A Legal Analysis of the Sony BMG Rootkit Debacle

YIAAL writes "Two lawyers from the Berkeley Center for Law and Technology look at the Sony BMG Rootkit debacle: 'The Article first addresses the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, and argues that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict these harms on the public.' Yes, under 'even the most charitable interpretation' it was a lousy idea. The article also suggests some changes to the DMCA to protect consumers from this sort of intrusive, and security-undermining, technique in the future."

Nothing like...

[ellenbee]

Good old greed..

Re:

[donaldm]

I suppose anything that uses DRM protection can be considered greed because this uses some form of stealth to stop so called unauthorised use.

Actually I think you really need to define what a root-kit is http://en.wikipedia.org/wiki/Rootkit [wikipedia.org] (I particularly like the part about "non-hostile rootkits") and in the case of the Sony-BMG root-kit it all boiled down to DRM and greed if you like which actually installed hidden files which were difficult to find by "normal" means. Ok this was not a good thing but

Re:

[level_headed_midwest]

Actually I think you really need to define what a root-kit is http://en.wikipedia.org/wiki/Rootkit [wikipedia.org] (I particularly like the part about "non-hostile rootkits")

If somebody does something to my computer that is intended to be hidden from my knowledge and prevents me from doing something with my computer, I sure as hell consider it hostile.

Re:

[iminplaya]

They don't even care about money.

Look at it this way. During the time you spend filling the tank in your H2, you will have made ten or twenty times the the money you will spend on the gas. You don't need to care about the money. It ended up being a pittance anyway. They effectively lost nothing. And consumers still flock to buy their stuff as fast as they can put it out. How much longer till someone discovers XCP v2.0? Rinse, repeat. v3...4...5 This won't stop until we vote their shills out of office and qu

Re:

[infonography]

They don't even care about money.

Look at it this way. During the time you spend filling the tank in your H2, you will have made ten or twenty times the the money you will spend on the gas. You don't need to care about the money. It ended up being a pittance anyway. They effectively lost nothing. And consumers still flock to buy their stuff as fast as they can put it out. SNIP

Sony doesn't care, They only have that end of the biz to offset the huge buckets of money they get from their electronics and movie side. Rock stars are whinny little bitches with attitudes. They make no money from Sony until the fourth album and most of their living comes off their concerts. Oh and Sony gets a nice slice of that too.

And nobody bothers with Payola anymore as they stations get a slice of the concerts that they promote. Maybe the DJs get some duckets from up and comers but self interest on t

Re:

[Boycott BMG]

In fact Sony/BMG gets no money from electronics because they don't make electronics. Sony Corporation makes electronics. Sony/BMG is not Sony, that's why they have the "BMG" in their name. In case you were interested Sony/BMG was formed by the combination of spinoffs Sony Music and 'B'ertelsmann 'M'usic 'G'roup, with all of the higher ups from the Bertelsmann side. It is 50/50 owned by Sony and Bertelsmann.

Re:

[NeoSkink]

This won't stop until we vote their shills out of office and quit buying their "crappy" products, from them and from any other company in their portfolio.

And I'd love to! I really would! But how do you find independent music?

Labels provide advertisement and exposure. I know what artists I like because I hear them on the radio, in movies and coke commercials. I'd like to switch to supporting independent artists (because like all of Slashdot, the labels really piss me off) but I don't know how to find the

Re:

[iminplaya]

But how do you find independent music?

You're not serious! My god They're all over the place. Playing at your local bar, park, what have you. They advertise in the papers sometimes. They're all over this new fangled "internet" thing. Of course the majors are trying to put an end to that. I wouldn't know where to begin, the options are so many. There still might be some decent college stations around. Start here [google.com] maybe? That alone should keep you occupied for the rest of the day.

It's the wee hours...

[explosivejared]

... of the morning, so I'll bite. I'll admit that I only got as far as reading the abstract, so sue me. I really don't see the need for a journal published paper to dissect the situation. Sony got caught up in the zeitgeist over Napster and how digital distribution was going to destroy their business model, just like how Hollywood freaked over the VCR. I think paranoia and utter indifference to the customer pretty much sums up the whole situation. Other than that, I don't see the need to dredge up a two-yea

Re:

[qzjul]

My immediate thoughts upon reading it were quite the opposite actually: Having a journal article written about this might make these issues more difficult for congress to ignore or dismiss as sensationalism; if they actually take note, those who are not already in the pockets of the recording industry may find it more difficult to follow those who are.

Any piece of solid, credible research that demonstrates the reality of the situation is welcomed by me; eventually - if enough of these sorts of things are

Its a moral issue.

[Anonymous Coward]

This shouldn't be about laws, its a moral issue.

Laws don't and should not be the only guiding factor in the actions of people or corporations. It is not the case that anything specifically prevented by law is allowed. A person or corporation should also be a good citizen, and there are things you just should not do, such as inflict root kits on other people's computers.

The question then is; how did somebody at Sony arrive at the conclusion that they should try to protect their IP right in this manner?

Waas this a comittee decision where moral judgement went out the window in a corporate meeting? Or are people at Sony severely lacking personal moral judgement?

I would like to know.

Re:Its a moral issue.

