Sony/BMG’s Rootkit EULA: Enforceable here?

Re: Applicability of the Sony/BMG’s Rootkit EULA in Philippine law

Gentlemen:

We write in response to your legal concerns on the above-referenced subject matter.

From the documents and reports supplied, the facts are as follows:

1. As part of Sony/BMG’s Digital Rights Management (“DRM”) strategy, it produced so-called “Red Book”-compliant audio files that can be played on any standard CD player.

2. But before a buyer can play the audio files on his computer or create and/or transfer the digital content thereof to such computer, he will need to review and agree to be bound by an end user license agreement or “EULA”, the terms and conditions of which are set forth below. Once he has read these terms and conditions, he will be asked whether or not he agrees to be bound by them.

3. Clicking “AGREE” signifies consent to be bound by the EULA. Clicking “DISAGREE” means one does not agree to be bound. But if he does not agree to be bound by these terms and conditions, he will not be able to utilize the audio files or the digital content on his computer.

4. The CD will then install a small piece of proprietary software onto the computer, called “Extended Copy Protection” or “XCP”, to enforce the digital rights granted by Sony/BMG to the buyer.

5. As it turns out, the “small proprietary” program is a rootkit. Mark Russinovich posted to his blog an extremely detailed and technical analysis of the behaviour of the software contained on Sony music CDs. The article asserts vocally that the software is illegitimate and that digital rights management had “gone too far”. He further sheds light on shortcomings in the software design that manifest themselves as security holes and could be exploited by malicious software such as worms or viruses. As a matter of fact, such malicious software has already sprung up. Further, attempts to remove XCP from the computer (albeit within the legal rights of the buyer) have caused system-wide crashes.

6. The salient points of this EULA, as posted in this link, are as follows:

1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That’s because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

2. You can’t keep your music on any computers at work. The EULA only gives you the right to put copies on a “personal home computer system owned by you.”

3. If you move out of the country, you have to delete all your music. The EULA specifically forbids “export” outside the country where you reside.

4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

5. Sony-BMG can install and use backdoors in the copy protection software or media player to “enforce their rights” against you, at any time, without notice. And Sony-BMG disclaims any liability if this “self help” crashes your computer, exposes you to security risks, or any other harm.

6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That’s right, no matter what happens, you can’t even get back what you paid for the CD.

7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

8. You have no right to transfer the music on your computer, even along with the original CD.

9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.

From the foregoing, you wish to know whether or not the Sony/BMG XCP EULA, particularly the provisions on non-warranty and limitation of liability, is enough to shield it from lawsuits for damages caused by this software.

Our answer is in the negative. Sony/BMG cannot use the EULA to shield it from possible lawsuits for damages, much less limit its liability under Philippine jurisdiction.

The pertinent provisions of the EULA read as follows:

Article 5. EXCLUSION OF WARRANTIES

YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU ARE INSTALLING AND USING THE LICENSED MATERIALS AT YOUR OWN SOLE RISK. THE LICENSED MATERIALS ARE PROVIDED “AS IS” AND WITHOUT WARRANTY, TERM OR CONDITION OF ANY KIND, AND SONY BMG, ITS LICENSORS AND EACH OF THEIR LICENSEES, AFFILIATES AND AUTHORIZED REPRESENTATIVES (EACH, A “SONY BMG PARTY”) EXPRESSLY DISCLAIM ALL WARRANTIES, TERMS OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT AND FITNESS FOR A GENERAL OR PARTICULAR PURPOSE. NO ORAL, WRITTEN OR ELECTRONIC INFORMATION OR ADVICE GIVEN BY ANY SONY BMG PARTY SHALL CREATE ANY WARRANTY, TERM OR CONDITION WITH RESPECT TO THE LICENSED MATERIALS OR OTHERWISE. SHOULD THE LICENSED MATERIALS PROVE TO BE DEFECTIVE, YOU (AND NOT THE SONY BMG PARTY CONCERNED) AGREE TO ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIRS OR CORRECTIONS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, TERMS OR CONDITIONS IN CERTAIN INSTANCES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS ARTICLE WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY MANDATES LIABILITY, DESPITE THE FOREGOING DISCLAIMER, EXCLUSION AND LIMITATION.

