Appeared in the Toronto Star on November 21, 2005 as Sony Incident Wakeup Call For Regulators
Appeared on the BBC Online on November 21, 2005 as Sony's Long-Term Rootkit Woes
Sony BMG, the world's second largest record label, has for the past three weeks been the subject of a corporate embarrassment that rivals earlier public relations nightmares involving tampered Tylenol and contaminated Perrier. While in the short-term one of the world' s best-known brands has suffered enormous damage (particularly given that unlike in the Tylenol case the damage is self-inflicted), the longer-term implications are even more significant - a fundamental re-thinking of policies toward digital locks known as technological protection measures (TPMs).
The Sony case started innocently enough with a Halloween-day blog posting by Mark Russinovich, an intrepid computer security researcher. Russinovich discovered his own tale of horror -- Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a "rootkit" on users' computers.
The use of the rootkit set off alarm bells for Russinovich, who immediately identified it as a potential security risk since hackers and virus writers frequently exploit such programs to turn personal computers into "zombies" that can send millions of spam messages, steal personal information, or launch denial of service attacks. Moreover, attempts to uninstall the program proved difficult, as either his CD-Rom drive was no longer recognized or his computer crashed.
Although users were presented with a series of terms and conditions that refer to software installation before launching the CD, it is safe to assume that few, if any, realized that they were creating both a security and potential privacy risk as well as setting themselves up for a "Hotel California" type program that checks in but never leaves.
While Sony and the normally vocal recording industry associations stood largely silent -- a company executive dismissed the concerns stating that "most people don't even know what a rootkit is, so why should they care about it" -- the repercussions escalated daily. One group identified at least 20 affected CDs, including releases from Canadian artists Celine Dion and Our Lady Peace. Class action lawsuits were launched in the United States, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to include the Sony rootkit.
Nearly two weeks after the initial disclosure, Sony finally issued a half-hearted apology, indicating that it was suspending use of the TPM and issuing a software patch to remove the rootkit.