[arivanov]

The problem is that morals are specifically off the society book nowdays. Standalone (without religios tint) morals and how society functions are not something kids study in school or at home. At best they get a version which was skewed and slanted through the prism of their family religion. At worst they do not get anything. The situation is same all over US, UK and most of Europe. The rest of the world closely follows.

Sigh... As usually Heinlein "Starship Troopers" is probably right. We need "History and Moral Philosophy" lessons in school. Though there is noone to teach them in the current generation.

Re:

[rucs_hack]

Sigh... As usually Heinlein "Starship Troopers" is probably right. We need "History and Moral Philosophy" lessons in school. Though there is noone to teach them in the current generation.

Quite probably, but his main point, which that lesson was supposed to back up, was granting of franchise only on completion of public service. You'd never get that one through.

As much as I like that story, and its one of my all time favorite books, it starts with the premise that returning soldiers would essentially take ov

Re:Its a moral issue.

[BlueStrat]

As much as I like that story, and its one of my all time favorite books, it starts with the premise that returning soldiers would essentially take over the world and everything would be wonderful thereafter. History has shown quite clearly that every time this occurs things go badly.

Except that they don't become "Citizens" until *after* they have served, and are no longer in the military. History has indeed shown that when the military takes over the government, then yes, bad things happen. But that's not the system that was described. It was civilians who had *previously* served in the military. Even today, one of the qualifications that many people look for in their elected leaders is previous military service.

History has shown that when citizens are ignorant of history, the means by which they both first gained and retain their freedoms, and by which their country remains free from attack, very bad things happen. Pearl Harbor happened because Japan saw that America after WW1 had shrunk their military to a fraction of its' previous strength, and the citizens and most of the government had a policy of isolationism and retreat from world conflict. Japan failed to take into account the American peoples' outrage and anger, and the sleeping industrial might America could bring to bear.

The surest way to get robbed in a big city is to look and act like a victim. The surest way to start a war is to appear conquerable to other nations with acceptable losses. That's precisely what the people who advocate unilateral disarmament, and also those who preach disengagement when targeted by terrorists, fail to understand.

As to the Sony/BMG rootkit incident, as long as the punishment for getting caught in bad corporate behavior is acceptable, expect to see such behavior repeated.

Cheers!

Strat

Minor correction

[Nursie]

"Even today, one of the qualifications that many people look for in their elected leaders is previous military service."

"Even today, one of the qualifications that many people IN THE USA look for in their elected leaders is previous military service."

The US has a weird, hyper-patriotic society that a lot of Europeans find bizarre, brainwashing and militaristic.

And only giving the franchise to people who have previously served in the military? Screw you! What gives you the right to decide that? What gives those citizens the right to decide how everyone else gets to live? Nothing whatsoever.

Re:

[mangu]

And only giving the franchise to people who have previously served in the military? Screw you! What gives you the right to decide that? What gives those citizens the right to decide how everyone else gets to live?

If you do not feel ready to stand up to the bullies, then what are you complaining about? Either *you* decide how you get to live or someone else will. Ethics will only survive if there are enough people ready to defend basic principles, even by force if necessary.

The simple fact is that if you are

Re:

[Nursie]

Ah, right, so if I don't join the military I'm not interested in my rights. Gotcha.

Because I couldn't possibly care about my right to choose my own battles, rather than become the tool of a.... tool like George Bush.

No, I will not fight for the state. The state will never be aligned with every individual and the individual should never be subsumed into the state if he wants a say.

Re:

[Ernesto Alvarez]

And only giving the franchise to people who have previously served in the military? Screw you! What gives you the right to decide that? What gives those citizens the right to decide how everyone else gets to live? Nothing whatsoever.

You haven't read the book, have you? The rationale is explained there.

First, military service is not the only way of getting a franchise, there are other ways, although military service would be the most common way. People incapable of fighting would get their chance too.

The ide

Re:

[Nursie]

"The rationale behind that is people willing to risk their life for others would value the well being of society above theirs, so they would be great leaders that protect society instead of filling their own pockets with cash or abusing their power for their own benefit."

Yes, makes perfect sense.

Did you know Robert Mugabe was a military hero in Zimbabwe before turning into today's repressive dictator?
And that many dictators come from military backgrounds and are propped up by military support?

Mr Heinlein h

Re:

[civilizedINTENSITY]

Would you consider fighting forest fires? Working as a Nurses Aid in ghetto clinics? Riding in ambulances that service ghetto areas? There are many areas of service that would qualify...

Re:

[bentcd]

The idea is that in order to be a citizen you need to risk your life defending your species. The usual way is fighting, but might be testing drugs, or equipment, or exploration, etc. The rationale behind that is people willing to risk their life for others would value the well being of society above theirs, so they would be great leaders that protect society (...)

Or else they just have an endorphine addiction.

Re:

[coolGuyZak]

And only giving the franchise to people who have previously served in the military? Screw you! What gives you the right to decide that? What gives those citizens the right to decide how everyone else gets to live? Nothing whatsoever.

