A recent lawsuit filed by Sony against several security researchers for allegedly jailbreaking the company's PS3 hardware is evoking howls of protest from the Electronic Frontier Foundation (EFF).
In a blog post this week, the digital rights advocacy group called Sony's lawsuit a dangerous move designed expressly to scare security researchers away from looking at flaws in its products.
"The real point, it appears, is to send a message to security researchers around the world: publish the details of our security flaws and we'll come after you with both barrels blazing," the EFF wrote.
Sony did not respond to a request for comment.
Sony earlier this month filed a lawsuit against hacker George Hotz and two other people, one in Spain, the other in Hungary. The suit lists another 100 unidentified "John Does."
According to Sony, Hotz and members of a group of hackers calling themselves Failoverflow circumvented the PS3's anti-tampering measures designed to prevent users from installing or playing unauthorized software and video games on the system. Sony contends that the hack allows Hotz and others to run pirated games on the console.
In its complaint, Sony accused Hotz and the other defendants of not only breaking its anti-tampering technology but of then publicizing their findings at the Chaos hacker conference in Berlin in December. Sony alleges that Hotz and the others publicly talked about and widely distributed code and detailed instructions on how to jailbreak the PS3.
"Unless Defendants are immediately enjoined, users will be able to copy, create, sell and play unauthorized or pirated games without limit," Sony argues.
The lawsuit alleges that Hotz and the others violated the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act, which carries both criminal and civil penalties.
But Corynne McSherry, intellectual property director at the EFF, called the Sony lawsuit misdirected and an attempt to intimidate security researchers.
Based on information in the complaint, the jailbreak appears to be the result of a security vulnerability that Hotz and the other defendants exploited. What Sony has done is to invoke the DMCA in an attempt to stop the researchers from publishing details of the security hole they discovered, she said.
In this case, the information has already been widely distributed "so it's not like they are going to be able to put the cat back in the bag again," she said. Enjoining the defendants now will mean that only Hotz and the others have no access to their own work, while everyone else that downloaded their instructions will. "This is clearly about punishment," McSherry said.
The company's attempt at using the Computer Fraud and Abuse Act (CFAA) is "outrageous," she said. The basic gist of Sony's argument is that when Hotz and the others modified their PS3s they also violated the terms and conditions Sony imposes on users of its PS3 network.
However, it appears that the researchers simply modified systems they had purchased with their own money, she said. None of their research was done using Sony's networks. In essence, what Sony is claiming is that it's illegal for users to access their own computers in a way that Sony doesn't like.
"That's a pretty scary message to send to researchers and to customers," McSherry said.
The case is another example of how the DMCA is being misused, McSherry argued. "We have been worried since the bill was passed that it would be used to try to intimidate people from publishing information and sharing their research," she said.
Among the other examples the EFF lists on its site is a case involving Apple and BluWiki, a free wiki hosting site that was hosting a discussion on reverse engineering iPods to work with non-Apple software. Apple threatened legal action against BluWiki's owner citing the DMCA, was countersued and ultimately dropped its case.
In 2003, SunnComm used the DMCA to threaten to sue Princeton security researcher Alex Halderman in a bid to prevent him from publishing a report documenting weaknesses in a CD copy-protection technology developed by the vendor. The threat was later withdrawn.