Article 6. LIMITATION OF LIABILITY

NO SONY BMG PARTY SHALL BE LIABLE FOR ANY LOSS OR DAMAGE, EITHER DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR OTHERWISE, ARISING OUT OF THE BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, TERM OR CONDITION, BREACH OF CONTRACT, NEGLIGENCE, STRICT LIABILITY MISREPRESENTATION, FAILURE OF ANY REMEDY TO ACHIEVE ITS ESSENTIAL PURPOSE OR ANY OTHER LEGAL THEORY ARISING OUT OF, OR RELATED TO, THIS EULA OR YOUR USE OF ANY OF THE LICENSED MATERIALS (SUCH DAMAGES INCLUDE, BUT ARE NOT LIMITED TO, LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF USE OF THE PRODUCT OR ANY ASSOCIATED EQUIPMENT, DOWN TIME AND USER’S TIME), EVEN IF THE SONY BMG PARTY CONCERNED HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, THE ENTIRE LIABILITY OF THE SONY BMG PARTIES, COLLECTIVELY, UNDER THE PROVISIONS OF THIS EULA SHALL BE LIMITED TO FIVE US DOLLARS (US $5.00). SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CERTAIN INSTANCES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS ARTICLE WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING DISCLAIMER, EXCLUSION AND LIMITATION.

First, these provisions are part of a “contract of adhesion,” that is, a contract to be consented to by a party on an “as is” basis: a ready-made form of contract which the other party may accept or reject, but which the latter cannot modify.

The Philippine Supreme Court has declared that a contract of adhesion may be struck down as void and unenforceable, for being subversive to public policy, only when the weaker party is imposed upon in dealing with the dominant bargaining party and is reduced to the alternative of taking it or leaving it, completely deprived of the opportunity to bargain on equal footing. And when it has been shown that the complainant is knowledgeable enough to have understood the terms and conditions of the contract, or one whose stature is such that he is expected to be more prudent and cautious with respect to his transactions, such party cannot later on be heard to complain for being ignorant or having been forced into merely consenting to the contract. (PCIB vs. Court of Appeals, G.R. No. 97785, 29 March 1996)

Using this test in the case at bar, the EULA can be struck down as void and unenforceable. The buyer is the weaker party reduced to the alternative of taking it or leaving it, and completely deprived of the opportunity to bargain on equal footing. The buyer is likewise not knowledgeable enough to have understood the terms and conditions of the contract or expected to be more prudent and cautious with respect to his transactions, since he cannot reasonably foresee that the XCP is a rootkit with exploitable security holes. As a matter of fact, only very technical people could have discovered the potential damage and harm it may do to a computer system.

As this EULA can be struck down as void and unenforceable, Sony/BMG cannot use the provisions stated above to extricate itself from liability, much less limit it to US$5.00.

Second, it is fundamental that the pertinent laws are deemed written into contracts (PIA vs. Ople, G.R. No. 61594, 28 September 1990) and contracting parties may establish such stipulations as they may deem convenient, “provided they are not contrary to law, morals, good customs, public order or public policy” (Article 1306, Civil Code).

Sony/BMG may have violated Philippine law and hence, cannot seek refuge using its EULA.

It may have violated Section 33 of Republic Act No. 8792, otherwise known as the “E-Commerce Act of 2000,” which states:

Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years.

XCP, introduced by Sony/BMG into an unwary buyer’s computer, can be considered under this category as it gains unauthorized access to and/or interferes with a buyer’s computer system. It may even corrupt it.

Hence, not only will Sony/BMG be unable to seek refuge in its EULA, the responsible officers thereof may even be criminally liable under the above-stated provision, without prejudice to damage and class suits.

We trust we have sufficiently addressed your concerns. If you have further inquiries, please do not hesitate to contact us.

Regards,
Punzi

  • Hehe, very legalese … though I got myself a few laughs reading the quoted stipulations under the EULA, as paraphrased by the EFF.

    Now in any case my house is burgled, I’ll be sure to delete any Sony music on my computer.

    Wait, the crooks just took my computer! 😛

  • While it is fair that the officers be liable for the “damages” caused by the software, most likely, they had no idea of the extent of the program. most likely, they got presented an option by their IT department that they had a way to prevent piracy. IT of course, paints a pretty picture, without discussing the details.

    the boss, liking what he hears, gives the green light. because of the green light, they stop further testing, and they include it in every cd they produce, and then wham!

    while im not defending what they did, i do just want to point out that sony, in its entirety, isn’t directly responsible for what happened. unfortunately, as the program was the fruit of the labors of one of their subsidiaries (or departments), the entity (sony) carries the blame.

  • @Migs: That’s a valid defense.