Co-authored by Corynne McSherry and Marcia Hofmann
For years, EFF has been warning that the anti-circumvention provisions of the Digital Millennium Copyright Act can be used to chill speech, particularly security research, because legitimate researchers will be afraid to publish their results lest they be accused of circumventing a technological protection measure. We've also been concerned that the Computer Fraud and Abuse Act could be abused to try to make alleged contract violations into crimes.
We've never been sorrier to be right. These two things are precisely what's happening in Sony v. Hotz. If you have missed this one, Sony has sued several security researchers for publishing information about security holes in Sony’s PlayStation 3. At first glance, it's hard to see why Sony is bothering — after all, the research was presented three weeks ago at the Chaos Communication Congress and promptly circulated around the world. The security flaws discovered by the researchers allow users to run Linux on their machines again — something Sony used to support but recently started trying to prevent. Paying lawyers to try to put the cat back in the bag is just throwing good money after bad. And even if they won — we'll save the legal analysis for another post — the defendants seem unlikely to be able to pay significant damages. So what's the point?
The real point, it appears, is to send a message to security researchers around the world: publish the details of our security flaws and we'll come after you with both barrels blazing. For example, Sony has asked the court to immediately impound all "circumvention devices" — which it defines to include not only the defendants' computers, but also all "instructions," i.e., their research and findings. Given that the research results Sony presumably cares about are available online, granting the order would mean that everyone except the researchers themselves would have access to their work.
Not content with the DMCA hammer, Sony is also bringing a slew of outrageous Computer Fraud and Abuse Act claims. The basic gist of Sony's argument is that the researchers accessed their own PlayStation 3 consoles in a way that violated the agreement that Sony imposes on users of its network (and supposedly enabled others to do the same). But the researchers don't seem to have used Sony's network in their research — they just used the consoles they bought with their own money. Simply put, Sony claims that it's illegal for users to access their own computers in a way that Sony doesn't like. Moreover, because the CFAA has criminal as well as civil penalties, Sony is actually saying that it's a crime for users to access their own computers in a way that Sony doesn't like.
That means Sony is sending another dangerous message: that it has rights in the computer it sells you even after you buy it, and therefore can decide whether your tinkering with that computer is legal or not. We disagree. Once you buy a computer, it's yours. It shouldn't be a crime for you to access your own computer, regardless of whether Sony or any other company likes what you're doing.