Tuesday, November 15, 2005

On Music, Rootkits, IP, and Being Human

I should preface this post by noting that I am not a philosopher, lawyer, or computer nerd and that I do not possess in-depth knowledge of the things I'm about to discuss. Rather, I'm just an ordinary Joe with certain ideas about the world and, like plenty of other folks, I'm using the Internet as a way of thinking out loud about contemporary events and trends.

By now, most everyone has probably heard or read something about the Sony BMG music discs* that install, without the consumer's knowledge or proper consent, potentially insecure and exploitable software whenever the disc is inserted into a Windows-based computer. The software sneakily comes as part of a proprietary player, which the consumer "agrees" to install by clicking "OK" on an "End-User License Agreement" (EULA). The software was designed by a Sony BMG contractor, First 4 Internet, with the goal of limiting the number of copies of the disc that could be made, among other efforts at combatting what Sony BMG views as music piracy. It uses a nasty technique known as a rootkit to render itself invisible to the hapless consumer. Further, it seems to secretly pass information about the consumer's computer to Sony BMG via the Internet. It is also, for most intents and purposes, un-installable, meaning once the junk gets on someone's machine, that someone had better be a total computer brainiac or else have endless patience in dealing with Sony BMG** in order to get it off his system. (The only other option is apparently re-formatting the hard drive -- not normally a viable decision for most people, and quite a penalty to pay just for listening to a music disc you bought.)

Since a Windows programmer geek discovered what Sony BMG was doing a couple weeks ago, this particular business practice has generated quite a lot of consumer outrage and media coverage. The software has also been labeled as spyware by several anti-virus makers, including the folks at Microsoft.

So much for background. The whole story, still developing as I type this, has got me thinking again about music, copyright law, and the simple art of being human. My thoughts are not very organized, so I'm going to resort to the old technique of putting points in bold so as to look and sound more like I know what I'm talking about.

Treating paying customers like criminals is a bad business strategy.

Probably the most obvious point of this fiasco is that Sony BMG (and Sony generally) will likely pay a heavy price for acting in such a thoughtless and disrespectful way. Already at least two class action lawsuits have been filed, in California and New York, and the public relations disaster alone is sure to cost the company significant business as more and more consumers learn that they are viewed not as customers but as criminals. Which, ironically, leads me to my second point.

Installing crap -- especially spyware-type crap -- on people's computers without their knowledge or permission is a form of theft and aggression.

Look, it's like this. I spent my own money to buy a computer, which I spend money to maintain. I pay for the electricity needed to run it, the software and the Internet connection that lets me do the things I want to do on it, and the hardware that helps give me the performance I want. Anything that degrades my system's performance, clogs up my Internet connection, or limits my computer's functionality without my knowledge or consent is stealing money from me. Period.

Sony BMG's zealous (and ultimately fruitless) attempt to enforce the profits from its current moribund business model with this dangerous malware is akin to the behavior of a criminal intruder. I don't care what some ill-conceived and poorly written legislation might say on the matter; no one has the right to put anything on my computer that I don't want and agree to have there. And if they manage to do it, I have the absolute right to take any measure to remove it. (If time is money, then wasting my time as I repair security breaches due to, and recover my system's previous performance and functionality from, sneaky, crappy software is a form of theft too.)

Do I exaggerate? I don't think so. Everyone is always trying to get a hand in your pocket, and I am pretty tired of companies who think we (as consumers) have infinite amounts of time and money to waste on them. And some companies' irritating sense of entitlement really ticks me off.

The current copyright regime is flawed -- probably due to "intellectual property" being a myth -- and needs to be re-thought.

I realize that sounds bold and implies I have all the answers, but I admit up front that I don't. What I do know is that there are serious problems with any law that requires (or at least invites) such knuckle-dragging thuggery to enforce and which criminalizes ordinary and natural human behavior (more on this later) for no other reason than that some mega-company would prefer a guaranteed and perpetual pipeline to people's wallets. Sorry, no. There is no moral right to a guaranteed profit, especially profit that is the result of "selling" the same thing over and over to the same people who already bought it, or thought they bought it (as Mike Evangelist notes: "The [record companies] want to pretend to 'sell' us their product, but they don't want us to actually have it").

I also realize I am opening a huge can of worms here, particularly with regard to that last sentence. All I will say is that smarter people than me have made strong arguments against "intellectual property," and not necessarily from some commie pinko "what's yours is ours" perspective. I bring this up because a lot of people, while criticizing Sony BMG's use of digital rights management (DRM) malware, concede that they and other companies like them have a right to "protect" their "property" in this way. I don't know that I concede that because I don't know if I agree that "owning" music or ideas or phrases is the same thing as owning a house or a car or a chair. It just defies logic and common sense.

I would add that this is not the same thing as saying that artists of whatever stripe have no right to make money off of their creativity. As someone who would one day ideally like to support himself entirely on creative writing (though likely never will), I would not argue I had no right to do so. But I do question the current system where the Sony BMGs of the world rake in bundles from shiny little (and now defective) discs and the artists whose music is on the little discs have to tour their butts off to break even.

