As this month’s controversy over Sony’s distribution of music CDs with
flawed digital rights management (DRM) software continues to play itself
out, the whole mess is already primed to become a classic case study in
why corporations need competent Privacy Officers to keep them out of
According to news reports, about 20 different CD titles issued in recent
months by Sony’s BMG music distribution group have been outfitted with
software called eXtended Copy Protection (XCP). Designed to thwart
illegal copying of music files, more than two million CDs containing XCP
were shipped, mainly to retailers in the United States.
If you’re like tens of millions of music lovers around the world, you
often use your computer as your CD player, choosing to manage your music
through software like Apple’s iTunes or Yahoo’s Musicmatch.
But when you pop one of these new Sony CDs into your computer, you’ve
taken the first step on a dangerous journey into privacy violations,
security holes, draconian licensing agreements, and maybe even a broken
Making use of the CD "autorun" feature — the default setting on most
Windows-based operating systems — the Sony software starts up
immediately when you insert one of the problematic CDs into your
computer. During the autorun sequence, the XCP software quietly installs
itself from the CD, without your explicit knowledge or permission, much
like your run-of-the-mill virus or spyware application.
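The autorun mechanism described above, as an added example that is not from the original column: a Python script that parses a disc's autorun.inf (the file Windows reads on insertion) to show which program the autorun sequence would launch, and decodes the Windows NoDriveTypeAutoRun policy value to check whether CD-ROM autorun is actually disabled. The autorun.inf contents and the policy values are constructed for illustration; reading the value from the registry is left to the administrator.

```python
import configparser

# An administrator reads the policy value from this registry location:
#   HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# Each set bit disables autorun for one drive class; 0xFF disables it everywhere.
# The bit for a class is 1 << GetDriveType() code, so CD-ROM (code 5) is 0x20.
DRIVE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
}

# Constructed sample autorun.inf, the kind of file a disc carries in its root.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=player\\launch.exe /autorun
icon=player\\disc.ico
label=Example Album
"""


def launch_commands(inf_text: str) -> dict:
    """Return the [autorun] directives that cause code to execute on insert."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    # Section and key names are case-insensitive in autorun.inf
    sections = {name.lower(): name for name in cp.sections()}
    if "autorun" not in sections:
        return {}
    section = cp[sections["autorun"]]
    return {key: section[key] for key in ("open", "shellexecute") if key in section}


def disabled_drive_types(policy_value: int) -> list:
    """Decode NoDriveTypeAutoRun into the drive classes with autorun disabled."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if policy_value & bit]


def would_autorun(inf_text: str, policy_value: int) -> bool:
    """True if inserting a disc with this autorun.inf would start a program."""
    return bool(launch_commands(inf_text)) and not policy_value & 0x20


if __name__ == "__main__":
    # 0x91 is a constructed value that leaves CD-ROM autorun enabled; 0xFF blocks all.
    for policy in (0x91, 0xFF):
        print(hex(policy), disabled_drive_types(policy),
              "runs:", would_autorun(SAMPLE_AUTORUN_INF, policy))
```
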
At this point in the story, let me note for the record that I don’t know
whether Sony has a privacy officer. But it hardly takes a doctoral degree
in privacy to appreciate that in this era, anything with spyware-like
installation behavior is probably going to get you into trouble.
The fact that nobody at Sony stopped this from happening suggests to me
they may not have had someone on the team tasked with asking the kinds of
privacy and security questions that would have raised red flags. When
there’s nobody to see the warning signs and no one empowered to pull the
cord on the emergency brake, it becomes a lot harder to keep the train
from running off the edge of the cliff.
In the case of Sony’s software, the train was going to hit many bumps in
the track before it launched itself over that cliff.
Security analysts discovered the XCP software opens a backdoor into your
computer — mimicking the behavior of a class of malicious software that
security experts call a ‘rootkit’.
These rootkits allow another party, in this case Sony, to secretly access
your system via the Internet, allowing them to execute programs, gather
information, and send back detailed information about your computer usage
and other bits of potentially personal information about you.
In some instances, the risks posed by rootkits are considered negligible
and theoretical. That wasn’t the case with Sony’s software.
According to one of my colleagues here at eSecurityPlanet, the bad guys
already have figured out how to exploit it to seize control of PCs.
The story of Sony’s dastardly DRM debacle doesn’t stop there. Other
security analysts have discovered even more problems. One investigator
discovered that attempting to remove XCP caused his CD drive to be
completely disabled. Another expert reported that using a removal tool
for another type of DRM software used by Sony could cause yet another
rootkit-type security hole to be left wide open.
Glaringly Obvious Problems
I can understand Sony’s desire to protect its artists’ music from being
illegally copied. I even can understand their motivation for exploring
DRM technologies like XCP.
But at every turn, the problems that have come to light are so glaring
and so obvious that it’s impossible to think that a competent pre-launch
review of the privacy and security consequences wouldn’t have caused them
to shelve the idea until the problems were solved.
Instead, what has emerged in these past few weeks is a picture of a major
corporation whose executives neither understood, nor cared, what negative
impacts their poor decision making would have.
It’s important to remember that plenty of good companies make mistakes.
But in my book, what sets a good company apart from a bad one is how they
react when their mistakes are discovered.
When interviewed on the radio, the president of Sony BMG’s Global Digital
Business, Thomas Hesse, said, "Most people, I think, don't even know
what a rootkit is, so why should they care about it?"
Note to Mr. Hesse: "Who cares?" is seldom a good response.
I’m betting that Mr. Hesse didn’t know what a rootkit was before this
issue arose, and from the tone of his comments, you can be sure he still
doesn't understand the consequences of it. Unfortunately for him, the
gross tonnage of what he doesn't understand about how his company screwed
up is only now coming to light.
Security experts are estimating that, given the number of compromised CDs
distributed by Sony, there could be more than half a million networks
worldwide — including critical systems at banks, universities,
healthcare, and military installations — where a simple attempt to
listen to some music has resulted in computers being infected with Sony’s
rootkit. Now they’re just sitting there waiting to be hacked.
Contempt for Consumers
Throughout the controversy, it has become quite clear that it never
dawned upon Sony executives that they should give some thought to the
risks to their brand and reputation, as well as the possible legal
liabilities, arising from their DRM plans.
Looking more deeply at Sony’s efforts to protect itself against music
theft, however, suggests the problems are caused by more than just
corporate ineptitude. A careful reading of the End User License Agreement
(EULA) that is bundled with its music and software reveals a level of
contempt for consumers that is truly breathtaking.
In an analysis of the Sony EULA posted by the
Electronic Frontier Foundation, if you think you own the rights to play
the music you just bought, you’re sadly mistaken.
According to the EULA, you cannot transfer the music from the CD to your
computer. If you ever lose the CD, you also lose any rights to listen to
that CD on your iPod. If you move out of the country, fail to install any
of Sony’s rootkit software updates, or if you file bankruptcy — yes,
bankruptcy — you must immediately delete the music.
Buckling under the weight of all the negative press, Sony has announced
it is recalling all of its compromised CDs and will provide patches to
fix security holes — holes that Sony spokesmen still deny present any
security risks at all!
Unfortunately, this entire episode suggests that Sony’s executives aren’t
very clued into the concerns of consumers and haven’t yet accepted the
consequences of their poor decisions. This suggests to me that we
probably haven’t heard the last of Sony’s invasive and intrusive DRM
Now would be an excellent time for them to consider hiring a talented
privacy officer to help them negotiate the difficult times they are still
facing as the full scope of this mess begins to be understood.