Cryptographer Bruce Schneier is chief technical officer at Counterpane Internet Security in Mountain View, CA, and a frequent critic of how companies implement computer security technologies. He publishes a widely read monthly security newsletter, Crypto-Gram, and is the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Schneier has been particularly outspoken in public statements and editorials about Sony BMG’s botched attempt last year to limit copying of its music CDs; the company used a tool called a “rootkit” to hide copy-protection software on people’s computers, inadvertently opening up those computers to attack by hackers (see “Inside the Spyware Scandal”).

Technology Review senior editor Wade Roush interviewed Schneier about the Sony episode on March 16.

Technology Review: Last year, Sony BMG released CDs carrying copy protection software called XCP written by U.K. company First4Internet, which hid itself using a rootkit-like technique. Once the rootkit became public knowledge, security experts immediately labeled XCP as malware. Why?

Bruce Schneier: When you take functionality away from the user – where there is a mechanism by which some third party can bypass what the user wants – that, inherently, is what malware is. It’s a system that does things behind the user’s back that the user doesn’t want. So almost by definition, these copy protection programs are indistinguishable from malicious code.

TR: Will the Sony rootkit episode lead to consumers viewing digital media in a different way? For example, do you think they’ll eventually demand less restrictive types of digital rights management?

BS: I hope so, but it’s always dicey trying to guess what consumers will do. In the market for computers and software, consumers usually don’t know what they’re buying. They don’t have a clue. This debacle gave a window into what is going on. But was it enough to make consumers realize that they need to not buy certain products, or that they’re being sold substandard goods? The answer is probably not. And that’s too bad, because if buyers can’t make intelligent buying decisions, the whole structure of capitalism starts to break down.

TR: Okay, let’s say you’re a consumer and want to buy some digital content, but you don’t want to give up control of your computer. What should you do?

BS: Write your congressman. If all consumers can get is what is being sold, and what is being sold has copy protection, consumers can’t get what they want. The only way consumers can get what they want is if we as a society either demand it or force it. We could boycott [the media companies], but that’s probably not going to happen. The boycotts against Sony BMG didn’t last, and the media companies know that.

TR: What about the act that Rep. Zoe Lofgren has introduced into Congress, BALANCE, for “Benefit Authors without Limiting Advancement or Net Consumer Expectations”? It would take some teeth out of the provisions of the DMCA [Digital Millennium Copyright Act] of 1998 that make it illegal to circumvent copy-protection technologies.

BS: It would be neat if that passed – but never underestimate the power of the lobbyists to kill that stuff. Lobbyists are clever.

TR: Let’s talk about the antivirus companies. The Sony BMG rootkit was the kind of thing that antivirus software should have detected on people’s computers. Yet it wasn’t reported by anyone, until the Finnish security company F-Secure started looking into the matter.

BS: It is a black eye for the antivirus industry. But if big corporate buyers say to Symantec and other antivirus companies “What the hell were you doing while all this happened?” things are more likely to change. There are press reports that the Department of Homeland Security was really annoyed that their antivirus software didn’t catch the Sony rootkit. Now there’s a consumer with a little more leverage! The question is: Is all of this just noise, or will it turn into a change in behavior?

TR: It appears that Sony BMG, at least, won’t behave this way again.

BS: Why not? A few years from now, after the controversy goes away, why wouldn’t they, unless they’re told not to? The media companies have a business model that’s fighting for survival. And this time around they have realized that they can extend their business model through the legal system, by lobbying for laws like the DMCA. So they’re not going to go away quietly. They are going to defend it even after it stops making sense.