September 29, 2022

Sony-BMG Sues Maker of Bad DRM

Major record company Sony-BMG has sued the company that made some of the dangerous DRM (anti-copying) software that shipped on Sony-BMG compact discs back in 2005, according to an Antony Bruno story in Billboard.

Longtime Freedom to Tinker readers will remember that back in 2005 Sony-BMG shipped CDs that opened security holes and invaded privacy when inserted into Windows PCs. The CDs contained anti-copying software from two companies, SunnComm and First4Internet. The companies’ attempts to fix the problems only made things worse. Sony-BMG ultimately had to recall some of the discs, and faced civil suits and government investigations that were ultimately settled. The whole episode must have cost Sony-BMG many millions of dollars. (Alex Halderman and I wrote an academic paper about it.)

One of the most interesting questions about this debacle is who deserved the blame. SunnComm and First4Internet made the dangerous products, but Sony-BMG licensed them and distributed them to the public. It’s tempting to blame the vendors, but the fact that Sony-BMG shipped two separate dangerous products has to be part of the calculus too. There’s plenty of blame to go around.

As it turned out, Sony-BMG took most of the public heat and shouldered most of the financial responsibility. That was pretty much inevitable considering that Sony-BMG had the deepest pockets, was the entity that consumers knew, and had by far the most valuable brand name. The lawsuit looks like an attempt by Sony-BMG to recoup some of its losses.

The suit will frustrate SunnComm’s latest attempt to run from its past. SunnComm had renamed itself as Amergence Group and was trying to build a new corporate image as some kind of venture capitalist or start-up incubator. (This isn’t the first swerve in SunnComm’s direction – the company started out as a booking agency for Elvis impersonators. No, I’m not making that up.) The suit and subsequent publicity won’t help the company’s image any.

The suit itself will be interesting, if it goes ahead. We have long wondered exactly what Sony knew and when, as well as how the decision to deploy the dangerous technology was made. Discovery in the lawsuit will drag all of that out, though it will probably stay behind closed doors unless the case makes it to court. Sadly for the curious public, a settlement seems likely. SunnComm/Amergence almost certainly lacks the funds to fight this suit, or to pay the $12 million Sony-BMG is asking for.

DMCA Exemptions Granted

Last Wednesday afternoon the U.S. Copyright Office released its list of DMCA exemptions for the next three years. The timing is interesting: releasing news in the afternoon of the day before Thanksgiving is a near-optimal strategy if you want that news to escape notice and coverage in the U.S.

The purpose of these exemptions is to prevent harm to the public from overbreadth of the DMCA’s prohibition on circumventing technologies that control access to copyrighted works. Exemptions last three years.

The good news is that six exemptions were granted, the most ever:

  • Professors can make compilations of film and video material for research or teaching.
  • Archivists can preserve copies of old programs and computer games.
  • Anyone can work around broken hardware “dongles” that prevent access to software programs.
  • Blind people can use software to have e-books read aloud.
  • Wireless phone customers can switch their phones to a different wireless provider.
  • Anyone can study, test, or remove malware distributed on CDs.

(These are summaries; the exact scope of each exemption is detailed in the original document.)

I’m particularly happy about the last exemption, which was requested by Alex Halderman and me, with lots of help from Deirdre Mulligan and Aaron Perzanowski. The exemption is narrower than I would have liked – plenty of valuable research still raises legal issues – but it’s good to see official recognition that the DMCA has harmed research.

The not-so-good news is in some of the exemptions that were not granted. The exemption for censorware research was not renewed, mostly because its most effective advocates, such as Seth Finkelstein, got tired of re-requesting it. (Even if nothing has changed, each exemption must be re-requested every three years through the same bureaucratic process – one example of how the playing field is tilted against exemptions.)

Also, exemptions for space-shifting (e.g. downloading content into portable players like iPods) and backing up digital media were denied. As usual, the Copyright Office pretended not to know what everybody else seems to know, e.g. that digital media are fragile and need to be backed up.

On the other hand, they did seem to recognize the DMCA’s harm to public discourse. The exemptions for film scholarship, archiving, access by the blind, and malware research all address harms to public debate caused by the DMCA. Fair use is sometimes broken down into two categories: transformative uses such as scholarship, research and parody; and personal uses such as time-shifting and space-shifting. The Copyright Office now seems to recognize that the DMCA is harming transformative use.

But what they don’t yet see, apparently, is the harm to personal use – hence the denial of the space-shifting and backup requests. Worse yet, they didn’t even acknowledge that these personal uses are lawful in the first place. In short, the Copyright Office still isn’t willing to grapple with the issues of most direct interest to the public. Maybe they’ll catch on three years from now, or six. Or maybe the new Congress will act sooner and reform the DMCA.

(Derek Slater has a nice summary of some other commentary.)

Ed Talks in SANE

Today, I gave a keynote at the SANE (System Administration and Network Engineering) conference, in Delft, the Netherlands. SANE has an interesting group of attendees, mostly high-end system and network jockeys, and people who like to hang around with them.

At the request of some attendees, I am providing a PDF of my slides, with a few images redacted to placate the copyright gods.

The talk was a quick overview of what I used to think of as the copyfight, but I now think of as the technologyfight. The first part of the talk set the stage, using two technologies as illustrations: the VCR, and Sony-BMG’s recent copy-protected CDs. I then switched gears and talked about the political/regulatory side of the techfight.

