LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Interview: Kristen Carlson Accardi

LWN.net Weekly Edition for July 24, 2008

Tracing: no shortage of options

Interview: Wind River's John Bruggeman

LWN.net Weekly Edition for July 17, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Sony's rootkit: an update

Sony's rootkit: an update

Posted Nov 15, 2005 19:09 UTC (Tue) by pr1268 (subscriber, #24648)
Parent article: Sony's rootkit: an update

I have a few comments and questions regarding the EFF Sony EULA link:

  • Does the EULA cover the music or the software? After all, isn't the purpose of buying a music CD for the music?
  • If I bought such a CD with the accompanying EULA, and the EULA police came knocking on my door, couldn't I just say, "Sure, I'll relinquish my rights to use the software, but I'd like to keep the music!"
  • Isn't a EULA some kind of legally binding contract? Does that mean that I have to (a) sign somewhere when I purchace into the contract (in many places, a signature is required of such legal documents), or (b) be informed of such a legally-binding agreement at time of purchase? I envision a time in the not-so-distant future when we're going to have to sign our lives away at places like Wal-Mart, Best Buy, Circuit City, etc. whenever we buy a {music CD|movie DVD|any other form of media}, and the retailers are going to keep a stack of paper contracts handy with notaries public standing by the sales registers (Okay, that's a little extreme, but not implausible given the current state of DRM). Imagine how tough it would be for Amazon.com to sell someone a CD or DVD given this restriction.
  • In the meanwhile, how can I abide by the terms of the EULA if I don't have a computer? If I buy the music CD for the sole purpose of playing it on my {home|car|portable} stereo, and I don't ever see the terms of the EULA, does that mean that I have to abide by the terms of a "phantom" contract which I might never see?
  • One final question: Let's assume that the EULA is not a legally binding agreement, due to the sheer complexity (and cost) of implementing the Orwellian society I painted in the third bullet above with respect to DRM, and I never agree to the EULA (or even see such a document). Can [media company] still haul me into court for failing to abide by a legally binding contract to which I never agreed to in the first place if they "catch" me listening to my music CD? Granted, I do realize that the whole thing about DRM is to protect the media companies against me doing something illegal with the music/movie (like file sharing on P2P networks, etc.), but Sony's willingness to use rootkit technology to ensure everyone complies seems a little extreme.

DRM has gotten out of hand. This Sony incident has only brought to light the issue of what lengths companies will go to given a piece of legislation (DMCA) to hide behind. Much kudos to Dr. Russinovich and his wonderful Blog.

<snide comment>Resistance is futile. Prepare to have your computer assimilated into the [media company] collective.</snide comment>

(Log in to post comments)

Sony's rootkit: an update

Posted Nov 15, 2005 20:55 UTC (Tue) by NAR (subscriber, #1313) [Link]

Isn't a EULA some kind of legally binding contract? Does that mean that I have to (a) sign somewhere when I purchace into the contract (in many places, a signature is required of such legal documents), or (b) be informed of such a legally-binding agreement at time of purchase?

If you buy a ticket for the train/underground/bus/etc., you enter into a contract with the public transport company but I doubt you sign anything.

Bye,NAR

Sony's rootkit: an update

Posted Nov 16, 2005 1:39 UTC (Wed) by phgrenet (subscriber, #5979) [Link]

For the difference between a license and a contract, no better source than LWN: The GPL is a License, not a Contract

license vs contract

Posted Nov 18, 2005 0:20 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

>For the difference between a license and a contract,
An important difference to know, but not relevant here. We're not talking about a license; we're talking about a EULA - end user license agreement. Agreement is a synonym for contract. This is a contract in which the copyright owner gives you a copyright license in exchange for money and various promises from you.

Sony's rootkit: an update

Posted Nov 16, 2005 10:13 UTC (Wed) by nix (subscriber, #2304) [Link]

In the UK at least there is the concept of `implied contracts', which are what you enter into when e.g. you pull something off the store shelves, and what you are violating if you then walk out of the shop without paying for it; you'd also have one with the public transport company. Intent and mutual understanding are very important here: you probably don't enter into an implied contract with Sony allowing Sony to dump rootkits on your computer merely because you bought a CD that they happened to originally produce!

