Sony BMG, the world’ s second largest record label, has for the past three weeks been the subject of a corporate embarrassment that rivals earlier public relations nightmares involving tampered Tylenol and contaminated Perrier. While in the short-term one of the world’ s best-known brands has suffered enormous damage (particularly given that unlike in the Tylenol case the damage is self-inflicted), the longer-term implications are even more significant – a fundamental re-thinking of policies toward digital locks known as technological protection measures (TPMs).
The Sony case started innocently enough with a Halloween-day blog posting by Mark Russinovich, an intrepid computer security researcher. Russinovich discovered his own tale of horror – Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a "rootkit" on users’ computers.
The use of the rootkit set off alarm bells for Russinovich, who immediately identified it as a potential security risk since hackers and virus writers frequently exploit such programs to turn personal computers into "zombies" that can send millions of spam messages, steal personal information, or launch denial of service attacks. Moreover, attempts to uninstall the program proved difficult, as either his CD-Rom drive was no longer recognized or his computer crashed.
Although users were presented with a series of terms and conditions that refer to software installation before launching the CD, it is safe to assume that few, if any, realized that they were creating both a security and potential privacy risk as well as setting themselves up for a "Hotel California" type program that checks in but never leaves.
While Sony and the normally vocal recording industry associations stood largely silent – a company executive dismissed the concerns stating that "most people don’t even know what a rootkit is, so why should they care about it" – the repercussions escalated daily. One group identified at least 20 affected CDs, including releases from Canadian artists Celine Dion and Our Lady Peace. Class action lawsuits were launched in the United States, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to include the Sony rootkit.
Nearly two weeks after the initial disclosure, Sony finally issued a half-hearted apology, indicating that it was suspending use of the TPM and issuing a software patch to remove the rootkit.
At about the same time things went from bad to worse. It was soon discovered that Sony’ s patch created its own security risk – potentially leaving personal computers even more vulnerable than with the initial rootkit – and was pulled from its website.
The company also recalled millions of CDs, losing tens of millions in revenue and effectively acknowledging that the CD was a hazardous product. The recall was even bigger than anticipated as Sony disclosed that there were at least 52 affected CDs. Moreover, researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries.
Finally, just when it appeared that Sony had hit bottom, analysis of the rootkit revealed that it included open source software code contrary to the applicable license. In other words, Sony itself may have infringed the copyright of a group of software programmers and be on the hook for significant copyright infringement damages.
While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers.
The incident has alerted millions of consumers to the potential misuse of TPMs as well as to the need for consumer protections from such systems. While policy makers have raced to provide legal protections for TPMs (known as anti-circumvention legislation since the provisions prohibit attempts to circumvent the digital locks), the real need is to protect against the misuse of this technology.
The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks. The U.S. Computer Emergency Response Team, which was jointly established in 2003 by the U.S. government and the private sector to protect the Internet infrastructure from cyber-attacks, advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD."
Moreover, Stewart Baker, the U.S. Department of Homeland Security’ s assistant secretary of policy, admonished the music industry, reminding them that “it’s very important to remember that it’s your intellectual property – it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days."
Baker’ s comments point, as well, to another issue that has been percolating for some time, namely that TPMs not only put users’ property at risk, but they also limit use of lawfully-acquired personal property.
Justice Ian Binnie of the Supreme Court of Canada raised this concern in a copyright case several years ago when he noted that "once an authorized copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it."
The Australian High Court expressed similar sentiments in a decision issued last month that ironically also involved Sony. It rejected Sony’ s attempt to block the use of "mod chips", utilized by video game players to unlock games with TPMs purchased outside the country, emphasizing that "the right of the individual to enjoy lawfully acquired private property (a CD ROM game or a PlayStation console purchased in another region of the world or possibly to make a backup copy of the CD ROM) would ordinarily be a right inherent in Australian law upon the acquisition of such a chattel."
The incident should also galvanize Canadian regulators and political leaders. The Privacy Commissioner of Canada should use her audit powers to investigate other potentially invasive uses of TPMs, while the Competition Bureau should consider whether Sony violated deceptive practice legislation. Moreover, Industry Minister David Emerson and Canadian Heritage Liza Frulla should reconsider their proposal to protect TPMs, which has the effect of protecting spyware, undermining consumer confidence, and ultimately reducing the sales of Canadian musical artists.
The Tylenol and Perrier debacles led to dramatic changes in corporate practice and consumer protections. Similarly, with consumer backlash against deceptive music CDs and licensing agreements, policy maker worries about the privacy and security implications of TPMs, and the courts’ concern for personal property rights, the Sony rootkit case is destined to resonate long after the dangerous CDs disappear from store shelves.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at firstname.lastname@example.org or online at www.michaelgeist.ca.