In theory, democratic legitimacy grants those citizens the authority to prompt everyone for military service. In the case of the US, our constitution would need to be rewritten to award citizenship after service, but nothing prevents forced participation in the military (save p

Re:

[Nursie]

The thing that gets me is that you're no longer describing a free society. You're describing one in which you need to perform certain duties before you can have a voice. And if we're talking about military service (which you're not doing exclusively) then the very point of it is to change people and break down their differences and opinions and subsume them to the chain of authority.

I have no problem with anyone who considers service to their society a moral duty. But make it a legal one and you're crossing

Re:

[coolGuyZak]

Well, my ideas don't preclude you from voicing an opinion during service, albeit I realize that's how our military works at present. I hadn't thought of that particular ramification, though. I'll have to ponder it for a while.

But make it a legal one and you're crossing the line to something other than participatory democracy and the right of man to self determination, IMHO.

In my opinion, democracy is not participatory, it is not something you should choose to do. Participatory democracy falls to apathy, an

Re:

[Nursie]

Oh indubitably you'd end up with a nicer city. You'd also end up with people trying to buy their way out of it, or around it. You'd end up with folks refusing. Lots of very indignant people refusing to take part as they don't see why they owe anything to the rest of those a**holes out there.

And I'd have some sympathy with them. I work hard and pay my taxes. My time is worth more to me, to the economy and to the tax office when it's invested in what I'm most skilled at. Why should I not pay others to clean m

Re:

[Nursie]

"It's the USAs' military might that saved Europe in WW1 and WW2"

That's a subject for debate, not proclamation, as is the rest of your nonsense about soviet satellites. Plus, given the Iraqi mess and the despicable things your country asks of its allies, I'm willing to say we don't want your sort of protection. And we don't need it.

"Plus, we're talking theoretically about a science fiction novel."

And people are proposing it as a good model and a natural one. It's not, it's only in the US that the military ar

Re:Minor correction

[BlueStrat]

"It's the USAs' military might that saved Europe in WW1 and WW2"

That's a subject for debate, not proclamation...

I think Britain, France and Italy might might disagree. Without the USA's support, Britain would have been invaded by the Nazis. France and Italy were liberated.

And people are proposing it as a good model and a natural one. It's not, it's only in the US that the military are seen as some sort of gods.

I don't know whose post you're responding to here. I said nothing about anyone being gods nor does anyone I know in the USA think of the military in that way or even close. Nor was I seriously proposing the Starship Troopers society as an actual model. Just the un-arguable fact that a weak military invites attack from others that have expansionist aims.

Cheers!

Strat

Re:

[ucblockhead]

The Battle of Britain, in which Britain gained air superiority thus dooming any invasion attempt, occurred before the US entered the war. At best, US support prevented Britain from suing for peace, which it probably would have been forced to do without American supplies, but it would have likely retained its independence.

Without US support, France and Italy would likely have been "liberated" by the Russians.

Re:

[bentcd]

It's the USAs' military might that saved Europe in WW1 (...)

Europe didn't need much "saving" in WW1. What the US did was at best to help decide which wrong side would win. WW1 was a classical European war in that its long-term effects would be rather minor whichever side won (as always, I am sure Alsace/Elsaß and Lorraine/Lothringen might change sides, etc.).

The real long-term fallout from WW1 (if we ignore WW2) was the fall of the colonial empires, but that happened in spite of the biggest of them being one of the winners of that war.

Mods are having a bad morning, again.

[ColdWetDog]

That's about an un-trollish response (to a possibly trollish GP) that I've seen downmodded.

Short note to the person with mod points -

- CAREFULLY read the post that you are considering moderating.
- ALWAYS take ALL of your medication as prescribed
- READ the Slashdot FAQ again.
- DO NOT taunt happy fun ball.

Re:

[Nursie]

"Europe has had the hyper-patriotic societies that led the world to war."

Why do you think that looking at the US concerns us so?

"you don't even know what the words "hyper" and "patriotic" mean."

Hmmm, lets look at some definitions. "Hyper" [google.co.uk] - prefix meaning excessive, above, or beyond, eg, hyperactive.
"Patriotic" [google.co.uk] - Inspired by love for you country.

So, hyper-patriotic would be "excessively inspired by love for your country", which is exactly what I meant. The flag worship, the daily pledge recitations, the "GA

Dear moderators

[Nursie]

Whilst my above post is off topic, I'm not sure I see how it's a troll, I'm merely continuing the discussion and answering the points raised by the parent post. It's not even a particularly inflammatory post.

Of course, I guess "troll" will do because there is no "-1 anti-american" and I appear to have touched a nerve with this one.

Re:

[elrous0]

I'm sorry, but I grew up a military brat. Most of the soldiers that I knew, both active and retired, were close-minded, mean-spirited dolts too damn stupid for college and in too much trouble for any other job. Sorry if that sounds harsh, but it's the truth. The term "G.I." was all but a curse word among civilians where I grew up (around Army bases). I know I'm supposed to be all like "our brave, noble, men and women in uniform" and all that, but it's nothing like that in real life living around those peopl

Re:Its a moral issue.

[lareader]

Just a minor thing on Starship Troopers:
Not all the people who volunteered for public service ended up as soldiers - they simply ended up doing what their society thought it needed and they had the ability to do.

