American Bar Association

ABA Section of Business Law


Business Law Today

The 'agreement' that sparked a storm
A 'click-through' goes bad
By Elizabeth Bowles and Eran Kahana
At a recent legal presentation attended by prominent intellectual property lawyers and law professors, a loaded question was posed to the audience: "By a show of hands — and be honest, now — how many of you read the terms and conditions presented in an end-user license agreement?" Of the nearly 100 people in the auditorium, not a single hand was raised. Shocking? Only if such an admission is unexpected. It really isn't.

Why does it matter that even those who should know better do not read their end-user license agreements (EULAs)? The answer can be found in the Sony "rootkit" public relations nightmare. We define "rootkit" later in this article; for now, simply accept that what happened to Sony, or (more accurately) what it did to itself, goes beyond the confines of the Sony digital rights management case and should be analyzed within the contractual framework of EULAs and the tension between the freedom to contract and (arguably) overreaching terms and abuse of license. The ultimate question is: Does it matter whether people know what they are installing on their computers?

Our story deals with Sony BMG's (Sony) recent controversial experience in dealing with digital rights management software. But before we continue with that story, we should briefly introduce some technical definitions: "rootkit" and "DRM."

First, let's take a look at a "rootkit." A rootkit is a set of software tools installed on a computer that conceals the presence of chosen processes, files, registry keys or other system data from the computer's user and from security software. Its purpose is to let whoever installed it keep access to the machine while staying undetected. Rootkits achieve this by modifying parts of the operating system, typically by installing themselves as drivers or kernel modules and intercepting the system calls through which the operating system reports its own state, so that every program asking "what files are here?" or "what is running?" receives an edited answer. Rootkit techniques can be used for legitimate purposes, but the mechanism is the same whoever uses it.

The rootkit's cloaking is specifically designed to make it difficult for a user to find the rootkit and to disable or otherwise "hack" its processes. When used in the context of digital rights protection, the purpose of the rootkit is to make it difficult for end users to find and defeat the content protection. How well the rootkit is designed, or, put another way, how difficult it is to defeat, also affects the user's ability to remove it from his or her computer system. Two consequences follow from this design. A cloak that hides everything matching some rule hides it from antivirus software as well as from the user, and any other program on the machine that happens to satisfy the same rule inherits the cloak, which is how a rootkit installed for DRM can end up sheltering unrelated malware. And because the cloak lives inside the operating system, removing it carelessly can leave the system unable to boot.
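The cloaking mechanism and the way it was found can be illustrated in a few lines. The following Python program is an added example written for this article, not code from Sony, First4Internet or Mr. Russinovich. It simulates, on a constructed in-memory filesystem, the two things a cross-view rootkit scanner compares: the "high-level" directory listing that ordinary programs receive through a hooked enumeration API, and the "low-level" listing read by a path the hook does not cover. Any name present in the second but absent from the first is reported. The prefix "$sys$" is the one Russinovich reported the XCP driver used to decide what to hide; the file name aries.sys is the one mentioned above; every other entry in the sample filesystem is constructed for the demonstration. The last entry, an unrelated program that merely starts with the same prefix, shows the side effect discussed above: it is hidden too.

```python
"""Cross-view rootkit detection, demonstrated on a simulated filesystem.

A rootkit cloak hides entries by hooking the enumeration API that
applications (file managers, antivirus) call and filtering out whatever it
wants kept secret.  Detection compares that hooked "high-level" view with a
"low-level" view obtained by a path the hook does not cover, and reports
every discrepancy.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Prefix Russinovich reported for the XCP driver: any name starting with it
# was hidden from file, registry and process listings.
CLOAK_PREFIX = "$sys$"


@dataclass
class SimulatedDisk:
    """Constructed sample: what is really stored on disk, per directory."""
    dirs: dict[str, list[str]] = field(default_factory=dict)

    def raw_listing(self, path: str) -> list[str]:
        """Low-level view: read the directory entries directly, bypassing hooks."""
        return sorted(self.dirs.get(path, []))


def hooked_listing(disk: SimulatedDisk, path: str, prefix: str = CLOAK_PREFIX) -> list[str]:
    """High-level view: what every ordinary program sees once the hook is in
    place.  Entries whose name starts with the cloak prefix are silently
    dropped, regardless of who created them."""
    return [name for name in disk.raw_listing(path) if not name.startswith(prefix)]


def cross_view_diff(disk: SimulatedDisk, path: str) -> list[str]:
    """Names present in the raw view but missing from the hooked view.
    A non-empty result means something on the system is tampering with
    enumeration, which is exactly what a cross-view scanner flags."""
    raw = set(disk.raw_listing(path))
    seen = set(hooked_listing(disk, path))
    return sorted(raw - seen)


def build_sample_disk() -> SimulatedDisk:
    """Constructed sample filesystem.  aries.sys is the driver name from the
    article; the remaining entries are invented for the demonstration."""
    return SimulatedDisk(dirs={
        r"C:\Windows\system32\$sys$filesystem": [
            "aries.sys",            # the cloaking driver itself
            "$sys$DRMServer.exe",   # a DRM component hidden by the cloak
        ],
        r"C:\Windows\system32": [
            "kernel32.dll",
            "ntoskrnl.exe",
            "$sys$filesystem",      # the whole directory vanishes from listings
            "$sys$drv.exe",         # unrelated program that inherits the cloak
        ],
    })


if __name__ == "__main__":
    disk = build_sample_disk()
    for path in disk.dirs:
        hidden = cross_view_diff(disk, path)
        status = "CLEAN" if not hidden else f"HIDDEN ENTRIES: {hidden}"
        print(f"{path}: {status}")
```

Running the program lists, for each directory, the entries that exist on disk but never appear in the hooked view. Nothing in the scanner knows the prefix; it only notices that two views of the same directory disagree, which is why this technique finds cloaks whose hiding rule is unknown in advance.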

The second technical term is digital rights management, popularly known as DRM. DRM refers to the technologies used by publishers or copyright owners to control end-user access to and use of digital data like music, movies and software. DRM is used by many brand-name copyright holders and distributors, one of the most notable being Apple's iTunes, which uses DRM to ensure that music files are only played on so-called "authorized computers."

Although the use of DRM is strongly supported by those interested in protecting digital rights, it is highly unpopular with many end users, and especially with the large peer-to-peer communities whose existence depends on restriction-free sharing of copyrighted works. These groups claim that "digital rights management" is a misnomer and that "DRM" should stand for "digital restrictions management."

So we now return to Sony and how its DRM scheme went wrong. The Sony DRM story dates back to mid-2004. That year, Sony began using two pieces of DRM software on its CDs. The first was Extended Copy Protection (XCP), developed by a company called First4Internet (F4I), and the second was MediaMax, developed by SunnComm. The purpose of these two programs was to protect the CD content of 52 titles featuring popular artists such as Frank Sinatra, Celine Dion and Louis Armstrong.

Sony allegedly used a rootkit to mask the installation of the XCP DRM software: a driver installed as a file called Aries.sys hid XCP's files and processes from the operating system's normal file and process listings. To make matters worse, according to several media reports, the XCP software not only cloaked itself, it also transmitted user information back to Sony. The Sony DRM software was also alleged to interfere with the way both Microsoft Windows and Mac OS X normally play CDs, and the cloak, perhaps inadvertently, opened security holes that viruses were able to exploit on computers running the software. It was also alleged that this rootkit could not be removed without damaging the Windows operating system.

It wasn't until more than a year later that computer security experts, most notably Mark Russinovich, discovered the Sony rootkit on their own systems; Russinovich found it while running his own rootkit-detection tool on his own machine. Being the techies that they are, and, to put it mildly, disturbed by the finding, they began blogging about it. The net result for Sony? Public and consumer outrage, three class-action lawsuits (two in California, one in New York), an investigation by Florida's attorney general, two investigations in Canada, and numerous bloggers more than willing to take Sony to task for its "bad" behavior.

The media frenzy that ensued over the next year and a half fanned the proverbial fires, causing Sony to suffer a number of "black eyes" as it scrambled to contain the damage.

Initially this damage control was arguably not well thought out. Sony's public position was reported as, "Most people don't even know what a rootkit is, so why should they care about it?" (Arguably, most people don't know what a EULA provides, but is it fair to argue that they should not care about it?) Other media reports detailed how Sony subsequently argued that everything the software did, including installation of the rootkit, was covered by its EULA, and that it was therefore contractually allowed to do as it did, including cloaking the software and monitoring end-user behavior.

The public relations nightmare notwithstanding, the ultimate question here concerns Sony's EULA. From a legal perspective, EULAs have a role to play in managing copyright holders' rights. How they are used and enforced is something that should concern every lawyer.

Let's begin with establishing a few important points pertaining to EULAs. Most users typically see them in the form of click-through agreements, which require acceptance of the terms and conditions prior to allowing installation of software. True to their purpose, EULAs, for the most part, play a valuable role in protecting the software developer's work. It is also fair to say that a few rancorous EULAs create a whole lot of bad press for the legitimate majority.

At the most basic level, click-through agreements are enforceable, provided they comply with the normal rules of contract formation, such as offer and acceptance. Because of the medium in which they appear, the EULA must also be legible, timely and complete; when it is properly presented in this sense, there is usually very little controversy about it.

It is also equally well established that when these factors are in place, a user need not have read nor even understood a EULA to be bound to it; it only matters that he or she had an opportunity to read it. In the Sony DRM case, one of the $60-million questions is whether the opportunity to read the EULA was legally meaningful or, put another way, whether the user's consent was valid. This question is key in light of the clearly unanticipated actions taken by the Sony rootkit and its DRM software.

Ultimately, the Sony rootkit experience illustrates how EULAs should not be used. Why? EULAs should never serve as a vehicle for developers to "sneak" in terms and conditions that they know, or should know, would be offensive to public policy or, for that matter, to the general public. Also, it can make the developer look really bad even though, legally speaking, the developer is in the right — all the "i"s dotted, all the "t"s crossed and "voila": A valid contract was formed.

But really now, who cares about legal technicalities when the developer's customers are mounting the consumer equivalent of a mutiny? It should be common sense for any company that if consumers stop purchasing its goods, the EULA has no value regardless of how carefully it was constructed.

It must be noted that Sony has an unquestionable right to protect its copyright. The only question is how far does this right extend? In other words, did Sony have the right to take the steps it did to protect those rights even if those actions would be tantamount to an abuse of license? Part of the outrage over Sony's conduct was because no other copyright holder in Sony's industry has tried to take their license rights this far.

Also, when the DRM software spies on end users without their knowledge, is impossible to uninstall, and is hidden from view, can the agreement still be valid despite ostensible consumer "consent"? In the Sony DRM case, the critical variable was whether there was valid consent. If there was no valid consent, then no contract was formed, which means that Sony installed the program without the user's consent. If so, it is in a world of hurt.

It is also possible that the Sony rootkit, put simply, is "malware" (malicious software) as many have argued. In fact, Microsoft reportedly added the Sony rootkit to its list of worms, Trojans and viruses that its Windows Malicious Software Removal Tool detects and deletes. Proponents of the idea that Sony's behavior was malicious point to the allegation that the Sony rootkit developers cooperated with antivirus companies to ensure that anti-virus software would not detect the rootkit.

Then, of course, there are those who wholeheartedly disagree that the rootkit is malware. Period. Sony, for example, posted on its Web site's FAQ that the rootkit was not malware because "[t]he protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system."

Ultimately, regardless of whether the software was deliberately malicious or just inept, the key question we keep returning to is whether there was legally valid consent.

This exercise reveals at least two things: First, it is alleged that the only notice that the rootkit even existed was contained in a click-through EULA visible only after removal of the shrink wrap and after the first steps of installation were initiated. If the user clicked on "Disagree," they could only use the CD as a coaster — since the CD had been opened, it was not returnable, only exchangeable for the same title. Add to this the allegations that the CD package did not alert consumers to the fact that an application would be installed, let alone the specifics of what it would do once on the hard drive.

Many courts that have enforced click-through EULAs in the past have done so in part precisely because the software in question was returnable. The fact that the CDs purchased from Sony could not be returned and that there was no notice on the outside of the package meant that the Sony DRM EULA was more likely to be found a contract of adhesion rather than a garden-variety click-through agreement.

Second, this exercise leads us to examine the text of the EULA itself, which is alleged to include the following terms:
  • Restrictions on the user's ability to use the digital content on the CD in the event that that consumer chooses to leave the United States;
  • Restrictions on user's ability to use the digital content on the CDs at work;
  • Restrictions on user's ability to use and retain lawfully made copies of the digital content on the CDs in the event that the original CD is stolen or lost;
  • Restrictions on user's ability to use the digital content on the CDs following a bankruptcy;
  • Conditioning the user's continued use of the digital content on the CDs on acceptance of all Sony BMG software updates;
  • A purported $5 limit on Sony BMG's entire liability to the purchaser of the CDs;
  • Restrictions on the user's ability to examine and test his or her computer to understand and attempt to prevent the damage caused by the rootkit;
  • A reservation of rights by Sony to use technological "self-help" measures against the computers of users who want to make use of the digital content on the CDs "at any time, without notice."
What the EULA notably does not say is that the CD will install a potentially harmful rootkit and will transmit information back to Sony.

At the same legal presentation mentioned at the beginning of this article, the presenter read through each one of the EULA's terms. The audience's reaction was one of initial amusement coupled with an utter lack of understanding of the rationale for any of them.

Granted, this does not amount to an empirical analysis of the issue. However, when so many legal experts bewilderingly shake their heads when asked "why are these provisions necessary?" that raises a very serious question. If the terms are unnecessary, then even assuming for the sake of argument that Sony successfully obtained valid user consent to its EULA, do they amount to an abuse of license?

Eventually, Sony realized that its behavior was not what its consumers wanted, expected, or would be willing to put up with. In a salvage attempt, it proposed one settlement in which Sony would provide the following:
  • A replacement CD.
  • A cash benefit of $7.50.
  • Free downloads of the music on the CD.
  • Up to three additional free album downloads.
  • Software updates to fix known security vulnerabilities.
  • Disclose security vulnerabilities discovered in the future.
  • Ensure that, "until 2008, any future content protection software will be fully and accurately disclosed, independently tested, and readily uninstalled."
Whether or not this compensation package is acceptable to those "injured" by Sony's behavior or, for that matter, appropriate as a deterrent to others is open to debate, and the cases against Sony for their allegedly overreaching use of DRM software are still going forward.

That said, lawyers should take note of the practical lessons offered by this saga:

(1) Provide clear and conspicuous disclosure on the outside packaging so that users know the DRM software is included before they open the CD. The strength of the notice on the outside of the package will doubtless be the subject of debate, with copyright holders arguing that the notice should be minimal so as not to scare off consumers needlessly. That notwithstanding, it is doubtless that any copyright holder would be covered if a consumer purchases a CD that clearly contains the following notice:
  • Attention: This CD will install a software application on your computer that will monitor the contents on your hard drive and alert [name of copyright owner] to any infringing use;
(2) repeat in the EULA a full and simply worded disclosure of the operation of the DRM software, specify that it includes a rootkit, and an explanation of what the rootkit and software will do; and

(3) provide an easy and workable detection and removal process that will not damage the operating system, even if the uninstaller has to delete the protected content it placed on the hard drive on its way out.

Following these simple steps should avert any similar future controversy, which is no small thing considering the significant expenses Sony has incurred in dealing with the issues raised by its DRM software. Taking appropriate measures to avoid future controversy is an excellent way to ensure that the legal tools available are in sync with the business needs of clients.

Other resources

The Section's Cyberspace Committee considers the following items its "e-contracting trilogy":
  • "Click-Through Agreements: Strategies for Avoiding Disputes on Validity of Assent," Christina L. Kunz et al., 57 Business Lawyer 401 (Nov. 2001)
  • "Browse-Wrap Agreements: Validity of Implied Assent in Electronic Form Agreements," Christina L. Kunz et al. (a different et al.), 59 Business Lawyer 279 (Nov. 2003)
  • "Strategies For Modifying Electronic Agreements and Policies," a CLE program presented by the Business Law Section's Cyberspace Committee at the Spring 2005 meeting.
Bowles is president of Aristotle.net Inc., in Little Rock, Ark. Her e-mail is ebowles@aristotle.net. Kahana is a corporate lawyer with DataCard Corp., in Minnetonka, Minn. His e-mail is eran_kahana@datacard.com. Opinions expressed here are his own.
