30 Days of DRM – Day 11: Involuntary Installation of Software (Circumvention Rights)

Yesterday's post addressed the negative impact of anti-circumvention legislation on security research.  There is another security issue that merits discussion – the involuntary installation of software that may constitute a personal security threat to individual computer users.  Such software is frequently classified as spyware – software that is placed on users' computers without their informed consent and that then proceeds to cause havoc by compromising personal information, posing an identity theft risk, sending spam, and infecting other computers.

While spyware can worm its way onto a personal computer in many different ways, inclusion within a DRM system is one possibility. The best-known example of the DRM-spyware connection is last year's (2005) Sony rootkit fiasco.

The Sony case started innocently enough with a Halloween-day blog posting by Mark Russinovich, an intrepid computer security researcher.  Russinovich discovered his own tale of horror – Sony was using a copy-protection TPM (technological protection measure) on some of its CDs that quietly installed a software program known as a "rootkit" on users' computers: software that conceals its own files, processes and registry entries from the operating system so that neither the user nor security tools can see that it is there.  The use of a rootkit set off alarm bells for Russinovich, who immediately identified it as a security risk, since hackers and virus writers frequently use the same cloaking techniques to hide programs that turn personal computers into "zombies" that send millions of spam messages, steal personal information, or launch denial of service attacks.  Moreover, attempts to uninstall the program proved difficult: when the rootkit's driver was removed, either his CD-ROM drive was no longer recognized or his computer crashed.

While Sony and the normally vocal recording industry associations stood largely silent – a company executive dismissed the concerns, stating that "most people don't even know what a rootkit is, so why should they care about it" – the repercussions escalated daily.  There were dozens of affected CDs, including releases from Canadian artists Celine Dion and Our Lady Peace.  Class action lawsuits were launched in the United States and Canada, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to detect and remove the Sony rootkit.  Researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries.

The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks.  US-CERT, the United States Computer Emergency Readiness Team, which was jointly established in 2003 by the U.S. government and the private sector to protect the Internet infrastructure from cyber-attacks, advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD."  Moreover, Stewart Baker, the U.S. Department of Homeland Security's assistant secretary for policy, admonished the music industry, reminding it that "it's very important to remember that it's your intellectual property – it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Baker is right, but governments that enact anti-circumvention legislation must share in the blame.  Not only do these policies encourage DRM use, but they also pose a security threat of their own, since the simple act of circumventing a TPM to stop DRM-supported spyware on a personal computer may itself violate the law.  It should be beyond doubt that people have the right to circumvent in order to protect their own personal security against software that is installed involuntarily and without their informed consent.  Indeed, the Australian parliamentary committee investigating TPM exceptions reached the same conclusion, recommending an exception for "circumvention for software installed involuntarily or without acceptance, or where the user has no awareness of a TPM or no reasonable control over the presence of a TPM."  Canadians deserve no less.