Heinlein actually wrote a bit about the "world" of Starship Troopers in Expanding Universe (in a retrospective on his literary career).
At the time when the events in the book take place, quite a lot of people were needed as soldiers - but due to the way we people are wired (with tight-nit social groups as soldiers), soldiers were usually the last to stop serving in public and thus the last to actually get to vote.
Yes, you didn't get the franchise until *after* you've stopped serving in that world.

I do agree that the premise is shaky - but the idea of not giving everyone franchise just because they were 18 years old and alive was one of the ideas Heinlein was toying with in that book.
Of course, he argued that clearly the founders of US of A never intended everyone to get the franchise either - his criterion were simply a bit more merit-based.

In Expanding Universe he did mention that the idea of having stable people with a stake in maintaining a working society as a rather good idea, and goes on arguing for removing the franchise from men and giving it to women who have born children, as they have a personal reason for being interested in having a society that works... and makes a rather convincing argument of it.

I can heartily recommend Expanding Universe if you are interested in what Heinlein said he was thinking when writing.
As with all things written down, of course, you must consider the source - but I got a lot of amusement out of his writings, and like his meritocratic views personally.
The book "Requiem" is also a good read, if a trifle sad at times - but it did contain his speeches at a few scifi conventions which I hadn't read - highly interesting for a person not born until the last years of the Red Scare.

(Sorry for pushing Heinlein, but I really liked those books and they represent a very enlightening perspective on what Heinlein professed to believe.)

Re:

[rucs_hack]

Ooh, I had no idea he wrote further on the Starship troopers universe. I'll get with the buying right away.

Thanks for that one.

Re:

[vtcodger]

***Quite probably, but his main point, which that lesson was supposed to back up, was granting of franchise only on completion of public service. You'd never get that one through.***

Eh, why not? The US political system accepts more peculiar stuff than that every year -- DMCA, prohibition, NAFTA, the War on Drugs, Guantanamo. A few TV ads; a couple of movies; an all out offensive on the talk shows; (and a grandfather clause for the current crop of reprobates). I think it'd be an easy sell.

***As much

Re:

[rucs_hack]

Actually, history pretty much neutral on the subject. Military men are not necessarily either authoritarian or pro-war. Witness Carter (he's an Annapolis graduate and served 7 years on active duty) or Colin Powell who seems to have been the only guy in the top rank of the Bush administration who tried to head off the Iraq fiasco. Not that military men are necessarily the best men to put in charge. Some -- Washington, Eisenhower -- did pretty well. Some didn't.

All those men you speak of were elected, and the

Re:

[dpilot]

It's also worth mentioning that of the 2001 Bush administration, the only higher-up who had front-rank military service was Sec'y of State Colin Powell, and though he eventually went along with the "slam-dunk" arguments for invading Iraq, he was also the only higher-up who dragged his feet on the issue. Other members of the Bush administration generally served in the National Guard or had other means of draft deferment. In the 60's and 70's, even though the US had many times more soldiers in Viet Nam, the

Re:

[kmac06]

Let me get this straight...rather than the family instilling values in their children, you think it should be the responsibility of the GOVERNMENT RUN SCHOOLS to teach people morality?

Maybe we should just skip this step, and go straight to government reeducation centers.

Re:

[Hal_Porter]

Islam certainly teaches a system of morality. Whether it is the one you want taught is another matter.

http://humanists.net/alisina/islamic_morality.htm [humanists.net]

Re:

[arivanov]

Read my post again. The bit about "prism of religion". In fact Islam and the Evangelicals was exactly what I meant there. Sigh...

Re:

[arivanov]

Ugh... The movie... Puke...

It has nothing to do with the original message from the novel. The novel had a number of very powerful messages regarding social structure, moral, etc. These are all absent from the film. And in the novel the enemy was anything but low tech.

What is this morality you speak of?

[EmbeddedJanitor]

Most companies, like most people, will take what they can. Only the law limits what most companies/people would take. Is it morally right that some have so much, and continue to take, while some have so little and seem to have less each day? It should not be like that, but it is.

Re:Its a moral issue.

[phalse phace]

"The question then is; how did somebody at Sony arrive at the conclusion that they should try to protect their IP right in this manner?"

Seems like when it comes to protecting their a$$e$, they don't care about morals. Anything goes. It's sad to say, but it all comes down to the all mighty dollar for these companies/corporations.

Then again, I'm a cynic.

Re:

[Tim C]

Laws are there to make immoral and amoral people act according to the moral will of society.

In other words, laws enforce society's idea of moral behaviour.

Re:

[Karellen]

It's one of the reasons I run Linux -

"Let's put it this way: if you need to ask a lawyer whether what you do is "right" or not, you are morally corrupt. Let's not go there. We don't base our morality on law."

  -- Linus Torvalds

Re:Its a moral issue.

[Frater 219]

The question then is; how did somebody at Sony arrive at the conclusion that they should try to protect their IP right in this manner?

This is probably not best discussed in terms of "protecting IP rights" but rather in terms of:

1. Individual decision-makers in the organization trying to protect their own personal interests (cover your ass, look busy, do something!);
2. An interest in seizing control (squatting, adverse possession, invasion) of the user's desktop, in order to use that as a foothold to greater control over the medium;
3. High-pressure and deceptive sales tactics by the spyware makers.

