Tuesday, June 22, 2021

Where was Sony’s Privacy Officer?

As this month’s controversy over Sony’s distribution of music CDs with

flawed digital rights management (DRM) software continues to play itself

out, the whole mess is already primed to become a classic case study in

why corporations need competent Privacy Officers to keep them out of

trouble.

According to news reports, about 20 different CD titles issued in recent

months by Sony’s BMG music distribution group have been outfitted with

software called eXtended Copy Protection (XCP). Designed to thwart

illegal copying of music files, more than two million CDs containing XCP

were shipped, mainly to retailers in the United States.

If you’re like tens of millions of music lovers around the world, you

often use your computer as your CD player, choosing to manage your music

through software like Apple’s iTunes or Yahoo’s Musicmatch.

But when you pop one of these new Sony CDs into your computer, you’ve

taken the first step on a dangerous journey into privacy violations,

security holes, draconian licensing agreements, and maybe even a broken

computer.

Making use of the CD ”autorun” feature — the default setting on most

Windows-based operating systems — the Sony software starts up

immediately when you insert one of the problematic CDs into your

computer. During the autorun sequence, the XCP software quietly installs

itself from the CD, without your explicit knowledge or permission, much

like your run-of-the-mill virus or spyware application.

At this point in the story, let me note for the record that I don’t know

whether Sony has a privacy officer. But it hardly takes a doctoral degree

in privacy to appreciate that in this era, anything with spyware-like

installation behavior is probably going to get you into trouble.

The fact that nobody at Sony stopped this from happening suggests to me

they may not have had someone on the team tasked with asking the kinds of

privacy and security questions that would have raised red flags. When

there’s nobody to see the warning signs and no one empowered to pull the

cord on the emergency brake, it becomes a lot harder to keep the train

from running off the edge of the cliff.

In the case of Sony’s software, the train was going to hit many bumps in

the track before it launched itself over that cliff.

Security analysts discovered the XCP software opens a backdoor into your

computer — mimicking the behavior of a class of malicious software that

security experts call a ‘rootkit’.

These rootkits allow another party, in this case Sony, to secretly access

your system via the Internet, allowing them to execute programs, gather

information, and send back detailed information about your computer usage

and other bits of potentially personal information about you.

In some instances, the risks posed by rootkits are considered negligible

and theoretical. That wasn’t the case with Sony’s software.

According to one of

my colleagues here at eSecurityPlanet, the bad guys already

have figured out how to exploit it to seize control of PCs.

The story of Sony’s dastardly DRM debacle doesn’t stop there. Other

security analysts have discovered even more problems. One investigator

discovered that attempting to remove XCP caused his CD drive to be

completely disabled. Another expert reported that using a removal tool

for another type of DRM software used by Sony could cause yet another

rootkit-type security hole to be left wide open.

Glaringly Obvious Problems

I can understand Sony’s desire to protect its artists’ music from being

illegally copied. I even can understand their motivation for exploring

DRM technologies like XCP.

But at every turn, the problems that have come to light are so glaring

and so obvious that it’s impossible to think that a competent pre-launch

review of the privacy and security consequences wouldn’t have caused them

to shelve the idea until the problems were solved.

Instead, what has emerged in these past few weeks is a picture of a major

corporation whose executives neither understood, nor cared, what negative

impacts their poor decision making would have.

It’s important to remember that plenty of good companies make mistakes.

But in my book, what sets a good company apart from a bad one is how they

react when their mistakes are discovered.

When interviewed on the radio, the president of Sony BMG’s Global Digital

Business, Thomas Hesse, said, ”Most people, I think, don’t even know

what a rootkit is, so why should they care about it?”

Note to Mr. Hesse: ”Who cares?” is seldom a good response.

I’m betting that Mr. Hesse didn’t know what a rootkit was before this

issue arose, and from the tone of his comments, you can be sure he still

doesn’t understand the consequences of it. Unfortunately for him, the

gross tonnage of what he doesn’t understand about how his company screwed

up only now is coming to light.

Security experts are estimating that, given the number of compromised CDs

distributed by Sony, there could be more than half a million networks

worldwide — including critical systems at banks, universities,

healthcare, and military installations — where a simple attempt to

listen to some music has resulted in computers being infected with Sony’s

rootkit. Now they’re just sitting there waiting to be hacked.

Contempt for Consumers

Throughout the controversy, it has become quite clear that it never

dawned upon Sony executives that they should give some thought to the

risks to their brand and reputation, as well as the possible legal

liabilities, arising from their DRM plans.

Looking more deeply at Sony’s efforts to protect itself against music

theft, however, suggests the problems are caused by more than just

corporate ineptitude. A careful reading of the End User License Agreement

(EULA) that is bundled with its music and software reveals a level of

contempt for consumers that is truly breathtaking.

In an analysis of the Sony EULA posted by the

Electronic Frontier Foundation, if you think you own the rights to play

the music you just bought, you’re sadly mistaken.

According to the EULA, you cannot transfer the music from the CD to your

computer. If you ever lose the CD, you also lose any rights to listen to

that CD on your iPod. If you move out of the country, fail to install any

of Sony’s rootkit software updates, or if you file bankruptcy — yes,

bankruptcy — you must immediately delete the music.

Buckling under the weight of all the negative press, Sony has announced

it is recalling all of its compromised CDs and will provide patches to

fix security holes — holes that Sony spokesmen still deny present any

security risks at all!

Unfortunately, this entire episode suggests that Sony’s executives aren’t

very clued into the concerns of consumers and haven’t yet accepted the

consequences of their poor decisions. This suggests to me that we

probably haven’t heard the last of Sony’s invasive and intrusive DRM

practices.

Now would be an excellent time for them to consider hiring a talented

privacy officer to help them negotiate the difficult times they are still

facing as the full scope of this mess begins to be understood.

Similar articles

Latest Articles

3 AI Implementations That...

I was on a joint educational call for the World Talent Economic Economic forum on mobile computing this week. We drifted to topics that...

Survey of Site Reliability...

NEW YORK — Site reliability engineers (SREs) are warning of a looming scalability ceiling and saying the adoption of AIOps isn’t happening at a...

Druva Integrates sfApex to...

SUNNYVALE, Calif. — A maker of software for cloud data protection and management is helping companies safeguard essential customer data that their sales and...

Best Data Science Tools...

Data science has transformed our world. The ability to extract insights from enormous sets of structured and unstructured data has revolutionized numerous fields —...