements.
    I ran across this quote on http://www.leovilletownsquare.com/fusionbb/showtopic.php?fid/24/tid/8939/pid/76848/post/last/#LAST
    And then hurl it through the window of a Sony officer
    and run like hell

  50. Ed, you might want to check up (or get a non-binding opinion on) Agency Law in the United States. (I’m neither a lawyer nor American, but I know a lot of lawyers here in Australia.)

    The EFF complaint specifically lists Sony BMG and “their agents”. This is a legal term which, I believe, is specifically intended to defend against a claim of plausible deniability on Sony’s part. The general idea, as I understand it, is that Sony is responsible for anyone who was acting as their agent and under their instruction or something like that. It’d be interesting to know if that applies here.

  51. Ed notes that Sony EULA creates a “gray area”. Below is an excerpt from the Sony/BMG EULA. Unless EULAs are somehow invalidated, we as consumers have no rights and would not be able to seek relief under the CFAA. The EULA also states that Sony/BMG liability would be limited to $5.
    “SONY BMG and each LICENSOR reserve the right to use the SOFTWARE and/or any APPROVED MEDIA PLAYER to enforce their respective rights in and to the DIGITAL CONTENT, including any and all of the restrictions on use set forth in this Article 3, at any time, without notice to you.”

  52. the zapkitty says

    This version of the Texas AG story seems more complete:

  53. the zapkitty says

    What the Sunncomm stock shill is trying to drown out with their off-topic spam is, of course, this news item:

    The Texas Attorney General has added distribution of the Sunncomm/Mediamax malware to the charges against Sony in its lawsuit.

  54. “Johnny rosin up your bow and give the devil his due.”

    “Fire on the mountain run boy run”

  55. UH OH!

    ‘High’ risk in Symantec antivirus software flaw
    By Colin Barker, ZDNet (UK)
    Published on ZDNet News: December 21, 2005, 8:06 AM PT

    Symantec’s antivirus software contains a vulnerability that could be exploited by a malicious hacker to take control of a system, the company said late Tuesday.

    According to Symantec, the bug, which affects a range of the company’s security products, is a “high” risk. Denmark security company Secunia has labeled it “highly critical.”

    According to an advisory issued by Secunia, the bug affects most of Symantec’s products, including enterprise and home user versions of Symantec AntiVirus, Symantec Norton AntiVirus and Symantec Norton Internet Security, across the Windows and Macintosh platforms.

    The vulnerability is within Symantec AntiVirus Library, which provides file format support for virus analysis. “During decompression of RAR files, Symantec is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected,” said security consultant Alex Wheeler, who first discovered the flaw. “These vulnerabilities can be exploited remotely, without user interaction, in default configurations through common protocols such as SMTP.”

    RAR is a native format for WinRAR, which is used to compress and decompress data. So far, the vulnerability has been reported in Dec2Rar.dll version and, according to Wheeler, potentially affects all Symantec products that use the DLL. The full list of products affected can be seen here.

    Symantec has not yet released a patch to address this problem. In the meantime, Wheeler recommends that users “disable scanning of RAR-compressed files until the vulnerable code is fixed.”

    This is not the first vulnerability Wheeler has discovered. In October, he highlighted a similar flaw in Kaspersky Lab’s antivirus software, which was later acknowledged by the company. Again, it was a heap overflow vulnerability.

    In February, he found a different heap overflow vulnerability in Symantec’s antivirus software.

  56. the zapkitty says

    Your “open port” analogy is correct…. but the hole I speak of is the legal dichotomy in that the EULA relies on a specific Windows configuration, and thus is not universally enforceable even on Windows systems the packaging may list… much less other operating systems.

    Uneven application and enforcement can mean that very bad things happen to such an “agreement” in court.

  57. Do Sony CDs break the law?

    Freedom to Tinker has an interesting post on whether the DRM software on Sony CDs violates the Computer Fraud and Misuse Act.
    The conclusions that Ed Felten comes to are interesting.

    So here’s my very tentative bottom line: XCP is…

  58. Windows Autorun is enabled by default. Ask any windows user if they have disabled autorun and you are likely to be confronted with a blank stare. Worse, the default if you double click on the icon in “my computer” is autorun, not open, at least if there is autorunnable software (I have it disabled and occasionally make this mistake).

    Just because I have an open port on my computer doesn’t mean it is an invitation for anyone to access anything on my system (and in the sense I mean it, courts have ruled so).

    Normally autorun doesn’t alter my system in any way. It usually opens the main program on the CD, which often can run from the CD and not require anything to be altered on my computer, much less any permanent alteration, and certainly not malware. It is like an unlocked door – I’m not inviting thieves and vandals into my home just because I forget to set every lock. I may leave the door unlocked because I’m expecting known guests.

    I would also agree with the “intent” problem, at least their slow reaction when everyone was screaming “fire”. When Tylenol was sabotaged with poison, they immediately recalled all capsules, they didn’t offer to provide poison detection and removal kits via mail.
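Comments 43 and 58 both turn on two Windows defaults of the era: Autorun launching whatever is on an inserted disc, and the first XP Home account running as an administrator. The following PowerShell audit script is an added example, not code from the original post or from any of the companies discussed; it reads the Microsoft-documented NoDriveTypeAutoRun policy value (the 0x20 bit corresponds to CD/DVD drives, 0xFF disables Autorun on every drive type) and reports whether the current session holds administrator rights. The function names and the report layout are this example's own.

```powershell
# Added example (not from the original page): audit Autorun policy and
# administrator status, the two conditions under which a disc-borne
# installer can run and alter the system without a deliberate user action.

# Policy locations documented by Microsoft for the NoDriveTypeAutoRun bitmask.
$AutorunPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Bit in NoDriveTypeAutoRun that suppresses Autorun for CD/DVD drives (DRIVE_CDROM = 5 -> 1 shl 5).
$CdDvdBit     = 0x20
# Value that suppresses Autorun for all drive types.
$DisableAll   = 0xFF

function Get-AutorunPolicy {
    # Returns one record per policy hive that defines NoDriveTypeAutoRun.
    foreach ($path in $AutorunPolicyPaths) {
        $item = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{
                Scope               = $path.Split(':')[0]
                NoDriveTypeAutoRun  = ('0x{0:X2}' -f $item.NoDriveTypeAutoRun)
                CdDvdAutorunBlocked = (($item.NoDriveTypeAutoRun -band $CdDvdBit) -ne 0)
                AllAutorunBlocked   = (($item.NoDriveTypeAutoRun -band $DisableAll) -eq $DisableAll)
            }
        }
    }
}

function Test-IsAdministrator {
    # True when the current token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-AutorunAudit {
    param(
        # When set, writes the machine-wide policy that disables Autorun on all drives.
        # Requires an elevated session.
        [switch]$Harden
    )

    $policies = @(Get-AutorunPolicy)
    if ($policies.Count -eq 0) {
        Write-Output 'No NoDriveTypeAutoRun policy found: Windows default Autorun behaviour applies.'
    } else {
        $policies | Format-Table -AutoSize | Out-String | Write-Output
    }

    $isAdmin = Test-IsAdministrator
    Write-Output ("Current session is administrator: {0}" -f $isAdmin)
    if ($isAdmin) {
        Write-Output 'Software launched by Autorun in this session can modify the whole system.'
    }

    if ($Harden) {
        if (-not $isAdmin) {
            throw 'Hardening the HKLM policy requires an elevated session.'
        }
        $hklm = $AutorunPolicyPaths[0]
        if (-not (Test-Path $hklm)) { New-Item -Path $hklm -Force | Out-Null }
        Set-ItemProperty -Path $hklm -Name 'NoDriveTypeAutoRun' -Value $DisableAll -Type DWord
        Write-Output ('Set {0}\NoDriveTypeAutoRun = 0x{1:X2}' -f $hklm, $DisableAll)
    }
}

# Usage: report only, then (in an elevated shell) apply the restrictive policy.
Invoke-AutorunAudit
# Invoke-AutorunAudit -Harden
```

The audit deliberately reports the two facts separately, because the comments above make the same point: Autorun on its own only launches a program from the disc, and it is the combination with an administrator session that lets that program install kernel drivers and leave the persistent changes the thread describes.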

  59. Carlie Coats says

    IANAL either, but in giving Sony the benefit of the doubt on “intentionally” you may be giving them a free ride: there is a legal doctrine that says that someone must be presumed competent in his own field; consequently, damage caused thereby may be assumed intentional.

  60. I think maybe you’re too quick to give Sony/BMG a pass on this.
    Whether or not they knew about these issues when they released the CDs (and that’s arguable, see zapkitty’s remark above), by now they most assuredly DO know about the issues, and they continue to distribute the MediaMax CDs. If I’m on the jury, Sony/BMG is guilty.

  61. the zapkitty says

    (The zapkitty sneaks into the discussion again, weighing in on the practical side…)

    The EULA in current audio CD “DRM” arrangements are only launched when Windows Autorun is enabled. Since Autorun is not “legally mandated” as part of Windows operations, that leaves the whole EULA thing out of the question… along with the malware… but if the EULA is only inflicted on those unenlightened folks who run Windows with Autorun, doesn’t that create a hole in the “valid authorization and enforcement” theory?

    Secondly, although I’m sure documents are being shredded and evidence burned as I type, there is the consistent and strong assertion from the Sunncomm/Mediamax shills that their latest malware was designed to Sony specifications.

    And of course F4I/XCP is toast in that regard…

  62. How about this for damage: I am a librarian at a small library. We’ve had to pull the one xcp disk we owned and send it in to be replaced. We pulled the MediaMax cds (all versions) and placed warning labels on them. I created a web page about the issue. My director and I have spent a lot of time discussing this issue and our responsibilities to our patrons who may have used these disks.

    This time, effort and energy is damage caused by their tactics without harm to a computer per se. Is it $5000? I’d like to think my time is priceless, but hey, I’m a librarian for crying out loud.

    These are my opinions, not my library’s.

  63. Ed has correctly identified the crucial points. I am not a lawyer either, so my comments are those of a layman. My fundamental problem rests on the word “authorization”. I do not believe that EULAs constitute legitimate enforceable contracts, therefore the installation of DRM programs constitutes trespass. I hope that we can someday get a clear precedent setting legal opinion finding EULAs are not valid contracts. In terms of Ed’s post, the definition of “authorization” is fundamental to utilizing CFAA.

    Next is the definition of “the accesser is not entitled so to obtain or alter”. Again, the EULAs purport to give the vendor the right to use your computer to do whatever is necessary to protect their so-called intellectual property. Pursuing a case under CFAA will require that other laws (which purport to protect DRM rights) be partially or wholly overturned.

  64. Has CFAA ever been invoked against a player of any size in the computer industry? My impression was that the “grey area” of authorization that you mention had pretty much expanded to any legitimate business that sold you something to put in your machine.