The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident

Intellectual Property, Privacy and Security and Copyright and Trademark

Article Snapshot

Author(s)

Deirdre Mulligan and Aaron Perzanowski

Source

Berkeley Technology Law Journal, Vol. 22, No. 3, pp. 1157-1232, 2007

Summary

This paper asks how a major firm came to create serious security risks for consumers’ computers.

Policy Relevance

Regulators and legislators should respond to Sony’s error in distributing the “rootkit” by setting out new ground rules for software distribution.

Main Points

  • In 2005, many people discovered that digital rights management (DRM) tools used by Sony BMG on its CDs, the XCP rootkit and MediaMax, created security holes that allowed hackers access to their computers.
 
  • After the rootkit was revealed, hackers developed “Trojan horses” and other attacks to take advantage of the vulnerabilities it created.
 
  • The end user license agreement that Sony distributed did not reveal the security holes, or disclose that its technology collected data from consumers.
 
  • Sony recalled many of its CDs, and online sales plummeted. Artists objected to technological restrictions on their work. DRM-free formats took off. Consumers expect to be free to move copies of digital music from one device to another.
 
  • It is doubtful that Sony could have been ignorant of the security impact of the rootkit, because it is a technologically sophisticated firm. Sony might have chosen to keep the rootkit’s effect secret, because DRM is unpopular with consumers. 
 
  • The Digital Millennium Copyright Act (DMCA) should be amended so that its anti-circumvention provisions exempt security research and the use of tools that allow the removal of harmful technology.
    • The exemptions allowed by the Copyright Office are not enough.
 
  • The FTC should regulate how software licenses disclose aspects of the product that affect privacy and security, so that consumers’ consent is meaningful. New technology raises unexpected issues, so broad and flexible regulatory powers are helpful.
