"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
- Thomas Hesse, president of Sony BMG's global digital business division, interviewed on National Public Radio's "Morning Edition" on Nov. 4.
In 1951 and 1952 the U.S. Army filled balloons with the bacterium Serratia marcescens and burst them over San Francisco. This experiment, called Operation Sea-Spray, was to study how biological weapons might be deployed. Within the next few weeks doctors in the area noticed a drastic increase in pneumonia and urinary tract infections. Worse still, people died.
These weren't the only biological weapons experiments that were done. From 1949 to 1969 (when President Richard Nixon put a stop to the U.S. biological weapons program) some 239 "open-air" tests of biological agents or simulations using chemicals were performed. And all of these tests and their consequences were kept secret until they were leaked to the press in the mid-1970s.
I relate this tale because the government's thinking was completely in line with Hesse's stated position.
The arrogance of Hesse reveals a lot about his and his company's attitude toward consumers. Perhaps most troubling is that he presumes that the ignorance of others is a reasonable basis for doing something to their property. Even worse is the fact that this something could have unknown side effects and consequences.
The truth about the Sony BMG rootkit called XCP Content Management, which was provided by First 4 Internet, has slowly emerged, even while Sony and First 4 Internet continue to claim that XCP neither invades user privacy nor is a source of risk or system instability.
Sony and First 4 Internet attempted to rebut some of Mark Russinovich's findings, but Russinovich sliced and diced their comments and the particulars haven't changed. Computer Associates has classified the Sony digital rights management (DRM) system as a Trojan and spyware because it reports back to the Sony BMG mothership! (Check out Gibbsblog, where I have an interview with CA's vice president of eTrust Security Management.)
It seems you are as appalled as I am. Reader Mark Bruch wrote, "Some teenager that gets a virus on his home computer plays with it, and the new strain gets in the wild. He didn't invent the virus, but our government, in order to show they are protecting us, breaks in armed and seizes everything in the family house and throws the book at the underage kid in court."
Bruch pointed out that if there is any justice, the Sony executives who authorized the use of this DRM system will wind up behind bars. I think everyone who was in the chain of command that led to the use of the DRM system (technicians and all) should be prosecuted.
The class-action lawsuit that I was hoping for has started: On Nov. 1 a group of California consumers filed suit, claiming that Sony BMG violated two California statutes. The first protects consumers from unfair and deceptive business practices, and the second prohibits the installation of spyware. The suit also alleges that Sony has violated the California Unfair Competition law.
Another suit was to be filed last week in New York, and Italian authorities were asked to investigate Sony's actions.
Sony BMG's insane use of DRM is just the leading edge of a potential wave of corporate technological tyranny intended to protect profits and control markets. You can bet there are feverish meetings going on at the Recording Industry Association of America and the Motion Picture Association of America to organize political pressure to minimize any judgment on Sony BMG's actions.
If Sony BMG isn't held accountable, worse assaults on consumers by not only Hollywood but any content or software publisher who pleases will quickly follow.