Appeared in the Toronto Star on November 21, 2005 as Sony Incident
Wakeup Call For Regulators
Appeared on the BBC Online on November 21, 2005 as Sony's Long-Term
Sony BMG, the world's second largest record label, has for the past
three weeks been the subject of a corporate embarrassment that rivals
earlier public relations nightmares involving tampered Tylenol and
contaminated Perrier. While in the short-term one of the world' s
best-known brands has suffered enormous damage (particularly given
that unlike in the Tylenol case the damage is self-inflicted), the
longer-term implications are even more significant - a fundamental
re-thinking of policies toward digital locks known as technological
protection measures (TPMs).
The Sony case started innocently enough with a Halloween-day blog
posting by Mark Russinovich, an intrepid computer security
researcher. Russinovich discovered his own tale of horror -- Sony was
using a copy-protection TPM on some of its CDs that quietly installed
a software program known as a "rootkit" on users' computers.
The use of the rootkit set off alarm bells for Russinovich, who
immediately identified it as a potential security risk since hackers
and virus writers frequently exploit such programs to turn personal
computers into "zombies" that can send millions of spam messages,
steal personal information, or launch denial of service attacks.
Moreover, attempts to uninstall the program proved difficult, as
either his CD-Rom drive was no longer recognized or his computer
Although users were presented with a series of terms and conditions
that refer to software installation before launching the CD, it is
safe to assume that few, if any, realized that they were creating both
a security and potential privacy risk as well as setting themselves up
for a "Hotel California" type program that checks in but never leaves.
While Sony and the normally vocal recording industry associations
stood largely silent -- a company executive dismissed the concerns
stating that "most people don't even know what a rootkit is, so why
should they care about it" -- the repercussions escalated daily. One
group identified at least 20 affected CDs, including releases from
Canadian artists Celine Dion and Our Lady Peace. Class action lawsuits
were launched in the United States, a criminal investigation began in
Italy, and anti-spyware companies gradually updated their programs to
include the Sony rootkit.
Nearly two weeks after the initial disclosure, Sony finally issued a
half-hearted apology, indicating that it was suspending use of the TPM
and issuing a software patch to remove the rootkit.