In the last part of the talk, I analogized the techfight to the Cold War. I did this with some trepidation, as I didn’t want to imply that the techfight is just like the Cold War or that it is as important as the Cold War was. But I think that the Cold War analogy is useful in thinking about the techfight.

The analogy works best in suggesting a strategy for those on the openness/technology/innovation/end-to-end side of the techfight. In the talk, I used the Cold War analogy to suggest a three-part strategy.

Part 1 is to contain. The West did not seek to win the Cold War by military action; instead it tried to contain the other side militarily so as to win in other ways. Similarly, the good guys in the techfight will not win with lawyers; but lawyers must be used when necessary to contain the other side. Kennan’s definition of containment is apt: “a long-term, patient but firm and vigilant containment of [the opponent’s] expansive tendencies”.

Part 2 is to explain. This means trying to influence public opinion by explaining the benefits of an open and free environment (in the Cold War, an open and free society) and by rebutting the other side’s arguments in favor of a more constraining, centrally planned system.

Part 3 is to create. Ultimately the West won the Cold War because people could see that ordinary citizens in the West had better, more creative, more satisfying lives. Similarly, the best strategy in the techfight is simply to show what technology can do – how it can improve the lives of ordinary citizens. This will be the decisive factor.

In the break afterward, somebody referred to a P.J. O’Rourke quote to the effect that the West won the Cold War because it, unlike its opponents, could provide its citizens with comfortable shoes. (If you’re the one who told me this, please remind me of your name.) No doubt O’Rourke was exaggerating for comic effect, but he did capture something important about the benefits of a free society and, by analogy, of a free and open technology ecosystem.

Another American approached me afterward and said that by talking about the Cold War as having been won by one side and lost by the other, I was portraying myself, to the largely European audience, as the stereotypical conservative American. I tried to avoid giving this impression (so as not to distract from my message), calling the good side of the Cold War “the West” and emphasizing the cultural rather than military aspects of the Cold War. I had worried a little about how people would react to my use of the Cold War analogy, but ultimately I decided that the analogy was just too useful to pass up. I think it worked.

All in all, it was great fun to meet the SANE folks and see Delft. Now back to real life.

RIAA Says Future DRM Might "Threaten Critical Infrastructure and Potentially Endanger Lives"

We’re in the middle of the U.S. Copyright Office’s triennial DMCA exemption rulemaking. As you might expect, most of the filings are dry as dust, but buried in the latest submission by a coalition of big copyright owners (publishers, Authors’ Guild, BSA, MPAA, RIAA, etc.) is an utterly astonishing argument.

Some background: In light of the Sony-BMG CD incident, Alex and I asked the Copyright Office for an exemption allowing users to remove from their computers certain DRM software that causes security and privacy harm. The CCIA and Open Source and Industry Association made an even simpler request for an exemption for DRM systems that “employ access control measures which threaten critical infrastructure and potentially endanger lives.” Who could oppose that?

The BSA, RIAA, MPAA, and friends – that’s who. Their objections to these two requests (and others) consist mostly of lawyerly parsing, but at the end of their argument about our request comes this (from pp. 22-23 of the document, if you’re reading along at home):

Furthermore, the claimed beneficial impact of recognition of the exemption – that it would “provide an incentive for the creation of protection measures that respect the security of consumers’ computers while protecting the interests of the record labels” ([citation to our request]) – would be fundamentally undermined if copyright owners – and everyone else – were left in such serious doubt about which measures were or were not subject to circumvention under the exemption.

Hanging from the end of the above-quoted excerpt is a footnote:

This uncertainty would be even more severe under the formulations proposed in submissions 2 (in which the terms “privacy or security” are left completely undefined) or 8 [i.e., the CCIA request] (in which the boundaries of the proposed exemption would turn on whether access controls “threaten critical infrastructure and potentially endanger lives”).

You read that right. They’re worried that there might be “serious doubt” about whether their future DRM access control systems are covered by these exemptions, and they think the doubt “would be even more severe” if the “exemption would turn on whether access controls ‘threaten critical infrastructure and potentially endanger lives’.”

Yikes.

One would have thought they’d make awfully sure that a DRM measure didn’t threaten critical infrastructure or endanger lives, before they deployed that measure. But apparently they want to keep open the option of deploying DRM even when there are severe doubts about whether it threatens critical infrastructure and potentially endangers lives.

And here’s the really amazing part. In order to protect their ability to deploy this dangerous DRM, they want the Copyright Office to withhold from users permission to uninstall DRM software that actually does threaten critical infrastructure and endanger lives.

If past rulemakings are a good predictor, it’s more likely than not that the Copyright Office will rule in their favor.

Sony CD DRM Paper Released

Today Alex and I released our paper about the Sony CD DRM episode. This is the full, extended version of the paper, with a bunch of new material that hasn’t been published or posted before.

As an experiment, we posted draft sections of the paper here and asked readers for comments and feedback. The experiment was a success, giving us lots of good comments and suggestions that helped us improve the paper. Several reader-commenters are thanked in the paper’s acknowledgments section.

We also asked readers to help suggest a title for the paper. That didn’t work out so well – some suggestions were entertaining, but none were really practical. Perhaps a title of the sort we wanted doesn’t exist.

Enjoy the paper, and thanks for your help.

[UPDATE (Feb. 21): If you don’t like PDFs, you can now read the paper in your browser, thanks to an HTML+images version created by Jesse Weinstein.]