My most recent column at Law.com, "Sony-BMG's Copy-Protection Quagmire", describes the various legal theories that have been brought against Sony-BMG over the CD copy-protection debacle. The quick summary: more than a dozen class action suits filed around the country, based on a mix of state anti-spyware statutes, the federal Computer Fraud and Abuse Act, common law trespass to chattels claims, and state law consumer protection and deceptive advertisting statutes.

Complete text of the article after the jump.

Sony BMG's Copy-Protection Quagmire

Fred von Lohmann
Special to Law.com
12-19-2005

Sony BMG is the world's second largest music company, responsible for approximately one-quarter of all album sales in the United States. Among the CDs that it has been selling in 2005, however, are millions that include "copy-protection" software. If the owner of one of these CDs wants to play or copy these CDs on her Windows computer, she must first install software intended to restrict the number and kind of copies that her computer can make.

After quietly distributing these CDs for months, Sony BMG was caught flat-footed when computer security professionals in early November 2005 discovered that its copy-protection software creates serious security risks. At least one variant of the protection software installs itself even if users decline the pop-up "end-user license agreement" and eject the CD. Moreover, when the CDs are played, the software "phones home" to servers controlled by Sony BMG, reporting details regarding the user's listening habits. Finally, once installed, the copy-protection software is difficult, if not impossible, to uninstall.

The response from customers, musicians and consumer journalists has been swift and merciless. A reporter for Stereophile magazine put it this way: "In other words, Sony installs files on its consumers' computers without their permission, does not allow the files to be removed, and spies on its customers." His verdict: "Weasels, we calls 'em." On the opinion pages of The New York Times, a working musician urged the music industry to recognize that "copy-protection software is bad for everyone, consumers, musicians and labels alike." At online retailer Amazon.com, the reviews of Sony BMG's copy-protected CDs are filled with customer complaints.

But the public relations meltdown was only the beginning of Sony BMG's troubles. Within weeks, more than 10 class action lawsuits in both state and federal courts had been filed against Sony BMG (including two in which this author serves as counsel). Texas Attorney General Greg Abbott has also filed an action against Sony BMG, and the attorneys general of New York, Illinois and Massachusetts have expressed concern about the CDs in question.

Sony BMG's experience is quickly shaping up into an object lesson in the legal risks that companies can face when they distribute faulty software and mislead the public.

THE PROBLEM AND SONY BMG'S RESPONSE

All of Sony BMG's copy-protected CDs include one of two protection technologies, either First4Internet's Extended Copy Protection (XCP) or SunnComm's MediaMax software.

The initial security revelations, published on the SysInternals Web log in early November 2005, related to the XCP software. The Web log reported that the XCP software automatically installed a "rootkit" on Windows computers. A "rootkit" is essentially the computer equivalent of Harry Potter's invisibility cloak, permitting software to render itself "invisible" to a computer's operating system, anti-virus and anti-spyware software, thereby hiding itself from the computer user. Rootkits are generally associated with viruses, spyware and other "malware" that wants to burrow deep into a computer in order to avoid discovery and removal. The XCP rootkit posed a serious security risk because, once installed on a user's computer, it could be used by other third parties to hide their own malicious software.

Sony BMG initially responded to the XCP revelations by attempting to downplay the risks, with one senior Sony BMG executive opining that "most people, I think, do not even know what a rootkit is, so why should they care about it?" While typical computer users may not have appreciated the vulnerabilities created by XCP's rootkit feature, virus writers responded within days by developing and releasing viruses designed to exploit it. Soon thereafter, the leading makers of anti-spyware and anti-virus tools, including Microsoft, Symantec and Computer Associates, branded XCP a security threat. Their concerns were soon echoed by the U.S. Computer Emergency Readiness Team (US-CERT), an arm of the Department of Homeland Security charged with the task of protecting the nation's Internet infrastructure.

Security woes were only part of the problem. Having paid full retail price for the CDs, music fans got them home only to discover that using them on a computer was subject to a bewildering and outrageous array of contractual conditions imposed by a mandatory "end-user license agreement" (EULA). For example, the EULA includes provisions purporting to require the immediate deletion of all copies if a user files for personal bankruptcy or parts with possession of the CD (including, presumably, if the CD were stolen from your car). The EULA also attempts to limit Sony BMG's liability to no more than $5, well short of a refund of the purchase price, and to force consumers to litigate in New York if they have any disputes with Sony BMG. In short, when it came to using these CDs on their computers, music fans are getting far less for their money than they had with traditional CDs.

