The real challenge of writing a blog post about Sony BMG and XCP copy protection, is that just when you think you’ve finished it, the story gets more interesting!
I've been watching how this issue has progressed. The FAQ on Sony’s web site originally said, in answer to the question of whether the XCP code was spyware: ‘Of course not’. That’s not what it says now.
Sony BMG’s actions give rise to two legal issues which are of interest to UK legal observers:
The open source problem
Firstly, that the copy protection software was, in part, allegedly copied! The code, provided to Sony BMG by a software company based in Oxford, is said to have incorporated software written by Jon Johansen and made available to be reused under the open source LGPL licence.
Whilst it is possible to incorporate LGPL in some commercial software distributions, in order to do so legitimately under your own licence terms, you need to jump through a number of hoops. One such requirement is that you must ensure that the licence terms of the distributed software “permit modification of the work for the customer's own use and reverse engineering for debugging such modifications”. The XCP End User Licence Agreement (EULA) states: “You may not change, alter, modify or create derivative works, enhancements, extensions or add-ons to any of the LICENSED MATERIALS…You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part”.
If, as appears to be suggested, Sony BMG’s CDs incorporate the LGPL material without a broader consent obtained from the relevant author, this will be a breach of the LGPL, and Jon Johansen could be entitled to take action against Sony BMG.
A number of software companies have had their fingers burned through unintentional inclusion of open source code in proprietary products, and software producers would do well to give training to coders on the implications of taking coding short cuts by using open source in their projects.
The Computer Misuse Act problem
A second issue is the question of the Computer Misuse Act. Whilst the Act is generally regarded as relatively toothless when it comes to computer crime, section 3 makes it an offence to intentionally modify the contents of a computer without the consent of the user.
Some observers have questioned whether Sony BMG’s distribution of the XCP software falls foul of this section. Sony’s initial FAQ pointed to their EULA, and the fact that the CDs in question were labelled as containing copy protection code. The EULA states:
“As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.”
The EULA also purports to limit Sony BMG’s liability for any problems with the software to US$5.
What is not completely clear is the extent to which clicking ‘I accept’ to this EULA is sufficient to consent to the permanent installation of software deep in the computer’s operating system with, it is alleged, the potential to facilitate virus or other hacker attacks. At the very least, it would be difficult for Sony BMG to argue that someone who puts a music disc in their CD-ROM drive and clicks their agreement to a EULA has given their informed consent to the XCP software installation, if it also has the effects described by the Electronic Frontier Foundation (EFF) who state that the code: “degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers”.
Interestingly, the EFF state in their US Court complaint that, in the case of SunnComm’s MediaMax, another copy protection technology used by Sony BMG on some audio CDs, the software is installed prior to display of the relevant EULA, and is not removed even if a user does not accept the terms of the EULA.
Sony BMG confirmed, in a letter to the EFF, that it “…is committed to reviewing the EULAs that it uses on all its discs with copy protection software to ensure that they are clear and disclose information to the consumer.”
What this does make clear is the importance of getting the terms of your end user licence agreement right, particularly when distributing software to consumers. However, if the licence had said in bold letters: “Do you agree to install software which degrades the performance of your machine and opens up new security vulnerabilities?”, the number of those clicking ‘Accept’ might have been significantly reduced.
Whilst lawsuits have been filed in the US, where it is believed the majority of the CDs were distributed, we are not aware of any plans to consider prosecuting Sony BMG in the UK. We may have to wait before learning what "consent" means under the Computer Misuse Act.
Sorry folks, just checked FAQ link:
http://cp.sonybmg.com/xcp/english/faq.html#contentprotection
and it STILL says XCP ISN'T spyware, as it has all November.
-Roly
Posted by: Roly Roper | December 06, 2005 at 02:31 PM
It does, but the point I was making was that their denial has been reworded from the earlier "Of course not". As reported here: http://bloglala.com/sony-bmg-music-entertainment-spyware-article-59.html the original FAQ from SonyBMG read: "I have heard that the protection software is really malware/spyware. Could this be true?
Of course not..."
Posted by: Kevin Calder | December 06, 2005 at 03:22 PM
If you decline the EULA, what rights do you have to use the CD you bought? Do you have any rights that you wouldn't have if you had accepted the EULA?
Secondly, even if you do accept the EULA and assuming that it's a valid contract, is the fact that Sony BMG would have broken the EULA if you had not accepted the EULA, grounds for invalidating the EULA as a whole? I expect there's a clause about survival of other clauses, however don't their actions show bad faith, and wouldn't this have implications for the contract as a whole? Would Sony lose rights as a result? Or could you gain rights that you wouldn't have had under the licence?
I can't find a full online copy of the Suncomm MediaMax EULA, but I expect it's broadly similar to the this one - http://www.sysinternals.com/blog/sony-eula.htm. The first part of that says:
----
Article 1. GRANT OF LICENSE
1. Subject to your agreement to the terms and conditions set forth in this EULA, SONY BMG grants to you a personal, non-exclusive and non-transferable license, with no right to grant sublicenses, to:
(a) install one (1) copy of SOFTWARE onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
(b) install one (1) copy of any APPROVED MEDIA PLAYER(S) contained on this CD onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
(c) use the SOFTWARE and any APPROVED MEDIA PLAYER(S) contained on this CD to access the DIGITAL CONTENT on YOUR COMPUTER or on an APPROVED PORTABLE DEVICE;
in each instance, solely for your own personal and private use and not for any other purpose (including, without limitation, any act of electronic or physical distribution, making available, performance or broadcast, or any act for profit or other commercial purpose) and in accordance with the terms and conditions set forth in this EULA.
-----
I'm wondering whether Sony BMG could have damaged their copyright on affected CDs as a result of their actions, giving you a lot more scope than the licence above.
Posted by: Jeff V | December 06, 2005 at 04:20 PM
Are you going to try and raise a class action suit against Sony?. Sony-BMG have already changed the EULA quite early on in this saga.
Posted by: Geoff | December 07, 2005 at 09:03 AM
I'm not sure that anyone in the UK could establish that they have suffered damage as a result of the use of the SonyBMG CDs. Did SonyBMG change the XCP EULA - do you have any details?
Posted by: Kevin Calder | December 07, 2005 at 02:12 PM
so if you decline how do you take XCP off your computer
Posted by: bob gardener | February 09, 2007 at 04:35 PM
Sony have provided a further software product to remove XCP. Details are available here: http://cp.sonybmg.com/xcp/english/updates.html
Posted by: Kevin Calder | February 12, 2007 at 10:28 AM