Someone at Sony was charged with "doing something" and "making the piracy problem go away". They were desperate. They also wanted something to show for their efforts, namely, an ability to exercise power on user desktops. (Recall, the copyright terrorists have long wanted "self-help" capabilities that amount to sabotaging users' property at will.)

Spyware must have seemed like a perfect solution: it doesn't just "do something" about the pirates, it accomplishes a long-standing goal of seizing greater control of the medium. It is not at all about "IP rights"; it's about power -- in this case, about ripping power out of the users' hands.

Re:

[inviolet]

Spyware must have seemed like a perfect solution: it doesn't just "do something" about the pirates, it accomplishes a long-standing goal of seizing greater control of the medium. It is not at all about "IP rights"; it's about power -- in this case, about ripping power out of the users' hands.

There are only three basic goals that humans pursue:

• pride,
• power (aka money), and
• pussy

And deep down in our genes, the first two are little more than a means to the third. ('Novelty' may be in there too, but proba

Reminds me of a sign I saw in a Wal-Mart

[langelgjm]

Laws don't and should not be the only guiding factor in the actions of people or corporations.

Heh, reminds me of a sign I saw in a Wal-Mart. "Buying tobacco for minors: It's not just wrong, it's illegal." As if being wrong isn't a good enough reason not to do it?

Re:

[Hatta]

It *is* about laws. Computer hacking is illegal. It's also about the failure of our government to enforce those laws.

Re:

[Hal_Porter]

this article uncovers the modivation behind the rootkit project... Rootkit Open Sourced (link to http://fohootville.myminicity.com/ [myminicity.com] )

Link in parent is some sort of datamining site

[06:52] gotcha: MyMiniCity is designed to capture information from all its visitors. thank you for your participation.

Precedent.

[Raindance]

It was a push on legal norms. The recording industry has done it before, and more successfully.

A quote from Lessig's Free Culture:

After Vivendi purchased MP3.com, Vivendi turned around and filed a malpractice lawsuit against the lawyers who had advised it that they had a good faith claim that the service they wanted to offer would be considered legal under copyright law. This lawsuit alleged that it should have been obvious that the courts would find this behavior illegal; therefore, this lawsuit sought to punish any lawyer who had dared to suggest that the law was less restrictive than the labels demanded.

Legal norms are not just about judicial precedent.

Auto-run is evil

[0123456]

Of course this would be a non-issue if Windows didn't automatically run software when you put a CD in the drive; this is just another reason why auto-run is an insanely bad idea.

Re:

[QuantumG]

you're not just whistl'n Dixey brother [insomnia.org].

Re:Auto-run is evil

[RuBLed]

say bye bye to autorun.inf...

One quick trick prevents Autorun attacks [windowssecrets.com]

Re:

[z0idberg]

Autoplay have fuck all to do with it.

To play the music on your PC you have to run the player software that is on the CD.

So if you want to play music through your PC, whether autorun runs it or you run it you end up rooted. Autorun gets you rooted quicker, but even if autorun was never invented the issue still exists.

Am I missing something?

[SanityInAnarchy]

The entire reason you need the software to play this music is because when you first inserted the CD, it installed itself and made sure of that.

So if you had autorun/autoplay completely disabled, you could run, say, Windows CD Player, and play it without running any software off the disc.

Or you could boot Linux and just play it.

Re:

[Hal_Porter]

Vista prompts you before autorunning stuff

http://www.phdcc.com/shellrun/autorun.htm [phdcc.com]

And actually from the same link -

In Windows NT4, 2000 and XP systems, only Administrators and Power Users can use AutoRun.

Re:

[Cro Magnon]

In Windows NT4, 2000 and XP systems, everyone is an Administrator/Power User. Except maybe Aunt Tillie, who got her account set to "limited" by her geek nephew.

Re:

[SanityInAnarchy]

Can you imagine the outcry if MS decided that Windows no longer had any form of auto run capability? Things like that are what make users switch platforms.

No other platform that I know of has autorun, and no one seems to care, except on Windows.

Specifically, my Linux has an autoplay-like capability -- if it sees an audio CD, it prompts me to run Amarok. If it sees a DVD, it prompts me to run Kaffeine. And if it sees a CD full of images, it might prompt me to run Gwenview. If it doesn't know what to do, it

I'll try one more time

[zappepcs]

Can we please get an Icon that has a foot and a handgun?

what they are really saying is...

[Simonetta]

the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measur

what their saying (reformated better)

[Simonetta]

...the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems...
  That's pretty simple. They thought that there was a vast network of 13-year-old superhackers that were going to destroy the company by sharing files of music recordings. Then some schmuck (names? anyone who knows?) in the firmware special projects department told some marketing manager that he knew how to keep 13-year-old superhackers from copying music from CDs by simply adding a little piece of code. ...demonstrates a failure to adequately value security and privacy.
  The only security and privacy that they care about is their own. These concepts don't exist for people who are not executives in the company. Especially customers.

