Before putting the problem aside, Guarino did one very important thing. He e-mailed his logs to F-Secure, a computer security firm in Helsinki, Finland, whose software he had used to detect the files. Though F-Secure’s malware watchers had not previously encountered the rootkit, they were quickly able to confirm Guarino’s suspicions. Over the next two weeks, they came to another, much more troubling realization: the rootkit could hide other files as easily as it hid Sony BMG’s copy protection software. Every computer that had ever been used to play a copy-protected Sony BMG disc was now, in effect, an open receptacle for worms, viruses, and other malware.
On October 17, F-Secure contacted Sony. Two weeks later, respected security expert Mark Russinovich found the rootkit on his own computer and publicized his findings on his widely read blog. He also discovered that other software installed along with the copy protection program secretly contacted Sony BMG via the Internet every time a PC user played a copy-protected disc. And over the next several months, what had begun as a curiosity in Guarino’s little shop escalated into a full-blown scandal, complete with backroom negotiations, public exposés, heated denials, angry boycotts, vengeful lawsuits, and rueful apologies.
Though its original purpose was to hide software that prevented listeners from making more than three copies of their music, Sony BMG’s rootkit became the most public symbol to date of the perceived excesses of DRM technology – and of the growing suspicion media companies seem to harbor toward their own customers. The scandal is still having repercussions. It has reignited a dispute in the public sphere over the ways consumers should be allowed to use copyrighted digital information and, conversely, just how far copyright holders can go to secure their intellectual property against piracy. (See “Who Will Own Ideas?”, a TR special package published in June 2005.)
Taken to extremes, experts say, digital rights management not only curtails people’s right to make “fair use” of copyrighted material, which is guaranteed by U.S. copyright law, but can even create new technological hazards. “When you build computer systems where you’re not protecting the user, but something from the user, you have very bad security,” says Bruce Schneier, a luminary in the field of computer security and chief technical officer of Counterpane Internet Security in Mountain View, CA. “That’s my biggest fear – this notion that the user is the enemy.”
The story of the Sony BMG rootkit fiasco is about more than bad corporate judgment or the ongoing struggle over the rights of consumers to do what they want with the things they own. It is also about fear and the excesses it can arouse. When media companies apply such powerful, secret tools to content protection, it suggests that their nervousness over piracy has turned to panic. Although Sony BMG insists that the rootkit was deployed unintentionally, the episode persuaded many observers that the music industry had come to see deception as an indispensable component of digital rights management. It should be no surprise when customers who feel they are being treated like thieves stop buying things. If there is one message in Sony BMG’s experience for other companies entering the digital world, it is that distrust engenders distrust.