Under the current legal climate, intellectual property is a given. But whether, logically and morally, that should be the case is certainly up for debate. In any case, the existing law needs to be re-visited.

End-User License Agreements (EULAs) do not constitute meaningful consent, are not "contracts" in the normal sense of the word, and, in most cases, should not be legally enforceable.

It's hardly a secret that nobody reads the pages and pages of legal gobbledygook that now routinely come with any computer program (and now, apparently, with music discs). That means nobody knows what they're "agreeing" to when they install a game or listen to some tunes. It also means companies believe they can put any old thing in there and have it be legally binding. To take a not-random example, the Electronic Frontier Foundation dissected the 3000-word EULA that Sony BMG issues with its malware-infected music discs. Some pretty asinine restrictions turned up, including not being able to listen to any digital copies of the music at your place of work. The EULA also decrees that in the event of any problems with its product, Sony BMG will never owe you more than $5 for your trouble. Sorry, isn't a court supposed to decide things like damages?

Another argument is that companies using the EULA don't seem to take it seriously themselves. Sony BMG is again the example, as Princeton professor Ed Felten points out that another of Sony BMG's DRM malware schemes, SunnComm's MediaMax, installs itself even before the user accepts the EULA and does things the EULA either doesn't disclose or explicitly denies it does.

I understand the need for companies to limit their legal liabilities, especially in this age of hyperactive lawsuits and torts run amok. But does anyone besides software or record company types think it is reasonable to expect someone is going to pay for a product at the store, rush home to try it out, call their lawyer when they see some legalese they think sounds dubious, decide not to accept the EULA, and then go back to the store to return the product -- which they will get a credit for, since it's been opened, meaning they can likely only exchange for some other EULA-laden product?

Again, this is a large waste of people's time and resources. If the EULA is really meant to be an end-all, be-all legal contract, maybe companies should be required to print them on their products' boxes. That way, consumers can know up-front what their money is getting them and decide at the store if it's worth it. Heck, maybe they even actually sign a copy of the EULA and the store sends it to the manufacturer. Is all this impractical or unreasonable? Yep, but no more so than the idea of the EULA itself. (And I won't even get started on the absurdity of the "shrink-wrap license" concept.)

My understanding is there is some doubt over the legal status of EULAs. I haven't read up on it, but common sense would seem to indicate to anyone without a vested self-interest in selling-but-not-really-selling products that EULAs are essentially the tools of, well, tools.

Whether it be music, stories, thoughts, ideas -- creativity is at the heart of what it means to be human and to be free. How can anyone claim the right to control that?

All right, there is probably some overlap between this point and my point about copyright above, but what I want to say here is this: Even if no one ever made a dime from singing a song, playing an instrument, writing a story, or just dorking around with a gadget in a garage, people would still do these things. There would still be music, there would still be books, there would still be inventions -- because these things are the products of that which makes us human. There are motivations other than profit-making that drive our behavior -- things like love, curiosity, the desire to connect with others. (This is not to denigrate the necessary impulse to make money and earn a living, but it is to note that man stubbornly refuses to be reduced to merely an economic model.)

We are social creatures -- even the mad scientist working feverishly alone in his castle is usually trying to prove something to somebody -- and if you believe in God, as I do, you know that is because that is how he made us. If you don't believe in God -- well, it doesn't take much imagination to know that what I'm saying is true. To that extent, we will always have the urge to explore, create, invent, and share the results with others. Because that's how we are and it's what we do. How much money, if any, some media conglomerate presently makes off of these activities is irrelevant.

This Sony BMG fiasco is about much more than copyright profits and computer security.

That this whole issue touches on the essentially human is what sparks my interest in the subject, and is also why this post has become so damn long. There is simply so much to be said about anything that fundamentally affects who we are (and/or who we want to be). I've merely scratched the surface here.

But back to the immediate point, Sony BMG's decision to hold up a large "Do Not Do Business With Us" sign will have its intended effect, at least as far as my own purchasing habits go. Even more, owing to the enormous importance of this issue beyond Sony BMG's bottom line, I will instead be looking into donating the money I might have spent on buying music (or, uh, the license to listen to a musical recording under certain circumstances) to the EFF and other like-minded groups, since they seem to be on top of things and understand what the stakes are. So thanks and congratulations, Sony BMG, for throwing these issues into such sharp relief for me.

And that's my opinion.

* I am referring to Sony BMG's discs as music discs and not CDs because "Compact Disc" refers to a specific, defined standard for a digital audio disc -- and that standard precludes copy prevention schemes. That is why the Sony BMG discs, and others like them, do not (and cannot) have the "Compact Disc" logo on them. They are technically... something else.

** Late-breaking word is that the uninstaller available from Sony BMG, after much hoop-jumping, creates even more of a security problem. In fact, it's about as insecure as anything I've ever heard of. Good job, Sony.