SonyBMG and First4Internet, the companies caught installing rootkit-like software on the computers of people who bought certain CDs, have taken their first baby steps toward addressing the problem. But they still have a long way to go; and they might even have made the situation worse.
Yesterday, the companies released a software update that they say “removes the cloaking technology component that has been recently discussed in a number of articles”. Reading that statement, and the press statements by company representitives, you might think that that’s all the update does. It’s not.
The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function – they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.
No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert – falsely – that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.
The companies need to come clean with the public – their customers – about what they did in the first place, and what they are doing now. At the very least, they need to tell us what is in the software update they’re now distributing.
Meanwhile, lawprof Eric Goldman asks whether the SonyBMG EULA adequately disclosed what the company was doing to users’ computers. If not, the company may be legally liable for trespass to chattels, or may even have violated the Computer Fraud and Abuse Act. Goldman concludes that the disclosure may be adequate as a legal matter, though he doesn’t assert that it’s a good business practice.
While the legal question is beyond my expertise, it’s awfully hard to see how, from a common-sense viewpoint, SonyBMG could be said to have disclosed that they might be installing rootkit-like software. Surely the user’s consent to installing “a small proprietary software program … intended to protect the audio files embodied on the CD” does not give SonyBMG free rein to do absolutely anything they like to the user’s computer. Whether, as a legal matter, Sony exceeded their user-granted authorization to modify the user’s computer would ultimately be for a court to decide.
Goldman says, with some justification, that today’s EULAs expose a “crisis” in contract law by attenuating, almost beyond recognition, the notion of consent to a contract. Part of the problem is the well-known fact that hardly anybody reads EULAs. But another part of the problem is that EULAs don’t give even the most diligent users a clear idea of what they are consenting to.