Sony incident wake-up call for regulators
Sony BMG, the world’s second largest record label, has for the past three weeks been the subject of a corporate embarrassment that rivals earlier public relations nightmares involving tampered Tylenol and contaminated Perrier.
While in the short term one of the world’s best-known brands has suffered enormous damage (particularly given that, unlike in the Tylenol case, the damage is self-inflicted), the longer-term implications are even more significant — a fundamental rethinking of policies toward digital locks known as technological protection measures (TPMs).

The Sony case started innocently enough with a Halloween-day blog posting by Mark Russinovich, an intrepid computer programmer.
Russinovich discovered his own tale of horror — Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a “rootkit” on users’ computers. The use of the rootkit set off alarm bells for Russinovich, who immediately identified it as a potential security risk, since hackers and virus writers frequently exploit such programs to turn personal computers into “zombies” that can send millions of spam messages, steal personal information, or launch denial of service attacks. Attempts to uninstall the program proved difficult: either his CD-ROM drive was no longer recognized or his computer crashed.
Although users were presented with terms and conditions that refer to software installation before launching the CD, it is safe to assume few, if any, realized that they were creating a security and potential privacy risk or setting themselves up for a “Hotel California” program that checks in but never leaves.
While Sony and the normally vocal recording industry associations stood largely silent — a company executive dismissed the concerns, stating that “most people don’t even know what a rootkit is, so why should they care about it” — the repercussions escalated daily. One group identified at least 20 affected CDs, including releases from Canadian artists Celine Dion and Our Lady Peace.
Class action lawsuits were launched in the United States, a criminal investigation began in Italy, and anti-spyware suppliers updated their programs to include the Sony rootkit.
Nearly two weeks after the initial disclosure, Sony issued a half-hearted apology, indicating that it was suspending use of the TPM and issuing a software patch to remove the rootkit.
At about the same time, things went from bad to worse. It was discovered that Sony’s patch created its own security risk — potentially leaving personal computers even more vulnerable than with the initial rootkit — and it was pulled from Sony’s website. The company also recalled millions of CDs, losing tens of millions in revenue and effectively acknowledging that the CD was a hazardous product. The recall was even bigger than anticipated, as Sony disclosed that there were at least 52 affected CDs. Researchers estimated the damaging program had infected at least 500,000 computers in 165 countries.
Finally, just when it appeared that Sony had hit bottom, analysis of the rootkit revealed it included open source software code contrary to the applicable license. In other words, Sony itself may have infringed the copyright of a group of software programmers and be on the hook for significant copyright infringement damages.
While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers. The incident has alerted millions of consumers to the potential misuse of TPMs as well as to the need for consumer protections from such systems. While policy makers have raced to provide legal protections for TPMs (known as anti-circumvention legislation, since the provisions prohibit attempts to circumvent the digital locks), the real need is to protect against the misuse of this technology. The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks. The U.S. Computer Emergency Response Team, which was jointly established in 2003 by the U.S. government and the private sector to protect the Internet infrastructure from cyberattacks, advised users that they should not “install software from sources that you do not expect to contain software, such as an audio CD.”
Moreover, Stewart Baker, the U.S. Department of Homeland Security’s assistant secretary of policy, admonished the music industry, reminding them that “it’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”
Baker’s comments point, as well, to another issue that has been percolating for some time, namely that TPMs not only put users’ property at risk, but they also limit use of lawfully acquired personal property. Justice Ian Binnie of the Supreme Court of Canada raised this concern in a copyright case several years ago when he noted that “once an authorized copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it.” The Australian High Court expressed similar sentiments in a decision issued last month that ironically also involved Sony.
It rejected Sony’s attempt to block the use of “mod chips,” utilized by video game players to unlock games with TPMs purchased outside the country, emphasizing that “the right of the individual to enjoy lawfully acquired private property (a CD ROM game or a PlayStation console purchased in another region of the world or possibly to make a backup copy of the CD ROM) would ordinarily be a right inherent in Australian law upon the acquisition of such a chattel.”

The incident should also galvanize Canadian regulators and political leaders. The Privacy Commissioner of Canada should use her audit powers to investigate other potentially invasive uses of TPMs, while the Competition Bureau should consider whether there have been violations of deceptive practice legislation. Moreover, Industry Minister David Emerson and Canadian Heritage Minister Liza Frulla should reconsider their proposal to protect TPMs, which evidently has the effect of protecting spyware, undermining consumer confidence, and ultimately reducing the sales of Canadian musical artists.

The Tylenol and Perrier debacles led to dramatic changes in corporate practice and consumer protections.
Similarly, with consumer backlash against deceptive music CDs and licensing agreements, policy makers’ worries about the privacy and security implications of TPMs, and the courts’ concern for personal property rights, the Sony rootkit case is destined to resonate long after the dangerous CDs disappear from store shelves.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.