Sony Has Been a Bad Dog!

Cosmo

In an attempt to foil pirating music, Sony added some software. Bad move!! If you have purchased a Sony CD, you may want to make sure you don't download it onto your computer!!

Sony Story Link

Sony's long-term rootkit CD woes

Internet professor Michael Geist explains why Sony's rootkit problems have significant long-term implications for the industry.

Sony BMG, the world's second largest record label, has for the past three weeks been the subject of a corporate embarrassment that rivals earlier public relations nightmares involving tampered Tylenol and contaminated Perrier.

While in the short-term one of the world's best-known brands has suffered enormous damage, the longer-term implications are even more significant - a fundamental re-thinking of policies toward digital locks known as technological protection measures (TPMs).

The Sony case started innocently enough with a Halloween day blog posting by Mark Russinovich, an intrepid computer security researcher.

Mr Russinovich discovered his own tale of horror - Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a "rootkit" on users' computers.

The use of the rootkit set off alarm bells for Mr Russinovich, who immediately identified it as a potential security risk since hackers and virus writers frequently exploit such programs to turn personal computers into "zombies" that can send millions of spam messages, steal personal information, or launch denial of service attacks.

Moreover, attempts to uninstall the program proved difficult, as either his CD-Rom drive was no longer recognised or his computer crashed.

Although users were presented with a series of terms and conditions that refer to software installation before launching the CD, it is safe to assume that few, if any, realised that they were creating both a security and potential privacy risk as well as setting themselves up for a "Hotel California" type program that checks in but never leaves.

Class action

While Sony and the normally vocal recording industry associations stood largely silent - a company executive dismissed the concerns stating that "most people don't even know what a rootkit is, so why should they care about it" - the repercussions escalated daily.

One group identified at least 20 affected CDs, including releases from international artists such as Celine Dion and Neil Diamond.

Class action lawsuits were launched in the US, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to include the Sony rootkit.

Nearly two weeks after the initial disclosure, Sony finally issued an apology, indicating that it was suspending use of the TPM and issuing a software patch to remove the rootkit.

At about the same time things went from bad to worse. It was soon discovered that Sony's patch created its own security risk - potentially leaving personal computers even more vulnerable than with the initial rootkit - and was pulled from its website.

The company also recalled millions of CDs, losing tens of millions in revenue and effectively acknowledging that the CD was a hazardous product.

The recall was even bigger than anticipated as Sony disclosed that there were at least 52 affected CDs. Moreover, researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries.

Finally, just when it appeared that Sony had hit bottom, analysis of the rootkit revealed that it included open source software code contrary to the applicable licence.

In other words, Sony itself may have infringed the copyright of a group of software programmers and be on the hook for significant copyright infringement damages.

While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers.

The incident has alerted millions of consumers to the potential misuse of TPMs as well as to the need for consumer protections from such systems.

While policy makers have raced to provide legal protections for TPMs (known as anti-circumvention legislation since the provisions prohibit attempts to circumvent the digital locks), the real need is to protect against the misuse of this technology.

The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks.

The US Computer Emergency Response Team was jointly established in 2003 by the US government and the private sector with the aim of protecting the internet infrastructure from cyber-attacks.

It advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD".

Moreover, Stewart Baker, the US Department of Homeland Security's assistant secretary of policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property - it's not your computer.

"And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."