Did Sony CD Malware Violate U.S. Computer Fraud and Abuse Act?

By Richard Menta 11/03/05

If David Smith, the creator of the Melissa virus, were to orchestrate the covert delivery of millions of rootkits onto the computers of unsuspecting users, he would be in handcuffs right now. There is no maybe about it; this is a sure thing.

So when a large corporation like Sony performs the same act, isn't it reasonable to assume there will be legal repercussions? The truth is that corporations are taken to court all the time. This summer Sony paid a $10 million settlement to New York State, which had taken the company to court over payola.

Sony's recent rootkit scandal - installing covert malware as part of a digital rights management scheme - may constitute a felony. In my opinion, and it is just my opinion, it warrants a formal investigation. The scale of this violation of consumer trust matches that of the most insidious viruses. Hackers are already taking advantage of the rootkit, which may go down as one of the more successful security breaches of all time. Giving hackers easy access to millions of systems may not have been Sony's intention, but that is the end result of an overly aggressive plan in which the company attempted to take some control of the computers of every consumer who buys its wares.

But do the facts warrant an investigation? I am not a judge or a member of law enforcement, but I can read the applicable statutes and - if the law is not too cluttered with legalese to stump the layman - one might be able to get a sense of whether there is a case.

Sony certainly can afford the legal team to defend itself against any such accusations, but what would be most damaging to the company is not some form of conviction. The trial itself would be a PR debacle of monumental proportions, monumental because it serves notice to the world that the CDs you buy at the record store are not safe. As Andrew Brandt of PC World stated, this scandal could kill the CD as the default format for music.

So does this incident break any laws? As Larry Seltzer of eWeek says in his opinion piece on the subject: "I'm not so sure about U.S. law, but I know there were states working on laws that this program would violate. The law needs to clamp down hard on this and make it clear that this isn't acceptable practice for legitimate companies".

Below are some parts of section 1030 of the U.S. Computer Fraud and Abuse Act that might be applicable, with some thoughts from a non-professional. Beyond this we'll leave it to the U.S. Attorney's office to decide whether this warrants any action.

§ 1030. Fraud and related activity in connection with computers. Release date: 2005-08-03

Whoever—

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

-- People play CDs on their computers at work. This includes people who work in local, state, and federal jobs. Is it reasonable to assume that some of Sony's CDs were played on government PCs, loading the rootkit onto them? Assumptions are not enough, of course: such files have to actually turn up on government systems. Note too that for a computer not used exclusively by the government, the clause also requires that the conduct affect the government's use of it. If the files do turn up and that is documented, Sony may have a problem.

(5)
(A)
(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

-- "Intentionally causes damage" is the key phrase here. Is it fair to say that Sony intentionally weakened systems to allow hackers easier access? I would say no.


(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

-- "Recklessly causes damage" is the kicker here. This imposes a due-diligence standard with regard to the quality and manner of any code an entity loads on a computer. Mark Russinovich, the person who identified the rootkit, gave an expert opinion when he said to the press: "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall". Because of the covert and aggressive way Sony applied this rootkit, this particular subsection may be the one that exposes Sony the most.


(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

-- Identical to the above subsection, but with the word "recklessly" removed. You just need to prove damage. Lawyers will probably spend a lot of time fighting over what constitutes damage, though the statute itself defines it (in § 1030(e)(8)) as "any impairment to the integrity or availability of data, a program, a system, or information". Note that all three clauses also require access "without authorization", so whether a consumer who played the CD authorized the installation is a question the courts would have to settle. Still, the exposure for Sony seems clear.


(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(iv) a threat to public health or safety; or

-- Mass delivery of a rootkit that can make it easier for hackers to exploit millions of home computers could qualify as creating a threat to public safety. Again, only a legal mind can say whether this actually applies.


(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

-- Hopefully no one in the police department, the FBI, or the military is a Van Zant fan (Van Zant's Get Right with the Man was one of the CDs that shipped with the rootkit).

Those are my thoughts. Any lawyers out there interested in taking a stab at this law, as well as the UK's Computer Misuse Act?
