While spyware can worm its way onto a personal computer in many different ways, inclusion within a DRM system is one of them. The best-known example of the DRM-spyware connection is last year's Sony rootkit fiasco.
While Sony and the normally vocal recording industry associations stood largely silent – a company executive dismissed the concerns stating that "most people don't even know what a rootkit is, so why should they care about it" – the repercussions escalated daily. There were dozens of affected CDs, including releases from Canadian artists Celine Dion and Our Lady Peace. Class action lawsuits were launched in the United States and Canada, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to include the Sony rootkit. Researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries.
The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks. The U.S. Computer Emergency Response Team, which was jointly established in 2003 by the U.S. government and the private sector to protect the Internet infrastructure from cyber-attacks, advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD." Moreover, Stewart Baker, the U.S. Department of Homeland Security’s assistant secretary of policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property – it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."
Baker is right, but governments that enact anti-circumvention legislation must share in the blame. Not only do these policies encourage DRM use, but they also pose a security threat of their own, since the simple act of circumventing a TPM to stop DRM-supported spyware on a personal computer may violate the law. It should be beyond doubt that people have the right to circumvent in order to protect their own personal security against software that is installed involuntarily, without their informed consent. Indeed, the Australian parliamentary committee investigating TPM exceptions reached the same conclusion, recommending an exception for "circumvention for software installed involuntarily or without acceptance, or where the user has no awareness a TPM or no reasonable control over the presence of a TPM." Canadians deserve no less.