December 20, 2006 3:16 PM PST
Sony has far to go in rootkit case
Sony BMG, which Sony operates jointly with Bertelsmann Music Group, agreed earlier this week to pay $1.5 million in fines and pay customers in California and Texas whose computers suffered damage as a result of Sony's surreptitiously installed digital rights management (DRM) software. The company declined to comment for this story other than to say that it was pleased to have reached the agreement with California and Texas.
Likely so, but the deal with California and Texas won't be the end of the "rootkit" fiasco for the music giant. Sony still has to contend with a consortium of 13 states, including Massachusetts, Nebraska and Florida, that are expected to look for a similar deal, according to Jeff McGrath, deputy district attorney for Los Angeles County, which took part in California's case against Sony. In addition, McGrath said an investigation launched earlier this year by the Federal Trade Commission looms. A spokesperson for the FTC declined to comment.
The uproar over Sony's DRM started in October 2005 when a computer programmer discovered that one of the company's CDs was restricting his computer's ability to copy music. He had installed Sony software that enabled him to listen to a CD on his computer, but without his knowledge, the disc also installed a DRM program that would limit the number of copies he made of the CD and barred him from creating unprotected MP3s. The DRM also provided a place where malicious software could hide out and operate undetected. The feature is known as a rootkit.
The case has hounded Sony BMG and undermined the company's credibility, say Sony critics.
"I think that there was a lot of record labels who got carried away with the idea of DRM," said Cindy Cohn, legal director for the Electronic Frontier Foundation, one of the groups that filed a class-action suit against Sony last year on behalf of those affected by the antipiracy software. "I don't think many of them stopped to think about the impact to their customers when they used DRM."
McGrath, who is a member of the Los Angeles district attorney's high-tech crime unit, said he understands what Sony BMG was trying to do when it loaded the software.
"Much of what we do is go after pirates," McGrath said. "We are keenly aware of the individual's right to protect intellectual property. But if you're installing some kind of content protection and altering people's systems, you have to do it in a way that you're not damaging property. You also must be certain to fully disclose what you're doing."
McGrath said he believes Sony BMG, which has apologized to customers, has learned a valuable lesson. He said the company was very cooperative during negotiations and is looking for "ways to make it right" with customers.
As part of the settlement, Sony BMG agreed to reimburse any consumer whose computer was damaged as a result of the antipiracy program, provided they can provide verification. Consumers in California and Texas can receive up to $175 in compensation.
The EFF's Cohn said that something positive may come from the fiasco: the case provides another reason for entertainment companies to abandon DRM.
She said that there are indications some entertainment companies may be ready to do just that. First, Sony hasn't placed any DRM on CDs since the rootkit ordeal surfaced. The latest example came this week with reports that Amazon.com is preparing to launch a music download site featuring DRM-free songs.
"I think we're seeing a growing consensus that DRM isn't working," Cohn said. "I think DRM was a bad idea that had a heyday but that it will be fading away soon. The (entertainment companies) are learning that DRM is an anticompetitive tool that ultimately hurts their business."