CIPPIC Drills Sony BMG Canada Over Rootkit Drew Wilson | September 21, 2006 As recently reported, CIPPIC (Canadian Internet Policy and Public Interest Clinic) is launching a legal battle against Sony BMG. Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes The problem with the settlement is that some say the settlement is way too lax. The documents are in now and CIPPIC is definitely in the Sony BMG case. To think that this next chapter on the marathon Sony BMG story all started with a little DRM (Digital rights Management) encoded into some albums. “The complaints, filed with consumer protection authorities, privacy commissioners, and the federal Competition Bureau, focus on Digital Rights Management (“DRM”) technologies on music CDs manufactured and distributed by Song BMG, including Sony BMG’s notorious “rootkit” DRM.” Explains CIPPIC in their press release (PDF), “The complaints stem from Sony BMG’s negotiating position in efforts to settle the class action. Phillipa Lawson, Executive Director of CIPPIC, explains: “The US litigation settled in early 2006, and included important consumer protection provisions. Sony BMG has offered to settle the Canadian litigation, but has obstinately refused to include those same consumer protection provisions in the Canadian settlement. It’s bad enough that Canadians get less money in the settlement, but the exclusion of the consumer protections is completely unacceptable: Canadian consumers deserve the same consideration as American consumers.” Sony BMG in part points to the absence of Canadian regulatory action as justifying its treatment of Canadians.” David Fewer was also quoted in the press release saying, “I suspect that Sony BMG’s willingness to modify its behaviour through the US Settlement Agreement played a role in Canadian regulators’ decisions not to investigate Sony BMG. Why start an investigation when the company has voluntarily agreed to clean up its act? Sony BMG’s position on the Canadian settlement, however, shows its true colours: it will only respect consumer rights if forced to. It’s time for Canadian authorities to step in.” According to their letter to the Competition Bureau (PDF), CIPPIC states, “We complain that, in engaging in the Wrongful Conduct, Sony et al have engaged in misrepresentations to the public, in violation of s.52 and/or s.74.01 of the Competition Act (“the act”). In particular, we submit that, by failing to notify CD purchasers of the DRM on its CDs and of the implications of such DRM, Sony BMG made representations to the public that were misleading in the material respect. Consumers do not expect CDs they purchase to install software onto their computers that is designed to send information back to the manufacturer and that is difficult if not impossible to uninstall.” For the purpose of clarity, the competition act sections in question state the following: “52. (1) No person shall, for the purpose of promoting, directly or indirectly, the supply or use of a product or for the purpose of promoting, directly or indirectly, any business interest, by any means whatever, knowingly or recklessly make a representation to the public that is false or misleading in a material respect. […](1.2) For greater certainty, a reference to the making of a representation, in this section or in section 52.1, 74.01 or 74.02, includes permitting a representation to be made. (2) For the purposes of this section, a representation that is (a) expressed on an article offered or displayed for sale or its wrapper or container, (b) expressed on anything attached to, inserted in or accompanying an article offered or displayed for sale, its wrapper or container, or anything on which the article is mounted for display or sale, (c) expressed on an in-store or other point-of-purchase display, (d) made in the course of in-store, door-to-door or telephone selling to a person as ultimate user, or (e) contained in or on anything that is sold, sent, delivered, transmitted or made available in any other manner to a member of the public” “74.01 (1) A person engages in reviewable conduct who, for the purpose of promoting, directly or indirectly, the supply or use of a product or for the purpose of promoting, directly or indirectly, any business interest, by any means whatever” The CIPPIC letter concludes, “We believe that Sony et al’s Wrongful Conduct is harmful to competition in the Canadian marketplace for the delivery of entertainment products, and that the Commissioner should therefore use his/her powers to investigate and make a compliance order against Sony et al., and to impose penalties on Sony et al., and on each of them as appropriate, in respect of each of the Sony BMG DRMs and in respect of each violation of the Act.” In CIPPIC’s complaint to the Ontario Consumer Branch, “We complain that in engaging in the Wrongful Conduct, each of the Defendants have violated Ontario’s Consumer Protection Act, 2002, including, among other things: – Section 14’s prohibition against the making of false, misleading or deceptive representations; – Section 15’s prohibition against making unconscionable