TMGT 7133 Law for Intelligence-Based Business

Instructor Dean Palmer

Assignment 1
Due Date April 25, 2010
Student ID A00242330
Student Name Arthur (Wesley) Kenzie

Sony Music Entertainment

and their 2005 DRM Debacle

Introduction ......................................................................... 2
A Canadian Perspective .......................................................... 3
Conclusions ........................................................................... 5
References ........................................................................... 6
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

Introduction

In October 2005, computer security researcher Mark Russinovich made a

surprising discovery which he posted about on his blog at
http://blogs.technet.com/markrussinovich. [1]

Russinovich is not your average blogger, nor is he your average computer

security researcher. In fact he earned his Ph.D. in computer engineering
from Carnegie Mellon University in 1994 [2][3] and Dr. Russinovich is
currently a "Technical Fellow" at Microsoft in their Platform and Services
Division [4]. His previous company, Winternals Software, was acquired by
Microsoft in July 2006 [5] along with another company he had co-founded,
Sysinternals.com [6].

What Russinovich discovered in October 2005 during testing of a program he

was developing called RootkitRevealer, was a rootkit installed on his own
computer. Rootkits [7] are programs which are able to hide themselves from
normal methods of detection. They are called "root" kits because they are
able to run with administrative (aka "root") privileges. Their covert nature
underscores the fact that their presence and their functionality is not
something a computer user would typically want or has consented to. This
particular rootkit was designed to perform digital rights management
("DRM") functions on behalf of the music rights holder, Sony BMG Music
Entertainment (known as simply Sony Music Entertainment since the 2008
buyout by Sony of partner Bertelsmann Music Group [8]).

Russinovich documented on his blog how he proceeded to investigate this

rootkit, and how he determined that it came from a Sony BMG music CD
that he had recently purchased.

The fallout from his discovery and disclosure has been significant and far
reaching. This assignment paper discusses a Canadian legal and policy
perspective of this case, written by University of Ottawa law professor,
Jeremy deBeer [9]. deBeer reviews the technology used by Sony Music, and
the implications with regards to Canadian laws of contracts, competition,
consumer protection, privacy, trespassing, negligence, and more.

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 2 of 8

 
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

A Canadian Perspective

In the February and March 2006 issues of Internet and E-Commerce Law in
Canada [9], Jeremy deBeer provides an insightful and comprehensive review
of the 2005 Sony Music rootkit case, called "How Restrictive Terms and
Technologies Backfired on Sony BMG Music".

His review covers the following issues:

(1) Privacy. The DRM software used by Sony Music surreptitiously "phoned
home" using the user's Internet connection to "...transmit information about
a user's computer system, software and Internet connection." Was this
consented to by the user as part of their acceptance of the End User License
Agreement ("EULA") ? Perhaps. However, deBeer thinks a case could be
made that this was not informed consent and that this disclosure of
identifiable personal information is in contravention of the Personal
Information and Protection of Electronic Documents Act ("PIPEDA").

(2) Competition. deBeer points out that the Canadian Competition Act
"provides a private right of action in respect of material false or misleading
representations made to the public for the purpose of promoting a product
or business interest". What was false or misleading? According to deBeer the
EULA contained numerous false and/or misleading statements including
misrepresentation of the true nature of the DRM technology, the security
vulnerabilities the DRM technology created, the practical inability to uninstall
the DRM technology, and the data transmissions the DRM technology
performed.

(3) Contract Law. Artists who are under contract to Sony Music might have
cause to seek redress for negative publicity, and lost sales as a direct result
of Sony Music's actions, according to deBeer's analysis. Also deBeer argues
that there are two additional and separate contracts in play with regards to
this case: that between the consumer and retailer, and that between the
consumer and Sony Music via the EULA. All these contracts are potentially
rescindable, on various grounds, with various remedies available to
consumers.

(4) Negligence. There is an established duty of care that is owed by

manufacturers to end-users, and it is possible that Sony Music has violated
this covenant. They may also be liable for exposing their users to
unreasonable risk, for product liability, and for negligent misstatement. Were

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 3 of 8

 
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

the actions of Sony Music reasonable? deBeer makes a case that they were
not.

(5) Trespass. I found deBeer's discussion of the trespass to chattels issue

fascinating. He contends that Sony Music "... intentionally interfered with
end-users possessory rights in respect of computer hardware and software".
He calls this "cyber-trespassing", and makes the point that in "traditional"
English legal authority, there is no requirement to establish harm in order to
make this tort actionable.

(6) Consumer protection. In this context deBeer advises that Sony Music "...
may have violated warranties relating to quality, quiet possession, fitness for
purpose and/or merchantability". He acknowledges that the EULA stipulated
the end-user waive certain rights, and that it made certain disclaimers.
However, under Ontario's Sale of Goods Act and Consumer Protection Act,
such disclaimers are almost certainly void.

deBeer's critical analysis of Sony Music's deployment of digital rights

management technologies is not solely targeted at Sony Music, however. He
points out that the use of DRM technical measures is inherently dangerous in
numerous ways, and states that many companies are currently making use
of DRM technologies. "There are hundreds of millions of copies of hundreds
of album titles in circulation employing MediaMax™ or other DRM systems."
(MediaMax was one of the two DRM technologies that Sony Music was
discovered to be using in October 2005.) This means that Sony Music is not
unique, but rather this 2005 debacle "... illustrates the potential abuses that
can occur if consumers are not protected from the widespread deployment of
DRM systems."

