Earlier this year, Sony BMG Music Entertainment started to make use of software designed to protect its intellectual property (IP). Initially released on selected CDs from various artists, and only distributed in the US, the software was intended to ensure that the music on the CD would not be easily copied in bulk, essentially restricting the ability of a computer to copy the contents at will.
The software had to be installed in order for the CD to play in a computer, and an agreement to install was presented to the buyer of the product. On the face of things, this seems mildly inconvenient to the consumer, but is not an entirely unreasonable course for the content provider to take – piracy is still a serious issue, and the music industry and Hollywood claim to lose millions in sales every year as a direct result, after all.
However, the means by which this protection was being enabled was in no way made clear to the consumers who bought these CDs, and this is why Sony BMG’s plan has backfired so badly, generating a wave of negative opinion and even outright hostility. A number of lawsuits have already been filed against the company, and the scheme may yet cost millions more than it could have saved by having any effect against piracy.
According to investigation by various security vendors, the Sony BMG software essentially installed a rootkit onto a consumer’s computer, a measure that not only seizes control of functionality without the owner’s explicit consent, but which can also impact upon the performance of devices. Consider the likelihood that CD owners may have taken their new Sony CDs to listen to at work, and we are suddenly faced with the very real possibility that those machines now represent dangerously open doors into the organization’s network.
Rootkits are commonly used hacking tools, and in the vast majority of instances would only be found as the result of a successful attack against a machine. The rootkit subverts the performance of the machine and dictates what it can be used for. In the case of Sony BMG, this meant restricting the ability of the computer on which it was installed to copy protected content. At first, there was a serious risk that attempting to uninstall the software could corrupt the CD drive to such an extent that it would be unusable, although this is no longer the case – more effective tools were quickly produced to remove the Sony BMG software, and the company itself has since backed away from the scheme and will no longer distribute CDs that make use of it.
However, before this could be done, code was already in circulation that allowed the software to be subverted and controlled by a hacker, leaving devices upon which the software had been placed open to attack. The code evolved quite quickly after appearing, and although the window of opportunity for any attacks is believed to be fairly small, it seems that Sony BMG’s scheme left its consumers in a poorly protected position.
Furthermore, the fact that the company was not open about how the software was intended to achieve its aims has resulted in widespread condemnation from security experts, a factor that will likely weigh heavily as cases reach the courts. The state of California has very specific technology laws designed to protect its constituents, and it seems likely that Sony BMG will fall foul of these.
The damage to the company’s reputation has been immediate and is still escalating, and the possible costs of litigation could rival those levied against Microsoft during its time with the US Department of Justice.
This whole business has been something of a farce, and betrays a complete lack of interest in the rights of the consumers that Sony BMG needs in order to survive – angering one’s customer base is never the sharpest move that an organization can make, and doing so deliberately is even more unwise. In this instance, the decision may have been made without proper awareness of the consequences, but this is no excuse.
Many of us face IP protection issues, and for some the implementation of some form of DRM will be a necessity sooner rather than later. Sony BMG’s experience is a useful lesson in this regard, and serves as a warning that we are likely to be stepping into a legal minefield when we restrict the actions and rights of others, and that we should not presume that we have free rein to do so, even when the content we need to protect is our own.
Source: OpinionWire by Butler Group (www.butlergroup.com)