Technology Review - Published By MIT

Thursday, May 18, 2006

Inside the Spyware Scandal -- Part 3


By Wade Roush


Good DRM
The questions raised by the Sony BMG rootkit saga are whether protecting content necessarily means violating consumers' right to control their private property, compromising the computer's role as an instrument of culture and creativity, and sacrificing the principle of "fair use" (a provision in U.S. copyright law that allows the reproduction of copyrighted works for purposes of criticism, reporting, research, and archiving).

The initial signs are not good. Sony BMG's blunder -- however inadvertent it may have been -- was an indication to many observers that copyright holders are in fact escalating the technology war, choosing to meddle more and more deeply with the workings of customers' computers in a hasty and careless effort to limit freeloading.

"If Sony didn't stop and take the time to ask First 4 Internet what XCP actually did, it's their fault," says Schneier of Counterpane Internet Security. "I find First 4 Internet less culpable, because Sony wanted to buy some sort of magic bullet, and they just said, 'Here, use ours.'"

Sony BMG has never fully accepted the blame; even in the December settlement agreement the company denied that it bore any legal liability or that anyone had been damaged by any wrongful conduct. Still, by most measures of corporate responsibility, Sony BMG has gone to remarkable lengths to make up for the rootkit fiasco. The company now seems to be wary of crossing Russinovich's "fine line." "There has to be a balance struck between protection of content and nurturing and protection of technology," acknowledges Sony BMG spokesman Cory Shields.

Indeed, Sony BMG's mistakes in the rootkit case provide some insights into what good digital rights management would, by contrast, look like.

First, say computer security professionals, good DRM should be transparent. To these professionals, the rootkit episode carried secrecy too far. If a rootkit provides a hiding place for viruses, worms, and Trojans, it makes the job faced by computers' virus-scanning software much more difficult. And if more legitimate companies start to design their software to mimic malware, that job becomes nearly impossible. "Now all of your security software has to distinguish between 'good' malicious code and 'bad' malicious code," Schneier says.

To be consumer friendly, therefore, DRM software must be computer friendly. It should not hide itself from the computer's operating system, nor take up more than its share of processing or memory. And the terms of use and functions of the software should be spelled out in a way that is clear to the user, not buried in a 20-page EULA. "People should understand the bargain they are making and the restrictions they may be subject to," says David Sohn, a staff counsel specializing in intellectual-property law at the Center for Democracy and Technology in Washington, DC.

Second, DRM technology should respect users' privacy and security. It should collect only that personal information needed for authentication, and only after obtaining the users' consent. And content protection measures cannot be implemented at the expense of a computer system's security against real malware.

Third, good DRM should be user serviceable. If a DRM system breaks, consumers should still be able to access the content they purchased, and if it becomes a security threat, they should be able to turn it off. Yet under the U.S. Digital Millennium Copyright Act (DMCA) of 1998, it is unlawful to circumvent the technology protecting digital content. There is no exception for cases such as that of the Sony BMG rootkit, where the DRM technology itself may be causing harm. This bizarre situation might be remedied if efforts by some lawmakers to amend the DMCA succeed. On December 14, for the third congressional session in a row, Rep. Zoe Lofgren, a Democrat from Silicon Valley, introduced a bill that would make it legal to circumvent DRM technology if the unprotected content is then used for noninfringing purposes, such as archiving. Lofgren's bill has been referred to the House Committee on the Judiciary, where it awaits review.

Comments

  • The musicians answer
    Guest (Jonathan) on 05/18/2006 at 12:00 AM
    I would greatly encourage the people at Sony to examine the efforts of bands like Tool and System of a Down to make the packaging itself part of the experience. Sure, there were people who had the new Tool album, 10,000 Days, more than a month before it was released. But you can't use the included stereoscopic lenses to view the then 3D liner notes without buying the album. The artists producing the content are attempting to shift the paradigm in such a way as to make the music the best possible advertising for an entire product line centered on the album art, live experience, and interactive websites. The greed of the RIAA will either end the music industry, or succumb to a new generation of innovative marketing musicians.