Digital Rights Management and the Sony Rootkit Controversy
What is Digital Rights Management (DRM) technology? DRM refers to a cluster of technologies used by content owners to “control access to data (such as software, music, and movies) and hardware” (Wikipedia, 2006). DRM technologies enable content providers and software manufacturers to embed code in digital media to control how their products are used.
Defenders of DRM systems argue that this technology is needed to prevent copyright violations on the part of users. But many of DRM’s critics are concerned about the ways in which DRM can be used to enforce copyright law. Other critics worry that DRM technology allows content owners to exercise considerably more control over users of copyrighted works in digital media compared to the kind of control that was provided in traditional copyright protection schemes. For these reasons, Richard Stallman, founder of the Free Software Foundation (FSF), believes that DRM can be better understood as “digital restrictions management.”
Other critics worry that DRM systems could be abused by content owners to control users’ computers (behind the scenes) and could even be used by companies to “spy” on unsuspecting users. This concern recently became apparent in the case of Sony BMG Music Entertainment, which used a DRM system called Extended Copy Protection (XCP) to protect its music CDs.
The Sony incident drew considerable attention in October 2005, when a blogger wrote an article that identified flaws in the design of Sony’s copy protection software- flaws in the form of security holes that could be exploited by malicious software programs, including viruses and worms. The blogger also noted that Sony did not provide users with an “uninstall” program to remove the XCP software. Shortly after this flaw had been made public, Sony released a utility intended to enable users to remove the controversial software. Unfortunately, Sony’s removal utility exposed hidden files in the “rootkit” component of XCP (and did not remove the rootkit itself). The exposure or “unmasking” of the rootkit raised even more privacy and security concerns. Sony eventually released an updated version of the removal utility that enabled users to successfully uninstall the rootkit.
Some of Sony’s critics argued that the company, through its XCP system, had violated the privacy of its customers by using code that created a “backdoor” into their machines. Others argued that Sony’s DRM program had actually infringed on copyright law. In response to these and other criticisms, Sony decided to back away from its copy protection software; it recalled all unsold CDs from stores and it allowed customers to exchange their CDs for versions that did not include the XCP software. Sony’s plan to remedy the situation, however, did not satisfy all of the companies’ critics. A number of class-action lawsuits have since been filed against Sony BMG, including lawsuits by the states of California, New York, and Texas.
The following kinds of questions arise in the Sony rootkit case. Do certain DRM systems infringe copyright law rather than protect it? Do they violate personal privacy? Can ordinary users trust content owners, such as Sony, which are easily able to spy on them and to control aspects of their computers via the use of DRM technology? Are the kinds of DRM systems used by Sony justifiable on the grounds that content companies need DRM systems to protect their intellectual property rights?