On Monday, EFF went to superior court in North Carolina in order to challenge e-voting recidivist Diebold and their attempt to skirt the state's strong new election transparency rules. Diebold pleaded with the court for an exemption from the statute's requirement to escrow "all software that is relevant to functionality, setup, configuration, and operation of the voting system" and to release a list of all programmers who worked on the code because... well... it simply couldn't do it. It would likely be impossible, said Diebold, to escrow all of the third party software that its system relied on (including Windows).
What a difference a few days make.
When we recently reported that the DOJ had chosen not to appeal two court decisions that forcefully rejected its secret requests to track cell phones without probable cause, we expressed our fear that the government would keep trying to secretly convince other judges to grant these illegal orders while avoiding appellate review.
Spotting Sony BMG's DRM in the wild can be challenging. While many have a standardized disclosure box on the back, CDs with the SunnComm MediaMax software have a far wider array of indicia; notably stickers on the front and, less helpfully, fine print on the back.
Real Networks today announced the availability of a web-based version of its Rhapsody music service. Finally, there is a listen-on-demand authorized music service with deep major label catalog that Mac and Linux users can use. I expect Napster 2.0 and Yahoo! will feel competitive pressure to migrate to a cross-platform, browser-based solution, as well.
After failing to reach a compromise on the final draft of the USA PATRIOT renewal bill, as described previously, Congress headed home for some turkey and put off the debate until after the Thanksgiving holiday.
Now everyone's back, and the word through the grapevine is not good. We're hearing that a final version of the conference report, essentially unchanged from the last version that we described here, will be coming down in the next day or two. A vote on the Senate and House floors is expected shortly thereafter--probably this week.
It's really getting down to the wire, so if you haven't already, call your Members of Congress today and say No! to PATRIOT renewal.
EFF and Sony-BMG today announced the existence of a new security vulnerability that affects Sony-BMG CDs that include SunnComm MediaMax Version 5 copy protection software. The vulnerability was discovered by the security firm iSEC Partners after EFF requested an examination of the SunnComm software.
Next Steps Unclear, Action Still Needed
Backroom deals have watered-down the best reforms and opportunistic politicians have bolted on unpopular additions. However, several other senators refuse to go along with the deal, and a filibuster may be in the offing next week. Call your senators and representative now, and demand they vote "no" on PATRIOT renewal!
Mr. Kevin M. Clement
President and Chief Executive Officer
MediaMax Technologies, Inc.
As you know, we have already discovered one security concern arising from the MediaMax software, resulting in the patch issued on Tuesday and the revised patch issued yesterday.
The Electronic Frontier Foundation (EFF) remains concerned that additional security flaws will be discovered in MediaMax software, in both version 5 and version 3. EFF isn't alone in this concern. Indeed, as Professor Ed Felten has noted, "Experience teaches that where there is one bug, there are probably others. That's doubly true where the basic design of the product is risky. I'd be surprised if there aren't more security bugs lurking in MediaMax." See http://www.freedom-to-tinker.com/?p=944.
EFF was sad but not surprised to discover that the security holes in the software Sony BMG has placed on its CDs did not end with the XCP rootkit. As reported on EFF's site Tuesday equally troubling risks are built into CDs loaded with another type of software, MediaMax version 5. Given the nature of the software being forced on consumers along with their music, we fully expect that more problems will be uncovered.
But EFF is pleased to see that Sony BMG has begun to learn from experience in at least one way. In responding to the newly discovered problems with MediaMax version 5, Sony BMG has at last taken the obvious step we suggested last month--using its artists' websites to notify consumers of the security risks.
When I buy a CD, I look forward to having the lyrics printed in the liner notes. That's part of what I expect in exchange for my money. If the record label omits the lyrics, I feel I'm entirely within my fair use rights to listen closely to the recording and copy down the lyrics. Similarly, I'm within my fair use rights when I use a search engine to find the lyrics of the music I've legitimately purchased. And thanks to Apple's iTunes software, I now can add those lyrics to the digital copies of the music I've purchased and have them appear when the song plays on my iPod.
Apparently, at least one music publisher thinks that makes me a music pirate. Yes, annotating music I've legitimately purchased with lyrics makes me a pirate, according to music publishing giant Warner/Chappell.
While Sony BMG has only offered a patch for the MediaMax'd CDs that have a serious security problem, a recent Rolling Stone article notes that the band My Morning Jacket is offering its own recall of the MediaMax'd discs:
Mike Martinovich, manager for My Morning Jacket, says that even before the revelation of MediaMax's security problems, his company had been mailing burned, unprotected copies of MMJ's new album Z to fans who complained that MediaMax prevented them from transferring songs to their iPods. "It should have been enough that fans are annoyed," he says. "But this should be the final reason."
As you may know, EFF filed suit last week on behalf of voting integrity advocate Joyce McCloy, arguing that the North Carolina Board of Elections ignored its obligation to test all electronic voting system source code before certifying those systems for use in the state. Wednesday, the judge in the case asked for further briefing on the issue and additional oral argument in a hearing set for Dec. 21.
At issue is North Carolina's tough election transparency law, which requires the Board of Elections to review all e-voting code "prior to certification." However, on Dec. 1, the board certified voting systems from Diebold Election Systems, Sequoia Voting Systems, and Election Systems and Software without having first obtained -- let alone reviewed -- the system code.
That's the question that pearLyrics asked today on its homepage. But the cautious optimism from developer Walter Ritter comes after a rough week.
pearLyrics is software that automates the process of adding lyrics to iTunes tracks. As EFF's Fred von Lohmann outlined in his blog post Tuesday, Ritter recently received a cease & desist letter from Warner/Chappell Music. The letter claimed that Ritter was liable for copyright infringement because he developed a tool that "enable[s] the reproduction and downloading" of song lyrics. Fred fired off a open letter in response, pointing out that while the software does not violate U.S. copyright law, if Warner/Chappell went through with its threats, it could get in its own legal trouble.