(Disclaimer: IANAL but I've typed up stuff for lawyers on this subject when critically short of money over a decade ago; info may be terribly inaccurate)

contracts without signing

Posted Nov 18, 2005 0:30 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

In the UK at least there is the concept of `implied contracts', which are what you enter into when e.g. you pull something off the store shelves,

That's not even an implied contract, at least in US terminology. It's an explicit contract. (Technically, it isn't formed when you take the item from the shelf, but when you check out, which is why the price is allowed to change in between). An implied contract would be one defined in law that the two parties didn't actively choose to enter.

There's simply nothing in law that says a signature or piece of paper is required for a contract to be legally binding. The vast majority of contracts don't have that.

There are some laws, called "statutes of frauds" that make contracts of certain kinds unenforceable if not on paper. For example real estate transactions usually require paper, and many loans do. Under the Uniform Commercial Code (which is the law most places in the US), a contract that has elements that will take longer than 3 years to complete must be in writing.

EULA and the UCC

Posted Nov 15, 2005 21:12 UTC (Tue) by ncm (subscriber, #165) [Link]

First, the EULA is not a legally binding contract. In the U.S., the Uniform Commercial Code (UCC) makes clear that the vendor cannot place any additional restrictions or conditions on you, the buyer, after you have paid your money(*). If it's not on the outside of the box, it's wastepaper. Even if it is on the box, but contradicts local warranty consumer-protection laws, it's wastepaper. Similarly, any sort of "click-through" during installation is void: you already paid, it's too late to demand your acquiescence. If you have to click it to get to what you paid for (i.e., the music), then clicking it doesn't mean anything. It's better, as a policy, not to read it, except perhaps as a warning of what damage they are promising you might suffer, i.e. like the "hazard" warning on your toaster. (Be sure to tell your lawyer about your policy.)

Second, the danger is not Sony breaking down your door to try to enforce their (void) contract. At issue is whether you are owed damages for the harm they have caused you even though they "disclaimed" it. Did you "agree" to be kicked in the nether region, just by clicking on that button? Hell, no! (*) Even if it were a valid contract, any of its provisions that damage your machine are superseded by the warranty, and by any other laws they violated. I doubt a judge would even let them introduce the EULA in evidence, if your own lawyer is on the ball to object.

Third, I don't understand why everybody who writes about this acts as if the EULA had any legal standing. At most, paragraphs might be snipped from it to be introduced as written proof of Sony's malice aforethought.

Fourth, if you were harmed, you will be better off explicitly opting out of any class-action suits. You can sue Sony in your local small-claims court for (e.g.) the time it took to re-install your OS, and probably get treble damages. If your damage was greater -- e.g. local network compromised by worms taking advantage of the holes it installed -- you can still sue, and get treble damages, and Sony still probably won't spare a lawyer to show up and contest it. If you or yours were harmed, then please, please do sue Sony, and then blog all about it. Compete with other bloggers for the side of the damage award extracted. Make it worth your while; your damages (itemized) should include the time it took you to bring the case to court, too.

(*) I'm no lawyer. Also, last I heard, the UCC was rescinded in Maryland. Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere. If you live in one of those places, you might be screwed -- however, since they broke the law, it might be void anyhow!

EULA and the UCC

Posted Nov 18, 2005 1:02 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I'm no lawyer. ... Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere.

Doesn't that kind of negate your whole first paragraph ("the EULA is not a legally binding contract")? On the left hand, we have someone who is not a lawyer, and some nebulous crowd of people criticizing a court decision. On the right hand, we have a federal appeals court judge in an actual court decision. Seems to me the left hand is all but empty.

I know the case in question quite well, and I haven't heard that people think it won't be influential anywhere else. The decision is solidly reasoned and there aren't conflicting decisions in other circuits. I'm sure there were the usual statements that a 2nd Circuit decision isn't binding anywhere else, but such decisions are nonetheless usually highly influential.

The judge, incidentally, not only describes why shrink wrap agreements are legally enforceable (giving precedents for well-accepted contracts that aren't complete until some time after money changes hands), but also that it would be bad policy if they weren't -- forcing people to waste packaging space on fine print nobody reads anyway.

I've also read the UCC, though not so recently that I remember every paragraph, and I sure don't remember anything about not being able to add restrictions on the buyer after the buyer has paid. There are plenty of contracts where paying money comes before negotiation is complete. If you have a section number, I'd be interested.

