Court orders SONICblue to develop and deploy spyware for Big Media

May 3, 2002

Here's part of the actual order. On April 26, 2002, Judge Charles Eick of the U.S. District Court, Central District of California, gave SONICblue 60 days to:

1. take the steps necessary to use their broadband connections with ReplayTV 4000 customers to gather all available information about how users of the ReplayTV employ the devices, including all available information about what works are copied, stored, viewed with commercials omitted, or distributed to third parties with the ReplayTV 4000, when each of those events took place, and the like;
2. implement Defendants' offer to collect available data from a second source -- the MyReplayTV.com web site -- about how users of the ReplayTV employ the devices, but for all time periods for which that data can be collected, rather than just for a short period;
3. provide the foregoing data to Plaintiffs in a readily-understandable electronic format and provide any technical assistance that may be necessary for Plaintiffs to review the data;
4. provide Plaintiffs with all documents about Defendants' consideration of what data to gather or not to gather about their customers' uses of the ReplayTV 4000; and
5. provide Plaintiffs with any other documents (such as emails or logs) reflecting what works have been copied with the ReplayTV 4000 and how those works have been stored, viewed, or distributed.

Now who gets all of this data? The plaintiffs in the case against SONICblue (the makers of the ReplayTV 4000). Roughly, Time Warner, HBO, Warner Brothers, TBS, New Line Cinema, Castle Rock Entertainment, WB TV, MGM Studios, Orion Pictures, 20th Century Fox, Universal City Studios, Fox Broadcasting, Paramount Pictures, Disney, NBC, Showtime, United Paramount Network, ABC, Viacom, CBS, Columbia Pictures, Columbia TV, and Tristar.

The plaintiffs are also ordered to pay 3/4 of the cost of gathering the data. But the order says nothing about who will pay customers for their resulting loss of privacy. It's as if privacy were a non-concept: weightless, odorless, valueless.

Come on. Our courts have no business ordering a company to spy on its own customers just because big media want to put the company out of business.

At the Privacy Foundation, we saw a lot of consumer outrage after we released our report about TiVo's privacy disclosure and practices. TiVo did a pretty good job of responding to the situation; they spent a lot of time with the press, and they wrote a white paper explaining what had happened. (We still have some gripes about their system, but that's another story.) The point is that companies are very sensitive about tweaking their customers' privacy, because they know customers don't have much patience for it. So when the court orders a company to spy on their customers, it's basically a punitive act. The customers will revolt and get mad at everyone. I'm no lawyer, but I'm pretty sure the discovery of evidence phase of a lawsuit isn't supposed to be punitive.

In this case it's worse than just a privacy squabble. Either the court doesn't understand or the court doesn't believe ReplayTV's repeated explanation that they simply don't have the information demanded by this order. See, in April 2001 some months after our TiVo report came out, I showed a ReplayTV exec my traces that proved that their current model also collected some type of viewing information. This scared them, and in May 2001 - before the ReplayTV 4000 existed - they disabled the collection function, since they had never used the data for anything. This is what they told me, and this is what they've sworn to the court in testimony.

Now the ReplayTV 4000 is a different product than the one I investigated, and ReplayTV has said that they never reenabled the old tracking code, nor did they update it to make it monitor the newer features - like automatically skipping commercials and sending recordings to other ReplayTV 4000 units. But that's precisely the type of data that the plaintiffs are demanding to see in this case!

So what we have is a court ordering SONICblue to prepare a new software release that implements new spying features, and then ordering them to force it upon all of their customers, out of fairness to Big Media in their case against them. Considering that SONICblue has probably updated their customers' software only a few times ever, this is like ordering Microsoft to create, distribute, and maintain a new version of Outlook that checks to see if any of its users are sending MP3s as attachments!

I guess this is a sneak preview of the type of consumer broadband "protection" we can look forward to in the very near future: the CBDTPA. The reasoning is simple. In order to prosecute copyright infringers, you have to have some evidence. So, first make sure that consumer electronics devices always report exactly how they are being used-- that's what we're seeing now under the guise of "discovery". Second, sue to obtain the records that the devices now are forced to create.

What happens next: SONICblue is planning to file papers with the overseeing judge in U.S. District court objecting to this order. If that doesn't go their way, then I guess they'll be working on a new software release.

--David Martin

Updates

On May 15, SONICblue was granted a stay of the order until it can be reviewed. Judge Florence-Marie Cooper is scheduled to review the order on June 3.

On May 31, Judge Cooper permanently reversed the Magistrate Judge's order on the grounds that it impermissibly required defendants to create new data in order to comply. This seems to settle the whole mess in SONICblue's favor. Whew!

External Resources

• Official case documents from Fenwick & West, attorneys for SONICblue
• EFF's document repository, including plaintiff filings
• Newsindex.com search for "ReplayTV"
• The Privacy Foundation's report on TiVo Privacy
• Thread at slashdot.org
• Google search for "CBDTPA"