
The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident



Late in 2005, Sony BMG released millions of Compact Discs containing digital rights management technologies that threatened the security of its customers' computers and the integrity of the information infrastructure more broadly. This Article aims to identify the market, technological, and legal factors that appear to have led a presumably rational actor toward a strategy that in retrospect appears obviously and fundamentally misguided.

The Article first addresses the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, and argues that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict these harms on the public.

The Article concludes with two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and antitrafficking provisions that enable security research and the dissemination of tools to remove harmful protection measures. Second, the Federal Trade Commission should leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers.
eScholarship provides open access, scholarly publishing
services to the University of California and delivers a dynamic
research platform to scholars worldwide.
Berkeley Center for Law and Technology, UC Berkeley
Law and Technology Scholarship

The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident
Mulligan, Deirdre, University of California, Berkeley
Perzanowski, Aaron K., UC Berkeley School of Law
Publication Info: Law and Technology Scholarship, Berkeley Center for Law and Technology, UC Berkeley
Keywords: DRM, TPM, copy protection, HCI-Sec, rootkit, copyright, DMCA, security
By Deirdre K. Mulligan & Aaron K. Perzanowski‡‡
I. INTRODUCTION ..... 1158
II. UNDISCLOSED HARM AND EXTERNALITIES ..... 1166
A. DIRECT HARM TO SONY BMG, ITS ARTISTS, AND ITS CUSTOMERS ..... 1166
III. MARKET INFLUENCES ..... 1177
A. THE ROOTKIT INCIDENT AS MISTAKE ..... 1178
B. THE ROOTKIT INCIDENT AS CALCULATED RISK ..... 1181
IV. THE ROLE OF TECHNOLOGY ..... 1188
A. TECHNOLOGY AS ENCOURAGEMENT ..... 1189
1. The PC as Playback Device ..... 1189
2. The Lack of an Encrypted Format ..... 1192
B. TECHNOLOGY AS ENABLEMENT ..... 1194
V. EXISTING LAW AND SKEWED INCENTIVES ..... 1196
A. THE DMCA’S VEIL OF SECRECY ..... 1198
B. THE INSUFFICIENCY OF CONSENT ..... 1205
SOFTWARE DOWNLOADS AND PRIVACY ..... 1211
VI. REALIGNING SKEWED INCENTIVES ..... 1218
STATUTORY EXEMPTION TO THE DMCA ..... 1221
VII. CONCLUSION ..... 1231

© 2007 Deirdre K. Mulligan and Aaron K. Perzanowski. The authors hereby permit the use of this article under the terms of the Creative Commons Attribution 3.0 United States license, the full terms of which are available at http://creativecommons.-
Clinical Professor of Law; Director, Samuelson Law, Technology & Public Policy Clinic; Director, Clinical Program, University of California, Berkeley School of Law (Boalt Hall).
‡‡ Associate, Fenwick & West LLP; J.D., University of California, Berkeley School of Law (Boalt Hall), 2006.
Much appreciation to Pamela Samuelson, Chris Hoofnagle, Fred B. Schneider, Matt Blaze, Edward Felten, Aaron Burstein, Ka-Ping Yee, Joseph Lorenzo Hall, Nathaniel Good, Fred von Lohmann, Jennifer M. Urban, Jack I. Lerner, the participants at the Copyright, DRM Technologies, and Consumer Protection Conference, and the TRUST (The Team for Research in Ubiquitous Secure Technology) Industrial Advisory Board members for insight, comment, and discussion; Edward Felten and J. Alex Halderman for giving us the opportunity to advise them on legal aspects of their research; Sara Adibisedeh, Azra Medjedovic, and Brian W. Carver for their assistance in providing that advice; Victoria Bassetti and others in industry for answering questions and providing helpful direction; and Sarala V. Nagala and Rebecca Henshaw for their able research. This paper would not have been possible without the support for interdisciplinary research provided by TRUST (The Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422). Finally, the authors wish to thank Rebecca M. Fisher for providing the inspiration for the title of this article.
I. INTRODUCTION

Late in 2005, as many as two million1 computer users learned that software unknowingly installed on their machines effectively ceded control of their computers and data to any enterprising hacker with the necessary ill intent. This software tool, known as a rootkit, enabled a host of attacks on individual users and both private and public network infrastructure. But the rootkit, a tool rarely employed by legitimate software developers,2 was not installed by a virus attached to unscanned e-mails, nor was it bundled with adware developed by a disreputable vendor. It was instead distributed by Sony BMG Music Entertainment (Sony BMG), the world’s second largest record label,3 on millions of Compact Discs (CDs) sold to an unsuspecting public. The unwitting recipients of this software, Sony BMG’s own customers, did no more than attempt to listen to lawfully purchased music on their computers.

1. Jefferson Graham, Sony to Pull Controversial CDs, Offer Swap, USA TODAY, Nov. 15, 2005, at 1B; Tom Zeller Jr., Sony BMG Stirs a Debate Over Software Used to Guard Content, N.Y. TIMES, Nov. 14, 2005, at C1.
2. Rootkits have been used in some instances by anti-virus software developers to protect their software from attack, but this incorporation of a rootkit into otherwise legitimate software sparked significant debate. See MCAFEE, ROOTKITS, PART 1 OF 3: THE
3., BMG—A Passion for Music, bertelsmann_corp/wms41/bm/index.php?ci=26&language=2 (last visited Sept. 6, 2007).
By the time the Sony BMG rootkit found its way to store shelves, CD-based copy protection schemes were nothing new. A variety of protection measures had been introduced on previous major label releases.4 Although they differed in technological detail, these measures all aimed to disable or limit the ability of customers to access and copy music contained on CDs. XCP, a CD-based protection measure developed by First4Internet and distributed by Sony BMG,5 initially appeared to be no different than its predecessors. XCP created generally unwanted and unexpected restrictions on the ability to use lawfully purchased CDs. But in October of 2005, after CDs protected by XCP had been on the market for several months, computer engineer and security expert Mark Russinovich discovered that XCP incorporated a rootkit.6 While Russinovich was not the first security researcher to uncover problems with Sony BMG’s protection measures, he was the first to publicly disclose the presence of the rootkit because of the pall hanging over research in this field.7 A blog post authored by Russinovich, and the media response it prompted,8 alerted the public to the presence of the rootkit, offering the first glimpses into the potential security disaster enabled by Sony BMG’s DRM.
As the public learned in the wake of Russinovich’s disclosure, rootkits are software tools, frequently employed by developers of malicious software (malware),9 that allow programmers to cloak files and processes, effectively hiding their existence and operation from both a computer’s user and the machine’s operating system.10 These cloaking devices can facilitate any number of attacks on individual computers including coordinated offenses against websites, computer networks, and the internet itself. Once installed, a rootkit can be used to hide any code, regardless of its author’s original purpose. As such, a hacker’s ambition and imagination serve as the primary constraints on the destructive effects rootkits enable.11

reports/2003/679.pdf; Evan Hansen, Celine Dion Disc Could Crash European PCs, ZDNET.CO.UK, Apr. 5, 2002,,1000000097,2107848,00.htm; John Leyden, Marker Pens, Sticky Tape Crack Music CD Protection, THE REGISTER, May 14, 2002, tape_crack/ (discussing how a Celine Dion CD can prevent Macs from rebooting); Tony Smith, BMG to Replace Anti-Rip Natalie Imbruglia CDs, THE REGISTER, Nov. 19, 2001,
5. The other three major labels—Universal Music Group, Warner Music Group, and EMI—were also First4Internet customers and had included XCP on certain pre-release materials. See Sony Tests Technology to Limit CD Burning, CNET.CO.UK, June 1,
6. Mark’s Blog, sony-rootkits-and-digital-rights-management-gone-too-far.aspx (Oct. 31, 2005, 11:04
7. See infra Part II.
8. See Mark’s Blog, 31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx (Oct. 31, 2005, 11:04 PST); Paul F. Roberts, Sony BMG Hacking Into CD Buyers’ Computers, FOXNEWS.COM, Nov. 03, 2005,,2933,174334,00.html; Francis Till, Sony Plants Secret Controls on PCs, NATL BUS. REV., Nov. 3, 2005,
While Sony BMG’s customers first became aware of the dangers posed by the rootkit through media reports following Russinovich’s October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier.12 Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit.13 Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

9. “Malware,” short for malicious software, is a catch-all term that refers to any software designed to cause damage to a single computer, server, or computer network, and includes spyware, viruses, and other varieties of harmful software. Robert Moir, Defining Malware: FAQ, Oct. 1, 2003, info/malware.mspx; see also Adam Baratz & Charles McLaughlin, Malware: What is It and How to Prevent It, ARS TECHNICA, Nov. 11, 2004,
KERNEL 4, 8-10 (Addison-Wesley ed., 2005). Within the computer security community, there was some debate over the proper classification of XCP. Some deemed XCP a rootkit, while others applied the more ambiguous label of Potentially Unwanted Program. See MCAFEE, supra note 2, at 3.
11. Hackers could exploit the cloaking capabilities of the XCP rootkit simply by adding the prefix “$sys$” to the name of any files they chose to obscure. J. Alex Halderman & Edward W. Felten, Lessons from the Sony CD DRM Episode, in USENIX ASSN, PROCEEDINGS OF THE 15TH USENIX SECURITY SYMPOSIUM 77, 18 (2006), available at (updated version).
12. Posting of Ed Felten to Freedom to Tinker, ?p=937 (Nov. 30, 2005, 06:41 EST).
13. Steve Hamm, Sony BMG’s Costly Silence, BUS. WK., Nov. 29, 2005, http://- In fact, according to Thomas Hesse, President of Sony BMG’s Global Digital Business group, the alert from F-Secure was seen as a “routine matter” and “did not suggest that this software was anything but benign.” Id. Even after F-Secure explained that the rootkit posed a major security risk, Sony BMG “didn’t seem inclined to do anything about the CDs that were already in circulation” and “wanted to keep the problem quiet.” Id.
Although Sony BMG claimed it was taking steps to address the issue,14 it took no discernible action until Russinovich made the threat posed by the software a matter of public knowledge. And even then, Sony BMG attempted to downplay the importance of the rootkit discovery. As Thomas Hesse, Sony BMG’s President of Global Digital Business, rhetorically asked, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”15

Subsequently, in an attempt to mollify customers who had already purchased the infected CDs, Sony BMG offered tools to uninstall XCP.16 But, as discussed infra, those tools did more harm than good.17 In order to stem the tide of public outcry and potentially mitigate further damages, Sony BMG finally announced in mid-November its intention to recall the millions of XCP-infected CDs that remained in the retail chain.18

But even before the XCP recall was announced, the focus of scrutiny began to shift to Sony BMG’s other preferred technological protection measure, SunnComm’s MediaMax software. Unlike XCP, MediaMax did not employ a rootkit, but it did introduce other significant security vulnerabilities.
MediaMax enabled a dangerous privilege escalation.19 When installed, MediaMax created a directory called “SunnComm Shared” on the user’s hard drive.20 MediaMax set file permissions for this directory and its contents that enabled any user of the computer, whether she had administrator privileges or not, to read, modify, or delete the contents of the directory.21 These permissions enabled a guest or remote user to replace the MediaMax files with malicious code, either intentionally or inadvertently. When a user with administrator privileges later inserted a MediaMax disc, that malicious code would be activated, triggering all manner of potential attacks.22 When SunnComm released a patch to address this threat, it created vulnerabilities similar to those caused by the XCP uninstall tool.23

14. Id.
15. Neda Ulaby, Sony Music CDs Under Fire from Privacy Advocates (National Public Radio Program broadcast Nov. 4, 2005), available at
16. Id.
17. See infra notes 40-42 and accompanying text.
18. Tom Zeller, Jr., CD’s Recalled for Posing Risk to PC’s, N.Y. TIMES, Nov. 16, 2005, at C1.
19. See Wikipedia, Privilege Escalation, _escalation (last modified July 26, 2007) (“Privilege escalation is the act of exploiting a bug in an application to gain access to resources which normally would have been protected from an application or user. The result is that the application performs actions with a higher security context than intended by the application developer or system adminis-
20. Jesse Burns & Alex Stamos, Information Security Partners, Media Max Access Control Vulnerability 1 (2005),
21. Id.
Second and more fundamentally, MediaMax requires a user to possess administrator privileges simply to listen to a CD.24 Requiring the use of an administrator account for such mundane purposes is both “unnecessary and dangerous.”25 Further compounding the security vulnerabilities created by MediaMax, one component of the software, a kernel process capable of altering any aspect of the system, is loaded into memory at all times, regardless of the presence of a MediaMax CD.26
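The MediaMax weakness just described (a folder that any local account can modify, whose contents later execute when an administrator inserts a disc) is a general pattern that can be audited for on any Windows host. The PowerShell script below is an added example, not code from the article or from SunnComm; the default path is a placeholder standing in for the “SunnComm Shared” folder, and the list of broad principals, the extensions treated as executable and the severity labels are the example's own assumptions.

```powershell
# Added example (not from the article or from SunnComm): flag directories whose
# ACL grants write access to broad principals while holding executable content,
# the MediaMax pattern described in the text. Path and lists below are assumptions.
param(
    # Placeholder standing in for the "SunnComm Shared" folder; pass any folder to audit.
    [string]$Path = (Join-Path $env:ProgramFiles 'SunnComm Shared')
)

# Identities that amount to "any user of this machine", guests included.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller add, replace or remove files, or rewrite the ACL itself.
# Modify and FullControl both include these bits, so they are caught as well.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Extensions a later privileged run could load as code.
$ExecutableExtensions = @('.exe', '.dll', '.sys', '.ocx')

function Get-BroadWriteAce {
    # Returns the Allow ACEs on $Acl that give a broad principal any write right.
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { $ace }
    }
}

function Test-WritableExecutableDirectory {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        return [pscustomobject]@{ Directory = $Directory; Finding = 'Not present'; WeakAces = @(); Executables = @(); WeakFiles = @() }
    }

    # Directory-level ACEs that let non-admins drop or replace files.
    $weakDirAces = @(Get-BroadWriteAce -Acl (Get-Acl -LiteralPath $Directory))

    # Executable payloads sitting in the folder (recursing into subfolders).
    $executables = @(Get-ChildItem -LiteralPath $Directory -Recurse -File -ErrorAction SilentlyContinue |
                     Where-Object { $ExecutableExtensions -contains $_.Extension })

    # A tight folder ACL is not enough: an individual binary may still be writable.
    $weakFiles = @($executables | Where-Object {
        @(Get-BroadWriteAce -Acl (Get-Acl -LiteralPath $_.FullName)).Count -gt 0
    })

    $finding = if (($weakDirAces.Count -gt 0 -and $executables.Count -gt 0) -or $weakFiles.Count -gt 0) {
        'HIGH: non-admin write access to executable content'
    } elseif ($weakDirAces.Count -gt 0) {
        'MEDIUM: non-admin write access, no executables found'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Directory   = $Directory
        Finding     = $finding
        WeakAces    = @($weakDirAces | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
        Executables = @($executables | ForEach-Object { $_.FullName })
        WeakFiles   = @($weakFiles | ForEach-Object { $_.FullName })
    }
}

Test-WritableExecutableDirectory -Directory $Path | Format-List
```

Remediation for a HIGH finding is to restrict write access on the folder and its binaries to SYSTEM and Administrators, and never to run content from a user-writable location in an elevated context.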
Although the technological source of the security threats introduced by XCP and MediaMax differed, as researchers soon discovered, the creators of both protection measures exhibited other behavior typically associated with the purveyors of spyware. For example, the software End User License Agreements (EULAs) were rife with overreaching terms.27 More troublingly, some of the EULA terms were simply untrue. The EULAs professed that the software would collect no information about the user or her computer,28 as did assurances offered by SunnComm and Sony BMG on their websites29 and in the press.30 But despite the obvious sensitivity to privacy concerns reflected in the public statements issued by these companies,31 the behavior of their protection measures told a different story. Each time a user listened to a MediaMax or XCP-protected CD, data were collected and transmitted to Sony BMG that included the user’s IP address and a code corresponding to the particular CD title.32

Even if a user declined the Sony BMG EULA, thereby forgoing the ability to access the CD on a computer,33 components of the MediaMax software were loaded temporarily onto the user’s machine.34 One component—a device driver that interfered with the ability of the computer’s CD-ROM drive to copy data—was often permanently installed despite the computer owner’s explicit refusal of the EULA terms.35 This driver was loaded as part of the Windows kernel and could potentially “control virtually any aspect of the computer’s operation.”36

Compounding these concerns, both First4Internet and SunnComm, like many malware vendors, initially failed to provide users with an uninstaller to remove their software in its entirety.37 After news of the XCP rootkit broke, Sony BMG initially offered a software update that, in its words, “remove[d] the cloaking technology component that has been recently discussed in a number of articles.”38 Given the size of the update and its creation of new files on the user’s computer, some suggested that the update simply replaced one cloaking mechanism with another.39

22. Id. at 5.
23. Posting of Ed Felten to Freedom to Tinker, http://www.freedom-to- (Dec. 7, 2005, 10:33 EST). The original patch was later replaced with one that avoided these problems. Id.
24. Posting of Ed Felten to Freedom to Tinker, http://www.freedom-to- (Nov. 22, 2005, 03:51 EST).
25. Id.
26. Id.
27. The Sony BMG EULA terminated the rights of consumers if, inter alia, the original CD was stolen or the user filed for bankruptcy. The EULA also prohibited users from using the CD on an office computer, limited Sony BMG’s liability to $5.00, and permitted Sony BMG to install and use backdoors in the copy protection software or media player to enforce its rights at any time, without notice. See Fred von Lohmann, Now the Legalese Rootkit: Sony-BMG’s EULA, DEEP LINKS, Nov. 9, 2005, http://www.eff.-
28. See infra text accompanying note 214.
29. Posting of J. Alex Halderman to Freedom to Tinker, http://www.freedom-to- (Nov. 12, 2005, 12:30 EST).
30. See, e.g., Sony Sued Over Controversial CDs, BBC NEWS, Nov. 22, 2005,; Carrie Kirby, Sony Gets an Earful Over CD Software; Program to Block Music Piracy Prompts Privacy, Security Worries, S.F. CHRON., Nov. 11, 2005, at A1; Bruce Schneier, Real Story of the Rogue Rootkit, WIRED, Nov. 17, 2005,
31. This sensitivity was likely due, in part, to earlier controversy over media players that report users’ listening and viewing habits. After a security consultant discovered that the RealJukebox transmitted to RealNetworks a unique code corresponding to each customer and the names of the CDs to which each user listened, Real quickly issued a patch that disabled the transmission of this data. See Stuart J. Johnston, RealPrivacy in the New Millennium?, PCWORLD, Dec. 17, 1999,,14419-page,-
32. Posting of Ed Felten to Freedom to Tinker, ?p=923 (Nov. 10, 2005, 08:25 EST); Mark’s Blog, and-phoning-home.aspx (Nov. 4, 2005 12:04 PST); posting of J. Alex Halderman to Freedom to Tinker, (Nov. 12, 2005, 12:30 EST). At least in part, this software served a fairly benign function—namely, to update images and lyrics displayed while users listened to the CD.
33. If a user declined to accept the EULA, the CD was automatically ejected. Halderman & Felten, supra note 11, at 6.
34. Id. at 7; Posting of J. Alex Halderman to Freedom to Tinker, (Nov. 12, 2005 12:30 EST); Posting of J. Alex Halderman to Freedom to Tinker, (Nov. 28, 2005 14:23
35. Posting of J. Alex Halderman to Freedom to Tinker, http://www.freedom-to- (Nov. 28, 2005 14:23 EST).
36. Id.
37. Posting of Ed Felten to Freedom to Tinker, http://www.freedom-to- (Nov. 10, 2005, 08:25 EST); Halderman & Felten, supra note 11, at
Once mounting public pressure demanded that uninstallers be provided, Sony BMG required customers to endure a Byzantine series of webpages, e-mails, and downloads before finally ridding themselves of XCP.40 But Sony BMG’s missteps were not limited to a lack of transparency and convenience. The web-based XCP uninstaller created security threats equal in magnitude to the rootkit it was intended to eliminate, permitting malicious code embedded in any website to attack unsuspecting customers who took steps to protect their machines by uninstalling the rootkit.41 Days later, when SunnComm announced a web-based uninstaller for its Media Max DRM, it suffered from a nearly identical flaw.42
The temptation to write off Sony BMG’s long and unfortunate series of missteps as a display of utter disregard, or even contempt, for user security and privacy is a strong one. Although the truth likely contains some traces of these simple narratives, any reconstruction of the rootkit incident that approaches reality reveals a more complicated story. Casting Sony BMG as a hapless licensee of flawed protection measures developed by irresponsible third party vendors does not shed any light on the possible failures of internal procedures to identify and prevent such mishaps and the misalignment of interests that cause them. Understanding the complex array of factors that contributed to Sony BMG’s actions and reactions is an essential first step toward the adoption of policies and mechanisms to prevent similar incidents in the future.

14; Posting of J. Alex Halderman to Freedom to Tinker, http://www.freedom-to- (Nov. 12, 2005, 12:30 EST).
38. Sony BMG Music Entertainment, Software Updates/Plug-ins (Nov. 7, 2005),, available at web/20051107020216/ (last visited Sept. 6, 2007).
39. Posting of Ed Felten to Freedom to Tinker, http://www.freedom-to-tinker.com/?p=921 (Nov. 3, 2005, 07:35 EST).
40. Mark’s Blog, sony-you-don-t-reeeeaaaally-want-to-uninstall-do-you.aspx (Nov. 9, 2005, 11:31 PST); Posting of Ed Felten to Freedom to Tinker, (Nov. 10, 2005, 08:25 EST). SunnComm required similar steps. Posting of J. Alex Halderman to Freedom to Tinker, (Nov. 17, 2005, 13:46 EST).
41. Posting of J. Alex Halderman & Ed Felten to Freedom to Tinker, http://www.- (Nov. 15, 2005 07:07 EST); Posting of J. Alex Halderman to Freedom to Tinker, (Nov. 15, 2005, 15:46
42. Posting of J. Alex Halderman to Freedom to Tinker, http://www.freedom-to- (Nov. 17, 2005, 13:46 EST).
This Article aims to identify the market, technological, and legal factors that appear to have led a presumably rational actor toward a strategy that in retrospect appears obviously and fundamentally misguided. Part II begins by considering the harm that resulted from Sony BMG’s DRM strategy—both the damage to Sony BMG and its customers as well as the negative externalities imposed on a broad range of third parties. Part III examines potential market-based rationales that influenced Sony BMG’s deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG’s internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures in Part IV, we examine law, the third vector of influence on Sony BMG’s decision to release flawed protection measures into the wild, in Part V. We argue that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict such harms on the public.

Finally in Part VI, we present two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, we suggest that Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and anti-trafficking provisions in order to enable security research and the dissemination of tools to remove harmful protection measures. Second, we offer promising ways to leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers. The Federal Trade Commission (FTC), under its existing authority to protect consumers from deceptive and unfair practices, could develop best practices and regulations regarding the installation of software and the collection and transmission of information about users, their computers, and their actions. In addition, we recommend that the FTC explore the development of standards for security in the context of software and online data collection ac-
II. UNDISCLOSED HARM AND EXTERNALITIES

Before attempting to reconstruct the system of incentives that impelled Sony BMG to distribute the XCP and MediaMax protection measures, a clear accounting of both the actual and potential damage wrought by these technologies is in order. The harms flowing from the rootkit incident were varied and wide-reaching. The security flaws inherent in Sony BMG’s DRM left users open to attack, and the DRM collected data about users’ private activities without proper disclosure. Moreover, Sony BMG, as well as its artists, suffered damage to their reputation and bottom line as a result of the rootkit incident. But the effects of the rootkit extended well beyond the parties to these transactions. The rootkit incident threatened both the security of the network infrastructure and the future of DRM technology. This Part briefly summarizes the harms suffered by the parties directly involved in the rootkit incident and then considers the broad social costs that resulted from Sony BMG’s failure to fully account for the impact of its technology.
A. Direct Harm to Sony BMG, its Artists, and its Customers
The vulnerabilities created by Sony BMG’s DRM gave rise to an array of potential abuses. The XCP rootkit permitted a hacker to write malicious code that, once installed on a user’s computer, would run undetected so long as the name of the file containing that code began with the prefix “$sys$.”43 Similarly, the MediaMax privilege escalation allowed an attacker to replace code installed on users’ machines and automatically executed upon insertion of a MediaMax disc.44 Practically any malicious code authored by a hacker could take advantage of these general purpose security holes. The user’s data could be altered, deleted, or even held for ransom; the machine could be rendered inoperable; a program could sniff sensitive passwords or collect financial records and other personal data; trade secrets and other corporate information could be collected; illegal data could be downloaded and stored on the user’s machine. In short, these protection measures provided the means for remote attackers to take control of customers’ computers.

Although these attacks represent worst case scenarios, the threats posed by Sony BMG’s DRM were far from theoretical. Within days of the public rootkit announcement, malicious code leveraging the XCP protection scheme to hide from antivirus programs and system administrators was spreading across the internet. A Trojan Horse45 discovered early in November of 200546—variously referred to as Backdoor.Ryknos,47 Breplibot,48 and Stinx-E49—attempted to take advantage of the cloaking capabilities of the rootkit.50 Backdoor.Ryknos was transmitted via spam e-mail messages. Once on a user’s system, it opened a back door to connect to an IRC51 channel where the attacker could remotely control the user’s system.52 The remote attacker could download, delete, and execute files,53 and send information about the compromised machine.54 Antivirus and security software providers, already on the lookout for code intended to take advantage of the rootkit, quickly mobilized to identify and remove this Trojan. The high profile of the Sony BMG rootkit, coupled with this speedy response, likely discouraged others from attempting to further exploit the rootkit vulnerability.

43. Halderman & Felten, supra note 11, at 18.
44. Id. at 17.
To make matters worse, Sony BMG’s surreptitious software installation and undisclosed data collection impeded the ability of computer users to make informed choices about security and privacy. The “phone home” feature of Sony BMG’s DRM undermined customer privacy by collecting and transmitting information about users’ interactions with protected CDs, including users’ IP addresses.55 But the EULA governing DRM-protected Sony BMG CDs explicitly disavowed any collection or dissemination of data related to customers or their computers. These misleading terms rendered Sony BMG customers incapable of offering informed consent to the data collection engaged in by XCP and MediaMax. Through this duplicity, Sony BMG deprived its customers of the ability to protect their own pri-

45. Trojan Horses are programs that may appear benign or useful but in fact harbor malicious code. See MCAFEE, supra note 2, at 4.
46. Elia Florio,, Backdoor.Ryknos—Technical Details, http://www.- (last updated Feb. 13, 2007).
47. See Elia Florio,, Backdoor.Ryknos—Summary, http://www.- (last updated Feb. 13, 2007).
48. See Jarkko Turkulainen,, F-Secure Virus Descriptions: Breplbot.b, (last updated Nov. 11, 2005); McAfee Threat Center, W32/Brepibot, htm#VirusChar (last updated Feb. 1, 2006).
49. See Sophos Threat Analysis, Troj/Stinx-E, analyses/trojstinxe.html (last visited Sept. 6, 2007).
50. Florio, supra note 47.
51. Internet Relay Chat (“IRC”) is an open protocol used for text-based internet communication. See generally Wikipedia, Internet Relay Chat, wiki/Internet_Relay_Chat (last updated May 11, 2007).
52. Florio, supra note 46.
53. Id.; Turkulainen, supra note 48.
54. Florio, supra note 46.
55. In some instances the IP addresses collected by these protection measures could provide sufficient data to identify the user’s location and identity. PETER ECKERSLEY ET
Sony BMG also failed to disclose adequately the security failures of its
DRM. Components of these measures were installed—sometimes perma-
nently—before customers were confronted with the EULA terms.56 The
CD packaging, which was the only means of pre-installation notice, con-
tained precious few indicia of the DRM contained within. The CD jewel
cases featured the International Federation of the Phonographic Industry
(IFPI) “Content Protected” logo on their spines57 and a small nondescript
“content protection grid” that provided general information and system
requirements on their back covers.58 These half-hearted disclosures failed
to provide Sony BMG customers with fair warning of the security and pri-
vacy threats created by these DRM schemes or the scope of the limitations
that they imposed on the use of the media.
Once the public became aware of the undisclosed costs of XCP and
MediaMax, Sony BMG discovered that it was not insulated from the fall-
out of its own DRM strategy. CDs distributed with these protection meas-
ures experienced a steep drop-off in sales within some market segments.
Later, the recall of millions of XCP and MediaMax discs led to significant
expense and further lost sales opportunities.59 In addition, Sony BMG
PRIVACY (2006),
56. Posting of J. Alex Halderman to Freedom to Tinker, http://www.freedom-to- (Nov. 12, 2005, 12:30 EST); Posting of J. Alex Halderman to Free-
dom to Tinker, (Nov. 28, 2005, 14:23 EST).
57. Electronic Frontier Foundation, A Spotters’ Guide to XCP and SunnComm’s
MediaMax, (last visited Sept. 6,
58. See Figure 1, infra Part V; see also Sony BMG Music Entertainment, CD’s Con-
taining XCP Content Protection Technology,
html (last visited Sept. 6, 2007).
59. Tom Zeller Jr., Sony BMG to Recall Copy-Restricted CDs, INTL HERALD TRIB.,
Nov. 17, 2005, Finance at 13; Tom Zeller, Jr., Technology; CD’s Recalled For Posing
Risk to PC’s, N.Y. TIMES, Nov. 16, 2005, at C1; Sony BMG Recalls Discs With Flawed
Protection System (Update4), BLOOMBERG.COM, Nov. 16, 2006, http://www.-; Paul Tay-
lor, Sony BMG Bows to Pressure, FT.COM, Nov. 16, 2005,
spent millions to settle the steady stream of lawsuits arising out of the
rootkit incident.60 Less quantifiably, the resulting backlash from artists and
customers significantly damaged the reputations of Sony BMG and its
parent corporations.
Potential customers who were aware of the existence and dangers posed by Sony BMG’s protection measures steered clear of XCP discs. The sales history of Get Right with the Man, an XCP-infected album by Van Zant that was released some six months prior to the rootkit announcement, is emblematic of the online retail impact of the rootkit incident. On November 2, just two days after the initial public announcement of the rootkit, Get Right with the Man ranked at number 887 on the music charts at Amazon.61 The next day, after Amazon user reviews alerted shoppers to the dangers posed by XCP, the album dropped to number 1,392.62 By the Thanksgiving holiday weekend, the XCP recall was underway and the album had plummeted to number 25,802.63 In contrast, in retail environments in which customers had less immediate access to information about the dangers of XCP, sales of Get Right with the Man were relatively undisturbed.64 Since brick-and-mortar retailers like Wal-Mart, the nation’s leading seller of CDs,65 do not facilitate the sort of customer feedback common to online retailers, this outcome is hardly surprising.
Once Sony BMG instituted the recall of the remaining XCP-protected discs, and later MediaMax CDs, its albums were largely unavailable for purchase. In total, Sony BMG recalled 4.7 million XCP-protected CDs, roughly 2.6 million of which had not yet been sold.66 The XCP recall cost Sony BMG roughly $6.5 million in return fees and manufacturing costs.67 Although the twenty million MediaMax discs it distributed were never officially recalled,68 Sony BMG ceased production of MediaMax discs in December of 2005.69 Various state Attorneys General negotiated the destruction of the remaining stock of MediaMax CDs at Sony BMG’s expense.70 In addition, Sony BMG’s subsequent settlement with the FTC established an incentive program to prompt retailers to return any remaining
Not surprisingly, Sony BMG artists and their management lashed out at the label for its use of these protection measures.72 Even before news of the rootkit broke, artists expressed their frustration with protected CDs, which, among other things, prevented fans from transferring music to their iPods.73 In a message to fans, Tim Foreman, of Sony BMG band Switchfoot, wrote,
We were horrified when we first heard about the new copy-protection policy that is being implemented by most major labels . . . and immediately looked into all of our options for removing this from our new album . . . . It is heartbreaking to see our blood, sweat, and tears over the past 2 years blurred by the confusion and frustration surrounding this new technology.74
This dissatisfaction only grew once artists and fans learned of the dangers posed by these technologies. The manager for Sony BMG artist Trey Anastasio, whose November 1 album release was marred by the inclusion of XCP, called the incident “a complete fiasco that will impact the entire industry,” and an “inexcusable blunder on the labels’ part.”75 Another Sony BMG artist, My Morning Jacket, not only provided instructions on its website that enabled fans to bypass the MediaMax software on the band’s album Z, but also sent over one hundred burned copies of the album to fans dissatisfied with the DRM.76 In a New York Times Op-Ed, Damian Kulash, of the band OK Go, who narrowly avoided the inclusion of DRM on their EMI release Oh No in part because of the band’s protestations, described copy protection software as “at best a nuisance, and at worst a security threat.”77
60. See infra note 69.
61. Lorraine Woellert, Sony’s Escalating “Spyware” Fiasco, BUS. WK., Nov. 22,
62. Id.
63. Id.
64. John Borland, Sony Sailing Past Rootkit Controversy, CNET NEWS.COM, Nov. 21, 2005,
65. Max Fraser, The Day the Music Died, THE NATION, Nov. 27, 2006, http://www.-
66. Hiawatha Bray, New Security Flaw Vexes Sony BMG Piracy Battle, BOSTON GLOBE, Dec. 8, 2005, new_security_flaw_vexes_sony_bmg_piracy_battle; Brian Garrity & Ed Christman, Sony BMG Recalls Copy Protected CDs, BILLBOARD.COM, Nov. 18, 2005, http://billboard.com/bbcom/news/article_display.jsp?vnu_content_id=1001524942. Even after the recall, the copy-protected CDs were still available in many states. Arik Hesseldahl, Spitzer Gets on Sony BMG’s Case, BUS. WK., Nov. 29, 2005,
67. Brian Garrity & Ed Christman, supra note 66.
68. Juan Carlos Perez, FTC Seeks Public Comment on Sony Rootkit Settlement, COMPUTER WORLD, Jan. 30, 2007,
69. Settlement Agreement at 27, In re Sony BMG CD Techs. Litig., No. 1:05-CV-09575 (S.D.N.Y. Dec. 28, 2005), available at
70. Respondent Assurance of Voluntary Compliance or Discontinuance at 16, In re Sony BMG Music Entertainment (S.D.N.Y. Dec. 21, 2006), available at http://www.nj.-
71. Press Release, Federal Trade Commission, Sony BMG Settles FTC Charges (Jan. 30, 2007), available at
72. Brian Hiatt, Sony XCP Bomb Sparks Rage, ROLLING STONE, Nov. 28, 2005,
73. Halderman & Felten, supra note 11, at 15.
74. Tim Rogers, Stupid CD Copy Protection—Switchfoot Responds, BLOGCRITICS MAGAZINE, Sept. 22, 2005,
The outcry from fans, artists, and consumer advocates alike gave rise
to a palpable shift in the public perception of Sony BMG and its parent
corporations.78 Online petitioners called for a boycott of not only protected
Sony BMG CDs, but Sony products generally.79 In the fallout of the root-
kit incident, one leading technology media outlet ranked Sony BMG’s
protected discs fifth in its list of the worst technology products in his-
tory.80 The incident earned Sony BMG further distinction by being named
one of the top ten “dumbest moments in business” for 2005.81 Although
the financial impact of this public relations disaster is difficult to estimate,
Sony BMG remains, in the eyes of many consumers, inextricably associ-
ated with its misguided attempts at content protection.
B. Externalities Arising from the Rootkit Incident
Aside from its impact on Sony BMG and its customers, the rootkit incident inflicted broadly dispersed costs on individuals and institutions otherwise unconnected to Sony BMG’s DRM strategy. First, the insecurity introduced into individual computers led to network-wide vulnerabilities. Second, the rootkit incident undermined consumer acceptance of digital rights management technology. The first of these externalities foisted the costs of network insecurity onto the public, while the second decreased the value and viability of DRM strategies and forced Sony BMG’s partners and competitors within the content protection industry to rethink their
75. Hiatt, supra note 72.
76. James Montgomery, My Morning Jacket Tackle Copy-Protection Software Problems—By Burning CDs For Fans, Dec. 16, 2005,
77. Damian Kulash Jr., Buy, Play, Trade, Repeat, N.Y. TIMES, Dec. 6, 2005, at A27.
78. Olga Kharif, For Sony, a Pain in the Image, BUS. WK., Dec. 2, 2005, http://-; Sony BMG Hits the Wrong Note, COMPUTER BUS. REV. ONLINE, Nov. 16, 2005, http://-
79. The Sony Boycott Blog, (last visited Sept. 6, 2007); Boycott Sony!!! Petition, petition.html (last visited Sept. 6, 2007).
80. Dan Tynan, The 25 Worst Tech Products of All Time, PC WORLD, May 26,
81. Adam Horowitz et al., 101 Dumbest Moments in Business, BUSINESS 2.0, Jan. 2006, at 98, available at
Because of the distributed nature of the information infrastructure,
overall network security is, in part, a function of the security of the mil-
lions of private and personal computers that comprise it.83 As a result, at-
tacks on individual computers endanger, by extension, the network itself.
Improving and maintaining the security of our collective information in-
frastructure is an established national priority84—a national priority di-
rectly threatened by Sony BMG’s DRM.
These network vulnerabilities could manifest themselves in a number
of ways. First, XCP-infected machines could be exploited by attackers to
penetrate otherwise secure corporate, university, government, or military
networks. In the weeks following the public announcement of the rootkit,
the number of networks containing at least one installation of XCP topped
half a million.85 These networks suffered an increased risk of attack, leav-
ing the sensitive data they stored subject to theft or tampering.
Second, computers infected with Sony BMG’s DRM could serve as launching points for attacks on third party machines. An attacker could utilize the vulnerabilities created by these DRM systems to enlist thousands of machines, unbeknownst to their owners, into massive botnets,86 armies of so-called “zombie” computers that are directed to relay spam or conduct crippling distributed denial of service (DDoS) attacks.87 Past DDoS targets have included corporations and national security assets, including the infrastructure of the internet itself.88 Zombies may also be used to relay anonymous messages and hide the activities and communications of criminal and terrorist organizations from law enforcement.89
82. While network insecurity almost certainly functions as a negative externality, the impact of the lessened value of DRM is more difficult to classify in terms of overall social utility.
83. . . . AN OVERVIEW OF KEY ISSUES (Stewart D. Personick & Cynthia A. Patterson eds., Na-
84. . . . NATIONAL STRATEGY TO SECURE CYBERSPACE (2003), available at http://www.-
85. Quinn Norton, Sony Numbers Add Up to Trouble, WIRED, Nov. 15, 2005,; Dan Kaminsky, Welcome To Planet Sony, DOXPARA RESEARCH, Nov. 15, 2005,
Whether through direct access to protected networks or through dis-
tributed attacks, Sony BMG’s DRM threatened the basic operation of
critical services that rely on the network infrastructure, among them, fi-
nancial, communications, and disaster response services. The worst-case
scenarios of rootkit-enabled attacks were nothing short of catastrophic.
Although these potential outcomes may smack of doomsday prognostica-
tion, the Department of Homeland Security took note of the public threat
posed by Sony BMG’s DRM, cautioning that the XCP rootkit or similarly
misguided attempts to control copyrighted works could interfere with the
response to public health crises by compromising the security of the in-
formation infrastructure.90
Aside from the social cost of decreased security of the information infrastructure, the rootkit incident resulted in a second externality. By dramatically increasing public awareness of the restrictions on access and copying imposed by DRM technologies, while simultaneously corroding consumer confidence in their safety, the rootkit incident likely undermined the significant investments of both content providers and protection measure vendors in such technology. In the wake of the rootkit fiasco, major labels abandoned the use of DRM on CDs,91 and leading protection measure vendors ceased development of new CD-based DRM systems.92 But unlike the collective costs to security imposed by the rootkit incident, the reduced viability of DRM in the consumer music market may well represent a positive externality, rather than a negative one. To the extent the constraints and risk DRM imposed on consumers outweighed any benefits they conferred on copyright owners and the public, the reduction of DRM in the consumer marketplace could increase overall utility.
The impact of the rootkit incident has extended beyond the CD market, coloring consumer perception of the desirability of DRM and forcing copyright owners and technology companies to rethink their content protection strategies. DRM, of course, faced criticism long before the rootkit incident.93 But after the general public became more attuned to the presence and effects of DRM, in part through the debate sparked by the XCP rootkit, these criticisms came not only from consumer advocates, but from leading technology companies with intimate ties to the music industry as well. In December of 2006, Bill Gates decried the lack of “simplicity and interoperability” of the DRM technologies protecting music downloads.94 Others like Yahoo! Music chief David Goldberg urged the industry to drop DRM on downloads.95 These early critiques of DRM led the music industry to implement limited experiments in legitimate DRM-free
86. Posting of Ed Felten to Freedom to Tinker, ?p=1150 (Apr. 26, 2007, 10:41 EST) (discussing botnet threats in general).
87. A distributed denial of service attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. See, e.g., Press Release, U.S. Department of Justice, Man Pleads Guilty to Infecting Thousands of Computers Using Worm Program then Launching them in Denial of Service Attacks (Dec. 28, 2005), available at; Ellen Messmer, Web Sites Unite to Fight Denial-of-Service War, NETWORK WORLD, Sept. 25, 2000, ref=858966935; Jaikumar Vijayan, VeriSign Details Massive Denial-of-Service Attacks, COMPUTER WORLD, Mar. 16, 2006,
88. See, e.g., Tim Weber, Criminals ‘may overwhelm the web’, BBC NEWS, Jan. 25, 2007,; John Leyden, Telenor Takes Down ‘massive’ Botnet, THE REGISTER, Sept. 9, 2004, 2004/09/09/telenor_botnet_dismantled/; Gregg Keizer, Dutch Botnet Suspects Ran 1.5 Million Machines, TECHWEB TECH. NEWS, Oct. 21, 2005,
89. Comment of Edward W. Felten & J. Alex Halderman to the United States Copyright Office, concerning RM 2005-11—Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies (Dec. 1, 2005), available
90. Homeland Security Warns Against Anti-Piracy, WASHINGTONPOST.COM, Nov. 11, 2005, 1101160.html. Stewart Baker, assistant secretary of policy at the Department of Homeland Security, warned copyright holders against overly aggressive efforts to protect copyrighted material:
I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples’ [and] businesses’ computers are secure. . . . There’s been a lot of publicity recently about tactics used in pursuing protection for . . . CDs in which questions have been raised about whether the protection measures install hidden files on peoples’ computers that even the system administrators can’t find. It’s very important to remember that it’s your intellectual property; it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.
Id.; Brian Krebs, DHS Official Weighs In on Sony, WASHINGTONPOST.COM, Nov. 11,
91. Robert Thompson & Tom Ferguson, Copy-Protection Curtailed, BILLBOARD, Dec. 16, 2006, at 27 (“EMI Music Group has dropped copy-protection technology from new CD releases internationally amid concerns it was not slowing piracy. The decision means that no major labels are currently releasing copy-protected discs.”).
92. Macrovision Scraps CD Protection Software, Readies New Download Service, CONSUMER ELECTRONICS DAILY, Feb. 23, 2007 (“[Macrovision CEO Fred] Amoroso conceded that the discovery in late 2005 of a rootkit in Sony BMG CDs containing First4Internet’s copy protection software ‘spooked the industry.’”).
These experimental DRM-free releases gave way to calls for more fundamental changes. In February of 2007, Apple CEO Steve Jobs published an open letter in which he called for the major record labels to “abolish DRM[] entirely.”97 Less than two months later, EMI and Apple announced that EMI’s entire digital catalog would be available without DRM on iTunes and through other retailers.98 During the joint Apple/EMI press conference, Jobs noted the rootkit as an example of the failure of CD-based DRM.99 Other digital music retailers, including Microsoft, followed suit and agreed to provide DRM-free EMI music.100
Obviously, the fear of rootkit-like security vulnerabilities was not the sole, or even primary, impetus for this shift in the market for digital music downloads. But the rootkit incident contributed to the creation of an environment amenable to this change in the prevailing wisdom among record labels and their online content distributors. The rootkit incident thrust the negative implications of DRM into the public consciousness on a broader scope than had previous rounds of criticism. These implications included not only the privacy and security interests directly at stake in the rootkit incident, but also more general concerns over restrictions on noninfringing uses, portability, and platform independence. As a validation of the long-standing and frequently marginalized critiques of DRM, the rootkit incident made it more difficult for these criticisms to be dismissed out of hand. If the rest of the music industry follows EMI in its march away from DRM, the rootkit incident may prove, in retrospect, to have been a major strategic turning point.
But even copyright holders that continue to insist upon DRM recognize its public relations pitfalls in the current marketplace. In a transparent effort to divert attention away from the restrictions placed on users by technological protection measures, some have called for a shift in terminology, dropping “Digital Rights Management”—a term once thought consumer-friendly—and replacing it with the euphemistic “Digital Consumer Enablement.”101 Whether substantive changes in current business models prevail or the industry instead adopts cosmetic fixes, the market for DRM has undergone an important shift, in part as the result of the rootkit incident.
93. See, e.g., Pamela Samuelson, Intellectual Property and the Digital Economy: Why the Anti-Circumvention Regulations Need to be Revised, 14 BERKELEY TECH. L.J. 519, 556 (1999).
94. Gates: Digital Locks Too Complex, BBC NEWS, Dec. 15, 2006, http://news.-; Michael Arrington, Bill Gates On The Future Of DRM, TECHCRUNCH, Dec. 14, 2006,
95. Ian C. Rogers, Dave Goldberg to Record Labels: No DRM, Please, YAHOO! MUSIC BLOG, Feb. 25, 2006, record-labels-no-drm-please/; John Borland, Yahoo Exec: Labels Should Sell Music Without DRM, CNET NEWS.COM, Feb. 23, 2006,
96. Jessica Simpson, Jesse McCartney, and Lily Allen were among the artists included in these initial trials for DRM-free downloads. Ian C. Rogers, Buy A Customized MP3 At Yahoo! Music, YAHOO! MUSIC BLOG, July 19, 2006, blog/2006/07/19/buy-a-customized-jessica-simpson-mp3-at-yahoo-music/; Is EMI Experimenting With MP3’s?, HYPEBOT, Nov. 29, 2006, hypebot/2006/11/is_emi_experime.html; Ben Fritz, Yahoo Tests ‘Right’ to MP3 Downloads, VARIETY.COM, Sept. 18, 2006,
98. Press Release, EMI, EMI Music Launches DRM-free Superior Sound Quality Downloads Across its Entire Digital Repertoire (Apr. 2, 2007), available at http://www.-; Press Release, Apple, Apple Unveils Higher Quality DRM-Free Music on the iTunes Store (Apr. 2, 2007), available at http://www.- The first DRM-free EMI release, the album The Good, The Bad & The Queen, by the innominate EMI band, was made available immediately. The remainder of the EMI catalog was scheduled for DRM-free release on iTunes in May of 2007.
99. Eric Nicoli, CEO, EMI Group & Steve Jobs, CEO, Apple, Q&A at EMI Press Conference (Apr. 2, 2007), audio available at 5zvx0/interviews.php?task=view; Jobs Talks New iTunes Functions, DRM and Video, iPod Storage, APPLEINSIDER, Apr. 2, 2007, 02/jobs_talks_new_itunes_functions_drm_and_video_ipod_storage_transcript.html. Apple’s position was likely influenced, at least in part, by growing international opposition to its iTunes DRM. See Apple DRM illegal in Norway: Ombudsman, The Register, &height=650&width=950 (Jan. 24, 2007); Thomas Crampton, iTunes legal attacks spread from France, International Herald Tribune, 08/business/apple.php (June 9, 2006).
100. See, e.g., Elizabeth Montalbano, Microsoft Will Sell DRM-free Songs, PC WORLD, Apr. 6, 2007,,130472/article.html.
The harms that resulted from the rootkit incident affected all parties to
the sale and licensing of protected Sony BMG CDs. Customers received a
product tainted by reduced functionality, undisclosed invasions of privacy,
and increased vulnerability to security breaches. Sony BMG and its artists
hardly benefited from this deal, suffering both financial and reputational
repercussions. The externalities that flowed from the rootkit incident un-
dermined collective investments in network security and DRM technology
for parties entirely removed from Sony BMG and its ill-designed protec-
tion measures. In the end, it appears safe to conclude that no one’s best
interest—especially not that of Sony BMG—was served by the distribu-
tion of XCP and MediaMax. The next Part attempts to surmise what mar-
ket considerations could have convinced Sony BMG that the distribution
of these protection measures was a reasonable, self-interested decision.
Failures of software developers to adequately safeguard the security of
their users’ systems and information come as no shock to those familiar
with the state of computer security. The values and incentives that give
rise to these failures are well documented.102 Users frequently undervalue
their own privacy and security,103 and even those who claim to place a
high value on these interests often act inconsistently with those values.104
Because increased security provides little or no competitive advantage
through product differentiation, firms recognize that the significant in-
vestments in time and resources needed to identify and eliminate the bugs
that create insecurity will not be recouped.105 As a result, firms systemati-
cally under-invest in software security and fail to eliminate vulnerabilities.
101. Glen Dickson, NCTA: HBO’s Zitter Says DRM Is Misnomer, BROADCASTING & CABLE, May 9, 2007,
102. See Ross Anderson & Tyler Moore, The Economics of Information Security, 314 SCIENCE 610 (2006), available at
103. See Alessandro Acquisti & Jens Grossklags, Privacy and Rationality in Individual Decision Making, IEEE SECURITY & PRIVACY, Jan.-Feb. 2005, at 26.
104. See id.
105. See Bill Thompson, Taking Computer Insecurity Seriously, BBC NEWS, Sept. 17, 2004,; Jeordan Legon, As Net Attack Eases, Blame Game Surges, CNN.COM, Jan. 28, 2003, TECH/internet/01/27/worm.why/; Brendan I. Koerner, Ain’t No Network Strong Enough, SALON.COM, Aug. 31, 2000,; Mindy Blodgett, Is Your Business as Safe as You Think?, CNN.COM, July 16, 1999,
However, these incentives to under-invest in security cannot fully explain the Sony BMG rootkit incident. Typically, software vulnerabilities result from a developer’s failure to remove incidental and unintended infirmities in its code. But the rootkit incident in large part resulted from the intentional introduction of components and functionality that undermined user security and privacy in the service of content protection.106 From the perspective of protection measure developers and content owners, these security and privacy flaws served as features rather than bugs.107 In this sense, the motivations underlying the rootkit incident share some common features with those that spur the development of spyware. Because it differs so fundamentally from the longstanding understanding of how insecure software makes its way to market, the Sony BMG rootkit incident raises new questions about the incentives to protect or subvert user security and privacy in the context of DRM technology.
This Part examines two basic sets of market-based explanations of Sony BMG’s decision-making process. The first considers possible failures to grasp the likely impact of its technology, and suggests systematic inadequacies in Sony BMG’s review of the DRM systems it licenses. The second countenances more informed and, consequently, more deliberate cost-benefit calculations that could encourage the use of cloaking technologies and inadequate disclosures. Ultimately, although we conclude that this second set of explanations is the more plausible, both likely contributed, to varying degrees, to the release of these protection measures.
A. The Rootkit Incident as Mistake
Imperfect information and bounded rationality offer perhaps the most charitable explanations of Sony BMG’s decision to distribute XCP and MediaMax. Given the resources and sophistication of Sony BMG, this explanation seems at best incomplete. But even if Sony BMG lacked critical information about the dangers posed by its protection measures or miscalculated their likelihood and severity, its decision points to a culpable failure of internal procedures to safeguard against the wide-scale distribution of flawed protection measures.
106. Some of the risks created as a result of the rootkit incident were the result of failures to eliminate bugs rather than the intentional introduction of risk. This more traditional narrative, for example, explains the flaws in the uninstaller tools and patches released after the disclosure of the harms of XCP and MediaMax. MediaMax’s privilege escalation vulnerability likewise can be explained without implying any harmful intent on the part of its developers.
107. As Professor Felten has explained, these vulnerabilities are “caused not by any flaws in [the] execution of their copy protection plan, but from the nature of the plan itself.” Posting of Ed Felten to Freedom to Tinker, ?p=934 (Nov. 22, 2005, 03:51 EST).
A good-faith mistake on the part of Sony BMG could have arisen in
two ways. First, Sony BMG could have been unaware of the objectionable
features of its DRM—at least those not directly related to the constraints
placed on accessing and copying music. Second, Sony BMG could have
been misinformed or misled about the dangers posed by the various com-
ponents of its protection measures.
Both of these explanations depend on a lack of adequate pre-release
security reviews of protection measures. Sony BMG has offered no public
indication that any pre-release security review occurred. Assuming Sony
BMG did not intentionally distribute software with knowledge of the dan-
gers it posed, any such review must have failed to identify the threats in-
herent in XCP and MediaMax. It is unlikely that Sony BMG lacked suffi-
cient in-house security expertise to meaningfully examine the functionality
of the protection measures it licensed. Given that Sony Corporation of
America, whose holdings include Sony Electronics and Sony Computer
Entertainment America, controls a 50% interest in Sony BMG, more than
adequate technical analysis was within reach. Moreover, external security
review of new DRM schemes is common within the music industry. And
as demonstrated by the research of F-Secure108 and Mark Russinovich,109
as well as by the analysis of Ed Felten and J. Alex Halderman,110 trained
security professionals could have easily identified the security risks posed
by these protection measures.
Aside from a disregard for user security,111 another explanation for the lack of meaningful security review is overconfidence in the protection measure vendors who provided these technologies. In retrospect, any such confidence was obviously misplaced. But even without the benefit of hindsight, Sony BMG had good reason to subject its vendors’ products to scrutiny. Prior to inking the deal to provide XCP to Sony BMG, First4Internet’s business focused on content filtering, particularly the automated recognition of pornographic images.112 Aside from an earlier revision of XCP used by a number of labels on a smattering of pre-release CDs,113 First4Internet had no apparent expertise or experience in content protection software.
108. See Hamm, supra note 13.
109. See Mark’s Blog, supra note 8 (Oct. 31, 2005, 11:04 PST).
110. See Halderman & Felten, supra note 11.
111. As discussed infra in Section III.B, an undervaluing of user security and privacy could explain Sony BMG’s decision.
SunnComm, the company that delivered MediaMax, offered even more cause for concern. The company began as a provider of Elvis impersonation services.114 After a change in management following a false press release announcing a non-existent $25 million production deal with Warner Brothers,115 the company purchased a 3.5” floppy disk factory in 2001, displaying a disturbing dearth of technological savvy.116 After two employees announced their intention to leave the fledgling company to develop copy protection software, SunnComm convinced the pair to lead a new division, leaving both Elvis and floppy disks behind in order to develop what would become MediaMax.117
Sony BMG—perhaps realizing too late its misplaced trust in SunnComm, or perhaps simply hoping to recoup some of its financial and public relations losses—filed a lawsuit against the Amergence Group (a re-branded SunnComm)118 in July of 2007. Sony BMG’s claims include negligence and breach of contract, alleging that MediaMax was defective and failed to satisfy SunnComm’s warranty.119 The Amergence Group contends that Sony BMG retained “final authority” over the functional specifications of MediaMax, and that SunnComm simply delivered the product demanded by Sony BMG.120 This litigation, as it proceeds, may well reveal the extent of Sony BMG’s knowledge of the objectionable features of its DRM.
112. See First 4 Internet Powers New Anti-Porn Solutions at Europe’s Biggest Security Show; Major New Products from PixAlert, Pure Content and Green Technology Meet Growing Corporate Need to Filter Pornography, TMCNET, Apr. 20, 2005, After the rootkit incident, First4Internet continued to do business under the name Fortium Technologies. See Robert Lemos, Sony BMG Sues Copy-protection Maker, SECURITYFOCUS, July 13, 2007,
113. See Sion Barry, Controlling Illicit Internet Content Drives F4I Success, ICWALES, June 15, 2005,
114. Ashlee Vance, Is SunnComm a Sham or the Next, Big DRM Success?, THE REGISTER, Sept. 27, 2004,
115. Complaint for Injunctive and Other Relief, U.S. Sec. and Exch. Comm’n v. Paloma (D.D.C. Apr. 11, 2002), available at
116. SunnComm purchased the floppy drive company, which was formerly a failed oil and gas company, in part to avoid SEC scrutiny by merging with a fully reporting company. See Vance, supra note 114.
117. Id.
118. SunnComm, too, underwent something of a re-branding after the rootkit incident, rechristening itself the Amergence Group. Press Release, The Amergence Group, SunnComm Establishes New Subsidiary—The Amergence Group (Jan. 26, 2007), available at
Until such information is available, Sony BMG’s sophistication121 and access to both internal and external resources offer good reasons to question the likelihood that it was in the dark as to the existence of the dangers posed by the rootkit and the other objectionable features of XCP and MediaMax. Even assuming Sony BMG was oblivious as to the details of its DRM, the failure to act expeditiously once notified by F-Secure of the rootkit and its dangers suggests that a lack of knowledge alone fails to fully explain Sony BMG’s actions. In any case, to the extent that ignorance of the functionality and likely effects of its DRM influenced Sony BMG’s decision-making, its failure to independently review these technologies evinces an undervaluation of the documented potential effects of DRM on user security and privacy.
B. The Rootkit Incident as Calculated Risk
Since characterizations of the rootkit incident as the result of a good-faith mistake by Sony BMG fail to fully account for its internal decision-making, explanations that presume some degree of knowledge present more plausible scenarios. Understanding why Sony BMG would knowingly distribute protection measures that carried the risks associated with XCP and MediaMax requires consideration of the relative value propositions presented by CD-based DRM to content owners and customers. Although DRM, in theory, offers copyright holders some benefit from reduced copying, consumers generally see DRM as a poor bargain since it requires them to pay the same price for a product with diminished functionality. Underhanded tactics such as those used by Sony BMG offer one way to overcome this skepticism, although this story should counsel against their future use.
119. See Summons Notice, Sony BMG Entm’t v. Amergence Group, No. 602201-2007 (N.Y. Sup. Ct.) (on file with authors).
120. Press Release, The Amergence Group, Sony-BMG Files Suit Against Amergence Group (July 11, 2007), available at
121. Sony, along with Philips, owns the rights to the core DRM patents of Intertrust. In theory, at least, Sony BMG could have implemented a suite of better technical solutions. See Press Release, Sony Corporation of America, Philips and Sony Lead Acquisition of Intertrust, available at (Nov. 13,
Although the precise amounts are uncertain, the music industry loses revenues each year as a result of copyright infringement.122 Songs copied on peer-to-peer networks, BitTorrent, and other lesser-known corners of the darknet contribute to these losses, as does large-scale CD piracy and the casual physical copying of CDs by everyday consumers.123 DRM is intended to serve as a partial solution to the widespread infringement of music industry copyrights, but, as the industry is likely aware, CD-based DRM cannot hope to address two of these three sources of infringement. Since only a single unrestricted copy of a particular track is necessary to rapidly populate peer-to-peer and other networked methods of file transfer, measures like XCP and MediaMax are all but worthless when it comes to preventing infringement on the internet.124 And protection measures that can be easily thwarted125 pose no genuine hurdles for the sophisticated, large-scale commercial pirates that press upwards of one billion counterfeit CDs each year.126
The value of CD-based DRM like XCP and MediaMax, therefore, flows from its ability to prevent the casual schoolyard trading of burned CDs and other varieties of personal copying. The precise scope of financial harm caused by such purported infringement is unclear.127 Nor does any available evidence reveal the effectiveness of these measures in limiting such activity. Perhaps in recognition of the tenuous argument for the utility of these measures, even on this single front of the war against infringement, the music industry is quick to downplay its expectations for CD-based DRM, typically referring to these protection measures as mere “speed bumps” or inconveniences intended to keep honest customers honest.128 But given their rudimentary design, these protection measures disproportionately affect those customers with the least knowledge of the operations of their computers, precisely those reasonably expected to pose the least threat of infringement. From the content owners’ own perspective, these protection measures offer only marginal value, and even this valuation may be the result of overestimates of the effectiveness of CD-based DRM.
If the value of CD-based DRM to content owners is low, albeit positive, the value of these protection measures to customers is almost unquestionably negative. Even at the time of the rootkit incident, the overwhelming majority of CDs were sold without DRM;129 customers were, as a technological matter, free to copy songs from these discs to their hard drives, transfer them to iPods, burn them to CDs, and listen to them using the software of their choice.130 XCP and MediaMax altered long-standing consumer expectations131 by placing technological and contractual limits on customers’ ability to use their CDs in the manner to which they were
122. RIAA, Piracy: Online and on the Street, php?content_selector=piracy_details_online (last visited July 30, 2007).
123. Id. See also Peter Biddle & Paul England, The Darknet and the Future of Content Distribution, ACM SIGCOMM COMPUTER COMM. REV., Oct. 2001, at 140, available at (describing the darknet as “a collection of networks and technologies used to share digital content [and] an application and protocol layer riding on existing networks” and citing as examples of darknets “peer-to-peer file sharing, CD and DVD copying, and key or password sharing on email and news-
124. See Halderman & Felten, supra note 11, at 2.
125. As discussed infra in the text accompanying note 179, MediaMax can be defeated by simply holding down a computer’s shift key. Earlier DRM systems could be circumvented using just adhesive tape or a felt tip pen. HALDERMAN, supra note 4, at 4,
126. Pirate CD Sales Top 1 Billion, CNN.COM, July 10, 2003, http://edition.cnn.com/2003/BUSINESS/07/10/music.piracy/; Pirate CD Sales Hit Record High, BBC NEWS, July 22, 2004,
127. Industry research indicates that such “social sharing” accounts for as much as 37% of music acquisition by volume. NPD GROUP, NARM/NPD 2007, PHASE ONE, CONSUMERS & MUSIC DISCOVERY 4 (2007), available at http://www.digitalmusicnews.com/research/npd_presentation_narm. However, as with earlier projections of harm arising from peer-to-peer downloads, estimates of the relative proportion of these burned and ripped copies that translate to lost sales would likely vary significantly.
128. Sony spokesman Nathaniel Brown characterized SunnComm’s first copy protection scheme in the following manner after J. Alex Halderman reported that it was easily disabled: “Copy management is intended as a speed bump, intended to thwart the casual listener from mass burning and uploading. We made a conscious decision to err on the side of playability and flexibility.” John Borland, Shift Key Breaks CD Copy Locks, CNET NEWS.COM, Oct. 7, 2003,
129. In 2005, over 600 million CDs were sold in the United States. See US CD Album Sales Show 7% Slide, BBC NEWS, Dec. 29, 2005, entertainment/4566186.stm. Of those, the millions of CDs protected by XCP and MediaMax represented only a small percentage.
130. See infra notes 132-136.
131. Consumer expectations flow from prior experience with similar objects and information. These experiences are in turn a result of the capacity of the technology, laws, norms, and markets. Consumer expectations of interacting with DVDs today reveal how these forces can come together in ways that create expectations different from those which prevailed during the CD era.
Empirical research has cataloged the deep-seated expectations of consumers with respect to their interaction with digital music. In a study conducted in the European Union, consumers indicated uniform and strong beliefs in their right to move digital music between devices.132 Similarly, individuals shared a strong conviction that copying for their own purposes is legal,133 and a high percentage of the survey population had burned their own music mixes in the prior six months.134 While survey participants’ belief in the legality of “sharing” music was less strong and consistent,135 they reported a significant amount of sharing with family and friends.136
These consumer expectations are firmly rooted in the pre-digital patterns of consumption and use of recorded music. Concerns over private copying enabled by new technologies are, of course, nothing new. Nearly every advance in the recording and distribution of music has sparked near hysteria from then-dominant rights holders. Music publishers balked at the player piano,137 the phonograph138 and radio of both the terrestrial139 and internet140 varieties. And long before the music industry feared peer-to-peer infringement, reel-to-reel copying led the industry to infamously proclaim that “Home Taping is Killing Music.”141 The concerns that motivate DRM are simply a continuation of this pattern of hostility to disruptive
132. According to the study, 81% of those surveyed thought it legal to play a purchased file on different devices. NICOLE DUFFT ET AL., INDICARE, DIGITAL MUSIC US-
133. In the study, 73% of users surveyed thought it was legal to make a copy of a CD or file which they had bought for themselves, for their own use. Id.
134. Of all digital music users surveyed, 80% had burned their own mixes to CD over the past 6 months, 39% had done so several times per month or more often. The share of teens that burn their own CDs several times per month or more often is 46%, compared to 34% of the 40+ group. Id. at 16. In Germany, almost 90% of the digital music users like to burn their own mixes on CD compared to “only” 75% in the UK. Id. at 18 tbl. 3.2.
135. Id. at 42.
136. More than three quarters of digital music users have shared music files with their family members and friends over the past 6 months; 60% have shared music files with other people. Again, teens are the most active music file sharers; about half of them share music files with friends and family several times per month or more often. Id. at 16.
138. Id.
139. See id. at 58-59.
140. See id. at 195-99.
141. Neil Strauss, THE POP LIFE; 2 Big Forces Converging To Change the Sale of Music, N.Y. TIMES, Dec. 10, 1998, at E1.
Although engineering constraints have historically limited the copying of music, digital works are trivially copied without any loss of quality. In part driven by the lack of practical constraints on digital copying, DRM proactively introduces technological hurdles that exceed those available to earlier generations of copyright holders, displacing the traditionally porous enforcement of copyright with limits embedded in and enforced by software code.142 In contrast, previous mechanisms for addressing infringement intruded far less on the consumer’s experience of the purchased music. For example, the Serial Copy Management System, which controlled downstream copying of the ill-fated Digital Audio Tape format, did not impede the use of the original tape or even the recording of first-generation copies.143 DRM, on the other hand, frequently constrains the portability of music by tethering it to particular devices or platforms. Consumers are limited in their ability to experience the music on their own terms, in the time, place, and even sequence of their choice. Their ability to copy, share, and recode content is likewise constrained in a manner that offends many users’ perceptions of fairness, if not law.
The constraints imposed by DRM generally reduce the value to consumers of protected content. Information goods typically increase in value as the number and extent of their possible uses increase.144 With respect to DRM, consumers will, in principle, pay more for goods with liberal usage rules. In addition, more consumers can be expected to purchase such goods.145 Consumers regard media with very limited uses as the equivalent of damaged goods146 and will pay less for them, if they are willing to purchase them at all.147 In short, CD-based DRM renders the protected discs less valuable to consumers. Yet this reduction in functionality is not counterbalanced by any proportionate decrease in cost. DRM-protected CDs are sold at roughly the same price as standard non-protected CDs.148 Some protected CDs include bonus features like music videos or interactive artist biographies, but for most consumers these features were likely insufficient to compensate for the reduction in basic functionality of the protected discs.
142. See Margaret Jane Radin, Regulation by Contract, Regulation by Machine, 160 J. Inst. & Theoretical Econ. 142, 151-153 (2004); see generally LAWRENCE LESSIG, CODE
143. See Digital Audio Recording Devices and Media Act of 1992, 17 U.S.C. §§ 1001-1010 (2000).
145. This principle is borne out by the INDICARE survey results, which indicate that people are willing to pay substantially more for digital music with more functionality. See DUFFT ET AL., supra note 132, at 25.
146. See SHAPIRO & VARIAN, supra note 144.
available at
Another factor in choosing to surreptitiously deploy DRM, beyond skirting consumer resentment, was that Sony BMG likely underestimated the public reaction to the security and privacy threats created by its DRM. Both research and market history have demonstrated that many users are willing to trade security and privacy for ease of use, desired functionality, or even small sums of money.149 These results could lead a firm to place minimal value on user security and privacy in its risk calculus. In the rootkit incident, these assumptions proved incorrect. Consumers, it would appear, care enough about privacy and security to want to make the decision about when and whether to trade it away for themselves. In part, the strong reaction to these faulty protection measures could stem from deeply ingrained expectations about our experience of music. In contrast to browsing the internet or downloading software, consumers consider the playing of a CD to be a private and passive act and one that carries no risk of attack from the outside world. When security and privacy threats intruded upon this zone of safety, consumers reacted with unexpectedly intense indignation. The particularly strong reaction may also have stemmed from the lack of any perceptible fair trade-off between the benefits gained by consumers and the risks they faced. A user who downloads a free game or screensaver from the internet may suspect a risk of unwanted adware, but justifies that risk by the benefit of a free program. Here customers paid the expected price, and not only received less than they bargained for in terms of CD functionality, but were also saddled with undisclosed privacy and security risks.
148. Id. at 28, 33.
149. For an overview of surveys and experiments revealing divergence in consumers’ privacy attitudes from their behavior during transactions, see Alessandro Acquisti & Jens Grossklags, Privacy Attitudes and Privacy Behaviors: Losses, Gains, and Hyperbolic
Stephen Lewis eds., 2004). For specific examples of this phenomenon, see Sarah Spiekermann, Jens Grossklags, & Bettina Berendt, E-privacy in 2nd Generation E-commerce: Privacy Preferences Versus Actual Behavior, in PROCEEDINGS OF THE 3RD ACM CONFERENCE ON ELECTRONIC COMMERCE 38-47 (2001) (discussing lab study finding inconsistencies between participants’ self-reported privacy concerns and behavior in online shopping experiences).
XCP and MediaMax presented unique marketing challenges for Sony BMG. Since fully-informed customers were unlikely to pay full price for what they would view as an inferior product, Sony BMG faced a choice. It could either develop a product that included DRM but was nonetheless attractive to consumers—most likely by significantly reducing retail prices—or it could obfuscate the nature of the product it sold and prevent its customers from excising the unwanted DRM post-purchase. All evidence suggests that Sony BMG adopted the latter approach.
These same market conditions, however, existed for all major record labels, yet most of Sony BMG’s competitors were content to implement less invasive technological protection measures, knowing full well that they would fail to prevent infringement.150 The other major labels, unlike Sony, did not insist upon maximum effectiveness at the risk of harm to
The history of Sony, one of the two parent companies of Sony BMG, in its attempts to restrict access to and copying of its content may offer some insight into why Sony BMG, unlike its competitors, accepted these risks in return for an uncertain and at best marginal increase in the effectiveness of its DRM. The aggressive stance adopted by Sony in halting innovative consumer-driven uses of products like the Aibo robotic dog151 and the PlayStation152 suggests a willingness to seek maximum protection of Sony intellectual property, even at the risk of consumer alienation.
In light of this corporate heritage, the difficulty of convincing consumers of the value of DRM-protected CDs, and its underestimation of public reaction to degraded security and privacy, Sony BMG’s decision to deploy XCP and MediaMax, its attempts to cloak its technology and its failures of disclosure emerge as explicable, if irresponsible, reactions to market conditions. But while its motivations are apparent, the long-term strategic benefit of this approach is difficult to discern, especially with the benefit of hindsight. The limitations and strengths of both the CD and the personal computer as platforms for the dissemination and playback of content, which we examine next, constrained and enabled Sony BMG’s choices, further explaining, but not excusing, its actions.
The technological landscape encouraged Sony BMG’s decision to deploy its DRM through stealth measures. The personal computer, in theory, allows users broad choice over the operating system and applications that run upon it. The universal nature of the PC sits in stark contrast to the single-purpose devices historically used by individuals to enjoy music. This flexibility limits the control that Sony BMG and other copyright owners can exert over the applications that will be used to access and copy their CDs. As a result of the inability to control the platform for content delivery, Sony BMG was encouraged to consider preemptively limiting potential infringement through the use of invasive software countermeasures. Further complicating efforts to control content, the music industry’s long-time distribution medium of choice, the CD, is an unencrypted format. These inescapable features of the playback device and distribution medium encouraged the adoption of invasive DRM techniques such as those employed by Sony BMG.
150. See Jefferson Graham, CD Woes May Have Had Roots in Merger, USA TODAY, Nov. 18, 2005, at 1B. Some have suggested that shifts in management and massive staff cuts at Sony BMG may have contributed further to the breakdown that led to the release of XCP. See id.
151. The Aibo, which retailed for $1299, came preprogrammed with a limited set of functions. John G. Spooner, Sony Aibo to Spread More Puppy Love, CNET NEWS.COM, Oct. 10, 2002, One enterprising Aibo owner and hobbyist decrypted the software code that defined the Aibo’s abilities and distributed new software to Aibo owners that “taught” the dogs to dance and speak, among other things. David Labrador, Teaching Robot Dogs New Tricks, SCIENTIFIC AMERICAN.COM, Jan. 21, 2002, EABD-1CD6-B4A8809EC588EEDF. Despite the fact that the software was of use only to Aibo owners and arguably increased the product’s value, Sony demanded removal of the software, contending that decryption of the Aibo code violated the DMCA. Id.
152. When Connectix developed its Virtual Game Station, a software emulator that enabled owners of Sony PlayStation games to play titles on Apple computers, Sony filed a copyright infringement suit, alleging that Connectix, by reverse engineering Sony’s game console, infringed the copyright in the PlayStation BIOS. Sony Computer Entm’t Am., Inc. v. Connectix Corp., 203 F.3d 596, 598-99 (9th Cir. 2000). After the Ninth Circuit reversed the district court’s finding of infringement, id. at 609-10, Sony acquired all rights to the Virtual Game Station from Connectix and ceased development rather than allow consumers to access its games on a competitor’s platform. Phillip Michaels, Emulation Sensation: Microsoft Buys Virtual PC from Connectix, MACWORLD, May 2003, at 25, 25, available at 2003 WLNR 8626928. Sony also filed suit against Bleem, the manufacturer of a PC-based PlayStation emulator, claiming that by using screenshots of Sony games in its advertising, Bleem infringed Sony’s copyrights. The Ninth Circuit vacated the district court’s preliminary injunction, holding that Bleem’s use was likely fair. Sony Computer Entm’t Am., Inc. v. Bleem, LLC, 214 F.3d 1022, 1029 (9th Cir. 2000).
After the release of the PlayStation 2, Sony brought suit against Gamemasters, the manufacturer of the Game Enhancer, a device that enabled PlayStation owners to play games from other countries by bypassing region code restrictions encoded on game discs. Sony Computer Entm’t Am., Inc. v. Gamemasters, 87 F. Supp. 2d 976 (N.D. Cal. 1999). Sony succeeded in obtaining a preliminary injunction on both contributory infringement and anti-trafficking theories, precluding U.S. customers from playing games legally purchased in Asia and Europe. Id. at 989.
In hopes of exerting further control over the video game aftermarket, Sony obtained a patent in connection with its latest video game console, the PlayStation 3, on a technology that would tie each copy of a game to a single console, effectively eliminating the resale and rental market for PlayStation 3 games. Dawn C. Chmielewski, Furor Over Sony Patent: Technology That Could Prevent Resale of Games and Other Digital Goods Raises Speculation, Fears, L.A. TIMES, July 10, 2006, at C1. That technology has yet to be implemented.
Technology not only animated Sony BMG’s strategy, it also enabled it. Sony BMG likely banked on its ability to keep the existence and functionality of its DRM relatively secret from the general public. The rootkit itself was designed to maintain secrecy, but equally importantly, the standard configuration of many personal computers allows third parties to surreptitiously install code, including the DRM at issue here, without alerting the user or requiring affirmative steps to proceed with installation.
A. Technology as Encouragement
In conjunction, two features of the technological landscape encouraged, if not required, the use of intrusive technological protection measures such as those employed by Sony BMG. Given the combination of a general purpose, multifunctional networked playback device with an entrenched but unencrypted digital distribution medium, the music industry’s adoption of software-based technological protection measures seems, in hindsight, unavoidable.
1. The PC as Playback Device
From the perspective of many copyright holders, the PC is perhaps the least-desirable device imaginable for the playback of unprotected CDs. Unlike the single-purpose devices that consumers have traditionally used to listen to music, the PC is a general-purpose device, a machine with nearly unbounded functionality, limited primarily by the software running on it. As a result, PC users are able to not only listen to the music contained on a CD, but to copy, transcode, edit, remix, and distribute it as
Contrast this range of user freedoms with those permitted by analog playback devices like the phonograph—particularly in the days before reel-to-reel and cassette recorders—and modern digital playback devices, like the DVD player. Phonograph users, even well into the twentieth century, were constrained in their ability to make copies of recordings by the dictates of the state of the art—the equipment required to press phonograph records was simply not feasible for consumer use.
While the limitations of early analog media were primarily the result of engineering hurdles that would be overcome by subsequent innovations, limitations on modern digital playback devices are largely the result of intentional design decisions targeted at curtailing the relative ease of digital copying. The functionality of DVD players, for example, is tightly controlled by the DVD Copy Control Association (DVD CCA), the industry body that licenses the Content Scramble System (CSS) and holds the keys necessary to manufacture devices and software that legally play DVDs. Indeed both the DVD medium and its playback devices were designed from the ground up to permit increased control over consumer use of content. By insisting that CSS licensees conform to rigid specifications, content owners enjoy some increased assurance that devices that copy DVDs will not be appearing on store shelves any time soon. And when its licensees offer product features that test the bounds of this control, the DVD CCA has brought suit to maintain its grip over the medium.153
Unlike the DVD player, the personal computer was not developed with copy control and content protection in mind. Computer users are free to add or replace hardware, to substitute one operating system for another, and to install or uninstall software—or, if sufficiently skilled, to write their own. A system that permits this level of flexibility does not lend itself to the sort of control to which copyright holders aspire when designing playback devices. Any restriction imposed by software can be removed by software. As a result, skilled and determined users are capable of defeating any software-based content protection scheme deployed on a standard PC.
In recognition of this fact, content owners have sought to embed protection measures at deeper levels of the machine’s architecture. The development of trusted computing platforms was in essence an attempt to reinvent the PC in a manner that wrested control from the hands of users and entrusted it to hardware manufacturers, software developers, and content owners.154 While some touted this approach for its potential security benefits, others suspected that DRM was the true driving force behind trusted computing.155 Microsoft’s Palladium, for example, was intended to take advantage of specially developed Intel hardware to integrate digital rights management into the CPU itself.156 By embedding features like remote attestation,157 sealed storage,158 and memory curtaining159 into the trusted computing environment, this approach held some promise for content owners who hoped to exercise greater control over copyrighted material on PCs. But despite widespread adoption of the Trusted Platform Module specifications,160 trusted computing has yet to yield any radical transformation of the computing environment.
153. Kaleidescape, the producer of a high-end home entertainment server that allowed customers to store hundreds of DVDs on a networked device, prevailed in a lawsuit alleging that it violated the terms of its DVD CCA license. Transcript of Proceedings at 66, 67, 70, DVD Copy Control Ass’n, Inc. v. Kaleidescape, Inc., No. 1-04-CV031829 (Cal. Sup. Ct. Mar. 29, 2007), available at
154. See Ross Anderson, Cryptography and Competition Policy—Issues with “Trusted Computing,” at 3-5,; see also Chad Woodford, Comment, Trusted Computing or Big Brother? Putting the Rights Back in Digital Rights Management, 75 U. COLO. L. REV. 253 (2004).
155. See id.
156. Electronic Privacy Information Center, Microsoft Palladium - Next Generation Secure Computing Base, html (last updated Nov. 11, 2002).
157. Remote attestation is a process by which software authenticates itself to a remote host. The user’s local machine would share information about its hardware and software configuration in order for a remote machine to determine whether it will be trusted. Vivek Haldar et al., Semantic Remote Attestation - A Virtual Machine Directed Approach to Trusted Computing, in USENIX ASSN, PROCEEDINGS OF THE THIRD
able at For example, users whose machines contained unauthorized software could be refused access by a remote website or service.
158. Sealed storage is a means by which the cryptographic keys necessary to access encrypted data are generated by authorized software rather than stored in the open on the user’s machine. This approach is meant to ensure that content cannot be accessed by unauthorized software that could circumvent the limits imposed by authorized software.
Infrastructure/trusted_computing/20031001_tc.pdf; Arnd Weber & Dirk A. Weber, Legal Risk Assessment of Trusted Computing. A Review, INDICARE MONITOR, Feb. 24, 2006, at 58, available at
159. Memory curtaining is a technique that prevents one application from accessing the memory used by another application, preventing, for example, unauthorized programs from capturing content being played by an authorized program that enforces restrictions on use of that content. SCHOEN, supra note 158; see also Mike Burmester & Judie Mulholland, The Advent of Trusted Computing: Implications for Digital Forensics, in ACM
available at There are stronger methods for isolating memory and resources. Andrew Whitaker, Marianne Shaw, and Steven D. Gribble, Scale and Performance in the Denali Isolation Kernel, ACM SIGOPS OPERATING SYS. REV, Winter 2002, at 195, available at
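Two of the three trusted-computing features named above, sealed storage and remote attestation, are easier to reason about with a concrete model. The Python program below is an added illustration, not code from the Article, from Microsoft's Palladium, or from the Trusted Computing Group specifications: it simulates a TPM-style measurement register, seals a content key to a measured software state so that the key is released only when that same state is present, and checks a freshness-bound attestation quote against a verifier's list of known-good states. The `SimulatedTPM` class, the boot-chain component names and the content key are constructed for the demonstration; a shared HMAC key stands in for the hardware's asymmetric attestation key, and memory curtaining is not modelled.

```python
"""Toy model of PCR measurement, sealed storage and remote attestation.
Added example for illustration; not the Article's code and not a real TPM.
Simplifications: a shared HMAC key stands in for the TPM's asymmetric
attestation key, and memory curtaining is not modelled."""
import hashlib
import hmac
import os

# Constructed sample data: the measured "boot chain" of a hypothetical
# media-player platform, and the content key the player needs to play a disc.
TRUSTED_CHAIN = [b"firmware v1.0", b"bootloader v2", b"player.exe v3.1"]
CONTENT_KEY = b"constructed-content-key-0123456789abcdef"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend operation: new = H(old || H(measurement)).
    One-way and order-sensitive, so a register value commits to the whole
    sequence of software measured into it, not just the last component."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Measure each component in load order into a PCR that starts at zero."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-based keystream (counter mode) for the toy seal cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SimulatedTPM:
    """Holds two secrets that never leave the 'chip'."""

    def __init__(self):
        self._storage_root = os.urandom(32)  # root of sealed-storage keys
        self._attest_key = os.urandom(32)    # identity key used for quotes

    def _policy_key(self, pcr: bytes) -> bytes:
        # The sealing key is derived from the PCR value, so only software that
        # reproduces the same measurement can recover it.
        return hmac.new(self._storage_root, pcr, hashlib.sha256).digest()

    def seal(self, pcr: bytes, secret: bytes) -> bytes:
        """Encrypt and authenticate `secret` under the key bound to `pcr`."""
        key = self._policy_key(pcr)
        ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        return ciphertext + tag

    def unseal(self, current_pcr: bytes, blob: bytes):
        """Return the secret only if the current PCR equals the sealing PCR;
        any other software state derives a different key and the tag fails."""
        ciphertext, tag = blob[:-32], blob[-32:]
        key = self._policy_key(current_pcr)
        expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))

    def quote(self, pcr: bytes, nonce: bytes) -> bytes:
        """Attestation quote: a MAC over the PCR and the verifier's nonce."""
        return hmac.new(self._attest_key, pcr + nonce, hashlib.sha256).digest()

    def attestation_key(self) -> bytes:
        # A real TPM would give the verifier the public half of a signing key;
        # handing out the shared HMAC key is a simplification of this toy model.
        return self._attest_key


def verify_quote(attest_key: bytes, known_good: set, nonce: bytes,
                 claimed_pcr: bytes, quote: bytes) -> bool:
    """Remote-verifier side: the quote must be genuine, bound to the nonce we
    issued (no replay), and report a software state we recognise."""
    expected = hmac.new(attest_key, claimed_pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote) and claimed_pcr in known_good


def demo() -> dict:
    """Run the sealed-storage and attestation scenarios; returns the outcomes."""
    tpm = SimulatedTPM()
    good = measure_boot_chain(TRUSTED_CHAIN)
    # The same platform with one extra, unauthorised module loaded.
    bad = measure_boot_chain(TRUSTED_CHAIN + [b"unauthorized-ripper.dll"])
    blob = tpm.seal(good, CONTENT_KEY)
    known_good = {good}
    nonce = os.urandom(16)
    return {
        "unseal_in_good_state": tpm.unseal(good, blob),
        "unseal_in_bad_state": tpm.unseal(bad, blob),
        "attest_good": verify_quote(tpm.attestation_key(), known_good, nonce, good, tpm.quote(good, nonce)),
        "attest_bad": verify_quote(tpm.attestation_key(), known_good, nonce, bad, tpm.quote(bad, nonce)),
        # Machine in the bad state claiming the good PCR: the MAC does not match.
        "attest_lying": verify_quote(tpm.attestation_key(), known_good, nonce, good, tpm.quote(bad, nonce)),
        # An old quote presented against a fresh nonce is rejected as a replay.
        "attest_replayed": verify_quote(tpm.attestation_key(), known_good, os.urandom(16), good, tpm.quote(good, nonce)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The point the model makes explicit is the one footnotes 157 and 158 describe in prose: the sealed key is never "decided" by the software asking for it, it simply fails to derive when the measured state differs, and the remote party learns about that state only through a quote it can tie to its own nonce. The model also shows why this design hands control to whoever maintains the known-good list rather than to the machine's owner.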
2. The Lack of an Encrypted Format
For the majority of its nearly 30-year history, the Compact Disc for-
mat, first developed in the late 1970s by Philips and Sony, has enabled
consumers to freely access and copy CD content.161 The CD, unlike later-
developed digital formats like the DVD,162 includes no content encryp-
tion.163 Digital audio tracks on CDs can be read and copied by any com-
patible hardware, even in the absence of any cryptographic key. But by the
late 1990s, after recordable CD media and hardware became common-
place and use of peer-to-peer networks became widespread, copyright
holders sought to exercise greater control over the post-sale use of CDs.
Given the massive user base of the CD and the investments of both con-
tent owners and consumer electronics manufacturers in the format, record
labels faced a difficult task. They needed to devise methods to prevent
unwanted PC-based copying while simultaneously maintaining usability
on standard audio equipment. This required grafting protection measures
onto a preexisting unencrypted format while retaining backwards compatibility.
Two general approaches to this problem emerged and can be broadly
categorized as either passive or active. Passive protection measures rely on
changes to the structure and data contained on the CD to prevent copy-
ing.164 Active protection measures, like XCP and MediaMax, on the other
hand, rely on the installation of software on the user’s computer to inter-
fere with the accessing and copying of audio files.165
160. For details on the Trusted Platform Module specifications, see Trusted Comput-
ing Group, Trusted Platform Module (TPM) Specifications, https://www.trusted- (last visited July 30, 2007).
161. See J. Alex Halderman, Evaluating New Copy-Prevention Techniques for Audio
MANAGEMENT 101 (2002), available at
162. The vast majority of commercially available DVDs utilize CSS, a method of
encryption meant to ensure that only authorized devices and software can be used to ac-
cess content. The DVD CCA’s tight control over licensing of the keys necessary to ac-
cess DVDs has successfully prevented the distribution of devices that enable users to
copy DVDs. But see DVD Copy Control Ass’n, Inc., supra note 153.
163. See Halderman, supra note 161.
164. For a study of the effectiveness of passive protection measures, see id.
165. Halderman & Felten, supra note 11, at 4.
Each song on a CD is stored as an individual track. Each track com-
prises a number of frames, each of which holds 1/75 second of audio.166 In
addition, parallel data streams, called subchannels, are multiplexed with
each track’s main data.167 These subchannels mark the divisions between
tracks, the track number, and the current track running time.168 Aside from
the track data, each CD contains a table of contents (TOC) which indicates
the number of tracks and the starting position of each track.169
By introducing errors into CD data and the TOC, passive protection
measures attempt to exploit subtle differences in the hardware and soft-
ware of standard audio equipment and PCs.170 For example, because the
CD specification requires a two-second gap before the beginning of the
first track,171 many PC CD drives specify time 00:02.00 as frame 0. By
altering a TOC to indicate that the first track starts at time 00:01.74, pas-
sive protection measures can cause failure when a PC attempts to read the
disc.172 But since standard CD players use a different frame address
scheme, the altered TOC typically does not interfere with playback.173
Other passive measures rely on changes to the track data itself. Most CD
players, for example, interpolate over errors caused by corrupt audio sam-
ples.174 But since most PC CD-ROM drives cannot correct for such errors,
by intentionally including corrupt samples, passive measures can interfere
with the ability of PC drives to properly read protected discs without af-
fecting playback on standard audio equipment.175
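The frame arithmetic behind the altered TOC, as an added example that is not code from the Article or from the Halderman papers it cites: it assumes the Red Book layout of 75 frames per second and the mandatory two-second (150-frame) gap before track 1, so that a PC drive calling 00:02.00 "frame 0" derives a logical block address of frames-since-00:00.00 minus 150. The TOC entries are constructed.

```python
"""Frame arithmetic behind the altered-TOC trick described above.

Added example, not code from the Article or from the Halderman papers it
cites. Assumptions: the Red Book layout of 75 frames per second and a
mandatory two-second (150-frame) gap before track 1, so that a PC drive
that calls 00:02.00 "frame 0" computes a logical block address (LBA) of
frames-since-00:00.00 minus 150. The TOC entries below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

FRAMES_PER_SECOND = 75
LEAD_IN_FRAMES = 2 * FRAMES_PER_SECOND   # the two-second gap = 150 frames

_MSF_RE = re.compile(r"^(\d{1,2}):(\d{2})\.(\d{2})$")


def msf_to_frames(msf: str) -> int:
    """Absolute frame count of an MM:SS.FF address, measured from 00:00.00."""
    m = _MSF_RE.match(msf)
    if not m:
        raise ValueError(f"bad MSF address: {msf!r}")
    minutes, seconds, frames = (int(g) for g in m.groups())
    if seconds >= 60 or frames >= FRAMES_PER_SECOND:
        raise ValueError(f"out-of-range field in MSF address: {msf!r}")
    return (minutes * 60 + seconds) * FRAMES_PER_SECOND + frames


def msf_to_lba(msf: str) -> int:
    """LBA as a PC drive computes it when 00:02.00 is frame 0."""
    return msf_to_frames(msf) - LEAD_IN_FRAMES


@dataclass
class TocEntry:
    track: int
    start_msf: str


def check_toc(toc: List[TocEntry]) -> List[str]:
    """Return the problems a PC drive would hit; an empty list means the TOC is sane."""
    problems = []
    prev_lba = None
    for entry in toc:
        lba = msf_to_lba(entry.start_msf)
        if lba < 0:
            problems.append(
                f"track {entry.track} starts at {entry.start_msf} (LBA {lba}), "
                "inside the two-second gap: a drive that addresses from 00:02.00 "
                "cannot read it, while a standalone player is typically unaffected")
        elif prev_lba is not None and lba <= prev_lba:
            problems.append(f"track {entry.track} does not start after the previous track")
        prev_lba = lba
    return problems


# Constructed sample TOCs: a conventional disc and one with the altered first-track start.
NORMAL_TOC = [TocEntry(1, "00:02.00"), TocEntry(2, "03:45.12")]
ALTERED_TOC = [TocEntry(1, "00:01.74"), TocEntry(2, "03:45.12")]

if __name__ == "__main__":
    for name, toc in (("normal", NORMAL_TOC), ("altered", ALTERED_TOC)):
        print(name, check_toc(toc) or "ok")
```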
For a variety of reasons, passive protection measures proved to be at
best an incomplete solution. First, some common audio components were
unable to play back CDs with passive protection. Car stereos and DVD
players with CD playback functionality often encountered difficulties with
passively protected discs.176 Second, not all PC drives were susceptible to
166. Id.
167. Id.
168. Id.
169. Halderman, supra note 161.
170. Id.
171. Id. See also INTERNATIONAL STANDARD NO. 60908, Audio Recording—
Compact Disc Digital Audio System (Int’l Electrotechnical Comm’n 1999).
172. Halderman, supra note 161.
173. Id.
174. Id.
175. Id.
176. Will Knight, Philips Says Copy-Protected CDs Have No Future, NEW SCIEN-
TIST, Jan. 11, 2002; Sony’s ‘Copy-
Proof’ CD Fails to Silence Hackers, USA TODAY, May 20, 2002, http://www.usatoday.-
the rather crude methods relied upon by passive protection.177 And as
these methods became more prevalent, new drives were designed to elimi-
nate the shortcomings of earlier hardware.178 Even for computer users
whose drives had difficulty reading passively protected discs, the careful
application of tape or a felt tip pen could defeat passive DRM.179 As a re-
sult, passive protection was largely abandoned in favor of active protec-
tion measures, which leave audio playback devices wholly undisturbed
while providing greater and more flexible control over PCs.180 However,
unlike passive protection measures, active protection measures introduced
an additional difficulty for content owners and developers of protection
measures: since active measures operate by means of software running on
users’ machines, these measures needed to guarantee the installation of
software most users would reject if given the choice. Luckily for copy pro-
tection proponents, the Windows computing environment made such in-
stallation without consent surprisingly easy.
B. Technology as Enablement
Technology not only motivated Sony BMG’s choice to deploy inva-
sive software-based DRM, but also provided the means to execute this
strategy. Once installed, the rootkit itself helped to ensure that average
consumers remained unaware of the software Sony BMG had installed on
their machines. What enabled the stealth installation of the DRM software
in the first place, however, was a standard feature of the dominant PC op-
erating system: Sony BMG relied on the AutoRun feature of the Windows
operating system to run and install code on users’ machines without notice
or consent.
AutoRun allows software code contained on removable media, like
CDs, to run automatically when inserted into a computer. When a CD is
inserted into a computer, Windows scans the disc for a file named
“AutoRun.inf.”181 If that file is present, Windows faithfully executes its instruc-
tions.182 The file could instruct the computer to launch a program, open a
particular website, or take some other more harmful action. Despite the
177. See Halderman, supra note 161.
178. Halderman & Felten, supra note 11, at 8.
179. See Halderman, supra note 161.
180. Some later discs used a combination of active and passive protection measures.
Edward W. Felten & J. Alex Halderman, Digital Rights Management, Spyware, and Se-
curity, IEEE SECURITY & PRIVACY, Jan.-Feb. 2006, at 18, available at http://www.-
181. Halderman & Felten, supra note 11, at 5.
182. Id.
potentially destructive power ceded by AutoRun, Microsoft included no
meaningful safeguards for computer users.
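An inspector for the file Windows acts on, as an added example that is not code from the Article, Sony BMG or the DRM vendors: it assumes the documented AutoRun.inf layout, an INI-style file whose [autorun] section uses "open" and "shellexecute" for what runs automatically and "shell\<verb>\command" for what runs from the drive's context menu. The sample file is constructed, not taken from any real disc.

```python
"""Surface what an AutoRun.inf would make Windows launch before trusting the disc.

Added example, not code from the Article, Sony BMG or the DRM vendors.
It assumes the documented AutoRun.inf layout: an INI-style file with an
[autorun] section in which "open" and "shellexecute" name what runs
automatically and "shell\\<verb>\\command" keys name what runs from the
drive's context menu. The file below is constructed, not taken from a
real disc.
"""
from typing import Dict, List

AUTO_LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value mapping.

    Section and key names are matched case-insensitively, as Windows does;
    lines outside [autorun], blank lines and ';' comments are ignored.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_actions(entries: Dict[str, str]) -> List[str]:
    """List each program, command or URL the file would have Windows launch."""
    actions = []
    for key, value in entries.items():
        automatic = key in AUTO_LAUNCH_KEYS
        context_menu = key.startswith("shell\\") and key.endswith("\\command")
        if automatic or context_menu:
            how = "runs automatically" if automatic else "runs from the drive's context menu"
            actions.append(f"{key} -> {value} ({how})")
    return actions


# Constructed sample in the style of a media-installer disc.
SAMPLE_AUTORUN_INF = """\
; constructed sample, not the contents of any real disc
[AutoRun]
open=Installer.exe /autorun
icon=Artwork\\disc.ico
label=Album Title
shell\\install=&Install Player
shell\\install\\command=Installer.exe
"""

if __name__ == "__main__":
    for action in launch_actions(parse_autorun(SAMPLE_AUTORUN_INF)):
        print(action)
```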
Using AutoRun, Sony BMG was able to install DRM software on
computers without the knowledge or consent of users. Upon insertion of
an XCP disc, AutoRun launched an installer program that presented users
with the terms of the XCP EULA. If the user “accepted” the EULA terms,
XCP installed software to play the CD and copy DRM-protected Windows
Media files. These files, unlike MP3 files, cannot be copied to Apple’s
iPod or other portable media players. If a user instead rejected the EULA,
the CD was ejected from the machine. Furthermore, if a user launched an
audio program prior to accepting the EULA and installing XCP, the auto-
launched installer gave the user thirty seconds to exit that program before
the disc was ejected.183 For many, if not most, users, this procedure meant
that the only way to listen to a protected disc on a computer was to install
MediaMax employed even more aggressive tactics with the help of
AutoRun. When inserted, MediaMax discs used AutoRun to install, with-
out notice or consent, a device driver that altered the user’s CD-ROM
drive to prevent playback of MediaMax discs. Next, the installer presented
the EULA. If accepted, the MediaMax software was installed. But if the
user instead refused the terms of the EULA, the disc was ejected. Even if
the user refused to accept the EULA, and the CD was ejected,
SunnComm’s MediaMax technology often remained installed on the
user’s computer—saddling users with all of the security and privacy vul-
nerabilities but providing no access to the music they purchased.184
In the face of predictable user reluctance to actively impede their own
lawful uses of legally purchased CDs, Sony BMG and its DRM vendors
leveraged the dominant operating system’s lack of end user control over
software installation decisions to clandestinely alter the personal comput-
ing environment of millions of users. In doing so, Sony BMG relied in
part on methods used by spyware distributors to spread malicious code
and seize remote control of users’ computers. Arguably, the decision to
use these stealth techniques was motivated by the same desires—limiting
user knowledge, engagement, and choice—that motivate their use in the
spyware and malware contexts.
Sony BMG’s use of these techniques occurred against a backdrop of
efforts by companies, including Microsoft, to bolster user control over
183. Id. at 6.
184. Id. at 7.
software installation through industry-wide efforts to create more mean-
ingful and effective consent mechanisms185 and product design to prevent
the installation of spyware.186 These efforts recognized that the categoriza-
tion of products as malware or spyware depends as much on the consent
experience and on satisfying user expectations as it does on a product’s
functionality. Since the rootkit incident, Microsoft has taken at least one
step that increases end user control over software installation. In Windows
Vista, its most recent operating system, Microsoft has altered the AutoRun
mechanism. On first encounter with an AutoRun disc, the user has the op-
portunity to permit or deny the automatic execution of code and can set
defaults for future AutoRun discs.187 The lessons learned from Sony
BMG’s decision to use AutoRun, and its misuse in other “drive-by”
download exploits no doubt influenced this redesign. It is more consistent
with the principles of usable security discussed below, and will likely as-
sist users in avoiding the installation of some insecure software.
Sony BMG has paid dearly for its deployment of XCP and MediaMax
through the investigations, litigation, and settlements that came in the
wake of the rootkit incident.188 The example made of Sony BMG will
185. The difficulty of delineating “spyware” solely on the basis of software behavior
has led legislators and industry to focus increasingly on the quality of the notice and con-
sent procedures around a software program’s installation in addition to its behavior. The
Anti-Spyware Coalition’s Best Practices Guide is an example of this revival of interest in
constraining reasonable notice and consent mechanisms and procedures. See A
OF POTENTIALLY UNWANTED TECHNOLOGIES (2007), available at http://www.-
CD AutoRun Basics: Windows Vista AutoPlay and AutoRun,
shellrun/AutoRun.htm#vista (last modified Dec. 19, 2006).
188. See, e.g., Settlement Agreement, supra note 69; Robert McMillan, Second Sony
Rootkit Settlement Ups Payout to $5.75M, COMPUTER WORLD, Dec. 21, 2006, http://-
620; Agreement Containing Consent Order, In re Sony BMG Music Entm’t, FTC File
No. 062 3019 (Jan. 30, 2007), available at
likely shape future DRM deployments by injecting security considerations
into their development and by influencing notice and consent practices.189
These developments, as we discuss in Part VI, provide a solid foundation
for broader interdisciplinary efforts to improve privacy and security in the
online environment. But rather than analyze the sufficiency of the price
paid by Sony BMG for its misdeeds, we seek to understand why existing
law failed to prevent the deployment of DRM with known security and
privacy risks. In hindsight, it is apparent that Sony BMG’s decision to de-
ploy its DRM was woefully misguided, and that the statements about its
data collection were inaccurate and incomplete. Assuming Sony BMG had
competent legal counsel, the question is why the law failed to clearly alert
Sony BMG of the illegality of this strategy. Equally important is an under-
standing of the failure of the law to empower users with the information
and control to avoid these security and privacy risks.
A complicated picture emerges. We contend in Section V.A that Sony
BMG’s likely reliance on the hidden nature of the DRM’s functionality
was buttressed in part by the Digital Millennium Copyright Act’s anti-
circumvention rules, which discourage experts from studying the security
risks posed by technological protection measures. By exposing security
researchers to liability for their research, the DMCA discourages the front-
line of security defense in the online environment. The anti-trafficking
rules similarly interfere with the distribution of information or tools that
could assist users in disabling technological protection measures, like the
Sony BMG DRM, in order to avoid risks to their privacy and security.
Second, existing contract law has failed to set meaningful limits on the
substance and formalities of click-wrap contracting. The unwillingness of
courts to set substantive limits on EULAs and to critically consider the
consent experience created an environment in which unreasonable mate-
rial terms can be inserted into EULAs with impunity. And without a
meaningful consent experience, users cannot even hope to have notice of
the terms foisted upon them by these mass-market form contracts. Third
and finally, the focus of U.S. privacy initiatives on a narrowly defined
class of “personally identifiable information” created uncertainty about
privacy rules for businesses using unique identifiers, such as IP addresses,
to identify or monitor users. By discouraging security research on techno-
logical protection measures, failing to take a hard look at the terms and
189. Pamela Samuelson & Jason Schultz, Regulating Digital Rights Management
Technologies: Should Copyright Owners Have to Give Notice About DRM Restrictions?,
J. TELECOMM. & HIGH TECH. L. (forthcoming 2007) (manuscript at 17, available at
formalities of “click-wrap” agreements, and neglecting to provide guid-
ance on privacy issues beyond those arising with “personal identifying in-
formation,” courts and regulators failed to strike the appropriate balance
between commercial convenience, on the one hand, and consumer protec-
tion and empowerment, on the other.
A. The DMCA’s Veil of Secrecy
At present, federal law does not explicitly endorse invasive attacks by
copyright holders against the computers of suspected infringers. Proposals
like H.R. 5211, introduced by Representative Howard Berman in 2002,
would have enabled such self-help hacking in the name of enforcing intel-
lectual property rights.190 Congress rightly rejected this approach.191 But
even in the absence of any official congressional imprimatur on invasive
self-help, Congress has created a set of disincentives through the DMCA
that, if not appropriately checked, could yield the same result—namely,
unrestrained and overzealous copyright enforcement mechanisms that en-
danger the security of personal computers and the network generally.
This Section considers the implications of the DMCA on the security
researchers who serve as the primary source of information regarding abu-
sive protection measures for the public, law enforcement, and regulators.
By imposing potential liability for discovery, disclosure, and deactivation
of harmful protection measures, the DMCA was perhaps the primary
component of the legal framework that failed to prevent the rootkit incident.
In the weeks and months prior to the public disclosure of the XCP
rootkit, two prominent computer security and DRM researchers, Professor
Ed Felten and J. Alex Halderman, were forced to divide their energy be-
tween researching and publicizing the dangerous implications of Sony
BMG’s protection measures, on the one hand, and engaging in protracted
discussions of potential DMCA liability with both their outside legal team
and the general counsel of their academic institution, on the other.192 The
190. H.R. 5211, 107th Cong. (2d Sess. 2002), available at
191. Legislative History of H.R. 5211, 107th Cong. (2002),
192. Halderman and Felten were clients of the Samuelson Law, Technology & Public
Policy Clinic directed by Mulligan. Perzanowski was the student most intimately and
continuously involved in advising Halderman and Felten. Clinic Fellow Jack Lerner and
clinic student interns Sara Adibisedeh, Azra Medjedovic, and Brian W. Carver all par-
ticipated in the representation at various times. Joseph Lorenzo Hall, a Ph.D. student at
Berkeley’s Information School and a long-standing participant in the Samuelson Clinic’s
caution displayed by Halderman and Felten is hardly surprising given their
personal histories with the DMCA. Both have been threatened with legal
action in the past and are therefore acutely aware of the exacting toll of
litigation threats, regardless of the merits of the claims.193 But the neces-
sary delay caused by legal uncertainty left millions at risk for weeks
longer than necessary.
In broad terms, the DMCA undergirds the technological protection
measures adopted by copyright holders with the force of law. The statute
prohibits circumvention of any measure that effectively protects access to
a copyrighted work.194 In addition, the DMCA imposes liability on those
who traffic in tools, devices, components, or services primarily designed,
marketed, or commercially viable only for the purpose of circumventing
protection measures that control access to or copying of copyrighted
works.195 Both the anti-circumvention and anti-trafficking provisions of
the DMCA contribute to the ominous shadow that hangs over researchers
examining the security of any product protected by a technological protec-
tion measure,196 a pall most strongly felt by those examining the protection
research, provided technical advice and support to law students working on this project.
As Felten and Halderman wrote, “Sadly, research of this type does seem to require sup-
port from a team of lawyers.” As much as the lawyers enjoyed the privilege of working
with and representing interesting people doing important work, they share their former
clients’ dismay at this particular state of affairs.
193. In 2000, Felten and a team of researchers, after accepting a challenge from the
Secure Digital Music Initiative (SDMI), succeeded in breaking SDMI’s digital audio wa-
termark. After facing legal threats under the DMCA, Professor Felten filed for declara-
tory judgment seeking a determination that his research did not violate the DMCA. Only
after the RIAA disavowed any intent to file suit was that action dismissed. See Tinkerers’
Champion, THE ECONOMIST, June 22, 2002; First Amended Complaint, Felten v. Re-
cording Indus. of Am., Inc., No. CV-01-2660 (D.N.J. June 26, 2001), available at http://-
In 2003, Halderman published an academic paper discussing his research on
SunnComm’s MediaMax protection measure. See supra note 4. Shortly thereafter,
SunnComm threatened Halderman with legal action for his academic publication. Kevin
Maney, Debate Heats Up as Student Spots Hole in CD Protection, USA TODAY, Oct. 27,
2003, at 1A. After scathing criticism of its attempt to silence legitimate research,
SunnComm publicly retracted this threat. See Lisa Napoli, Compressed Data; Shift Key
Opens Door to CD and Criticism, N.Y. TIMES, Oct. 13, 2003, at C3.
194. 17 U.S.C. § 1201(a)(1)(A) (2000).
195. 17 U.S.C. § 1201(a)(2), (b)(1) (2000).
196. See generally Chamberlain Group, Inc. v. Skylink Techs., Inc., 381 F.3d 1178
(Fed. Cir. 2004); Lexmark Int’l, Inc. v. Static Control Components, Inc., 387 F.3d 522
(6th Cir. 2004).
measures applied to creative works—music, movies, novels—that the
DMCA was intended to protect.197
In their efforts to determine the security threats posed by DRM sys-
tems like XCP and MediaMax, researchers are likely to disable or remove
some portion or the entirety of the protection measure, and thus potentially
run afoul of the DMCA’s prohibition against circumvention.198 Assuming
researchers—and their institutions—are willing to accept these risks, they
could face further threats of litigation for publishing the results of their
research. To the extent that publication of sufficiently detailed findings
enabled others to circumvent the protection measure, it could lead to
claims of trafficking. Although such claims are unlikely to succeed,199 the
197. As discussed supra, the Digital Millennium Copyright Act (DMCA) has been
used to threaten academic research. But the chilling effect of the DMCA has extended far
beyond security research. It has impeded tinkering with online games and gadgets and
interfered with online speech. See supra notes 151 and 152; ELECTRONIC FRONTIER
Nor is the DMCA the only legal barrier to improving computer security. Bucking the
call for growing scrutiny and improvement of electronic voting technology, dominant
election system vendors have used the threat of legal action based on intellectual property
violations to interfere with competition, impede the review of electronic systems by regu-
lators, and chill public discourse about the lax security of their machines. For an over-
view of the issues faced by election officials see AARON BURSTEIN ET AL., SAMUELSON
198. The great irony, of course, is that although during the exploration of the security
risks posed by the DRM researchers are likely to disable or remove some portion or the
entirety of the protection measure, and thus potentially run afoul of the DMCA, engaging
in such research does not constitute copyright infringement. Indeed, security researchers
are concerned with the manner in which protection measures function and the security
threats they may pose; they have no interest in the copyrighted content those measures
are meant to protect.
199. Statements made by the Department of Justice in Felten v. RIAA are instructive.
In that case, the DOJ argued against an interpretation of “tools” that would include “nor-
mal scientific research” and publishing. Defendant John Ashcroft’s Memorandum in
Support of Motion to Dismiss, at 17, Felten v. Recording Indus. Ass’n of Am., No. 01-
CV-2669 (D.N.J. Sept. 25, 2001) (“[t]he Plaintiffs are scientists attempting to study ac-
cess control technologies. The DMCA simply does not apply to such conduct.”). The
DOJ did reserve the possibility that “making available a publication that describes in de-
tail how to go about circumventing a particular technology, if written or marketed for the
express purpose of actually circumventing that technology,” could be prosecuted under
the statute. Id. at 17 n.5. Some cases involving defendants who publicly distribute and
advertise what effectively amount to step-by-step instruction guides on how to commit
crimes have resulted in successful prosecutions in other areas. See, e.g., Rice v. The Pala-
threat of litigation and the associated expense is sufficient to alter research
agendas. Finally, assuming researchers discovered a security flaw that
posed a significant threat to the public, as in the case of Sony BMG’s
DRM, and sought to provide a tool to enable the average computer user to
quickly and safely avoid the harms posed by the protection measure, they
almost certainly would raise the ire of the content industry to a fever pitch
and draw a trafficking claim under the DMCA. Together the anti-
circumvention and anti-trafficking provisions chill computer security re-
search and create enormous disincentives to provide the information and
tools necessary to enable computer users to avoid security and privacy
risks once dangerous technologies have been deployed.
A detailed analysis of potential liability under the DMCA and the
ways in which it complicates research, publication, and the dissemination
of tools related to DRM is beyond the scope of this Article.200 Nonethe-
less, there are good reasons to doubt that liability should attach in these
circumstances. First, the more enlightened courts to analyze the DMCA
recognize that liability requires some nexus between the act of circumven-
tion and an act of copyright infringement.201 Where circumvention and
din Enters., 128 F.3d 233, 266-67 (9th Cir. 1997); United States v. Barnett, 667 F.2d 835,
842 (9th Cir. 1982). However, sharing general information about how to commit criminal
acts that is unlikely to incite others to imminently take lawless action typically fails to
justify restricting its expression. McCoy v. Stewart, 282 F.3d 626, 632 (9th Cir. 2002).
Given that security research is not marketed for the purpose of circumvention, it is
unlikely to be found to incite others to imminently commit unlawful acts.
200. As counsel to Halderman and Felten, the authors have conducted an exhaustive
analysis of this issue.
201. Chamberlain Group, Inc. v. Skylink Techs., Inc., 381 F.3d 1178 (Fed. Cir.
2004), succinctly sets forth the applicable law on this point:
A plaintiff alleging a violation of § 1201(a)(2) must prove: (1) owner-
ship of a valid copyright on a work, (2) effectively controlled by a
technological measure, which has been circumvented, (3) that third par-
ties can now access (4) without authorization, in a manner that (5) in-
fringes or facilitates infringing a right protected by the Copyright Act,
because of a product that (6) the defendant either: (i) designed or pro-
duced primarily for circumvention; (ii) made available despite only
limited commercial significance other than circumvention; or (iii) mar-
keted for use in circumvention of the controlling technological measure.
Chamberlain Group, Inc., 381 F.3d at 1203; accord Storage Tech. Corp. v. Cus-
tom Hardware Eng’g & Consulting, Inc., 421 F.3d 1307 (Fed. Cir. 2005) (in
order to prevail in a DMCA claim, the plaintiff must also be able to succeed on
the merits in an underlying copyright infringement suit).
publication take place in the context of academic research, courts should
be reluctant to find the requisite nexus.
Second, at least with respect to Sony BMG’s DRM, it is far from clear
that the technological protection measures at issue would have been found
to “effectively control access” to the CDs.202 Absent such a finding, re-
search and subsequent publication, or even distribution of a tool, would
not be actionable under the DMCA’s anti-circumvention and anti-
trafficking provisions.203 In Lexmark Int’l, Inc. v. Static Control Compo-
nents, Inc., the Sixth Circuit explained that section 1201(a)(2) does not
extend to a technological measure that restricts one form of access but
leaves another route wide open.204 XCP and MediaMax both left audio
content unprotected and accessible by other obvious means.205 Purchasers
could access the tracks without restriction on their CD players, any Apple
computer, or any Windows machine on which AutoRun was disabled.206
Under these circumstances, the availability of DMCA protection is an
open question.
202. Per the statute, a technological measure “effectively controls access to a work” if
the measure, in the ordinary course of its operation, requires the application of informa-
tion, or a process or a treatment, with the authority of the copyright owner, to gain access to the work. 17
U.S.C. § 1201(a)(3)(B) (2000).
203. 17 U.S.C. § 1201 (a), (b) (2000).
204. Lexmark Int’l, Inc. v. Static Control Components, Inc., 387 F.3d 522, 547 (6th
Cir. 2004).
205. Some files, such as bonus video content or compressed audio files, are not ac-
cessible through these other means. But since removal of the protection measure does not
grant access to these files, the fact that they remain protected cannot support a claim of
206. DRM vendors and copyright holders would likely have argued that their controls
are effective “in the ordinary course of its operation,” i.e., in the environment in which
they were intended to be used. This argument assumes that the DRM vendors have some
authority to control the underlying configuration of a user’s machine. Given that access to
the audio files is not protected on some standard-configured Windows computers and on
Macs, this argument would implicitly suggest that users with “normally configured” ma-
chines are engaged in illegal circumvention. To succeed on this argument, Sony BMG
would have to convince the court to adopt the position that the licensor has the right to
control the general computing environment in which the consumer makes personal use of
the CD audio files. It is difficult to imagine this argument proving persuasive, given its
rather radical and broad implications, and given that its adoption would run counter to the
“no technology mandates” provision in the DMCA, which states: “Nothing in this section
shall require that the design of, or design and selection of parts and components for, a
consumer electronics, telecommunications, or computing product provide for a response
to any particular technological measure . . . .” 17 U.S.C. § 1201(c)(3) (2000).
An additional wrinkle in the analysis of potential liability facing re-
searchers arises from the security testing exemption in section 1201(j),
which applies to both the anti-circumvention provision and the anti-
trafficking provision of 1201(a). It is the only statutory exemption that
could potentially shield security researchers who disable protection meas-
ures like XCP and MediaMax and traffic in tools that enable others to
avoid security risks. However, the scope of this exemption is, at best, un-
certain,207 and its applicability to the rootkit incident and similar potential
circumstances is unsettled. First, section 1201(j)(1) limits the definition of
“security testing” to “accessing a computer, computer system, or computer
network, solely for the purpose of good faith testing.”208 This definition
may not apply to circumvention of technological measures that protect
third party content stored on removable media, such as sound recordings
on CDs, that are distinct from the computer, system, or network. The scant
legislative history offers some support for this reading. Section 1201(j)
was adopted to accommodate concerns raised by developers of firewalls
who wanted to ensure that they, their customers, and their competitors
could test the effectiveness of their products.209 In addition, since the sole
purpose of security research is not to “promote the security of the owner
or operator,” but rather to protect the security of the public broadly—a
purpose that may require widespread publication of information regarding
removing the protection measure at issue—this sort of research could run
207. Section 1201(j) has been given short shrift in judicial opinions addressing the
DMCA. Aside from a passing and dismissive reference in Universal City Studios v.
Reimerdes, 111 F. Supp. 2d 294, 321 (S.D.N.Y. 2000), the exemption has been ignored
by both courts and litigants. What attention the Reimerdes court did pay to 1201(j) was
marred by a misreading of the statute. The court held that because “defendants sought,
and plaintiffs granted, no authorization for defendants’ activities” § 1201(j) did not apply.
Id. The leading academic interpreting the statute also finds that the statute requires au-
thorization. See Pamela Samuelson & Suzanne Scotchmer, The Law and Economics of
Reverse Engineering, 111 YALE L.J. 1575, 1648 n.339 (2002) (“The computer security
exception requires that the researcher actually get, and not just ask for, permission to de-
feat the technical protection measure.”). However, the statute requires authorization not
from the copyright holder, but from the owner or operator of the computer. The
Reimerdes court’s reading is therefore almost certainly a misapplication of the statute.
208. 17 U.S.C. § 1201(j) (2000).
209. The Conference Report on the DMCA offers further support for this narrow
reading of the definition of security testing under 17 U.S.C. § 1201(j). That report ex-
plained, “It is not unlawful to test the effectiveness of a security measure before it is im-
plemented to protect the work covered under title 17. Nor is it unlawful for a person who
has implemented a security measure to test its effectiveness.” H.R. REP. NO. 105-796, at
67 (1998) (Conf. Rep.).
afoul of the statute.210 As discussed infra, the scope of the security re-
search exemption was sufficiently unclear to justify the Copyright Office’s
decision to grant a temporary exemption to enable research on security-
flawed CD-based protection measures.
Even assuming a competent legal team and success on the merits, de-
fending against a DMCA suit consumes enormous resources. The threat of
litigation understandably chills security research related to DRM. Sup-
pressing research of this sort disables an important check on the safety and
soundness of products in the consumer marketplace. Just as Consumers
Union and other independent analysis and benchmarking entities act as
independent checks on quality and safety for consumer products, computer
security researchers play an important role in evaluating the security, pri-
vacy, usability, and other consumer-relevant effects of software. Prevent-
ing computer security researchers from evaluating products that contain
technological protection measures removes an important player in the
market ecosystem with respect to consumer protection.
Without the efforts of security researchers who discovered and publi-
cized the risks created by Sony BMG’s DRM,211 consumers and policy-
makers would be nearly universally uninformed about security threats and
other unknown consequences of DRM—a fact likely well understood by
copyright holders who choose to deploy stealth protection measures with
undisclosed functionalities. The vast majority of computer users lack the
expertise to discover these threats independently. There is no government
agency that is explicitly authorized to examine DRM or other technologi-
cal protection measures to assess their policy implications or ramifica-
tions—security or other—on behalf of consumers. As a result, consumers
must either rely on the research conducted by security experts212 or blindly trust software developers and content owners to exercise restraint in designing protection measures that respect consumers’ privacy and security.213

210. 17 U.S.C. § 1201(j)(3) (2000).
211. See supra Section I.A.
212. The DMCA harms consumers not only by denying them the expertise of researchers, but also by imposing liability for self-help. Once some information regarding the existence and functionality of a protection measure becomes available, many enterprising users could remove it on their own. However, the DMCA creates threats against users as well as researchers.
213. Posting of Ed Felten & J. Alex Halderman to Freedom to Tinker, http://www.- (Nov. 15, 2005, 07:07 EST). The rootkit incident and the historic use of monitoring in online content distribution systems suggest that such reliance would be misplaced. Deirdre K. Mulligan et al., How DRM-based Content Delivery Systems Disrupt Expectations of “Personal Use”, in ASS’N FOR COMPUTING MACHINERY

B. The Insufficiency of Consent

Aside from the force of law conferred by the DMCA, Sony BMG’s DRM scheme benefited from some degree of legal protection offered by its software licenses. These licenses arguably enabled Sony BMG to maintain that users of XCP and MediaMax assented to the installation and functionality of Sony BMG’s DRM. But the vast majority of Sony BMG customers lacked any meaningful understanding of the functionality of these protection measures, in part as a result of Sony BMG’s misleading license terms and in part because of deficiencies in the consent experience associated with click-wrap licenses generally. Despite these barriers to meaningful consent, under contemporary contract doctrine, most of the terms of the XCP and MediaMax EULAs would be enforced against users, further emboldening Sony BMG.

XCP and MediaMax, like almost all consumer software, were distributed under the terms of EULAs. Typically EULAs disclose, among other things, the data collection, advertising, and other program functionalities of software, and require a “click” or other affirmative act to acknowledge the user’s consent to the terms. In the case of the Sony BMG DRM-protected CDs, the EULAs contained false statements claiming that no personal information would be collected about the user or their computer.214 Indeed, the EULA governing DRM-protected Sony BMG CDs explicitly disavowed any collection or dissemination of data related to customers or their computers. The XCP EULA stated in part “the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.”215 The MediaMax license

214. The EULA stated, “[T]he SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.” Sony BMG MediaMax EULA (emphasis added) (on file with authors). The use of the term “personal information”, rather than “personally identifiable information”, created exposure here for Sony BMG, as discussed infra in Section V.C. Information at the SunnComm Sony BMG customer care website further misleads consumers, stating, “No information is ever collected about you or your computer without you [sic] consenting” and also: “Is any personal information collected from my computer during the digital key delivery process? No, during the digital key delivery process, no information is ever collected about you or your computer.” Posting of J. Alex Halderman to Freedom to Tinker, (Nov. 12, 2005, 12:30 EST) (emphasis added). The lack of any modifiers with respect to “information” is startling. This statement would prohibit any connection to a remote server. The lack of consistency in terminology across the documents and the failure to use existing legally accepted definitions to describe the data they were claiming not to collect proved exceedingly problematic.
agreement contained similar language.216 In fact, both the XCP and Me-
diaMax DRM collected and transmitted to Sony BMG the user’s IP ad-
dress, the time the CD was played, and a code corresponding to the par-
ticular CD title being played. Additionally, the EULA contained a host of
overreaching terms.217 The most significant was a provision permitting
Sony BMG to install and use backdoors in the DRM and media player to
enforce its rights at any time and without notice to the user.218 Like the
security threats introduced by XCP and MediaMax, the overreaching,
false, and confusing statements found in the EULA were of the sort typi-
cally associated with spyware.
Since components of Sony BMG’s DRM installed—sometimes per-
manently—before customers were confronted with the EULA terms, the
CD packaging provided the only available means of pre-installation no-
tice. But the information conveyed by the packaging left much to be de-
sired. It too failed to provide adequate information about the installation
and functionality of the software. XCP-protected discs contained the IFPI
“Content Protected” logo on the front of the CD jewel case spine219 and a
small “content protection grid,” illustrated below in Figure 1, on their back
covers.220 The majority of MediaMax discs included similar grids.221 Others featured ambiguous disclosures in minuscule type, buried within system requirements.222 Some neglected to inform customers that the CD would automatically install software on their systems,223 while others failed to disclose any of the restrictions on copying or accessing content imposed by the MediaMax software.224 These half-hearted disclosures failed to provide Sony BMG customers with fair warning of the security and privacy threats or the scope of the limitations on use imposed by its

Figure 1

215. Sony BMG XCP EULA (Jan. 7, 2005) (on file with authors).
216. “At no time will any information provided by you in connection with the installation of the software system be collected about you or your computer.” Sony BMG MediaMax EULA, supra note 214.
217. See supra note 27.
218. “As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the ‘SOFTWARE’) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.” Sony BMG XCP EULA, supra note 215.
219. Electronic Frontier Foundation, supra note 57.
220. CD’s Containing XCP Content Protection Technology, Sony BMG, http://cp.-
221. Electronic Frontier Foundation, supra note 57.
222. For a number of examples, see Gallery of Variations on SunnComm MediaMax CD Labeling, (last visited Sept. 6, 2007).
Users who took the time to sift through the nearly 3000-word XCP
EULA225 gleaned some additional detail beyond the cursory notice pro-
vided on the CD packaging. But the EULA failed to fully disclose the se-
curity and privacy risks imposed by Sony BMG’s protection measures.
Once customers purchased CDs and attempted to listen to them using their
computers, the EULA—assuming they read it226—informed them:
Before you can play the audio files on YOUR COMPUTER or create and/or transfer the DIGITAL CONTENT to YOUR COMPUTER, you will need to review and agree to be bound by an end user license agreement . . . . As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the ‘SOFTWARE’) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT.227

223. See, e.g.,
224. Some stated:
This CD is enhanced with Media Max software . . . . Software will automatically install . . . . Usage of this CD on your computer requires acceptance of the End User License Agreement and installation of specific software contained on this CD . . . . Certain computers may not be able to access the enhanced portion of this disc. None of the manufacturer, developer, or distributor [sic] makes any representation or warranty, or assumes any responsibility, with respect to the enhanced portion of this disc.
225. Sony BMG XCP EULA, supra note 215.
226. Users frequently ignore or fail to read EULAs. Nathaniel Good et al., User Choices and Regret: Understanding Users’ Decision Process About Consensually Acquired Spyware, 2 I/S: J.L. & POL’Y FOR THE INFO. SOC’Y 283 (2006).
So while the EULA informed users that a small program would be in-
stalled on their machines, it provided no information about the specific
restrictions that program placed on use of the CD or the manner in which
it operated. Even customers who proactively sought information about the
XCP software had no way, short of installing the software and running
sophisticated diagnostic tests,228 to discover the security vulnerabilities it
introduced or that its explicit assurances regarding the collection of per-
sonal information were false. The same held true for the MediaMax
EULA.229 All but the most sophisticated users were left to blindly trust
Sony BMG’s incomplete and misleading disclosures. By doing so, they
unwittingly opened their PCs to crippling attacks and their personal infor-
mation to collection and transmission, both in exchange for restricted ac-
cess to the music they believed they had purchased.
Because the EULA did disclose, albeit poorly, provisions that pro-
vided for Sony BMG’s backdoor access and remote control over the user’s
computer—the provisions posing the greatest threats to security—courts
would likely enforce those terms.230 While EULA language is typically far
from clear, even for those familiar with legal documents, courts are reluc-
tant to excuse violations on the basis of unclear language. Nor do courts
excuse consumers from license obligations on the basis of their failure to
read EULA terms. As a matter of contract formation, courts typically find that installing or using the software is sufficient to establish acceptance of EULA terms even when users are not required to click “I Agree.”231

227. Sony BMG XCP EULA, supra note 215.
228. Exceedingly few users possess the software and know-how necessary to conduct the sort of investigation engaged in by Mark Russinovich or Felten and Halderman. See Mark’s Blog, supra note 6; Halderman & Felten, supra note 11.
229. “In order to properly utilize this CD on your computer, it is necessary to install a small software program on your computer hard drive.” Sony BMG MediaMax EULA, supra note 214.
230. See Jane K. Winn, Contracting Spyware by Contract, 20 BERKELEY TECH. L.J. 1345 (2005). The doctrine of unconscionability, while unlikely to succeed, would provide the strongest basis for voiding this particular term. The form contracting of the EULA, the unexpected behavior of the software, and the general surprise of consumers that any software at all was being downloaded onto their computer, along with the potential harm the consumer is exposed to, would lend support to a finding of unconscionability.
Whether consumers actually read the EULAs or whether they were de-
signed to encourage reading or comprehension is generally not of interest
to courts. When a document is reasonably understood to create legal obli-
gations, courts impose a duty to read.232 This obligation to read extends
not just to EULAs, but to documents hyperlinked from EULAs as well.233
If users read and understood the terms of software EULAs, many would
be surprised by the number of legal obligations they create. As with the
bizarre terms in the Sony BMG license that prohibited use of the CDs on
office computers and terminated the licensee’s rights in the CD if it was
stolen or if the user filed for bankruptcy, the restrictions and obligations
created in EULAs are often incongruous with consumer expectations
about the contents of these documents.234
Unless squarely at odds with public policy or deemed unconscionable,
EULA terms are generally enforced. Unconscionability requires both procedural defects in the contract formation process and substantive terms that unfairly oppress one party to the contract.235 In the context of the Sony BMG EULA, many courts would not object to the formation process itself, given Sony BMG’s use of current industry standard mechanisms like the scroll box and click-through assent.236 Nonetheless, research and experience show this process does not engage users in any meaningful way in the contracting process.237 And, while the installation of software that can be remotely updated and can enforce Sony BMG’s rights with respect to content sounds substantively problematic, it is consistent with the operation of other online content delivery systems for movies and music.238 So embedding a term requiring users to consent to the installation of a backdoor allowing remote updates and ongoing access to the user’s computer in a dense and lengthy EULA is not quite the aberration it seems to be, although we contend that it should be. This is, in fact, the direction in which content protection schemes in the PC environment are moving.239 Although the security and privacy flaws created by the DRM could provide a basis for a substantive challenge to the EULA, unconscionability requires both substantive and procedural defects.

231. See Tarra Zynda, Note, Ticketmaster Corp. v., Inc.: Preserving Minimum Requirements of Contract on the Internet, 19 BERKELEY TECH. L.J. 495, 504-05 (2004).
232. Heller Fin., Inc. v. Midwhey Powder Co., 883 F.2d 1286, 1292 (7th Cir. 1989).
233. Hubbert v. Dell Corp., 835 N.E.2d 113 (Ill. App. Ct. 2005). Hubbert was followed twice, in Nadler v. Merlin Int’l, Inc., 2007 U.S. Dist. LEXIS 19651 (S.D. Ill. Mar. 20, 2007), and Provencher v. Dell, Inc., 409 F. Supp. 2d 1196 (C.D. Cal. 2006).
234. Nathan Good et al., Noticing Notice: A Large-Scale Experiment on the Timing of Software License Agreements, in PROCEEDINGS OF THE SIGCHI CONFERENCE ON HUMAN FACTORS IN COMPUTING SYSTEMS 607 (Bo Begole & Stephen Payne eds., 2007), available at noticing_notice.pdf; Deirdre Mulligan et al., Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware, in PROCEEDINGS OF THE SYMPOSIUM ON USABLE PRIVACY AND SECURITY (2005). The overreaching and unexpected content of Sony BMG’s EULA does not set it apart as an outlier. For example, after just a few clicks, a user installing a well-known and popular file-sharing program agrees to provisions that prohibit reverse engineering, disabling advertisements, and removing third-party software; force them into mandatory arbitration; permit the sharing of the user’s contact information and browsing history; and bind all subsequent users of the software to the EULA.
The iTunes EULA includes: “You also agree that you will not use these products for the development, design, manufacture, or production of missiles, or nuclear, chemical or biological weapons.” Apple QuickTime 7.0.4 (free version for Windows) and iTunes EULA (on file with authors).
235. See, e.g., Williams v. Walker-Thomas Furniture Co., 350 F.2d 445 (D.C. Cir. 1965).
236. But see Ting v. AT&T, 319 F.3d 1126, 1148 (9th Cir. 2002) (“[A] contract of
adhesion, i.e., a standardized contract, drafted by the party of superior bargaining
strength, that relegates to the subscribing party only the opportunity to adhere to the con-
tract or reject it” is necessarily procedurally unconscionable).
237. Good et al., supra note 234.
238. See Mulligan et al., supra note 213 (discussing monitoring of user activities
identified in EULAs and by monitoring program activities).
239. The general movement toward platforms and software that allow for remote
attestation about software behavior is found in industry efforts around the creation of a
trusted computing platform. This technology is designed to allow one party to verify the
“state” and operations of another’s machine. In the context of asset management, where a
business wants to assure that all the machines remotely connecting to its network are con-
figured in a manner that will protect business interests (personal information, intellectual
property, etc.) remote attestation is a promising development. In the context of content
owners seeking to monitor the state (what software is running) and activity of a home
user’s computer in order to protect digital content, the issue of remote attestation is far
more problematic and has come, appropriately, under fire. In fact, one legislative effort to
deputize this sort of private sector monitoring of private use of content and to privilege
self-help by content companies was already vetted and rejected. Hopefully other systems
that support remote access to consumers’ computers will not introduce security holes,
although developing systems that allow for remote access and control of networked PCs
that cannot be exploited by a motivated attacker is likely a complicated task. Ross Ander-
son, ‘Trusted Computing’ Frequently Asked Questions,
tcpa-faq.html (last updated Aug. 2003); SCHOEN, supra note 158.
Existing law did not dissuade Sony BMG from introducing DRM-protected CDs that created security flaws. While it is almost certain that users had little to no idea that installing the XCP and MediaMax DRM would open security backdoors into their computers, allow remote monitoring of their activities, or disclose their machine configuration, current EULA and contract law provides little hope for fixing the structure of either the consent process or the substantive terms of such contracts. As discussed supra, courts have shown little interest in examining all but the most egregious contract terms and formation issues.
The need to consider the totality of the consumer contracting experi-
ence, rather than specific terms in isolation, suggests that successfully re-
structuring these interactions will require detailed fact finding about con-
sumers’ understandings and expectations, and the harms and risks to con-
sumers and competition created by specific terms and consent procedures.
Creating more nuanced and specific rules to govern consent with respect
to software downloads is a task better undertaken by an administrative
agency with deep expertise in consumer protection and the ability to pro-
vide guidance and forward-looking rules than by the courts. In the next
Section, we consider the Federal Trade Commission’s response to the
flawed notice and consent provisions of Sony BMG’s DRM and the pri-
vacy concerns to which they contributed.
C. Defining Deceptive and Unfair Acts: The Problem with
Software Downloads and Privacy
At the time Sony BMG placed its DRM-protected CDs on the market, the FTC had already long demonstrated its authority to investigate and penalize parties making false statements about the collection, use, and disclosure of personal information.240 In particular, successful enforcement actions were brought against companies, like Sony BMG, that offered public statements falsely disavowing the collection of information from users.241 More recently, the FTC used its authority to bind companies to practices and procedures that provide a “reasonable” level of security for users’ personal information.242 Importantly, it successfully settled claims against companies for failing to implement practices to address commonly known and well-understood security vulnerabilities and for failing to identify and prevent security vulnerabilities that put customer information at risk.243

In light of these existing FTC actions, Sony BMG’s inaccurate statements about data collection practices and software security, including vulnerabilities that could compromise personally identifiable information, appear inexplicable. However, a more careful consideration of the FTC’s prior actions sheds some light on why Sony BMG may not have considered its practices objectionable as a matter of established FTC guidelines. The centerpiece of the FTC’s privacy enforcement actions has been the protection of individually identifiable personal information.244 But, under a literal reading of the FTC’s application of that term, Sony BMG was not collecting “personal information.” According to the FTC, the Sony BMG media player “establish[ed] a connection with Internet servers through which the user’s or proxy server’s Internet Protocol (IP) address and a numerical key identifying the album being played will be transmitted from the user’s computer to the servers.”245 Such information was “used to display images and/or promotional messages on users’ computers that are retrieved from those servers.”246 In its only official statement on the issue, the FTC has said that “unless [IP addresses] are associated with other individually identifiable personal information, they would not fall within the . . . definition of ‘personal information’” regulated by the Children’s Online Privacy Protection Act.247 Sony BMG’s stance—that it collected no personal information that raised privacy concerns248—may seem counterintuitive, but viewed in light of the prevailing FTC definition of “personal information,” Sony BMG’s position becomes somewhat more coherent. While this in no way excuses the misleading statements found in Sony BMG’s EULA, the narrow scope of the FTC’s definition of personal information provides important context in which to consider Sony BMG’s

240. See Agreement Containing Consent Order, In re Sony BMG Music Entm’t, FTC File No. 062 3019 (Jan. 30, 2007), available at
[T]he disclosure shall be unavoidable and shall be presented prior to the consumer installing any content protection software or, if the disclosure is related to Internet connectivity, prior to causing any transmission to respondent about consumers, their computers, or their use of a covered product through Internet servers. The disclosure shall be of a size and shade, and shall appear on the screen for a duration, sufficient for an ordinary consumer to read and comprehend it. The disclosure shall be in understandable language and syntax.
Id. See FTC v. Seismic Entm’t, Inc., No. 04-377, 2004 U.S. Dist. LEXIS 22788 (D.N.H. Oct. 21, 2004) (enjoining the unfair practice of exploiting a known vulnerability in the Internet Explorer web browser to download spyware to users’ computers without their knowledge); In re, FTC File No. 042 3196 (Sept. 12, 2005). See also Complaint, FTC v. Odysseus Mktg., Inc., No. 05-CV-330 (D.N.H. Sept. 21, 2005) (failure to clearly and conspicuously disclose bundled software with security and privacy risks is deceptive).
241. See Microsoft Corp., 67 Fed. Reg. 52,723 (Fed. Trade Comm’n Aug. 13, 2002) (proposed consent order) (alleging that Passport misrepresented its data collection activities and obtaining consent order prohibiting such misrepresentations).
242. See MTS Inc., 69 Fed. Reg. 23,205 (Fed. Trade Comm’n Apr. 28, 2004) (proposed consent order) (failure to implement procedures that were reasonable and appropriate to detect and prevent “broken account and session management” vulnerabilities was unfair or deceptive given Tower Records’s statements about attention to security and privacy); Eli Lilly & Co., 67 Fed. Reg. 4,963 (Fed. Trade Comm’n Feb. 1, 2002) (proposed consent order) (lack of proper controls to avoid disclosure of e-mail addresses was unfair or deceptive given statements to the contrary).
243. See Decision and Order, In re MTS, Inc., FTC File No. 032 3209 (May 28, 2004), available at; Decision and Order, In re Guess?, Inc., FTC File No. 022 3260 (Aug. 5, 2003), available at; Decision and Order, In re Petco Animal Supplies, Inc., FTC File No. 032 3221 (Mar. 4, 2005), available at; Agreement Containing Consent Order, In re BJ’s Wholesale Club, Inc., FTC File No. 042 3160 (May 17, 2005), available at
244. See Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 (2000).
[Personal information means] individually identifiable information about an individual collected online including (a) a first and last name; (b) a home or other physical address including street name and name of a city or town; (c) an email address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual’s email address; (d) a telephone number; (e) a social security number; (f) a persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or (g) information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
privacy2000/privacy2000.pdf (asking for legislation establishing rules, and providing the FTC with regulatory authority, to govern the commercial websites that collect “personal identifying information” from or about consumers).
245. Complaint, In re Sony BMG Music Enter., FTC File No. 062 3019, at para. 18 (Jan. 30, 2007), available at
246. Id.
247. FTC Children’s Online Privacy Protection Rule, 16 C.F.R. § 312 (2006).
248. Carrie Kirby, Sony Gets an Earful Over CD Software, S.F. CHRON., Nov. 11, 2005, at A1; Jack Kapica, CIPPIC Files Complaint Against SonyBMG Settlement, GLOBEANDMAIL.COM, Sept. 21, 2006, RTGAM.20060921.gtsony0921/TPStory/Technology/columnists; Brian Garrity, Sony BMG Agrees to DRM Settlement, BILLBOARD, Jan. 7, 2006, at 5; Iain Thomson, Sony BMG Settles Rootkit Lawsuit, VNUNET.COM, Jan. 9, 2006,
At the time Sony BMG put its DRM-protected CDs on the market, the
FTC had already brought several actions—some pending and others suc-
cessfully settled—against companies that had installed software without
appropriate notice and consent procedures.249 The majority of these cases
involved “bundled software,”250 where EULA disclosures were found in-
sufficient to provide notice of the hidden software which typically served
pop-up advertisements, collected click-stream data, or engaged in some
other invasive data collection technique. Frequently the EULAs accompa-
nying bundled software include multiple embedded or linked EULAs
making the identification of the terms of the exchange complicated and
The software on the Sony BMG CDs, however, was not bundled in the
traditional sense. Users did not set out to install one piece of software and unknowingly install another through the Sony BMG CD. Rather, most
users likely did not intend to obtain any software at all during this interac-
tion. Although the hidden and unexpected nature of the transactions at the
root of the spyware-bundling cases provided a parallel to the Sony BMG
CDs, Sony BMG may not have understood itself to be intentionally hiding
the software in quite the same way as spyware companies.
249. FTC v. Seismic Entm’t, Inc., No. 04-377, 2004 U.S. Dist. LEXIS 22788 (D.N.H.
Oct. 21, 2004) (holding FTC was likely to succeed on the merits because it is an unfair
practice to exploit a known vulnerability in the Internet Explorer web browser to
download spyware to users’ computers without their knowledge, and enjoining this
method of software distribution); Analysis of Proposed Consent Order to Aid Public
Comment, In re, FTC File No. 042 3196 (Aug. 3, 2005) (holding failure
to clearly and conspicuously disclose bundled software that traced browsing deceptive);
see also Complaint, FTC v. Odysseus Mktg., Inc., No. 05-CV-330 (D.N.H. Sept. 21,
2005) (alleging that failure to clearly and conspicuously disclose bundled software with
security and privacy risks is deceptive).
250. In “bundled” software offerings, the user understands that they are installing one
program, but because they fail to read the EULA, and the software attempts to hide itself
in other ways, they fail to understand that they are in fact installing several different
software programs and often creating relationships with several different companies.
Typically these programs engage in invasive activities (pop-up or other forms of push
advertising) or extractive activities (monitoring and data collection) that users presumably would avoid if given appropriate notice. In re, FTC File No. 042 3196 (Sept. 12, 2005) (holding failure to clearly and conspicuously disclose bundled software that traced browsing deceptive); see also Complaint, FTC v. Odysseus Mktg., Inc., No. 05-CV-330 (D.N.H. Sept. 21, 2005) (alleging that failure to clearly and conspicuously disclose bundled software with security and privacy risks is deceptive).
In contrast to the bundled spyware cases, Sony BMG was installing
only one piece of software and using a single EULA, which was, in form,
consistent with the standard industry practice. The combination of stan-
dard disclosure through a EULA and the collection of no “personal infor-
mation” may have led Sony BMG to conclude that their installation and
data collection procedures were consistent with the law and industry
norms. This may have been further buttressed by the failure of surveil-
lance law generally to set limits on surreptitious monitoring and data col-
lection in the context of advertising and commercial dealings as long as
such monitoring is disclosed in the EULA.251
In the Sony BMG consent order, the FTC provided a new twist to the
existing privacy landscape. The order stands for the propositions that: (i)
clear and prominent notice and consent is required on CDs that condition
access to content on the installation of software that monitors and reports
on user activities; and (ii) clear and prominent notice and consent is re-
quired, again, before information about users, their computers, or their use
of the CD’s content is transmitted.252 Through the Sony BMG order and
bundled spyware orders, the FTC has established that software that col-
lects and transmits information about users, their computers, or their use
of the content—even if not “personal information” under the COPPA
definition—raises privacy concerns.253 The Sony BMG order also creates
a requirement, at least with respect to Sony BMG, that the installation of
software from a CD, and the transfer of information by such software, re-
quires heightened “clear and prominent”254 notice and consent.255 Interest-
ingly, the order does not create an obligation to analyze the security prop-
erties of products before release. Such obligations are found in earlier FTC
orders and the absence here is noteworthy, particularly given that a provi-
sion of Sony BMG’s settlement with the Attorneys General requires that at
least one qualified, independent third-party expert review future content
protection software and conclude that it creates no “confirmed security
vulnerabilities” prior to use by Sony BMG.256
251. Patricia L. Bellia, Spyware and the Limits of Surveillance Law, 20 BERKELEY
TECH. L.J. 1283, 1306-11 (2005) (discussing courts’ general willingness to allow consent
to interception to be given through “click-wrap” EULA provisions and therefore limiting
the utility of the Wiretap Act and the Computer Fraud and Abuse Act as remedies for a
large set of spyware problems).
252. Agreement Containing Consent Order, In re Sony BMG Music Entm’t, FTC
File No. 062 3019 (Jan. 30, 2007), available at
253. Where collection and transmission are part of the standard operation of Internet
protocols, this clearly cannot be the case. The line we are identifying here, which is not
clearly drawn in the settlements, may be a hard one to locate and maintain. In the
context of traditional web-based interactions, IP addresses are routinely disclosed to the
servers from which a user requests content (a web page, for example), and a require-
ment of notice and consent there seems inappropriate. The Sony BMG phone-home
feature sits at the opposite end of the spectrum, since there is no need for users’
machines to interact with Sony BMG’s servers at all. There are many cases in between,
and as technology changes, what is necessary and expected will likely change with it.
Like the vulnerabilities at issue in prior FTC actions, rootkit-style file
cloaking and privilege escalation are well-known, dangerous classes of security
weakness.
However several factors make the Sony BMG system distinct, and dis-
tinctly troubling. As discussed supra in Part II, it seems likely that the
choices to design and deploy software with these security vulnerabilities
were deliberate and intentional design decisions, not failures of otherwise
secure software or loopholes left unaddressed despite a security-conscious
design process. Reflecting these distinctions, the FTC complaint against
Sony BMG and, to some extent, the final order, included an unfairness
claim based on the installation of the security vulnerabilities and the lack
of adequate notice and consent during installation in addition to deception
claims based on the affirmatively misleading omissions of material facts.
The unfairness claim is the most important element of the order be-
cause unfairness does not rely upon the content or sufficiency of state-
ments made to the public, but rather evaluates the substantive impact of
the business activity itself. In this way it is akin to substantive uncon-
scionability in contract law. The FTC found that Sony BMG’s installation
practices and security vulnerabilities caused substantial injury that users
could not reasonably avoid and that was not outweighed by any countervail-
ing interests.257
254. See Agreement Containing Consent Order, In re Sony BMG Music Entm’t, FTC
File No. 062 3019 (Jan. 30, 2007), available at
    [T]he disclosure shall be unavoidable and shall be presented prior to the
    consumer installing any content protection software or, if the disclosure
    is related to Internet connectivity, prior to causing any transmission to
    respondent about consumers, their computers, or their use of a covered
    product through Internet servers. The disclosure shall be of a size and
    shade, and shall appear on the screen for a duration, sufficient for an
    ordinary consumer to read and comprehend it. The disclosure shall be
    in understandable language and syntax.
255. See id. (prohibiting downloads unless a consumer “dictates his/her assent to in-
stall such software by clicking on a button or link that is clearly labeled or otherwise
clearly represented to convey that it will activate the installation, or by taking a substan-
tially similar action”).
256. Settlement Agreement at 27, In re Sony BMG CD Techs. Litig., No. 1:05-CV-
09575 (S.D.N.Y. Dec. 28, 2005), available at
The Sony BMG order set two important new baselines. First, the com-
plaint and ensuing order make clear that certain software may not be in-
stalled on a user’s computer regardless of the consent experience.258 In
particular it prohibits the installation of content protection software that
hides, cloaks or misnames files, folders, or directories, or misrepresents
the purpose or effect of files, directory folders, formats, or registry en-
tries.259 This effectively prohibits the installation of content protection
software that uses a rootkit like the one contained in XCP. While the order
does not explicitly prohibit software that alters system, directory, or file
privileges, such as MediaMax, it does require that such software be fairly
represented to the consumer both through disclosures during installation
and appropriate naming conventions.260
Second, where limits are placed on the expected functionality of a CD
or information about the consumers’ use of the CD is to be transferred, the
user must receive clear and prominent notice and must communicate as-
sent affirmatively.261 This extends to information beyond the personally
identifiable information traditionally at the heart of the FTC’s privacy ini-
tiatives and enforcement actions. The first of these provisions is signifi-
cant because it begins to establish an obligation to provide heightened no-
tice aimed at truly informing consumers of material changes to functional-
ity of media containing copyrighted works. The second is significant be-
257. See Agreement Containing Consent Order, In re Sony BMG Music Entm’t, FTC
File No. 062 3019 (Jan. 30, 2007), available at
258. Id. at 6.
259. Id.
    [Software] shall not install or cause to be installed on a consumer’s computer
    any content protection software that prevents the consumer from readily locating
    or removing the software, including but not limited to by: (1) hiding or cloaking
    files, folders, or directories; (2) using random or misleading names for files,
    folders, or directories; or (3) misrepresenting the purpose or effect of files, direc-
    tory folders, formats, or registry entries.
260. Id.
261. <