Sony's rootkit: an update

Posted Nov 15, 2005 22:18 UTC (Tue) by kms (subscriber, #6679) [Link]

> Isn't a EULA some kind of legally binding contract?

I believe it attempts to be a contract, though in most jurisdictions it is impossible for a minor to enter into such a contract so just get your kids to buy your CDs and you'll be fine :-)

I stand corrected about this EULA

Posted Nov 16, 2005 4:15 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

I was wrong earlier; the GPL is indeed a good example of a license vs. a contract.

Furthermore, I found the actual text of Sony's EULA on Mark Russinovich's Web page here.

I read through all the legal-ese (IANAL), and sure enough this EULA does indeed target the "DIGITAL CONTENT" of the disc. Which means pretty much all the content, since a CD is a 5km-long spiral of microscopic pits and plains that represent binary 0's and 1's. How someone might interpret the music to be part of the digital content could be debated; I realize that once you play the CD on a loudspeaker system, it's no longer digital and therefore not subject to the restrictions of the EULA (although it does fall under the jurisdiction of performance restrictions under copyright law, but that's a whole other topic).

Also, I'd like to thank Mark Russinovich for sharing his experiences. Although I do not use MS Windows (I've been "Windows-Free" since August 2004), I feel that we need people like him with incredibly sharp Windows skills and a Blog to make people aware of the consequences of installing closed-source software (and having to agree to a EULA) for which you have no knowledge of what that software's actually doing to your PC.

But that goes for all licensed software. I feel better about running a piece of licensed software on my computers for which somebody is examining the safety, security, and reliability of that software (thus explains one of the many reasons I like open-source). A college professor told me that the legal issues of running licensed software later found to be intentionally (or negligently) malicious will be very seriously examined in the next few years. Perhaps the "Sony DRM Rootkit incident of 2005" is only a preview of what's to come...

I stand corrected about this EULA

Posted Nov 16, 2005 9:27 UTC (Wed) by james (subscriber, #1325) [Link]

Despite reality, the EULA defines DIGITAL CONTENT not to include the music:

This compact disc (“CD”) product contains standard so-called “Red Book”-compliant audio files that can be played on any standard CD player, including those contained in many personal home computer systems. As an added feature, this compact disc (“CD”) product also enables you to convert these audio files into digital music files and/or may also contain other already existing digital content (such files and content, collectively, the “DIGITAL CONTENT”)

Incidentally, even if you accept the validity of EULAs, this one doesn't come into force until you click "AGREE". If you don't click "AGREE", then presumably normal copyright law is in effect:

By clicking on the “AGREE” button below, you will indicate your acceptance of these terms and conditions, at which point this EULA will become a legally binding agreement between you and SONY BMG.

Unfortunately, in the USA "normal copyright law" includes the DCMA. A case could be made that if the DRM software was "technical measures", and the technical measures included a mechanism designed, documented and labelled to turn off the technical measures, then you aren't circumventing them. But I wouldn't care to rely on that if I had to defend myself against Sony.

As always, I Am Not A Lawyer. Sorry.

Tab, enter?

Posted Nov 17, 2005 3:15 UTC (Thu) by midg3t (subscriber, #30998) [Link]

Now if you were to press tab a couple of times and press space or enter on the "Agree" button, would you still be accepting the EULA?

What about if you wrote an application to scan all window elements for the text "I Agree", and any that matched would be sent the appropriate Win32 API "activate" signal.

And what about if somebody else installs that software on your machine.

How about if you wrote a wrapper around the installer that bypassed the entire EULA, beginning execution at the first real install step, were files are decompressed & installed.

Perhaps it's a long shot, but in a world where the law is what is written and not what is intended, who knows what you can get away with.

I stand corrected about this EULA

Posted Nov 17, 2005 8:52 UTC (Thu) by chad.netzer (subscriber, #4257) [Link]

My reading is that they DO include the "audio files" in their definition of "DIGITAL CONTENT", or at the very least, any "digital music files" created from the "audio files". And you can bet that is what they intended.

What is wierd is that they claim to include software to convert audio-files into digital music files, which further implies that they may have included code from LAME (and probably some CD-Paranoia like application). Ie. they claim to include ripping and conversion software. Hmmmm.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.