Rulings in PS3 jailbreaking suit should worry you

A judge recently ruled in Sony's suit against a PS3 jailbreaker that visitors to his Website are subject to subpoena. This is only the beginning of the problems in this case.

George Hotz has become well-known for his iPhone hacks. In fact, he traded an unlocked iPhone for quite an impressive package: a Nissan 350Z and eight iPhones that had not yet been unlocked. That comes out to roughly USD $30K in trade value. He stated he was planning to distribute the locked iPhones to the other members of the team who worked on the unlocking hack with him.

More recently, he has become embroiled in legal troubles as a result of his efforts to jailbreak the Sony Playstation 3. Apparently unfamiliar with the concepts of privacy, ethics, and physical ownership of a device, to say nothing of the EFF's victory for jailbreakers, federal magistrate Joseph Spero has issued rulings contrary to any good sense, as reported in the Wired article Judge Lets Sony Unmask Visitors to PS3-Jailbreaking Site:

  • Sony has been given the go-ahead to subpoena visitor IP address records to the defendant's Website, to find out who has visited the site.
  • Sony has also been granted a subpoena to get data from YouTube . . .
  • . . . Google . . .
  • . . . and Twitter.

The domain hosting provider in question is Bluehost, one of the most popular Webhosts on the Internet, and not one that people who know anything about security and Webhosting avoid as a matter of course. The overly broad demands in this subpoena include:

Documents reproducing all server logs, IP address logs, account information, account access records and application or registration forms

Further requirements include:

Any other identifying information corresponding to persons or computers who have accessed or downloaded files hosted using your service

It seems the only limitation the judge was willing to place on Sony's free-for-all access to information about people who may not have ever done anything wrong (nor even illegal) is specifying that the data must somehow be related to the geohot.com site Hotz maintained.

Sony's excuse for this data collection is that all of it is needed to prove that Hotz "distributed" the offending information on the site, and to show that many of the people who accessed his site were in California, so that Sony can pursue the case in San Francisco (in courts more likely to prove biased in Sony's favor) rather than in New Jersey, where Hotz lives. Proving distribution, however, would only require hosting provider Bluehost to deliver the number of times the specific files in question were accessed, not who accessed them.
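The point that distribution can be shown from access counts alone is easy to demonstrate. The following Python script is an added example, not code from the article or from Bluehost: it parses a few constructed Apache-style log lines (invented IP addresses and a made-up file path), drops the IP field before doing anything else, and reports how often each named file was actually downloaded. The file path, the log lines and the function names are all assumptions for the example.

```python
"""Access-count evidence without visitor identities.

Added example, not from the article. It shows how a hosting provider could
answer "how many times was file X downloaded?" from web server logs while
discarding the IP addresses that identify individual visitors.
"""
import re
from collections import Counter

# Constructed sample log lines in Apache combined format. IPs (documentation
# ranges), timestamps and the file path are invented; the last line is
# deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:12:00:01 +0000] "GET /downloads/tool.zip HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2011:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2011:12:01:10 +0000] "GET /downloads/tool.zip HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2011:12:02:00 +0000] "GET /downloads/tool.zip HTTP/1.1" 404 0 "-" "curl/7.21"
192.0.2.9 - - [10/Mar/2011:12:02:30 +0000] "HEAD /downloads/tool.zip HTTP/1.1" 200 0 "-" "curl/7.21"
2001:db8::1 - - [10/Mar/2011:12:03:00 +0000] "GET /downloads/tool.zip HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a log entry
"""

# Client IP, ident, user, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def minimized_records(log_text):
    """Yield one record per parseable line with the IP address removed.

    Only the fields needed to count accesses survive this step, so nothing
    downstream can identify who made a request.
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        yield {"method": rec["method"], "path": rec["path"], "status": rec["status"]}


def successful_download_counts(log_text, paths):
    """Count completed GET requests (HTTP 200) for each named file.

    HEAD requests and error responses are not downloads and are excluded.
    """
    wanted = set(paths)
    counts = Counter()
    for rec in minimized_records(log_text):
        if rec["path"] in wanted and rec["method"] == "GET" and rec["status"] == 200:
            counts[rec["path"]] += 1
    return {p: counts.get(p, 0) for p in paths}


if __name__ == "__main__":
    for path, n in successful_download_counts(SAMPLE_LOG, ["/downloads/tool.zip", "/index.html"]).items():
        print(f"{path}: {n} completed downloads")
```

The minimization happens before aggregation on purpose: once the IP column is gone, the same counting code can be run, audited or handed over without exposing visitors. A real deployment would also apply this at log-retention time rather than only at query time, since logs that were never retained cannot be subpoenaed.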

The problems revolve around the Digital Millennium Copyright Act and related legislation. Part of the hack involves the use of a decryption key that was distributed in the system's firmware — once again proving the folly of DRM as a "security" measure. The whole idea revolves around the Digital Rights Management (DRM) software distributor trusting that all users will either be stupid or sympathetic to the distributor's desires. Distribution of DRM keys has figured quite large in technology news in the past as well, specifically in the case of HD-DVD and Blu-Ray copy protection. Courts ultimately ruled that printing a decryption key on a t-shirt did not constitute a violation of law.
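The reason a decryption key shipped inside firmware cannot stay secret is that everyone who holds the device holds the key, so the only useful thing a vendor can do with that fact is find such secrets before a release ships. The script below is an added example, not code from the article or from Sony: it scans a constructed firmware image (repetitive ASCII strings and zero padding, with a 32-byte stand-in key derived from a fixed string placed at a known offset) for windows whose Shannon entropy stands well above the surrounding bytes, the same kind of check that firmware audit tools perform (binwalk's `-E` entropy scan, for instance). The image layout, window size and threshold are assumptions chosen for this toy image.

```python
"""Entropy scan for secrets embedded in a firmware image.

Added example, not from the article. The image is constructed: repetitive
ASCII and zero padding with one pseudo-random 32-byte block (standing in for
an embedded decryption key) at a known offset.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for uniform padding, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(image, window=32, step=16, threshold=4.0):
    """Slide a window over `image` and merge windows whose entropy reaches
    `threshold` into (start, end) byte ranges.

    The threshold suits this toy image, whose surroundings are zeros or
    repetitive text. Real compiled code sits much higher (roughly 5 to 6.5
    bits/byte), so larger windows and a higher threshold are needed there,
    and compressed sections score high as well: a flagged region is a
    candidate for review, not a confirmed key.
    """
    regions = []
    for start in range(0, len(image) - window + 1, step):
        end = start + window
        if shannon_entropy(image[start:end]) < threshold:
            continue
        if regions and start <= regions[-1][1]:
            # Overlaps or touches the previous flagged region: extend it.
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((start, end))
    return regions


# Constructed firmware image (800 bytes). Offsets: text 0..320, zeros
# 320..384, stand-in key 384..416, text 416..736, zeros 736..800.
TEXT = (b"FIRMWARE v1.0 " * 24)[:320]
KEY = hashlib.sha256(b"constructed-demo-key").digest()  # 32 pseudo-random bytes
KEY_OFFSET = len(TEXT) + 64
IMAGE = TEXT + b"\x00" * 64 + KEY + TEXT + b"\x00" * 64


if __name__ == "__main__":
    for start, end in high_entropy_regions(IMAGE):
        print(f"high-entropy region at 0x{start:x}-0x{end:x}: "
              f"{shannon_entropy(IMAGE[start:end]):.2f} bits/byte")
```

Running the scan reports a single region beginning at offset 384, exactly where the stand-in key sits, while the text and padding around it stay well under the threshold. The lesson for a DRM design is the one the paragraph above makes: if a build-time check can find the key this easily, so can anyone who buys the device, so the key's secrecy cannot be part of the security model.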

In addition to a decryption key, Hotz also offered the tools to make use of the key to jailbreak the PS3. Distribution of such tools is also prohibited by the DMCA, which has turned out to be one of the most problematic laws signed into law during President Bill Clinton's term in the White House.

EFF staff attorney Corynne McSherry said of the ruling:

I think these subpoenas, the information they seek, is inappropriate.

In addition to this incredible understatement, she also sent a letter to Spero describing the subpoenas as "overly broad." For an example of what "overly broad" means in this case, consider that:

  • The YouTube subpoena requests data identifying viewers of a video demonstrating the Hotz hack, including "documents reproducing all records or usernames and IP addresses that have posted or published comments in response to the video."
  • The Google subpoena requests visitor logs for the Blogger account "geohotps.3", maintained by Hotz.
  • The Twitter subpoena requests "documents sufficient to identify all names, addresses, and telephone numbers associated with the Twitter account."

Among the charges filed against Hotz are:

  • Breach of Contract (PlayStation Network User Agreement)
  • Contributory copyright infringement
  • Misappropriation
  • Tortious interference
  • Trespass
  • Violating California Comprehensive Computer Data Access and Fraud Act
  • Violating the Computer Fraud and Abuse Act
  • Violating the Digital Millennium Copyright Act

Some of these will likely seem patently ridiculous to readers, but the most ludicrous example ("Trespass") will probably be thrown out. One charge in particular may have especially far-reaching implications that the judge in this case probably does not even remotely grasp, though — the claim that acting out of accord with the PlayStation Network User Agreement constitutes breach of contract. There is a lot of legal ambiguity surrounding the enforceability of license agreements, which have so far resisted being permanently identified by case law as "contractual" in nature, for good reasons. The disconcerting possibility that Sony might win a breach of contract suit against Hotz for a user license issue could result in significant loss of freedom for consumers to use what they purchase as they see fit, and even further narrowing of the protections afforded by the doctrine of fair use.

This is one non-lawyer's interpretation of events and implications, but in my experience there is no such thing as being too paranoid about the ill effects major corporations wish to impose on the lives of their own customers. There is likewise no such thing as being too concerned about their ability to get what they want by the simple expedient of throwing large sums of money at the court system.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.