When Copy Protection Becomes Malware

Computer security guru Bruce Schneier says media companies won't ease up on invasive technology until consumers balk.

Cryptographer Bruce Schneier is chief technical officer at Counterpane Internet Security in Mountain View, CA, and a frequent critic of how companies implement computer security technologies. He publishes a widely read monthly security newsletter, Crypto-Gram, and is the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Schneier has been particularly outspoken in public statements and editorials about Sony BMG's botched attempt last year to limit copying of its music CDs; the company used a tool called a "rootkit" to hide copy-protection software on people's computers, inadvertently opening up those computers to attack by hackers (see "Inside the Spyware Scandal").

Bruce Schneier, chief technical officer, Counterpane Internet Security, Mountain View, CA. (Photo by Steve Woit.)

Technology Review senior editor Wade Roush interviewed Schneier about the Sony episode on March 16.

Technology Review: Last year, Sony BMG released CDs carrying copy protection software called XCP written by U.K. company First4Internet, which hid itself using a rootkit-like technique. Once the rootkit became public knowledge, security experts immediately labeled XCP as malware. Why?

Bruce Schneier: When you take functionality away from the user -- where there is a mechanism by which some third party can bypass what the user wants -- that, inherently, is what malware is. It's a system that does things behind the user's back that the user doesn't want. So almost by definition, these copy protection programs are indistinguishable from malicious code.

TR: Will the Sony rootkit episode lead to consumers viewing digital media in a different way? For example, do you think they'll eventually demand less restrictive types of digital rights management?

BS: I hope so, but it's always dicey trying to guess what consumers will do. In the market for computers and software, consumers usually don't know what they're buying. They don't have a clue. This debacle gave a window into what is going on. But was it enough to make consumers realize that they need to not buy certain products, or that they're being sold substandard goods? The answer is probably not. And that's too bad, because if buyers can't make intelligent buying decisions, the whole structure of capitalism starts to break down.

TR: Okay, let's say you're a consumer and want to buy some digital content, but you don't want to give up control of your computer. What should you do?

BS: Write your congressman. If all consumers can get is what is being sold, and what is being sold has copy protection, consumers can't get what they want. The only way consumers can get what they want is if we as a society either demand it or force it. We could boycott [the media companies], but that's probably not going to happen. The boycotts against Sony BMG didn't last, and the media companies know that.