Cyndi Lauper and Ray Charles are on the full list of XCP CDs

Sony BMG, the world's second largest record label, has for the past three weeks been the subject of a corporate embarrassment that rivals earlier public relations nightmares involving tampered Tylenol and contaminated Perrier.

While in the short-term one of the world's best-known brands has suffered enormous damage, the longer-term implications are even more significant - a fundamental re-thinking of policies toward digital locks known as technological protection measures (TPMs).

The Sony case started innocently enough with a Halloween day blog posting by Mark Russinovich, an intrepid computer security researcher.

Mr Russinovich discovered his own tale of horror - Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a "rootkit" on users' computers.

The use of the rootkit set off alarm bells for Mr Russinovich, who immediately identified it as a potential security risk since hackers and virus writers frequently exploit such programs to turn personal computers into "zombies" that can send millions of spam messages, steal personal information, or launch denial of service attacks.

While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers



Although users were presented with a series of terms and conditions that refer to software installation before launching the CD, it is safe to assume that few, if any, realised that they were creating both a security and potential privacy risk as well as setting themselves up for a "Hotel California" type program that checks in but never leaves.

Class action

While Sony and the normally vocal recording industry associations stood largely silent - a company executive dismissed the concerns stating that "most people don't even know what a rootkit is, so why should they care about it" - the repercussions escalated daily.

One group identified at least 20 affected CDs, including releases from international artists such as Celine Dion and Neil Diamond.

Class action lawsuits were launched in the US, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to include the Sony rootkit.

Nearly two weeks after the initial disclosure, Sony finally issued an apology, indicating that it was suspending use of the TPM and issuing a software patch to remove the rootkit.

At about the same time things went from bad to worse. It was soon discovered that Sony's patch created its own security risk - potentially leaving personal computers even more vulnerable than with the initial rootkit - and was pulled from its website.

Sony BMG has released the full list of XCP CDs

The recall was even bigger than anticipated as Sony disclosed that there were at least 52 affected CDs. Moreover, researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries.

Finally, just when it appeared that Sony had hit bottom, analysis of the rootkit revealed that it included open source software code contrary to the applicable licence.

In other words, Sony itself may have infringed the copyright of a group of software programmers and be on the hook for significant copyright infringement damages.

While the Sony saga has still not ended, it is increasingly clear that it will have a long-term impact on consumers and policy makers.

The incident has alerted millions of consumers to the potential misuse of TPMs as well as to the need for consumer protections from such systems.

While policy makers have raced to provide legal protections for TPMs (known as anti-circumvention legislation since the provisions prohibit attempts to circumvent the digital locks), the real need is to protect against the misuse of this technology.

The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks.

The US Computer Emergency Response Team was jointly established in 2003 by the US government and the private sector with the aim of protecting the internet infrastructure from cyber-attacks.

It advised users that they should not "install software from sources that you do not expect to contain software, such as an audio CD".

Moreover, Stewart Baker, the US Department of Homeland Security's assistant secretary of policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property - it's not your computer.

"And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Worldwide action

Mr Baker's comments point, as well, to another issue that has been percolating for some time, namely that TPMs not only put users' property at risk, but they also limit use of lawfully-acquired personal property.

Justice Ian Binnie of the Supreme Court of Canada raised this concern in a copyright case several years ago when he noted that "once an authorised copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it".

The Australian High Court expressed similar sentiments in a decision issued last month that ironically also involved Sony.

It rejected Sony's attempt to block the use of "mod chips", utilised by video game players to unlock copy-protected games purchased outside the country.

It emphasised that "the right of the individual to enjoy lawfully acquired private property (a CD-Rom game or a PlayStation console purchased in another region of the world or possibly to make a backup copy of the CD-Rom) would ordinarily be a right inherent in Australian law upon the acquisition of such a chattel."

The incident should also galvanise regulators and political leaders worldwide.

Data protection commissioners should use their powers to investigate other potentially invasive uses of TPMs, while fair business practice regulators should consider whether Sony violated deceptive practice legislation.

Moreover, countries should begin to reconsider the rush to provide legal protection for TPMs as embodied in the US Digital Millennium Copyright Act and the European Union's Copyright Directive.

The approach evidently has the effect of protecting spyware, undermining consumer confidence, and ultimately reducing the sales of musical artists.

The Tylenol and Perrier debacles led to dramatic changes in corporate practice and consumer protections.

Similarly, with consumer backlash against protected music CDs and licensing agreements, policy maker worries about the privacy and security implications of TPMs, and the courts' concern for personal property rights, the Sony rootkit case is destined to resonate long after the CDs disappear from store shelves.



Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law