Spore

In Part 2, I finished up with a brief look at the claims that purchasers “who loaded and installed” Spore were given “No notification of the nature, function, and operation of the SecuROM program” or of its “secret installation.” Claims that were made based entirely on an FAQ from the Spore Support site and on 1-star Amazon reviews, without a single mention of the EULA. In this third part of my look at the class action filed against Spore, we’ll look at some of the resulting implications.

Now that I have had time to reinstall Spore on another PC (one which is not connected to the Internet, and thus does not detract from the number of PCs on which I can install Spore), I have had another look at the EULA provided to purchasers of Spore at the point of installation. It contains the same paragraph titled Technical Protection Measures (paragraph 1. B.) which was available in PDF from the Gametreeonline website. So, ignoring the controversy and contested legality of click-wrap/shrink-wrap licenses for the moment, we could further discern that purchasers and installers of Spore are given some notification that a copy protection/DRM component is going to be installed at the same time that they install their game. The people who cared enough to actually sit down and read that EULA before rushing to install their game could reasonably have taken the time to fire up the browser of their choice, run Google searches such as “Spore copy protection” or “Spore DRM”, and found quite easily exactly what form the DRM was provided in. At that point they can click the “I don’t agree” option; of course, getting a refund is an altogether different battle.

Of course, anyone who would actually reconsider whether they purchase the game or not (such as Melisa Thomas, as claimed in paragraph 20) should have been searching such things before purchasing in the first place. After all, if you care enough about the type of DRM used to the point that you file a class action lawsuit, surely you could have cared enough to have spent 5 to 10 minutes searching the internet for information on the copy protection/DRM used? It would have been a less costly approach, that’s for sure. No legal fees involved! For the record, paragraph 20 reads as follows:

Plaintiff brings this class action on behalf of a global class of consumers who have purchased Electronic Arts’ Spore computer game which contained an undisclosed, secret, separately installed, stand alone, uninstallable DRM program which would install itself to the command and control center of the computer and oversee function and operation of the computer, preventing certain user actions, preventing certain user programs from operating, or disrupting hardware operations. Plaintiff and the proposed class members would not have purchased the Spore computer game and/or paid as much for it have they known the truth about the product.

There are some interesting allegations in that paragraph which deserve to be looked at in some more detail and these will be covered later on. For now though, we’ll concentrate on how the lawyers are trying to claim that purchasers were given no notice of the DRM used. Paragraph 16 of the lawsuit is a copy and paste deal of the FAQ page on the Spore Support site dealing with questions about the DRM used in Spore (and for that matter, in Mass Effect too). The lawyers then go on to make a rather astounding assumption in paragraph 17:

17. In fact, all of EA’s representations about its Spore DRM talk in terms of “online authentication” - as if all DRM protection was entirely online-based and resident at EA’s website, instead of being program-based at the operating system level of the user’s own computer. These representations by EA are clearly significant misrepresentations of EA’s DRM program permanently installed onto the hard drive of the user’s computer.

Words almost literally failed me when I first read paragraph 17. The assumption that anyone would assume that all of Spore’s DRM would be purely online based at EA’s Spore website is simply dumbfounding. Either the lawyers themselves do not understand the basic concepts of authentication, or they are trying to imply that all the purchasers of Spore are, to put it bluntly, idiots. Do these lawyers really not understand the simple concepts of how authentication works? How do they propose that the DRM authenticate a copy of Spore and track its number of installs if it cannot identify that copy of Spore? To explain it simply for the sake of these lawyers, let’s look at how the most basic form of online authentication (passwords and usernames) works. In order to use a site that requires you to be logged in, you must first log in to the site (to authenticate yourself with the site). This is done by directly inputting a password with the use of a keyboard attached to your PC and then subsequently through the use of a cookie, typically a small text file stored in a somewhat hidden location on your PC. Thus we can conclude that even with the most basic form of “online authentication” there is a local element involved in the authentication process.

To further expand on this, the cookie typically contains an encrypted string or hash, which is used by the website to identify your username and password. If you remove the cookie from your PC, you lose the ability to authenticate and must, therefore, log in to the site again, at which point a new cookie will be created. SecuROM basically acts in the same fashion. When you first run Spore, the Spore executable checks for the existence of SecuROM and, in the event it doesn’t find it on the PC already, it then installs the SecuROM components required by the Spore executable to carry out the online authentication and the storing of the Spore authentication key. The authentication key component of SecuROM acts like the cookie for the website, although in the case of SecuROM it is stored as a registry entry and a file on your hard drive. Both the registry entry and file are in a format in which they cannot be accidentally deleted. While many will claim this is for a nefarious reason, the most logical reason for this is nothing more than simply ensuring a user doesn’t delete a key, losing one of their limited authentications in the process, by complete accident or through doing something stupid.
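A minimal model of the limited-activation scheme described above, as an added example that is not from the original post and is not SecuROM's actual protocol. The limit of three, the HMAC token format and every name in it are assumptions; it shows why the client needs a locally stored key and why deleting that key costs another activation.

```python
import hashlib
import hmac
import secrets

MAX_ACTIVATIONS = 3  # assumed limit for this sketch; the post only says "limited"

class ActivationServer:
    """Publisher side: issues signed activation tokens and counts them per serial."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key, never leaves the server
        self.used = {}                        # serial -> activations consumed

    def _sign(self, serial, nonce):
        msg = f"{serial}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def activate(self, serial):
        """Consume one activation and return a token, or None at the limit."""
        if self.used.get(serial, 0) >= MAX_ACTIVATIONS:
            return None
        self.used[serial] = self.used.get(serial, 0) + 1
        nonce = secrets.token_hex(8)
        return f"{nonce}:{self._sign(serial, nonce)}"

    def verify(self, serial, token):
        """Check a token presented by a client; costs no activation."""
        nonce, _, mac = (token or "").partition(":")
        return hmac.compare_digest(mac, self._sign(serial, nonce))

def launch(server, serial, local_store):
    """Client side: local_store stands in for the key kept on the PC."""
    token = local_store.get(serial)
    if token and server.verify(serial, token):
        return "run (existing activation)"
    token = server.activate(serial)           # nothing local to present: ask again
    if token is None:
        return "refused (activation limit reached)"
    local_store[serial] = token
    return "run (new activation)"

def demo():
    # Constructed serial; pc is an empty local key store.
    server, pc, serial = ActivationServer(), {}, "CONSTRUCTED-SERIAL-0001"
    results = [launch(server, serial, pc), launch(server, serial, pc)]
    for _ in range(3):                        # delete the local key, then relaunch
        pc.clear()
        results.append(launch(server, serial, pc))
    return results, server.used[serial]
```

The server cannot tell a returning installation from a new one unless the client presents something it stored earlier, which is the local element the paragraph argues for.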

Basic reasoning skills should be enough for anyone to determine that for any form of DRM to reasonably function properly and successfully it would need a local component for ensuring authentication. Even other “online” authentication systems, such as Valve’s Steam service, require a local component for authentication purposes. In the case of Steam, it’s the actual Steam client. Without that installed, you can neither authenticate nor run your games. Of course, the glaring difference between Spore’s use of SecuROM and Steam is that users have to actually agree to installing Steam before they can even install their game, although many people may not actually realise that Steam is in essence a glorified DRM service disguised as a digital distribution platform which offers many features besides the DRM component (for the record, Steam certainly has seen its share of controversy too). I am very interested, though, in how the lawyers expect such authentication to work without this two-way exchange of data.

Paragraphs 18 and 19 once again focus on the infamous 1-star Amazon reviews, trying to pass them off as a true representation of what the majority of actual consumers think about DRM. Sadly, once you start reading the reviews it becomes all too obvious that they are more a representation of clueless individuals, bandwagon riders and people just having a laugh, with very few, if any, of the reviews actually being honest accounts from actual players of legal copies of Spore. The number of claims that SecuROM is a virus or malware, for example, further highlights the fact that these people are just blindly accepting rumours as to the nature of SecuROM without bothering to investigate it for themselves. And this too is reinforced by the large number of false claims that SecuROM cannot be fully uninstalled without formatting the PC. At the risk of sounding like a broken record, I must reiterate that this simply is not true. Even the anti-DRM propaganda sites show you how to fully remove SecuROM and the authentication key information in easy-to-follow steps (such as those I posted back in Part 1).

For SecuROM to actually be classed as malware (malicious software) it would have to be proven that SecuROM was created with the sole intent of harming the PC it is found to reside in. One definition of malware as found on Wikipedia states the following:

Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.

At a very long stretch you could try to classify SecuROM as malware by trying to call it a rootkit. However, no firm reliable proof has been provided to support that reasoning – in fact it appears that the claim of it installing to the kernel (Ring 0) originates from an unsubstantiated (and possibly falsified) claim posted on a games forum and requests for proof to back up the claim seem to have been left unanswered, the author preferring to troll instead. Further to that, the author states that they don’t consider it to be a rootkit in the first place! So we are only left with SecuROM being “unwanted software” and that argument isn’t going to stand up at all when you consider that it’s placed in the software in a futile attempt to stop piracy.

Some of the Amazon reviews also carry on with the point that SecuROM was installed without their permission, yet they agreed to the EULA that was displayed when they installed the game regardless. And the EULA does make a reference to DRM being used and although it does not explicitly name SecuROM, the person installing Spore was given the option of aborting the install if they didn’t like what was written in the EULA. So it is highly possible that EA’s very expensive lawyers will focus on this important little step in the installation process. It’s not EA’s fault if a user decides to click OK to continue installing without bothering to read the EULA. Besides, unless you read it, you’ll never know if the EULA is trying to claim your soul, or worse, your first-born.

Coming up in Part 4, the truth about the program!

Thanks for reading!