Sony BMG's initial efforts to address the problem were half-hearted, at best. An early uninstaller, offered to customers only after completing a complex request procedure, created new security vulnerabilities. Nearly two weeks elapsed before Sony BMG finally announced that it would halt further production of the XCP CDs. Ultimately, Sony BMG announced that it would offer to exchange XCP-protected CDs for unprotected replacements. More than a month after the initial public revelations, a revised XCP uninstaller was finally released.

The other copy-protection technology, SunnComm's MediaMax, presented its own problems. Researchers discovered that the MediaMax software installed itself on Windows computers even when users declined the pop-up license agreement. When Sony BMG released an uninstaller for MediaMax, it created additional security risks. The Electronic Frontier Foundation (EFF) subsequently commissioned an examination of the MediaMax software, revealing a potentially dangerous security vulnerability. When Sony BMG released a "patch" to address this flaw, another vulnerability was discovered, necessitating the withdrawal of the patch.

Both XCP and MediaMax are also troubling from a privacy perspective, as they routinely transmit information over the Internet to servers controlled by Sony BMG, sending information about a user's listening habits. This "phone home" feature is not disclosed to CD buyers, who are instead told by Sony BMG that "no information is ever collected about you or your computer without your consenting."

THE LEGAL CLAIMS

The numerous lawsuits filed against Sony BMG in the wake of the protected-CD debacle provide an illuminating overview of the kinds of claims that companies may face when distributing faulty software.

One set of claims is rooted in statutes forbidding computer intrusion. For example, a number of the class action complaints rely on the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ? 1030, which forbids accessing a computer without, or in excess of, the authority of the owner of the computer. Private civil litigants are entitled to bring suit where the prohibited computer intrusion causes losses exceeding $5,000, threatens public health or safety, or damages a computer system used by government entities for judicial, national security or defense functions. Similar state laws have also been invoked, including California's Penal Code ?502, which prohibits the unauthorized introduction of a "contaminant" into a computer that transmits information about a computer to third parties without authorization.

Recently enacted state laws aimed at "spyware" and "adware" are a second basis for legal claims against Sony BMG. Class actions filed in California, for example, allege violations of recently enacted California Business & Professions Code ?22947.3, which prohibits deceptively taking control of a user's computer, modifying computer settings or preventing users from uninstalling software. Similarly, the Texas attorney general relied on the Consumer Protection Against Computer Spyware Act, Texas Business & Commercial Code ?48.053, which prohibits manipulating software in order to prevent a computer user from detecting, locating and removing the software. The Texas statute also prohibits intentionally misrepresenting that the installation of software is necessary for security or privacy reasons. ?48.055(1). In addition to California and Texas, 10 other states have enacted laws aimed at spyware, many of which may reach Sony BMG's conduct.

Several complaints brought in California also articulate claims based on the Consumer Legal Remedies Act (CLRA), California Civil Code ?1770, a state consumer protection statute applicable to consumer transactions involving goods. This statute forbids, among other things, the imposition of unconscionable contractual terms on consumers, misrepresentations about a product and misleading advertising.

Some class action complaints have also included common law trespass to chattels claims, alleging that Sony BMG's copy-protection software constitutes unauthorized intermeddling with the possessory interests of computer owners, resulting in damage to their computers. While this theory of liability has proven controversial when applied in Internet contexts, several courts have indicated a willingness to entertain such claims. See Register.com v. Verio, 356 F.3d 393, 404 (2d Cir. 2004); eBay v. Bidder's Edge, 100 F.Supp.2d 1058 (N.D. Cal. 2000).

Finally, many of the complaints include allegations that Sony BMG's conduct amounts to an unfair or deceptive trade practice, fraud, or false advertising under applicable state statutes. The class actions filed in California, for example, invoke California's Business & Professions Code ??17200 and 17500, while those filed in New York invoke General Business Law ??349 and ??350.

From a legal perspective, the many suits against Sony BMG will raise a welter of questions of first impression for the courts on whose dockets they appear. Whether those courts have an opportunity to rule on all of them may depend on whether Sony BMG opts to seek an early and comprehensive settlement aimed at repairing the damage that already has been done by its ill-considered copy-protection strategy. But irrespective of the outcome in these cases, counsel advising companies that distribute software with their products have been afforded a sneak preview of the kinds of legal actions that can be brought against clients that release defective software into the national marketplace.

Fred von Lohmann is a senior staff attorney with the Electronic Frontier Foundation, a San Francisco-based nonprofit devoted to protecting civil liberties and free expression in the digital world.

Related Issues