Sony Scandal Illuminates the Limits of the Digital Millennium Copyright Act
By Sonia Arrison

Sony used to be associated with the popular Walkman music player, but these days its brand is more likely to conjure up images of nasty spyware. The company's anti-piracy measures have created a security problem for unwary Sony customers -- and highlighted the inadequacies of a key piece of federal legislation, the Digital Millennium Copyright Act (DMCA) of 1998.

On October 31, 2005, programmer Mark Russinovich blogged about a music CD from SonyBMG that, when inserted into a user's CD drive, secretly installed software known as a “rootkit.” The software not only spied on the person’s music habits, it also made his or her computer vulnerable to hacker attacks. After the news got out, Sony released a software patch to fix the problem, but that created even more vulnerabilities.

The debacle took the computer security industry by surprise. Indeed, Sony's flawed copy-protection scheme had been in use for seven months before being discovered. Even computers run by the U.S. Department of Defense were affected, making Sony's ploy to protect its intellectual property a menace to national security.

One might ask why a big, mostly respected company would cause customers around the world to regard its actions as irresponsible and potentially malicious. Perhaps one explanation is that the company believed nobody would notice. “Most people don't even know what a rootkit is, so why should they care about it?” said Thomas Hesse, SonyBMG's president of global digital business, in an interview with National Public Radio. The problem with this response is that Sony knows what a rootkit is, and the company’s particular rootkit put users’ computers and privacy at risk.

Usually when there is a major security breach, antivirus companies scramble like mad to fix the problem. However, according to influential security analyst Bruce Schneier, that didn't happen this time. Fifteen days after Russinovich’s blog broke the story, Schneier lamented that security company McAfee had not yet removed the rootkit from its customers' computers. He pointed readers to McAfee's Web site, which still states that the company's removal of only part of Sony's code “will not impair the copyright-protection mechanisms installed from the CD.”

This apparent hesitation to fix the security problems created by Sony’s anti-piracy technology likely stems from fear of violating the draconian DMCA. A section in that law makes it illegal to circumvent anticopying technology. Indeed, Tim Wu, a law professor at Columbia University, told CNET, “It's pretty clear that circumventing Sony's controls violates the DMCA.”

This leaves consumers in a precarious position. It should not be illegal for consumers or their security company to expunge spyware that both violates privacy and creates security risks.

Some representatives in Congress recognize these problems and have introduced legislation to address the spyware issue, but getting the balance right is difficult. Defining spyware is hard because it's possible for a software function to be legitimate in one instance and not legitimate in another. The worry is that Congress will unwittingly make the creation or use of some technologies a crime -- a situation that would make things worse, not better.

When it comes to poor actors in the marketplace, the Sony story shows that a free and open society will respond quickly and effectively. Sony has already issued a recall for all the offending CDs. To protect companies that do engage in best practices, TRUSTe announced the creation of its “Trusted Download” self-regulation program for the downloadable-software industry. And one can bet that no other content company wants to go through the brand damage that befell Sony.

The real problem is a poorly crafted law that gives undue power to content owners and creates fear in the security industry. Instead of focusing on new spyware legislation that could potentially harm technology innovation, Congress should fix the DMCA.

Sonia Arrison is director of the Pacific Research Institute. This article is extracted from a piece she published in TechNewsWorld in December.