It's the best holiday gift any civil libertarian could hope for: a bipartisan coalition of Senators has refused to end a filibuster that is blocking renewal of the USA PATRIOT Act. The group of Democrats and Republicans are rightly concerned that the PATRIOT renewal bill lacks meaningful checks and balances to protect civil liberties from roving wiretaps, secret search warrants, super-secret demands for private records, and the many other broad police powers that Congress granted in haste immediately after the 9/11 attacks. Many of those PATRIOT powers are set to expire on December 31st—but Congress is set to adjourn for the holidays today.
Displaying political courage too rarely seen, the Volusia County Council today voted to reject Diebold's proposal for a paperless e-voting system and instead adopt a more expensive contract with competitor ES&S. This contract will eventually lead to the use of a ballot marking system that will ensure an auditable, voter-verified process.
The County Council had been subject to powerful pressure from Diebold, the National Federation of the Blind, and the state of Florida -- including threats of criminal sanctions -- to adopt Diebold's system. In July, the NFB filed suit against the Council, demanding that the County adopt the NFB's favored system even though federal accessibility requirements do not kick in until January 1st.
While the Senate was standing up for civil liberties, the House was handing out a Christmas gift to Hollywood. For digital consumers and innovators, however, it looks to be a nasty stocking-filler.
Representatives Sensenbrenner and Conyers have introduced H.R. 4569, the "Digital Transition Content Security Act of 2005," a.k.a. the return of the MPAA's "Plugging the Analog Hole" scheme, which is itself just a variant on the dreaded "Hollings Bill" introduced back in 2002.
The new bill is a rehash of the one we first mentioned on Halloween. It would impose strict legal controls on any video analog to digital (A/D) convertors "manufacture[d], imported or otherwise traffic[ed]" in the United States.
My most recent column at Law.com, "Sony-BMG's Copy-Protection Quagmire", describes the various legal theories that have been brought against Sony-BMG over the CD copy-protection debacle. The quick summary: more than a dozen class action suits filed around the country, based on a mix of state anti-spyware statutes, the federal Computer Fraud and Abuse Act, common law trespass to chattels claims, and state law consumer protection and deceptive advertisting statutes.
Complete text of the article after the jump.
Sony BMG's Copy-Protection Quagmire
Fred von Lohmann
Special to Law.com
The Texas Attorney General announced today that Texas is expanding its lawsuit against Sony BMG to include the SunnComm MediaMax CDs, which are also part of EFF's lawsuit against Sony BMG. The Texas AG's press release explained:
The Attorney General alleges the company's "MediaMax" technology for copy protection violates the state's spyware and deceptive trade practices laws in that consumers who use these CDs are offered a license agreement, but even if consumers reject that agreement, files are secretly installed on their computers that pose additional security risks to those systems.
Yesterday, Magistrate Judge Gorenstein of the federal court for the Southern District of New York issued an opinion permitting the government to use cell site data to track a cell phone's physical location, without the government having to obtain a search warrant based on probable cause.
CNN is reporting breaking news that the Senate has ended its impasse over USA PATRIOT Act renewal. As we told you previously, pro-PATRIOT lawmakers have been unable to end a filibuster by senators demanding that new protections for civil liberties be added to the renewal bill. With the "sunsetting" provisions of PATRIOT set to expire on December 31st and the holiday recess fast approaching, the Administration and its supporters in the Senate have now chosen to cut a deal: the sunsetting provisions will be extended for another six months, allowing more time for debate on what reforms must be added to the PATRIOT Act before complete renewal. It's not yet clear how the House of Representatives will respond, but we think it's likely to accept the deal tomorrow (knock on wood).
The House passed a one-month extension of the Patriot Act on Thursday and sent it to the Senate for final action as Congress scrambled to prevent expiration of anti-terror law enforcement provisions on Dec. 31.
Approval came on a voice vote in a nearly empty chamber, after Rep. James Sensenbrenner, R-Wis., chairman of the House Judiciary Committee, refused to agree to a six-month extension the Senate cleared several hours earlier....
It was not clear when the Senate would act on the one-month bill, but approval was possible by evening.
We'll let you know what the Senate ends up doing.
Last week, the New York Times reported that President Bush personally authorized the National Security Agency (NSA) to wiretap the international phone and email communications of people within the U.S., all without getting search warrants. We've gotten several inquiries from people wondering what EFF thinks about it, and whether we plan on suing anyone.
The suspense is over. After a weeks-long game of brinksmanship, the Senate and House have agreed to extend the sunsetting provisions of PATRIOT--which were scheduled to expire on December 31st--until February 3rd. The President plans on signing the bill.
Following a flurry of litigation that found EFF fighting both alongside and against the state Board of Elections, Diebold on Thursday withdrew from the North Carolina procurement process, ceding the state's voting machine business to rival ES&S.
"The proposed settlement will provide significant benefits for consumers who bought the flawed CDs," said EFF Legal Director Cindy Cohn. "Under the terms, those consumers will get what they thought they were buying--music that will play on their computers without restriction or security risk. EFF is continuing discussions with Sony BMG, however, and believes that there is more they can do to protect music lovers in the future."
"Sony agreed to stop production of these flawed and ineffective DRM technologies," noted EFF Staff Attorney Kurt Opsahl. "We hope that other record labels will learn from Sony's hard experience and focus more on the carrot of quality music and less on the stick of copy protection."