We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.

Business Impact

When Copy Protection Becomes Malware

Computer security guru Bruce Schneier says media companies won’t ease up on invasive technology until consumers balk.

Cryptographer Bruce Schneier is chief technical officer at Counterpane Internet Security in Mountain View, CA, and a frequent critic of how companies implement computer security technologies. He publishes a widely read monthly security newsletter, Crypto-Gram, and is the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Schneier has been particularly outspoken in public statements and editorials about Sony BMG’s botched attempt last year to limit copying of its music CDs; the company used a tool called a “rootkit” to hide copy-protection software on people’s computers, inadvertently opening up those computers to attack by hackers (see “Inside the Spyware Scandal”).

Bruce Schneier, chief technical officer, Counterpane Internet Security, Mountain View, CA. (Photo by Steve Woit.)

Technology Review senior editor Wade Roush interviewed Schneier about the Sony episode on March 16.

Technology Review: Last year, Sony BMG released CDs carrying copy protection software called XCP written by U.K. company First4Internet, which hid itself using a rootkit-like technique. Once the rootkit became public knowledge, security experts immediately labeled XCP as malware. Why?

Bruce Schneier: When you take functionality away from the user – where there is a mechanism by which some third party can bypass what the user wants – that, inherently, is what malware is. It’s a system that does things behind the user’s back that the user doesn’t want. So almost by definition, these copy protection programs are indistinguishable from malicious code.

TR: Will the Sony rootkit episode lead to consumers viewing digital media in a different way? For example, do you think they’ll eventually demand less restrictive types of digital rights management?

BS: I hope so, but it’s always dicey trying to guess what consumers will do. In the market for computers and software, consumers usually don’t know what they’re buying. They don’t have a clue. This debacle gave a window into what is going on. But was it enough to make consumers realize that they need to not buy certain products, or that they’re being sold substandard goods? The answer is probably not. And that’s too bad, because if buyers can’t make intelligent buying decisions, the whole structure of capitalism starts to break down.

TR: Okay, let’s say you’re a consumer and want to buy some digital content, but you don’t want to give up control of your computer. What should you do?

BS: Write your congressman. If all consumers can get is what is being sold, and what is being sold has copy protection, consumers can’t get what they want. The only way consumers can get what they want is if we as a society either demand it or force it. We could boycott [the media companies], but that’s probably not going to happen. The boycotts against Sony BMG didn’t last, and the media companies know that.

TR: What about the act that Rep. Zoe Lofgren has introduced into Congress, BALANCE, for “Benefit Authors without Limiting Advancement or Net Consumer Expectations”? It would take some teeth out of the provisions of the DMCA [Digital Millennium Copyright Act] of 1998 that make it illegal to circumvent copy-protection technologies.

BS: It would be neat if that passed – but never underestimate the power of the lobbyists to kill that stuff. Lobbyists are clever.

TR: Let’s talk about the antivirus companies. The Sony BMG rootkit was the kind of thing that antivirus software should have detected on people’s computers. Yet it wasn’t reported by anyone, until the Finnish security company F-Secure started looking into the matter.

BS: It is a black eye for the antivirus industry. But if big corporate buyers say to Symantec and other antivirus companies “What the hell were you doing while all this happened?” things are more likely to change. There are press reports that the Department of Homeland Security was really annoyed that their antivirus software didn’t catch the Sony rootkit. Now there’s a consumer with a little more leverage! The question is: Is all of this just noise, or will it turn into a change in behavior?

TR: It appears that Sony BMG, at least, won’t behave this way again.

BS: Why not? A few years from now, after the controversy goes away, why wouldn’t they, unless they’re told not to? The media companies have a business model that’s fighting for survival. And this time around they have realized that they can extend their business model through the legal system, by lobbying for laws like the DMCA. So they’re not going to go away quietly. They are going to defend it even after it stops making sense.

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.
More from Business Impact

How technology advances are changing the economy and providing new opportunities in many industries.

Want more award-winning journalism? Subscribe to Print + All Access Digital.
  • Print + All Access Digital {! insider.prices.print_digital !}*

    {! insider.display.menuOptionsLabel !}

    The best of MIT Technology Review in print and online, plus unlimited access to our online archive, an ad-free web experience, discounts to MIT Technology Review events, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    6 bi-monthly issues of print + digital magazine

    10% discount to MIT Technology Review events

    Access to entire PDF magazine archive dating back to 1899

    Ad-free website experience

    The Download: newsletter delivery each weekday to your inbox

    The MIT Technology Review App

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.