Sony and Bertelsmann were once the prides of Japan and Germany. Having grown up to become world-spanning megacorporations, they spawned a reckless delinquent named Sony BMG. As children often do, the youngster is having a hard time finding its way in the world - selling music, in particular, as well as controlling the distribution of music it manages to sell. So Sony BMG resolved to turn your computer into a battleground.
The war, of course, is the struggle to control unauthorized duplication of copyrighted material. Music fans demand to make copies, and to its credit Sony tried to meet them halfway. But en route to the meeting place, the company turned down a path that leads to a dark future.
On at least 50 titles released last year, Sony BMG included software that allows users to make up to three copies. To count the number of duplicates made, the discs install programs on the user's computer. And to keep savvy customers from monkeying with the software, the company included a rootkit, secret code that makes itself and the copy-protection files invisible.
The ability to hide files is an invitation to every hacker with, well, something to hide. Miscreants use it to cloak programs designed to take control of the host computer. Players of online games use it to conceal cheats. But there was more to Sony BMG's rootkit. The code could also send information about the user's system back to the mothership.
Blogger Mark Russinovich wrote about the Sony BMG exploit in November, and music fans exploded in righteous fury. After much denial and obfuscation, Sony BMG provided an uninstall routine. It also stopped manufacturing rootkitted titles and recalled those it had shipped. But the damage had been done. More than 2 million discs were already in consumers' hands, ready to blast holes in the system of anybody unfortunate enough to pop one into a CD drive.
I'm not going to scold Sony BMG. The problem here is larger than one company's effort to own its customers' desktops and spy on their behavior. The real issue is the blurring of lines between blackhat hacking and legitimate business. It's one thing when Russian gangsters take over a few million computers to shake down online casinos. It's another when commercial enterprises adopt the same methods to protect their market. At that point, good corporate citizenship devolves into vigilantism and the implicit trust between supplier and customer unravels.
Sony BMG isn't the only company to have mistaken malicious exploits for mainstream business practices. The British software developer First 4 Internet, which licensed the rootkit to Sony BMG, built its product on techniques developed for creating viruses, and the company's programmers left a trail of newsgroup requests for information about hacks like crippling CD drives. Ironically, First 4 Internet appropriated parts of its music player from an app known as LAME - a bald infringement of the LAME copyright.
Imagine the mayhem if this kind of attitude were to become widespread: Coca-Cola would use your desktop to propagate spam about its latest bottle-cap sweepstakes. Vonage would keep Skype offers from reaching your inbox. Samsung would make sure that, when your browser tried to load Sony.com, it reached a fake Sony site where nothing worked. Companies would compile vast archives of customer data merely because they could, hoping they'd stumble on a revenue model.
It's time for lawmakers, trade groups, and public-interest organizations to get down to the hard work of hammering out standards for what businesses can and can't do to customers' computers. Such an effort will need to be international, because the Net knows no bounds. It will need to come up with simple, understandable language for end-user licensing agreements. It will need to draw red lines around unacceptably invasive hacks and map gray areas between spying and market research.
I'm not holding my breath, though. After all, we asked for this. We didn't want to ruffle the feathers of the goose that laid the golden egg of technological progress, so we allowed manufacturers to claim more and more control over the ways we use their products and what they can do with our information. It should come as no surprise that they're using that power as a cover for bigger, possibly more lucrative schemes.
You may not be interested in the digital rights war, but that doesn't mean you'll have the luxury of sitting on the sidelines. Because the other side is very, very interested in you.