Sony may be liable on federal criminal statutes

Ed Felten has posted about the question that must scare Sony the most: have they committed a criminal act by distributing music CDs with spyware and rootkits on them?

The Computer Fraud and Abuse Act is a US federal criminal statute that punishes people who gain unauthorized access to computers, misappropriate their information, and break their machines. Felten's no lawyer, but his analysis of how Sony violates the CFAA is pretty compelling — and many parts of this analysis reach to cover other abusive DRM practices.

Can't wait to see if Sony ends up facing a federal rap on this — that'd sure put the fear of the law into every other customer-hating, DRM-using entertainment dinosaur.


The provision also requires that there be "damage". According to the CFAA, damage includes "any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals". As I understand it, the cost of detecting and mitigating a problem, including the value of time spent by people on detection and mitigation, can be included in the loss. Given that, there can be little doubt that each of these software systems caused damage of more than $5000 total. For example, if a system was installed on 100,000 computers and imposed at least five cents in detection and mitigation costs on each one of those computers, the aggregate damage is more than $5000.

It seems clear, too, that the installation of a rootkit, or the installation of software without permission — not to mention the security vulnerabilities caused by the software — constitutes an impairment to the integrity of users' systems.


(Cool Sony CD image courtesy of Collapsibletank)