... then-existing technological environment that both encouraged and enabled the distribution of these protection measures...
  "Since we own the music on the disk that is placed into a computer CD drive, we, by the simple and obvious extension of corporate logic, thereby own the computer and all of the data inside it." If you want to become a corporate executive, you need to start thinking like one. ... flawed protection measures...
  If it keeps ordinary people from copying stupid pop songs from our CDs, then it is not flawed. If it destroys or corrupts the data on user's PC, we don't care. Serves them right as they are supposed to only be listening to CDs on a real Sony CD player. After all, we invented the CD so we can set the terms on its use. ... contract, intellectual property, and consumer protection law... ...is whatever the hell Sony's legal department says it is. And we have many, many millions of dollars, euro, UK pounds, or yen to prove it. Without the cash, talk is trash.

... Yes, under 'even the most charitable interpretation' it was a lousy idea...
Next year's rootkit software will work. And the first thing that it will do is send your name and address to our lawyer's office who will prepare a standardized form charging you with theft of intellectual property (which is some illiterate junkie thug under Sony corporate contract moaning 'baby, baby, baby' over and over). Our bot software will then serve this to anyone who puts a Sony music CD into any device with internet access (unless, of course, the device is a $999 Sony model DRM-XKE CD player with hi-def 2-inch LCD screen and wireless internet access). After all, we invented the CD so we can set the terms on its use.

suggests some changes to the DMCA ...
    The only changes that our legal department will allow the US politicians to pass will be ones that increase the criminal penalties for possession of music. This will happen when Sony completes its corporate merger with Wackenhut and CCA and completes the vast network of corporate prisons being built in distant lands. These will be needed to hold the vast number of unemployed former American college students who not only illegally listened to music, but also fell behind on their student loan payments.

Re:what their saying (reformated better)

[mpe]

The only security and privacy that they care about is their own. These concepts don't exist for people who are not executives in the company. Especially customers.

Add "copyrights" to the list. Since there are several cases showing how little the "entertainments" industry cares about other people's copyrights.

The only changes that our legal department will allow the US politicians to pass will be ones that increase the criminal penalties for possession of music.

Unless someone can get the changes sneaked past. e.g. something tacked onto the end on an anti-terrorism bill :)

Re:

[Sique]

The only security and privacy that they care about is their own. These concepts don't exist for people who are not executives in the company. Especially customers.

Add "copyrights" to the list. Since there are several cases showing how little the "entertainments" industry cares about other people's copyrights.

The Sony BMC Rootkit was actually one of those examples. First4Internet used GPLed code and didn't publish the source for their product, and neither did Sony BMC which distributed First4Internet's modifications.

So Sony BMC was infringing on someone else's copyright there.

Left hand, meet right hand

[QuantumFTL]

Unfortunately, due to scaling problems, any sufficiently large and diverse corporation will have components that exhibit behavior that are detrimental to other components, or even the whole. While this can be reduced and discouraged, I do not believe it can be completely solved - something will always manage to slip its way through the cracks.

Sony has a huge image problem (especially among the geek elite) due to this effect, and due to the fact that its goals do not seem to align with the geeks of Slash

Re:Left hand, meet right hand

[otomo_1001]

And now meet what I like to call handcuffs.

An easy solution to this problem, and it would only take a few instances, would be to seize all assets of the company in question and begin prosecution. If corporations are damn near treated like real humans, then let them see the other side of the coin. Make every failure in process hurt them where it matters, I guarantee we won't have this happen again. Or we end up with less corporations willing to "risk" product release in the US.

As it stands companies can seemingly get away with whatever they want to protect their business model.

Re:

[philipgar]

I think someone should be in handcuffs over this. At least a much more sever punishment. i don't agree that all of Sony should be split up or bankrupted over this, but the people who let this through at the top should have some serious punishments. I know if I installed rootkits on Sony's computers, and then logged remotely into them, and got caught, I'd likely be charged with computer crimes (or whatever the proper term is), and sent to jail for a couple years. Why if a major company does the same thi

Re:

[QuantumFTL]

As someone who has worked on magnetohydrodynamic simulations on a massively parallel cluster (#50 supercomputer in the world, at the time), I can say that the Cell architecture is not well supported by current programming language paradigms. And, if you look at the current crop of PS3 games, it's clear that they are not living up to the potential of the hardware - with all of it's power it should blow away the 360, and yet it does not.

That's not why I hate the PS3. It's just that, well, I like to have f

Re:

[account_deleted]

Comment removed based on user account deletion

Law

[Archangel Michael]

"The article also suggests some changes to the DMCA to protect consumers from this sort of intrusive, and security-undermining, technique in the future."

How about this, when an industry pushes legislative half assed measures and gets them passed in to law, they forfeit normal protections afforded every other group out there.

In this case DMCA law prohibits the consumer from doing all sorts of things, in an effort to protect a particular industry. Since Sony installed, without permission, software that effectively broke computers, they'd held to a HIGHER standard than any other organization.

In this case the law should have revoked the corporate charter surrendered all assets to the government. Since the Corporation is a "legal" entity, the same as a person, the government should treat it exactly like a person caught doing the same thing.

My $.02

Re:

[Hatta]

We shouldn't need another law in this case. We already have laws against computer hacking. If any individual had done what Sony did, they would have gone to jail for a long, long time. Yet Sony doesn't even get a slap on the wrist.

