
OPINION
Rooting Out Spyware: Sony's Lesson


When it comes to poor actors in the marketplace, the Sony story shows that a free and open society will respond quickly and effectively. Sony has already issued a recall for all the offending CDs, and a private company has come up with a self-regulation plan for industry.



Sony (NYSE: SNE) used to be associated with the popular Walkman music player, but these days it's more likely to conjure up images of nasty spyware. The company's anti-piracy measures have created a security problem for unwary Sony customers -- and highlighted the inadequacies of a key piece of federal legislation, the Digital Millennium Copyright Act (DMCA).

On October 31 programmer Mark Russinovich sounded the alarm. He blogged about a music CD from SonyBMG that, when inserted into a user's CD drive, secretly installed software known as a "rootkit." The software not only spied on the person's music habits, but it also made their computer extremely vulnerable to hacker attacks.

After the news got out, Sony released a software patch to fix the problem, but that created even more vulnerabilities. The entire debacle took the computer security industry by surprise. Indeed, Sony's flawed copy-protection scheme had been in use for seven months before being discovered. Even computers run by the Department of Defense were affected, making Sony's ploy to protect its intellectual property a menace to national security.

Flawed Strategy

One might ask why a big, mostly respected company would cause customers around the world to regard its actions as irresponsible and potentially malicious. Harming customers is never a good business strategy, so perhaps one explanation is that the company believed nobody would notice.

"Most people don't even know what a rootkit is, so why should they care about it?" said Thomas Hesse, SonyBMG's president of global digital business, in an interview with National Public Radio. The problem with this response is that Sony knows full well what a rootkit is and the company's particular rootkit put users' computers and privacy at risk.

This information and its relevance were not kept secret, which shows the power of free speech combined with the Internet. The blogosphere quickly exploded with rage, prompting mainstream media to cover the issue and certification agency TRUSTe to announce a new "Trusted Download Program" similar to a privacy seal program, but focused on spyware.

Self-Regulation

According to TRUSTe's November 16 press release, the purpose of the new program is to provide "market incentives for adware and other software companies to clearly and unavoidably communicate key functionalities and obtain informed consumer consent prior to download." Self-regulation is the proper market response in a free and open society, but there is more to the story than meets the eye.

Usually when there is a major security breach, anti-virus companies scramble like mad to fix the problem, but according to influential security analyst Bruce Schneier, that didn't happen this time. For example, Schneier laments that security company McAfee had not removed the rootkit from its customers' computers as of November 15th. He points readers to McAfee's Web site, which states that the company's removal of only part of Sony's code "will not impair the copyright-protection mechanisms installed from the CD."

This apparent hesitation to fix the security problems created by Sony's anti-piracy technology likely stems from fear of violating the draconian DMCA. A section in that law makes it illegal to circumvent anticopying technology. Indeed, Tim Wu, a law professor at Columbia University, recently told reporter Declan McCullagh, "It's pretty clear that circumventing Sony's controls violates the DMCA." This leaves consumers in a precarious position.

Culture of Fear

It should not be illegal for a consumer or their security company to expunge spyware that both violates privacy and creates security risks. Some representatives in Congress recognize these problems and have introduced legislation to address the spyware issue, but getting the balance right is difficult.

Defining spyware is hard because it's possible for a software function to be legitimate in one instance and not legitimate in another. The worry is that Congress will unwittingly make the creation or use of some technologies a crime -- a situation that would make things worse, not better.

When it comes to poor actors in the marketplace, the Sony story shows that a free and open society will respond quickly and effectively. Sony has already issued a recall for all the offending CDs, a private seal company has come up with a self-regulation plan for industry, and one can bet that no other content company wants to go through the pain and brand damage that befell Sony.

The real problem is a poorly crafted law that gives undue power to content owners and creates fear in the security industry. Instead of focusing on new spyware legislation that could potentially harm technology innovation, Congress should fix the DMCA.


Sonia Arrison, a TechNewsWorld columnist, is director of Technology Studies at the California-based Pacific Research Institute. She also serves on the Technology Advisory Board for the Acceleration Studies Foundation.

