As this month's controversy over Sony's distribution of music CDs with flawed digital rights management (DRM) software continues to play itself out, the whole mess is already primed to become a classic case study in why corporations need competent Privacy Officers to keep them out of trouble.
According to news reports, about 20 different CD titles issued in recent months by Sony's BMG music distribution group have been outfitted with software called eXtended Copy Protection (XCP). Designed to thwart illegal copying of music files, more than two million CDs containing XCP were shipped, mainly to retailers in the United States.
If you're like tens of millions of music lovers around the world, you often use your computer as your CD player, choosing to manage your music through software like Apple's iTunes or Yahoo's Musicmatch.
But when you pop one of these new Sony CDs into your computer, you've taken the first step on a dangerous journey into privacy violations, security holes, draconian licensing agreements, and maybe even a broken computer.
Making use of the CD "autorun" feature -- the default setting on most Windows-based operating systems -- the Sony software starts up immediately when you insert one of the problematic CDs into your computer. During the autorun sequence, the XCP software quietly installs itself from the CD, without your explicit knowledge or permission, much like your run-of-the-mill virus or spyware application.
At this point in the story, let me note for the record that I don't know whether Sony has a privacy officer. But it hardly takes a doctoral degree in privacy to appreciate that in this era, anything with spyware-like installation behavior is probably going to get you into trouble.
The fact that nobody at Sony stopped this from happening suggests to me they may not have had someone on the team tasked with asking the kinds of privacy and security questions that would have raised red flags. When there's nobody to see the warning signs and no one empowered to pull the cord on the emergency brake, it becomes a lot harder to keep the train from running off the edge of the cliff.
In the case of Sony's software, the train was going to hit many bumps in the track before it launched itself over that cliff.
Security analysts discovered the XCP software opens a backdoor into your computer -- mimicking the behavior of a class of malicious software that security experts call a 'rootkit'.
These rootkits allow another party, in this case Sony, to secretly access your system via the Internet, allowing them to execute programs, gather information, and send back detailed information about your computer usage and other bits of potentially personal information about you.
In some instances, the risks posed by rootkits are considered negligible and theoretical. That wasn't the case with Sony's software.