The truth about Sony's rootkit disaster

Rewind your tech memory to November 2005 and you'll find Sony (more particularly Sony BMG) embroiled in a massive PR hoo-ha. The cause? A particularly damaging brand of corporate paranoia that saw thousands of music buyers' PCs infected with a malicious rootkit that compromised their privacy and left them open to attack from trojans and other malware.

Well now two US lawyers have published an exhaustively researched study into the scandal, says BoingBoing. And with a title like 'The Magnificence of the Disaster: Reconstructing the Sony rootkit incident', you know it's going to be a cracking read [PDF link]. The study explains how Sony BMG got itself into the mess in the first place, how it came to choose two particularly flawed DRM schemes, and how it subsequently tried - and largely failed - to dig itself out of the hole. Here's a sample quote:

"The outcry from fans, artists, and consumer advocates alike gave rise to a palpable shift in the public perception of Sony BMG and its parent corporations. Online petitioners called for a boycott of not only protected Sony BMG CDs, but Sony products generally.

"In the fallout of the rootkit incident, one leading technology media outlet ranked Sony BMG's protected discs fifth in its list of the worst technology products in history. The incident earned Sony BMG further distinction by being named one of the top ten 'dumbest moments in business' for 2005.

"Although the financial impact of this public relations disaster is difficult to estimate, Sony BMG remains, in the eyes of many consumers, inextricably associated with its misguided attempts at content protection."

What do you mean paranoid?

However the lawyers go on to suggest that Sony BMG itself fell victim to a wider corporate paranoia:

"The aggressive stance adopted by Sony in halting innovative consumer-driven uses of products like the Aibo robotic dog and the PlayStation suggests a willingness to seek maximum protection of Sony intellectual property, even at the risk of consumer alienation."

But most damning of all is the lawyers' claim that Sony BMG and its DRM partners deliberately used spyware-like methods to keep tabs on buyers of its CDs:

"In the face of predictable user reluctance to actively impede their own lawful uses of legally purchased CDs, Sony BMG and its DRM vendors leveraged the dominant operating system's lack of end user control over software installation decisions to clandestinely alter the personal computing environment of millions of users.

"In doing so, Sony BMG relied in part on methods used by spyware distributors to spread malicious code and seize remote control of users' computers. Arguably, the decision to use these stealth techniques was motivated by the same desires—limiting user knowledge, engagement, and choice—that motivate their use in the spyware and malware contexts.