Revisiting the Sony Rootkit
Imagine someone buys a music CD in a store. They go home and put it into their computer to listen to it. Without their knowledge, a program is installed. This program secretly checks whether that person started a program to copy CDs, and if so, forces them to stop. It also slows down their computer and opens security holes which can be used by others to attack their own computer.
That is what happened 10 years ago if you bought one of 25 million music CDs from Sony. This attack by Sony on people's computers was discovered on 31 October 2005 and was later referred as the "Sony rootkit". It affected more than 550,000 networks in more than one hundred countries, including thousands of US military and defence networks.
Sony's rootkit provides a good example of what companies are willing to do to restrict users' behaviour with technical means. Even though the Sony rootkit is now 10 years old, hurtful digital restrictions are everywhere. They are shipped in PCs, laptops, netbooks, ebook readers, audio players, cars, coffee machines, and other devices. As Digital Restriction Management (DRM) prevents uses of the device which the manufacturer does not intend, they can control and limit what a general purpose computer may be used for. In case of IT devices with internet access, they can alter these usage restrictions at any time without even informing the device owner. As a result, IT manufacturers can take away at will common rights owners of products usually receive.
"Manufacturers should never be in a position where they permanently control the devices they produce. Those who own a device, be it individuals, companies, public or non-public organisations, should be the ones who can control it and legally use it." say FSFE's president Matthias Kirschner. "Such restrictions limit a sustained growth in the development and use of software, for which unrestricted general purpose computers are crucial."
What Sony Did
On 31 October 2005, tech security expert Mark Russinovich published his discovery on his blog about a piece of spyware, known as a rootkit, that secretly installed itself on his computer. He concluded that the rootkit was connected to the proprietary music player that was included in Sony music CDs. The hidden rootkit program was used to spy on users and their listening habits, and share that information with Sony, as well as prevent other third party audio programs from reading the disk.
In the process of spying, the rootkit created additional security flaws which opened the doors for other, more malicious attacks. Even if users detected the rootkit, safely uninstalling it without damaging their computer was another problem.
In total, the rootkit was loaded onto roughly 25 million CDs and infected more than 550,000 networks in more than one hundred countries, including thousands of US military and defence networks.
But Sony BMG's president, Thomas Hesse, dismissed the issue completely, and was quoted saying "Most people, I think, don't even know what a Rootkit is, so why should they care about it?". The press published what Sony was secretly doing to people's personal property and Sony was forced to settle numerous lawsuits and repair customers' trust as soon as possible.
Despite the fallout of Sony's rootkit experiment, 10 years later restrictions on users' personal property are more prevalent than ever. Restrictions are commonly found in legitimately purchased ebooks, video game hardware, and all manner of proprietary software. It has even found ways into our cars, and coffee machines. Even Steve Jobs lamented the forceful implementation of restriction software, software his own company was well known for using.
The computer: a general purpose machine
Technological restrictions on the legitimate use of devices are dangerous because they are slowly transforming our computers from being general purpose machines with diverse capabilities, to being a singular device with limited scope of power. Private companies limit computers' functionality because it is better for business when users are locked in to a particular service provider.
When users are locked in by restrictions from content providers and oppressive copyright legislation, society suffers because people lose out on the possibilities of innovating and experimenting with new products or services, as well as their ability to fix and improve their own devices. By trying to restrict the use of devices or content for one specific case (i.e. unauthorised copying or to prevent outsiders from accessing the device), companies prevent to use computer for all other legitimate purposes that users may be entitled to.
This is a major obstacle for future innovations and destroys the computer as a general purpose machine. Furthermore, these restrictions do not differentiate between legitimate or illegal manipulations performed on the computer by its users, imposing blanket constraints on everyone. As a consequence, no one beside the manufacturer has control over machines that control our lives, and the data stored on them.
FSFE's goal is to ensure that the owners of IT devices can always be in full and sole control of them. For maintaining sustained growth in the development and use of software, the broad availability of general purpose computers is crucial.
- FSFE demands that before purchasing a device, buyers must be informed concisely about the technical measures implemented in this device, as well as the specific usage restrictions and their consequences for the owner.
- FSFE and other organisations are calling on lawmakers to safeguard the right to tinker for everyone. The right to tinker makes sure that the owner of every device is allowed to replace or supplement the software in that device if they so choose, thereby empowering owners to control their own property. To ensure this protection, FSFE asks the European Commission to propose legislation strengthening a computer owner's rights, by requiring that every computer owner must be enabled to modify and exchange the software and hardware on any computing device, and afterwards be allowed to sell it with those modifications.
- It is clear that any right to tinker must also be coupled with a legal provision that allow circumvention of technological restrictions in such cases. For this reason, the FSFE asks the Commission to propose legislation to ensure that consumers can make use of digital goods which they have acquired within the full scope of copyright exceptions and limitations.
- Defective By Design - FSF's sideproject blog specifically against DRM
- EFF's DRM info database - EFF's database of all things DRM related
- BoingBoing timeline - covers major events following Russinovich's blog post
- MIT Technology Review - In depth article on the technology, companies, and fallout of Sony's rootkit
- DRM.info leaflets - FSFE's leaflets on the dangers of DRM available for download or hard copy
- Keynote on General Purpose Computing - by FSFE President Matthias Kirschner