Dark clouds are gathering above the US headquarter of Sony BMG in New York. Complaints are showering down on the enterprise. Class actions zig-zag the once so blue sky of the world’s second largest entertainment company. Sony BMG is in deep trouble, and the forecasts are on "storm".
All this because of a small piece of software, Sony BMG’s newest Extended Copy Protection technology XCP, developed by First4Internet (cf. also the INDICARE Monitor article on intrusive DRM by Bohn 2005). Apparently, Sony BMG could not resist the temptation to pack more functionality into its DRM than is really needed to protect contents against unauthorised copying. After all, who would care? Or, to speak in the words of Sony BMG’s global digital business division president Thomas Hesse: "Most people, I think, don’t even know what a rootkit is, so why should they care about it?" (cited in EFF 2005). For those, who still do not know what a rootkit is: a rootkit is a piece of software that cloaks processes, files and logs from a computer’s operating system or from its antivirus programs with the effect that the owner of the computer will not notice that certain routines are performed on his or her computer, or that the software disturbs the transmission of data from terminals, CD drives or keyboards. Sony BMG’s XCP installs, unnoticed by the user, a piece of software that prevents consumers not only from copying the content of a CD more often than the allowed three times. XCP recognises and registers the CD that is played on a computer, identifies the IP number of the computer, is able to monitor and report user behaviour back to the firm, manipulates parts of the computer memory, crashes applications or the entire Windows operating system, interferes with file copying software and other media players and, accidentally, offers shelter for viruses, worms and other nasty things. Attempts to remove the software can lead to system crashes, malfunctions, un-usability of the CD drive and other damage at consumer's computers (Russinovich 2005a).

Luckily, somebody knew what a rootkit is, and could recognise one when he saw one. Mark Russinovich, chief software architect at Winternals Software Inc, discovered to his dismay that the Sony BMG CD "Get Right with the Man" by the Van Zant brothers installed not only an "underhanded and sloppily written" (Russinovich 2005a, but see also Hamm 2005) piece of software, but also a potentially harmful one. Russinovich documented his discovery on his blog, and the story soon made its way into the media. Comment from Russinovich: "This is the case of the blogosphere having an impact, at least for the moment" (Russinovich 2005b). The impact will be not just for the moment.

Class actions against Sony BMG based on consumer law
The first class action against Sony BMG on behalf of Sony BMG CD buyers was brought by a Californian lawyer, Alan Himmelfarb. One of the many things that is special about this case, is that, at least to the knowledge of the author, this was one of the first occasions that in the US an action on the basis of consumer law was brought against DRM. Until now, in the US the DRM discussion was generally kept in the copyright domain (see e.g. Liu 2003, Cohen 2005). Himmelfarb accused Sony BMG of the violation of Sections 1770 (a) 5 and 9 of the Californian Civil Code (this title in the Californian Civil Code is also known as the Consumer Legal Remedies Act; cf. sources). Section 1770 (a) 5 and 9 ban representing that goods or services have characteristics which they do not have, comparable to the European provision on misleading practices. According to Himmelfarb, by concealing the existence of the rootkit program, and what it does once installed on a user’s computer, Sony BMG has violated both sections of the Californian Civil Code and has committed unfair, deceptive and misleading business practices.

Not content with that, the Electronic Frontier Foundation (EFF) brought a second class action complaint against Sony BMG’s XCP technology. The EFF charge also includes the MediaMax technology used by Sony BMG. The EFF found that the MediaMax DRM has characteristics very similar to those of XCP. Again, the EFF claim is based on the Consumer Legal Remedies Act.

Scrutiny of the Sony BMG's EULA
In addition to the charge about misleading practices, the EEF complained about Sony BMG’s provisions in the consumer contract, in form of Sony BMG’s End User Licence Agreements ("EULA") for the XCP and MediaMax CDs. The EEF had a closer look at the EULAs and found, indeed, rather bizarre conditions:

  • restrictions on the user’s ability to use the digital content on the CD in the event that that consumer chose to leave the United States, speak: once you leave the country you are no longer allowed to listen to any of the CDs you purchased.
  • restrictions on resale and transfer of the digital content on the CDs, speak: no way that you can get rid of your infected CD by selling it to your uncle or at the flee market.
  • restrictions on the user’s ability to use the digital content on the CDs at work, speak: you go to work, the music stays home;
  • restrictions on the user’s ability to use and retain lawfully made copies of the digital content on the CDs in the event that the original CD is stolen or lost, speak: should anybody nick your CDs, you are obliged to also delete all remaining copies that you might have made, as if you didn’t have enough trouble already;
  • restrictions on the user’s ability to use the digital content on the CDs following a bankruptcy, speak: if you’ve lost your money you’re are not worthy to listen to Sony BMG music;
  • conditioning the user’s continued use of the digital content on the CDs on acceptance of all Sony BMG software updates, speak: you have to accept all updates that Sony BMG wants to smuggle onto your computer, or: forget about listening to your CD;
  • restrictions on the user’s ability to examine and test his or her computer to understand and attempt to prevent the damage caused by the rootkit, speak: maybe you have a bad feeling with that CD, maybe you are a second Russinovich, still, Russinovitch-like self-help actions are not part of your contract, sorry;
  • a reservation of rights by Sony BMG to use "technological 'self-help' measures" against the computers of users who desire to make use of the digital content on the CDs "at any time, without notice to [the user]"; speak: Sony BMG reserves the right to happily install more anti-copying protection ever after, and you are not even entitled to know about it;
  • and… and… and. (EFF 2005).

Without accepting the EULAs, consumers will have no access to the CD. This is hard, considering that they have already purchased the CD. It remains to be seen how the judge will decide. In the US, contractual freedom is a highstanding value, which makes it at least doubtful if the judge will find these restrictions unconscionable.

The two cases (and more are on the way; e.g. the Attorney General of Texas brings a suit against Sony BMG in Texas; cf. The State of Texas 2005) confirm once more that DRM is not only a matter of copyright law, but that it touches, much more broadly, on valid interests of consumers, those who purchase digital content for own, private use. EEF’s allegations concerning MediaMax, moreover, show that the rootkit scandal was not simply an accident, but part of an established business strategy of one of the largest music publishers in the world. The cases are in line with earlier cases in Europe where consumers claimed that the CDs they bought were defective products, due to the restrictions imposed by the DRM (Helberger 2004, 2005 a, b). The Sony BMG case, however, adds a number of new dimensions to the existing experiences with claims against DRM. This is why it is interesting to look at some details of the claim more closely.

Unfair competition law
Interestingly, Californian law knows another provision. In Division 8 of the Business and Professions Code (cf. sources), i.e. California's unfair competition law, which was also evoked by both, Himmelfarb and the EFF against Sony BMG, Section 22947 contains what is called the Consumer Protection Against Computer Spyware Act (cf. sources).. Unfair competition law plays an important role in terms of consumer protection in California, as it includes a number of consumer friendly provisions. The Consumer Protection Against Computer Spyware Act prohibits a person or entity other than the owner of a computer to insert without authorisation spyware on that person’s computer, that is software that:

  • takes control of the computer;
  • modifies internet settings;
  • collects personal information;
  • prevents efforts to block the installation of that software;
  • pretends that the consumer can de-install the software, if in reality she cannot do so;
  • removes, disables or renders inoperative security, anti-spyware or antivirus software installed on this computer.

In other words, the law, which passed Senate in August 2004, seems to have been written with an eerie foresight of the Sony BMG case. European consumer law does not know any comparable rules. The closest to this are probably national provisions on computer tampering in national penal codes.

It remains to be seen how the Superior Court of the State of California will decide – if it will decide at all. Presently, there are strong indications that Sony BMG will do its best to avoid a decision and settle the cases brought against it. EFF requests that Sony BMG will be obliged to:

  • widely and detailed publicise the potential security and other risks for consumers associated with XCP and MediaMax technology;
  • cooperate fully with manufacturers of anti-virus or similar security tools to facilitate the complete removal of XCP and MediaMax from infected computers (something which is, so far, not possible);
  • refund the purchase price of the CDs containing MediaMax or XCP and
  • to refrain from further abuses.

The last claim is interesting insofar as it is not restricted to appropriate labelling, as was claimed in the EU cases. Instead, the plaintiff demands that Sony BMG will avoid further abuses, making evident that Sony BMG’s invasive technology should not be accepted under any terms, even if consumers receive a prior warning.