Have we done anything in Canada about this issue? Nothing substantive as

yet, according to deBeer's review. The Commissioner of Competition has the
power to initiate an investigation under the Competition Act; the Ontario
Minister of Consumer and Business Services has the power to enforce the
Consumer Protection Act on behalf of consumers; the Privacy Commissioner
of Canada has the power to initiate a complaint and to launch an
investigation into this matter. Yet no level of government has yet made any
effort to hold Sony Music accountable.

New legislation has been proposed at the Federal government level in both
2006 and 2008, specifically with Bills C-60 and C-61 [10], but no changes
have yet been enacted. Further, both these proposed changes to the

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 4 of 8

 
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

Copyright Act drew plenty of criticism, and with respect to DRM, they both
clearly tilted the balance in favour of digital rights holders, to the detriment
of consumer's and user's rights.

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 5 of 8

 
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

Conclusions

The discovery of Sony Music's use of digital rights management technology

on their music CD's in October 2005 brought to light many significant issues
that we continue to grapple with. These issues span a wide range of
government and corporate policies in the areas of consumer protection,
warranties, transparency, trust, reputation, distribution of artistic creations,
protection of privacy, and computer security as well as legal issues of
copyright, contract, competition, negligence, and trespassing.

In Canada, despite considerable discussion and debate in the intervening

years, very little has changed. A bigger problem than inertia however,
appears to be that the proposed changes in law that have been tabled since
then grant more power and more rights to the providers and owners of DRM
technologies rather than to the consumers who are forced to give up their
legal rights because of those DRM technologies. Mr. deBeer himself lashes
out at this imbalance in a National Post article published in 2008 [11] as does
the Editor-in-Chief of Internet and E-Commerce Law in Canada in another
National Post article from 2008 [12].

I believe that unless there is a stronger will to create a more balanced set of
laws in Canada to clarify the rights and responsibilities of both content
producers and consumers of that content, the Sony Music DRM debacle will
have been a missed opportunity.

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 6 of 8

 
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

References

[1] Mark's Blog, Sony, Rootkits and Digital Rights Management Gone Too
Far, Reference found on April 25, 2010 at
http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-
rootkits-and-digital-rights-management-gone-too-far.aspx

[2] Amazon.com book search, Microsoft Windows Internals (4th Edition),

Reference found on April 25, 2010 at http://www.amazon.com/Microsoft-
Windows-Internals-4th-Server/dp/0735619174

[3] Affidavit of Mark Russinovich, United States District Court, Southern

District of New York, Class Action Case No. 1:05-cv-09575-NRB, Reference
found on April 25, 2010 at
http://www.sonysuit.com/classactions/michaelson/71.pdf

[4] Microsoft News Center, Mark Russinovich, Reference found on April 25,
2010 at
http://www.microsoft.com/presspass/exec/techfellow/Russinovich/default.m
spx

[5] Microsoft System Center, Microsoft Acquires Winternals, Reference found

on April 25, 2010 at
http://www.microsoft.com/systemcenter/winternals.mspx (also at
http://www.winternals.com)

[6] Windows Sysinternals, Reference found on April 25, 2010 at

http://technet.microsoft.com/en-us/sysinternals/default.aspx (also at
http://www.sysinternals.com)

[7] Google.com search, Definitions of Rootkit on the Web, Reference found

on April 25, 2010 at
http://www.google.com/search?hl=en&q=define:Rootkit&btnG=Search

[8] Wikipedia.org search, Sony Music Entertainment, Reference found on

April 25, 2010 at http://en.wikipedia.org/wiki/Sony_Music_Entertainment
and at http://articles.latimes.com/2008/oct/14/business/fi-sony14

[9] deBeer, Jeremy, How Restrictive Terms and Technologies Backfired on

Sony BMG Music, in M. Geist, editor-in-chief, Internet and E-Commerce Law

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 7 of 8

 
 TMGT 7133 Assignment 1 - Sony Music's 2005 DRM Debacle

in Canada, Volume 6, Number 12 and Volume 7, Number 1 (Markham,

Ontario, Canada: LexisNexis Canada Inc., 2006)

[10] House of Commons of Canada, Bill C-61 An Act to amend the Copyright
Act, Reference found on April 25, 2010 at
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=3570473
&file=4 and Bill C-60 at
http://www2.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Pa
rl=38&Ses=1&Mode=1&Pub=Bill&Doc=C-60_1

[11] deBeer, Jeremy. Canada's new copyright bill: More spin than "win-win".
National Post. June 16, 2008. Reference found on April 25, 2010 at
http://www.nationalpost.com/news/story.html?id=590280  

[12] Geist, Michael. Copyright bill's fine print makes for disturbing reading.
National Post. June 12, 2008. Reference found on April 25, 2010 at
http://www.nationalpost.com/news/story.html?id=585974  

Copyright (c) 2010 Arthur Wesley Kenzie. All Rights Reserved. page 8 of 8