November 03, 2005

SonyBMG EULA and "rootkit" : Truth-In-EULA opportunity?

Ed Felten comments on the infamous Sony "Rootkit" "copy-protection" software:

Meanwhile, lawprof Eric Goldman asks whether the SonyBMG EULA adequately disclosed what the company was doing to users' computers. If not, the company may be legally liable for trespass to chattels, or may even have violated the Computer Fraud and Abuse Act. Goldman concludes that the disclosure may be adequate as a legal matter, though he doesn't assert that it's a good business practice.

While the legal question is beyond my expertise, it's awfully hard to see how, from a common-sense viewpoint, SonyBMG could be said to have disclosed that they might be installing rootkit-like software. Surely the user's consent to installing "a small proprietary software program ... intended to protect the audio files embodied on the CD" does not give SonyBMG free rein to do absolutely anything they like to the user's computer. Whether, as a legal matter, Sony exceeded their user-granted authorization to modify the user's computer would ultimately be for a court to decide.

Goldman says, with some justification, that today's EULAs expose a "crisis" in contract law by attenuating, almost beyond recognition, the notion of consent to a contract. Part of the problem is the well-known fact that hardly anybody reads EULAs. But another part of the problem is that EULAs don't give even the most diligent users a clear idea of what they are consenting to.

I run into something like this issue all the time when discussing censorware. If a censorware program is described as "filtering pornography", people are highly likely to be in favor of it. If I bring up the fact that censorware requires the loss of all privacy, anonymity, or even third-party content services, sometimes I can get people to think a bit more deeply about the implications (if I'm not getting flack from certain other activists who give me tremendous grief for taking that approach ...). But, sadly, it's a struggle.

I suspect it's going to be very difficult to get any sort of Truth-In-EULA obligations, to require understandable disclosure, given the spotty record of attempts at requiring plain language legal contracts.

Still, it's a good-talking point. Anyone for a "Truth In EULA" legal proposal? That is, a disclosure cannot be legally deemed to have been made unless a "reasonable" person would have some sort of "material" understanding of the risk entailed in the "small proprietary software program"?

It may not pass, it likely won't pass. But it would be a great opportunity to publicly grill some of the most egregious offenders.

By Seth Finkelstein | posted in copyblight | on November 03, 2005 06:04 PM (Infothought permalink)
Seth Finkelstein's Infothought blog (Wikipedia, Google, censorware, and an inside view of net-politics) - Syndicate site (subscribe, RSS)

Subscribe with Bloglines      Subscribe in NewsGator Online  Google Reader or Homepage


A problem of "plain language" proposals is that it is awfully hard to define, much less in plain language! I think that it's not entirely impossible to get a "plain language truthful EULA" proposal passed, but making it effective would be a lot harder. That said, courts in many jurisdictions do interpret contracts according to the sophistication of the user who is supposed to sign them in different ways, and can declare them unenforceable.

Posted by: David at November 4, 2005 02:00 PM