Zone of Freedom
The recalls, exchanges, and apologies of November 2005 did not put the matter to rest. New York attorney general Eliot Spitzer criticized Sony in late November, after investigators found that discs carrying XCP had not yet been removed from stores. The Federal Trade Commission opened an inquiry, and Texas attorney general Greg Abbott sued Sony BMG for violating the state’s antispyware laws. Plaintiffs in at least five states filed suit, claiming damages against Sony BMG for impairing their computers.
Sony dealt with these suits quickly. Before December was out, the company had reached a tentative settlement with attorneys, who had consolidated the suits into a single complaint in the U.S. District Court for southern New York. The settlement provides anyone who owns a disc with XCP with a replacement disc, a $7.50 cash payment, and (ironically) free digital downloads of the music on the CD and up to three others. At press time, the court had not yet approved the full settlement, but the replacement program had begun.
But anger over the rootkit in the media and the blogosphere persisted even after news of the proposed settlement. What truly bothered consumers, it seemed, was not the damage done to their computers: the Troj/Stinx-E Trojan horse had not spread far, and there wasn’t time for a serious epidemic of other malware exploiting the XCP rootkit to emerge. Rather, CD buyers were upset that the software deliberately concealed its presence and contacted Sony BMG without their permission. They felt that XCP had trespassed against fundamental protections – the rights to privacy and private ownership and the freedoms of expression and access to information.
“I’m a music fan, and I’ve been watching with dismay the whole march of DRM, to the point that you practically have to sign a contract to open a CD box,” says Tim Jarrett, a Framingham, MA, Web developer and technology blogger. “So when I saw that Sony was not only including this DRM but doing it in such a way that it was opening up people’s computers to being exploited, I think something inside me just kind of snapped.” Jarrett decided to start the Sony Boycott Blog, which functioned for three months as one of the main clearinghouses for information about the rootkit saga. Judging from the comments they left, Jarrett’s -readers – who numbered up to 5,000 per day – were just as irked. “You have a zone of personal freedom – a personal space within which you can decide, for example, to read a book back to front, or read it 20 times, or make margin notes, or read it in the bathtub, or do a skit acting out the book to a friend,” says law professor Julie Cohen, who studies intellectual-property and data privacy law at the Georgetown University Law Center. “And having an automatic policeman or even just a flat-out architectural prohibition that appropriates that personal space is something that people experience as very intrusive.”
“I think we’re in this period where the content providers are trying to push the boundaries,” says Mark Russinovich. “They want to see just how far they can go to protect their content, and where that fine line is between protecting their content from casual piracy and annoying the consumer.”