What we really need is a way to prevent this kind of selective enforcement of the law. Perhaps the failure of the government to prosecute a clear cut case of computer hacking should serve as a defense in future cases of computer hacking. If Sony can get away with putting a t

Legal solution?

[Kohath]

Why is a legal solution needed? Clearly, the whole incident worked out very badly for Sony-BMG. Any company can see this example and determine that this kind of software should not be used.

I don't hit my hand with a hammer, even though no law that restrains me from doing it. Is there a role for government in keeping folks from hitting their hand with a hammer?

Re:

[Nursie]

Yeah, what with them filing for bankruptcy and pretty much giving stuff away just to get some cash flow as the general public decided to completely boycott...

Oh, wait, that's not what happened at all. Here's what happened - outside of a few geeks and a couple of other unlucky folks nobody cared. And even of those that did care, only a few geeks still do. Everyone else either didn't hear about it, didn't understand it, didn't care about it, or forgot. That's the way of the world.

Re:

[Kohath]

Yeah, what with them filing for bankruptcy and pretty much giving stuff away just to get some cash flow as the general public decided to completely boycott...

So every last person who worked for Sony BMG should have lost their job? And every investor in Sony BMG should have lost their entire investment?

You must believe in the death penalty for every crime then too.

...outside of a few geeks and a couple of other unlucky folks nobody cared...

It seems like most people cared in approximate proportion to the am

Re:

[PolyDwarf]

It seems like most people cared in approximate proportion to the amount of damage caused -- not much. And some people cared because they hate various people or entities for whatever reason and they want their chosen enemies destroyed. You seem to be in the second group.

So, with that logic, no personal crime should have punishment, because the vast majority of people don't care about it. Why would I care if someone's car got carjacked in Minneapolis, when I'm in Phoenix?

And yet, there are punishments for th

Re:

[Kohath]

Why would I care if someone's car got carjacked in Minneapolis, when I'm in Phoenix?

Why should you? What makes it any of your business? I'm sure the folks in Minneapolis can take care of their own problems without your input. Not everything is about you.

And those punishments are sometimes strict enough to cause that person to not do it again.

In this case, it was. There's no benefit in doing this again. There was no benefit in doing it the first time. And there are some hefty consequences. So no one w

Re:

[Kohath]

I don't think that's an entirely accurate analogy.

There's no such thing as an entirely accurate analogy.

But the point is that Sony-BMG wishes they'd never used that software. They won't do it again. No one who knows about the situation would ever do it again. Isn't that the desired result?

So, since the desired result is already achieved without a new "legal solution", why do we need a new "legal solution"?

Remember Sony/BMG and Sony Corp aren't the same

[Boycott BMG]

The rootkit was put on those CDs by Sony/BMG, which is a separate entity that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group). Furthermore, the people at the top, who make all of the important decisions are all from the BMG side. So, if either company is more to blame, it is Bertelsmann. Does this mean you should boycott Bertelsmann? It does seem a bit silly to boycott Random House (major book publisher and Bertelsmann subsidiary) over what happened to some music CDs, and yet that is what some are doing w.r.t. Sony Vaio, Sony cameras, etc. My suggestion would be to boycott the product that Sony/BMG puts out-their music CDs.

Re:

[AlXtreme]

It does seem a bit silly to boycott Random House (major book publisher and Bertelsmann subsidiary) over what happened to some music CDs

Why does that seem silly? I say boycott both Sony and Bertelsmann, and all their subsidiaries. Give a clear signal to those in charge that you don't want to put up with BS like this: vote with your money and shop somewhere else.

Re:

[CoolGopher]

Does this mean you should boycott Bertelsmann? It does seem a bit silly to boycott Random House (major book publisher and Bertelsmann subsidiary) over what happened to some music CDs, and yet that is what some are doing w.r.t. Sony Vaio, Sony cameras, etc.

Or maybe that's just what's needed. A bit of collateral damage to cause corporations to tell other corporations to lay off the bad moves. Because so far just having a bunch of customers doing it hasn't worked.

Re:

[line-bundle]

The rootkit was put on those CDs by Sony/BMG, which is a separate entity that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group).

I was going to mod you down, but here goes.

Even though Sony/BMG is a separate entity it still has the Sony name. It's in their to make sure their name does not get sullied. It's not our job to find out exactly which part belongs to whom.

Also why do corporations not investigate which aspect of a person failed to pay their credit card bill. I'm talking about universal default here (not the best example though). They don't care. As long as your name appears somewhere you are in trouble

Re:

[Random_Goblin]

It's in their to make sure their name does not get sullied.

Your post lacks interest

An excellent article !

[golodh]

This article really was a pleasure to read (although it took me most of a day).

Not just because of the conclusions ("Part III examines potential market-based rationales that influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy.") but also because of the rant-free and very lucid and illuminating analysis of the factors involved.

To me, the best part was: "After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures in Part IV, we examine law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, in Part V. We argue that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict such harms on the public.".

Those who have hopes for political action to amend the current crop of laws may be interested to read: "Finally in Part VI, we present two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, we suggest that Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and anti trafficking provisions in order to enable security research and the dissemination of tools to remove harmful protection measures. Second, we offer promising ways to leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers."

