According to news reports, about 20 different CD titles issued in recent months by Sony's BMG music distribution group have been outfitted with software called eXtended Copy Protection (XCP). Designed to thwart illegal copying of music files, more than two million CDs containing XCP were shipped, mainly to retailers in the United States.
If you're like tens of millions of music lovers around the world, you often use your computer as your CD player, choosing to manage your music through software like Apple's iTunes or Yahoo's Musicmatch.
But when you pop one of these new Sony CDs into your computer, you've taken the first step on a dangerous journey into privacy violations, security holes, draconian licensing agreements, and maybe even a broken computer.
At this point in the story, let me note for the record that I don't know whether Sony has a privacy officer. But it hardly takes a doctoral degree in privacy to appreciate that in this era, anything with spyware-like installation behavior is probably going to get you into trouble.
The fact that nobody at Sony stopped this from happening suggests to me they may not have had someone on the team tasked with asking the kinds of privacy and security questions that would have raised red flags. When there's nobody to see the warning signs and no one empowered to pull the cord on the emergency brake, it becomes a lot harder to keep the train from running off the edge of the cliff.
In the case of Sony's software, the train was going to hit many bumps in the track before it launched itself over that cliff.
Security analysts discovered the XCP software opens a backdoor into your computer -- mimicking the behavior of a class of malicious software that security experts call a 'rootkit'.
These rootkits allow another party, in this case Sony, to secretly access your system via the Internet, allowing them to execute programs, gather information, and send back detailed information about your computer usage and other bits of potentially personal information about you.
In some instances, the risks posed by rootkits are considered negligible and theoretical. That wasn't the case with Sony's software.
According to one of my colleagues here at eSecurityPlanet, the bad guys already have figured out how to exploit it to seize control of PCs.
The story of Sony's dastardly DRM debacle doesn't stop there. Other security analysts have discovered even more problems. One investigator discovered that attempting to remove XCP caused his CD drive to be completely disabled. Another expert reported that using a removal tool for another type of DRM software used by Sony could cause yet another rootkit-type security hole to be left wide open.
Glaringly Obvious Problems
I can understand Sony's desire to protect its artists' music from being illegally copied. I even can understand their motivation for exploring DRM technologies like XCP.
But at every turn, the problems that have come to light are so glaring and so obvious that it's impossible to think that a competent pre-launch review of the privacy and security consequences wouldn't have caused them to shelve the idea until the problems were solved.
Instead, what has emerged in these past few weeks is a picture of a major corporation whose executives neither understood, nor cared, what negative impacts their poor decision making would have.
It's important to remember that plenty of good companies make mistakes. But in my book, what sets a good company apart from a bad one is how they react when their mistakes are discovered.
When interviewed on the radio, the president of Sony BMG's Global Digital Business, Thomas Hesse, said, ''Most people, I think, don't even know what a rootkit is, so why should they care about it?''
Note to Mr. Hesse: ''Who cares?'' is seldom a good response.
I'm betting that Mr. Hesse didn't know what a rootkit was before this issue arose, and from the tone of his comments, you can be sure he still doesn't understand the consequences of it. Unfortunately for him, the gross tonnage of what he doesn't understand about how his company screwed up only now is coming to light.
Security experts are estimating that, given the number of compromised CDs distributed by Sony, there could be more than half a million networks worldwide -- including critical systems at banks, universities, healthcare, and military installations -- where a simple attempt to listen to some music has resulted in computers being infected with Sony's rootkit. Now they're just sitting there waiting to be hacked.
Contempt for Consumers
Throughout the controversy, it has become quite clear that it never dawned upon Sony executives that they should give some thought to the risks to their brand and reputation, as well as the possible legal liabilities, arising from their DRM plans.
Looking more deeply at Sony's efforts to protect itself against music theft, however, suggests the problems are caused by more than just corporate ineptitude. A careful reading of the End User License Agreement (EULA) that is bundled with its music and software reveals a level of contempt for consumers that is truly breathtaking.
In an analysis of the Sony EULA posted by the Electronic Frontier Foundation, if you think you own the rights to play the music you just bought, you're sadly mistaken.
According to the EULA, you cannot transfer the music from the CD to your computer. If you ever lose the CD, you also lose any rights to listen to that CD on your iPod. If you move out of the country, fail to install any of Sony's rootkit software updates, or if you file bankruptcy -- yes, bankruptcy -- you must immediately delete the music.
Buckling under the weight of all the negative press, Sony has announced it is recalling all of its compromised CDs and will provide patches to fix security holes -- holes that Sony spokesmen still deny present any security risks at all!
Unfortunately, this entire episode suggests that Sony's executives aren't very clued into the concerns of consumers and haven't yet accepted the consequences of their poor decisions. This suggests to me that we probably haven't heard the last of Sony's invasive and intrusive DRM practices.
Now would be an excellent time for them to consider hiring a talented privacy officer to help them negotiate the difficult times they are still facing as the full scope of this mess begins to be understood.