SonyBMG and First4Internet are in the doghouse now, having been caught installing rootkit-like software on the computers of SonyBMG music customers, thereby exposing the customers to security risk. The question now is whether the companies will face up to their mistake and try to remedy it.
First4Internet seems to be trying to dodge the issue. For example, here’s part of a news.com story by John Borland:
The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.
In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company’s CEO.
“I think this is slightly old news,” Gilliat-Smith said. “For the eight months that these CDs have been out, we haven’t had any comments about malware (malicious software) at all.”
The claim that the software is not a risk is simply false, as Alex explained yesterday. And if the company is indeed working on new ways to hide the contents of your computer from you, that just shows that they haven’t learned their lesson. The problem is not that they used a particular rootkit method. The problem is that they used rootkit methods at all. Switching to a new rootkit method will, if anything, make the problem worse.
The claim that there haven’t been any complaints about the software is also false. The reviews on Amazon have plenty of complaints, and there was a discussion of these problems at CastleCops. And, of course, Mark Russinovich has complained.
The claim that this is old news is just bizarre. First4Internet is offering this system to record companies – today. SonyBMG is selling CDs containing this software – today. And this software is sitting on many users’ computers with no uninstaller – today.
If First4Internet wants to stop spinning and address the problem, and if SonyBMG wants to start recovering consumer trust, I would suggest the following steps.
(1) Admit that there is a problem. The companies can admit that the software uses rootkit-like methods and may expose some consumers to increased security risk.
(2) Modify product packaging, company websites, and EULA language to disclose what the software actually does. Thus far there hasn’t been adequate notification. For example, the current EULA says this:
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.
Clearly a rootkit neither protects the audio files nor facilitates use of the content. This is not the only misleading aspect of the description. For example, this does not convey to users that they will be unable to make lawful uses of the music such as downloading it to an iPod, or that there is no way to uninstall the software (indeed, it strongly implies the opposite), or that attempting to remove the software may make the computer’s CD drive inaccessible.
(3) Release a patch or uninstaller that lets any consumer easily remove or disable the rootkit-like functions of the software. Having caused security problems for their users, the least the companies can do is to help users protect themselves.
(4) Make clear that the companies support, and give permission for, research into the security implications of their products. Saying “trust us” won’t cut it anymore. Having betrayed that trust once, the companies should publicly welcome the Mark Russinoviches of the world to keep studying their software and publishing what they find. If you act like you have something to hide – and you have had something to hide in the past – the public will be smart enough to conclude that you’re probably still hiding something. This is especially true if you announce that you are trying to find new ways to do the thing that you were just caught doing!
Finally, let me just point out two things. First, we don’t know yet whether the First4Internet/SonyBMG software causes even more security or privacy problems for users. Given what we’ve seen so far, I wouldn’t be at all surprised if there are more problems lurking.
Second, this general issue applies not only to F4I and SonyBMG’s technology. Any attempt to copy-protect CDs will face similar problems, because this kind of copy-protection software has a lot in common with standard malware. Most notably, both types of software try to maintain themselves on a user’s computer against the user’s will – something that cannot be done without eroding the user’s control over the computer and thereby inhibiting security.
If you’re using a recent version of Windows, you can protect yourself against this type of software, and some other security risks, by disabling autorun.
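As an added example, not part of the original post, here is a PowerShell function that audits the registry values controlling AutoRun and, with -Apply, sets them so that inserting a disc no longer runs whatever the disc's installer wants. The key paths and the bitmask meanings are assumptions about the standard Windows policy locations; changing the HKLM values requires an elevated session.

```powershell
# Added example, not from the original post: audit (and with -Apply, set) the
# Windows policy values that turn AutoRun off for every drive type.
# Assumptions: an elevated session and the standard policy locations below.
# NoDriveTypeAutoRun is a bitmask of drive types; 0x20 is the CD-ROM bit and
# 0xFF covers all drive types.
function Set-AutoRunDisabled {
    [CmdletBinding()]
    param([switch]$Apply)

    $policyKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $cdromKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'

    foreach ($key in $policyKeys) {
        $current = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        # A missing value or a cleared 0x20 bit means discs still auto-run.
        $cdAllowed = ($null -eq $current) -or (($current -band 0x20) -eq 0)
        Write-Host ("{0}: NoDriveTypeAutoRun = {1} (CD AutoRun {2})" -f $key,
            $(if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }),
            $(if ($cdAllowed) { 'ENABLED' } else { 'disabled' }))
        if ($Apply) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # 0xFF disables AutoRun on all drive types, not only CD-ROMs.
            Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        }
    }

    # The CD-ROM driver has its own switch; 0 disables media-insertion AutoRun.
    $cdAuto = (Get-ItemProperty -Path $cdromKey -Name AutoRun `
               -ErrorAction SilentlyContinue).AutoRun
    Write-Host ("{0}: AutoRun = {1}" -f $cdromKey,
        $(if ($null -eq $cdAuto) { 'not set (default: on)' } else { $cdAuto }))
    if ($Apply) {
        Set-ItemProperty -Path $cdromKey -Name AutoRun -Value 0 -Type DWord
    }
}

# Audit only (read-only, no elevation needed):
Set-AutoRunDisabled
# Apply the hardened settings (elevated session required for HKLM):
# Set-AutoRunDisabled -Apply
```

The Cdrom service value takes effect only after a reboot, so re-run the audit afterwards to confirm the change.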