"hanges to the DMCA to protect consumers"

[Joce640k]

Pigs will be ice skating in hell before that happens...

Hardware vs Software

[TTURabble]

The way I see it, my computer is my property much like my house is also my property. They both have "doors" to the outside world, but that doesn't mean that anyone can just walk in and have a beer. I guess my favorite analogy is buying a new TV. What if you went out and bought a new TV that had a hidden camera in it, but you didn't know about the hidden camera, and it was broadcasting a signal to anyone who wanted to watch. Would you keep the TV? Would you litigate against the company that made the TV? Th

Sony/BMG EULA - the choral music setting

[JPMH]

The Sony/BMG EULA - set as haunting choral plainchant [wired.com].

One of my favourite examples of "transformative" fair use ever.

Elvis-wannabes who went into FLOPPY DISKS in '01?

[abb3w]

No, really, read the paper before you mod me off-topic — page 1180 (24th of PDF [ssrn.com]):

SunnComm, the company that delivered MediaMax, offered even more cause for concern. The company began as a provider of Elvis impersonation services. After a change in management following a false press release announcing a non-existent $25 million production deal with Warner Brothers, the company purchased a 3.5" floppy disk factory in 2001, displaying a disturbing dearth of technological savvy. After two employees an

Oh yes, It's just you.

[Nursie]

Moron.

Sony products are everywhere. I saw lines of people taking away sony tvs when they were on offer at a supermarket in the UK the other day.

PS3 outsells xBox 360 in the EU.
It's currently outselling the Wii in Japan.

They aren't going anywhere.

Re:

[Nursie]

I'm no zealot, but your original remark:

"It seems that Sony has been making a lot of really bad mistakes and it is heading freefall."

is just wrong. The company may have made a few mistakes from the geek perspective, but people as a whole just don't care. It's a sad fact, but companies all over the world do far, far worse things (in moral terms) than Sony have done, yet continue to go from success to success. Look at MS, look at Coca Cola, look at Nestle.

BTW, those things I said about PS3 - look 'em up. All

Re:

[fbjon]

The "outselling Wii in Japan" thing was reported on /. within the last few weeks, the PS3 has been outselling the 360 in europe for a while now.

"Outselling" the Wii is a stretch, looking at the numbers. It did so temporarily a few weeks ago, but not anymore, certainly not in Japan. It is indeed outselling the 360 in Europe/Japan though.

Re:

[Nursie]

Yes, just read up on it a bit more. It outsold the Wii in Japan for November, and is now firmly back in second place.

Still, not really an indication of a lost cause or a total flop is it?

Re:

[fbjon]

I think Sony has made some dreadful mistakes, but still the PS3 is really decent, and quite a piece of hardware. I don't think that the problem for Sony is whether the PS3 is a flop or success, because it seems to be gaining speed finally, it's that the Wii is a steamroller they never even saw the rear lights of as it disappeared beyond the horizon.

Re:

[Nursie]

"1) Your caffeine levels are no excuse."

Fine, just trying to clear the air with a minor capitulation on my part, I can see the effort was unappreciated.

"2) As I said later, freefall not in a size/market point of view, but from a credibility point of view."

Umm, yeah, and as I said, the average person doesn't give a crap. The rootkit stuff either didn't affect them personally, or they didn't understand what it was, or they didn't care. Either way they've forgotten by now.

"3) Yes, people do care. Wouldn't you

Re:

[Nursie]

"Not to underappreciate your effort, but that was just a note/remark that in the future, you should try to refrain from making those comments instead of appologising for them"

Well, I'm not _that_ upset over it, I was quite annoyed by the multiple backslapping "Sony are going down the pan!" "yeah d00d!" comments that slashdot has been running for a decade now on the likes of MS. It's all fun I'm sure, but largely incorrect and masturbatory. The world doesn't run on logic or good practice, much to my own chag

Re:

[Nursie]

Because they make powerful, lightweight laptops with very pretty screens.

They also make great TVs that not only perform well but are finished and styled well too.

Face it - they make good stuff and relatively few people heard of or care about this issue. And even if they did care, there's not many folks in the world that actually engage their brain when spending money.

Re:

[Tony Hoyle]

It installed a device driver. Once that's done no OS prevention or design would stop them doing what they wanted.

The same would happen in Linux if they had a CDROM and some idiot forgot to mount the drive containing the install binary nosuid.

So how should it work?

[SanityInAnarchy]

Linux does not, and cannot, prevent this kind of attack. That you think it could shows you have a profound lack of understanding of what the attack was. (Here's a hint -- where do you think the word "rootkit" came from? Duh?)

There is, of course, exactly one difference: On Windows, AutoRun is the default, and entirely specified by the CD. On Linux, AutoRun barely exists at all, and where it does, it's entirely controlled by the OS -- it never runs a program off the CD, if anything, it launches a media playe

Re:

[delt0r]

Also sony are not the only ones. The DVD Mr and Mrs Smith we got from the library here in Vienna (1 Euro for 2 weeks..) had a warning on it not to use it on a pc because it installs a virus [wikipedia.org].

Its not just sony. Its all of them and sony just got caught.

Re:

[account_deleted]

Comment removed based on user account deletion