On the one hand, I am shocked that any major corporation would be so stupid as to place a rootkit on content-protected CDs (see this most illuminative article by Mark Russinovich to see how Sony is putting rootkits on their CDs in the name of copy protection). On the other hand, I’m almost grateful to them for doing so. Why?
Very simple: they attempted to pull a very sophisticated ploy, but did so in such a clumsy fashion that they might have left a window of opportunity open for the right case law to set some strong precedents. Look at what they did:
- They installed a rootkit — a program that installs at the lowest levels of the operating system, actively hides signs of its presence, and fundamentally changes the behavior o the operating system without any warning. Without the flimsy excuse of their EULA, this would be computer trespass.
- They used a deceptive EULA (end-user license agreement) to do so; the EULA does not disclose, the full and obvious affects of the software (such as the inability to remove the software through normal methods, the potential loss of functionality to the CD-ROM drive, or the ability for other non-affected files to be hidden from the user). The deceptive EULA might, with luck and the right lawyer, be enough to allow this to be called what it is — criminal computer trespass.
- They used a poorly written rootkit written by an inexperienced third-party company. Again, with the right lawyer, this could be leveraged to show negligence and lack of good intent and help criminalize their actions.
I hope that the right lawyer can take this on and get Sony nailed for criminal actions; we need this kind of precedent with DRM. Eventually, I suspect that we’re going to see the music companies forced to abandon DRM as a method of protecting music and movie content, allowing the industry to focus on using it where it will actually do some good — helping ensure regulatory compliance.