Another interesting characteristic of the US cases is their nature as class action – an accepted procedural instrument under US consumer protection law. EFF pointed out, very correctly, that it would be impracticable and prohibitively expensive if all members of the class sued individually. The damages suffered by each consumer were relatively small, too small to justify the high expenses for individual prosecution in a matter that is as complex as the present case. As a result, consumers would probably not sue on an individual basis. Moreover, as EFF also pointed out, a multitude of individual claims poses a serious strain on the functioning of the court system. These are problems that are equally critical in Europe and render the instrument of consumer protection law in DRM cases less effective; the situation in Europe is complicated by the fact that most European member states do not acknowledge the instrument of class action.

Finally, to mention a third interesting detail and difference to the European cases: neither Himmelfarb nor the EFF sought to use consumer protection law as a means to protest against the restriction of usage possibilities through DRM (e.g. private copying) or to make an argument in favour of fair use. In contrast, DRM and the private copying exception were at the heart of most of the existing claims in Europe. To the knowledge of the author, no (successful) attempts have been made in the US so far to use such a thing as warranties law as a means to enforce the private copying exception (as was done in Europe). The author was rather puzzled about this finding and tried, subsequently, to identify if this difference is the result of US consumer protection law and policy, or if it is by accident that yet no action in this respect has been taken in the US.

The answer must remain somewhat speculative. Partly, the reason might have to do with the structure of US copyright, notably the fair use defence. Unlike in Europe, in the US there is little discussion about if copyright law conveys a right to private copying. It is widely acknowledged that fair use is an affirmative defence, not a right. However, because the fair use principle is far broader than the European private copying exception, and because fair use cases are able to accommodate different interests beyond the making of private copies, the fair use doctrine invites far more readily attempts to adapt copyright law in a way to accommodate user interests (Cohen 2005, Liu 2003), without seeking recourse to consumer protection law. This may explain, why in the US, the DRM discussion has concentrated so far mostly on the copyright domain.

On the other hand, its vagueness and the lack of a clearly encircled (that is: worded) protection worthy consumer interest (e.g. private copying) in US copyright law may be a reason, why consumer protection law is of little use to enforce an existing standard in copyright law. Such a standard simply does not exist, at least not in form of clearly carved out copyright exceptions. This observation leads to the other part of a possible answer, why US consumer protection law was not used so far to enforce user interests in e.g. private copying. The respect for contractual freedom and the contractual autonomy of private parties is particularly strongly developed in the US. In general, the idea is that the state should refrain from interfering with the actions of private parties as much as possible. In contrast, in Europe the concept of the positive protection duty of the state, i.e. the state’s duty to actively create an environment that is favourable to consumers’ interests, is far more commonly acknowledged. Finally, in both, the US and Europe, a general idea prevails that consumer protection law protects in the first place individual consumer interests, and is less suitable to protect public policy interests, such as broad availability of services, stimulating creativity and innovation, etc.

Bottom line
The cases brought by Himmelfarb and the EFF are in many respects a primer. They also introduce us to the US consumer protection law as a possible remedy against DRM misuse, next to copyright law. We can await with suspense the decision by the Superior Court of the State of California, and whether it will trigger a wider reaching discussion about consumer protection in the IP sector in the US. One can hope so, because US law knows a number of interesting tools to improve the legal standing of consumers, be it the institute of class action, be it special rules about spyware. One the other hand, chances are high that this case of consumers suing an undertaking because of unfair practices will be, as so many others before it, settled before the judge will have a chance to make a final statement. Even so – some hairy questions are on the table! And, hopefully, they cannot be removed from there by simply giving each affected consumer a new CD or a voucher for some free downloads. This is about more than just a new CD.


About the author: Dr. Natali Helberger is senior project researcher at the Institute for Information Law, University of Amsterdam, and managing legal partner in the INDICARE project. Dr. Helberger specialises in information law, technical control of information, the interface between law and technology, and between media, intellectual property and telecommunications law. Presently, she is staying as visiting scholar at the University of California, Berkeley. Contact:

Status: first posted 09/01/06; licensed under Creative Commons