A View from Wade Roush
Rooting Out Sony's Rootkit
Why you should care about the decade’s worst digital rights management debacle.
My feature story “Inside the Spyware Scandal” – published this week in TR’s print magazine and here on our website – asks how the world’s second-largest record label, Sony BMG, became one of the world’s largest distributors of malware.
Fifty-two Sony BMG CDs released last year carried the notice “Content Enhanced & Protected.” The main “enhancement”: a proprietary player program that restricted owners of the CDs to ripping and burning no more than three digital copies of the music. (Those copies were “sterile,” meaning they couldn’t be copied again, and they were in Windows Media format, meaning they couldn’t be played on the most popular mobile music player, the iPod.)
The player software, which users had to install in order to listen to the CDs, secretly placed a hacker tool called a “rootkit” on users’ hard drives as a way of cloaking key elements of the copy-protection system against prying eyes and tampering.
The cloaking technique was highly effective. In fact, it was too clever by half. The problem – which went unnoticed by Sony BMG or anyone else for 10 months – was that a rootkit amounts to a haven for anything hackers might want to hide, such as viruses, worms, and Trojan horse programs.
Other software on the CDs transmitted a computer’s Internet address to Sony BMG whenever a user loaded a disc. Once security experts discovered the rootkit and the “phone home” behavior – and exactly how that mystery unfolded is the core of my story – consumers who had bought the CDs were understandably outraged by what they saw as an invasion of their privacy and property. So were advocates of freedom of information in the digital world, such as the indefatigable attorneys at the Electronic Frontier Foundation.
But why should you care about Sony BMG’s blunder?
* Because when you buy music on a CD, you expect to be able to listen to it wherever you like.
* Because when you install software on your computer, you expect it to behave politely, not invite viruses and worms and Trojan horses to take over your machine and infect others’.
* Because you probably don’t want that same software reporting your Internet address to the recording studio every time you listen to a CD on your computer.
* Because you benefit from the free flow of ideas bolstered by the “fair use” provisions of U.S. copyright law.
* Because you believe in a thriving culture industry – and you don’t want to see the mutually profitable exchange of great content between creators and consumers slowed by a coagulation of ill-conceived digital rights management technologies.
If you’re concerned about the future of art and literature in the digital age, I urge you to read my piece and leave your comments – and to think twice before buying your next “Enhanced & Protected” CD.
More discussion to come.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today