30 Days of DRM – Day 11: Involuntary Installation of Software (Circumvention Rights)

Yesterday's post addressed the negative impact of anti-circumvention legislation on security research.  There is another security issue that merits discussion: the involuntary installation of software that may constitute a personal security threat to individual computer users.  Such software is frequently classified as spyware, that is, programs placed on users' computers without their informed consent that proceed to cause havoc by compromising personal information, creating an identity theft risk, sending spam, and infecting other computers.

While spyware can worm its way onto a personal computer in many different ways, bundling it with a DRM system is one of them. The best-known example of the DRM-spyware connection is last year's Sony rootkit fiasco.

The Sony case started innocently enough with a Halloween-day blog posting by Mark Russinovich, an intrepid computer security researcher.  Russinovich discovered his own tale of horror: Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a "rootkit" on users' computers. A rootkit conceals files and processes from the operating system and from the user, and its presence set off alarm bells for Russinovich, who immediately identified it as a security risk: virus writers rely on exactly this kind of cloaking to hide their code, and other malware could shelter behind Sony's rootkit to turn personal computers into "zombies" that send millions of spam messages, steal personal information, or launch denial of service attacks.  Moreover, attempts to uninstall the program proved difficult: either his CD-ROM drive was no longer recognized or his computer crashed.

While Sony and the normally vocal recording industry associations stood largely silent (a company executive dismissed the concerns by stating that "most people don't even know what a rootkit is, so why should they care about it"), the repercussions escalated daily.  Dozens of CDs were affected, including releases from Canadian artists Celine Dion and Our Lady Peace.  Class action lawsuits were launched in the United States and Canada, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to detect and remove the Sony rootkit.  Researchers estimated that the program had reached at least 500,000 networks in 165 countries.

The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks.  The U.S. Computer Emergency Readiness Team (US-CERT), established in 2003 as a partnership between the U.S. government and the private sector to protect the Internet infrastructure from cyber-attacks, advised users not to "install software from sources that you do not expect to contain software, such as an audio CD."  Moreover, Stewart Baker, the U.S. Department of Homeland Security's assistant secretary for policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property – it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Baker is right, but governments that enact anti-circumvention legislation must share in the blame.  Not only do these policies encourage DRM use, but they also pose a security threat, since the simple act of circumventing a TPM to stop DRM-supported spyware on a personal computer may itself violate the law.  It should be beyond doubt that people have the right to circumvent in order to protect their own security against software that is installed involuntarily and without their informed consent.  Indeed, the Australian parliamentary committee investigating TPM exceptions reached the same conclusion, recommending an exception for "circumvention for software installed involuntarily or without acceptance, or where the user has no awareness of a TPM or no reasonable control over the presence of a TPM."  Canadians deserve no less.


  1. Russell McOrmond says:

    Petition in Canada
    Readers should note that there is a Canadian petition to protect Information Technology Property rights which includes:

    THEREFORE, your petitioners call upon Parliament to prohibit the application of a technical protection measure to a device without the informed consent of the owner of the device, and to prohibit the conditioning of the supply of content to the purchase or use of a device which has a technical measure applied to it. We further call upon Parliament to recognise the right of citizens to personally control their own communication devices, and to choose software based on their own personal criteria.

  2. Russell McOrmond says:

    Forgot URL
    [ link ]

  3. Eternal Sony-BMG Rootkit
    Sadly, these “rootkit” CDs are still in circulation – at libraries, smaller stores, used stores and in people’s collections. They’ll be mucking up computers for years to come. Thank you, Sony-BMG!

  4. MC
    I know that the Barenaked Ladies are opposed to a lot of this type of stuff and have formed a group opposed to much of it on behalf of the artists (which several prominent Canadian artists have joined). Have you tried contacting them and working with them?

  5. Sony's Management
    I think the management of Sony should be either thrown in jail or
    have to spend at least all their weekends and vacation time in a computer service center fixing computers till the last one is fixed. Which is a very long time because the CDs are still out there.
    At least it will make them think twice before they try this nonsense again.

    I will never buy a CD with any form of DRM or Copy control

  6. hiro protagonist says:

    note that this happens with almost every game that you buy these days (starforce in particular).

    after you install the game, you try to run it for the first time and get a 'software installed, please reboot' question, without any indication of what exactly has just happened. well, the answer is that some invasive drm software has just installed a custom driver for your ide drives (cd-rom/dvd-rom in particular), which is very well known for screwing up hardware, not uninstalling when the game is removed and a whole list of things that are at least as bad as the whole sony rootkit fiasco.

    and this is common practice for the game industry.

    visit the 'boycott starforce' site for more info on the extremely long list of games that are protected by this one drm scheme in particular, let alone the dozens of other systems that companies employ to 'protect' their games.

    [ link ]