Team for Research in
Ubiquitous Secure Technology

The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident
Deirdre Mulligan, Aaron K. Perzanowski

Citation
Deirdre Mulligan, Aaron K. Perzanowski. "The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident". Berkeley Technology Law Journal, 22(3):1157, January 2007.

Abstract
Late in 2005, Sony BMG released millions of Compact Discs containing digital rights management technologies that threatened the security of its customers' computers and the integrity of the information infrastructure more broadly. This Article aims to identify the market, technological, and legal factors that appear to have led a presumably rational actor toward a strategy that in retrospect appears obviously and fundamentally misguided.

The Article first addresses the market-based rationales that likely influenced Sony BMG's deployment of these DRM systems and reveals that even the most charitable interpretation of Sony BMG's internal strategizing demonstrates a failure to adequately value security and privacy. After taking stock of the then-existing technological environment that both encouraged and enabled the distribution of these protection measures, the Article examines law, the third vector of influence on Sony BMG's decision to release flawed protection measures into the wild, and argues that existing doctrine in the fields of contract, intellectual property, and consumer protection law fails to adequately counter the technological and market forces that allowed a self-interested actor to inflict these harms on the public.

The Article concludes with two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and antitrafficking provisions that enable security research and the dissemination of tools to remove harmful protection measures. Second, the Federal Trade Commission should leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers.

Keywords: DRM, TPM, copy protection, HCI-Sec, rootkit, copyright, DMCA, security

Citation formats
  • HTML
    Deirdre Mulligan, Aaron K. Perzanowski. <a
    href="http://www.truststc.org/pubs/316.html"
    >The Magnificence of the Disaster: Reconstructing the
    Sony BMG Rootkit Incident</a>, <i>Berkeley
    Technology Law Journal</i>, 22(3):1157, January 2007.
  • Plain text
    Deirdre Mulligan, Aaron K. Perzanowski. "The
    Magnificence of the Disaster: Reconstructing the Sony BMG
    Rootkit Incident". Berkeley Technology Law
    Journal, 22(3):1157, January 2007.
  • BibTeX
    @article{MulliganPerzanowski07_MagnificenceOfDisasterReconstructingSonyBMGRootkitIncident,
        author = {Deirdre Mulligan and Aaron K. Perzanowski},
        title = {The Magnificence of the Disaster: Reconstructing
                  the Sony BMG Rootkit Incident},
        journal = {Berkeley Technology Law Journal},
        volume = {22},
        number = {3},
        pages = {1157},
        month = {January},
        year = {2007},
        abstract = {Late in 2005, Sony BMG released millions of
                  Compact Discs containing digital rights management
                  technologies that threatened the security of its
                  customers' computers and the integrity of the
                  information infrastructure more broadly. This
                  Article aims to identify the market,
                  technological, and legal factors that appear to
                  have led a presumably rational actor toward a
                  strategy that in retrospect appears obviously and
                  fundamentally misguided. The Article first
                  addresses the market-based rationales that likely
                  influenced Sony BMG's deployment of these DRM
                  systems and reveals that even the most charitable
                  interpretation of Sony BMG's internal strategizing
                  demonstrates a failure to adequately value
                  security and privacy. After taking stock of the
                  then-existing technological environment that both
                  encouraged and enabled the distribution of these
                  protection measures, the Article examines law, the
                  third vector of influence on Sony BMG's decision
                  to release flawed protection measures into the
                  wild, and argues that existing doctrine in the
                  fields of contract, intellectual property, and
                  consumer protection law fails to adequately
                  counter the technological and market forces that
                  allowed a self-interested actor to inflict these
                  harms on the public. The Article concludes with
                  two recommendations aimed at reducing the
                  likelihood of companies deploying protection
                  measures with known security vulnerabilities in
                  the consumer marketplace. First, Congress should
                  alter the Digital Millennium Copyright Act (DMCA)
                  by creating permanent exemptions from its
                  anti-circumvention and antitrafficking provisions
                  that enable security research and the
                  dissemination of tools to remove harmful
                  protection measures. Second, the Federal Trade
                  Commission should leverage insights from the field
                  of human computer interaction security (HCI-Sec)
                  to develop a stronger framework for user control
                  over the security and privacy aspects of
                  computers. Keywords: DRM, TPM, copy
                  protection, HCI-Sec, rootkit, copyright, DMCA,
                  security},
        URL = {http://www.truststc.org/pubs/316.html}
    }

Posted by Christopher Brooks on 29 Feb 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.