representations; and, – Section 17’s prohibition against unfair practices.” The complaints continue to build as they also made the following statement (PDF) to the “Office de la Protection du Consommateur”, “We complain that in engaging in the Wrongful Conduct, each of the Defendants have violated Quebec’s Consumer Protection Act, including, among other things: “s. 219 prohibition against making false or misleading representations to a consumer. The Act defines “misrepresentation” to include omissions. “s. 208 and 215’s prohibition against making representations that constitute a “prohibited practice”, as they gave consumers the general impression that nothing unusual or harmful will result from the use of Sony BMG’s CDs, or of the Sony BMG DRM.” The complaints continue with the complaint to the Business Practices and consumer Protection Authority (British Columbia), “We complain that in engaging in the Wrongful Conduct, each of the Defendants have violated British Columbia’s Business Practices and Consumer Protection Act, [SBC 2004] Chapter 2 including, among other things: s. 5’s prohibition against deceptive acts or practices, as defined in s. 4(1); and, s. 9’s prohibition against unconscionable acts or practices, as defined in s. 8(1). We allege that the Defendants, and each of them are “suppliers”, as defined in s. 1 of the Act. We believe that grounds exist under Part 10 of the Act for the Director to investigate and make compliance order against the Defendants, and to impose administrative penalties on the Defendants and on each of them, in respect of each of the Sony BMG DRMs and in respect of each violation of the Act. We also suggest that the Defendants may have committed an offence under the Act that would subject the Defendants, and each of them, to penalties under Part 13 of the Act.” The alleged rap sheet, seemingly longer then a Canadian winter, of Sony BMG Canada continues with the Complaint to the Privacy Commissioner of Canada where it listed alleged PIPEDA (Personal Information Protection and Electronic Documents Act) violations: “Principle 4.3, Schedule 1 4.2 – Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. 4.3.2 – The Principle requite “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purpose for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. 4.3.5 – In obtaining consent, the reasonable expectations of the individual are also relevant…” And yet, even more complaints were made to the Office of the Information and Privacy Commissioner for British Columbia, “In explicitly excluding IP addresses from the definition of “personal data” under the Canadian settlement agreement, Sony BMG seeks to evade liability and responsibility for its personal information practices, in particular, the gathering of user IP addresses for undisclosed purposes. With respect to content usage data, Justice LeBel of the Supreme Court of Canada has sounded a warning about why we ought to tread carefully at the intersection of copyright and privacy: “[an individual’s surfing and downloading activities] tend to reveal core biographical information about a person. Privacy interests of individuals will be directly implicated where owners of copyrighted works or their collective societies attempt to retrieve data from Internet Service Providers about an end user’s downloading of copyrighted works. We should therefore be chary of adopting a test that may encourage such monitoring.” Society of Composers, Authors and Music Publishers of Canada v Canadian Association of Internet Providers, 2004 SCC 45, at para. 155.” Finally, there was a complaint to the Office of the Information and Privacy Commissioner (Calgary), “Albertans have a right under PIPA to be informed of the collection, use and disclosure of personal use data where it can be linked back to their identity, and to refuse consent to such unnecessary collection use or disclosure: Section 7 of PIP provides: 7(1) Except where this Act provides otherwise, an organization shall not, with respect to personal information about an individual, (a) collect that information unless the individual consents to the collection of that information, (b) collect that information from a source other than the individual unless the individual consents to the collection of that information from the other source, (c) use that information unless the individual consents to the use of information, or (d) disclose that information unless the individual consents to the disclosure of that information (2)An organization shall not, as a condition of supplying a product or service, requite an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.” Each of these complaints also features a definition on how SunnComm MediaMax and the First4Internet rootkit technology operates. One thing is clear, CIPPIC seems to have legally cornered Sony BMG for now with the mountain of complaints highlighting an impressive number of laws and cases relevant to the case. It also appears that even roughly one year later, the Sony BMG fiasco may be continuing for some time to come. Drew Wilson on Twitter: @icecube85 and Google+.