Dennis D. McDonald consults from Alexandria, Virginia. His services include writing & research, proposal development, and project management.

Fallout from the Sony BMG "Rootkit" DRM Debacle

Sony is issuing a DRM software patch

Sony is issuing software patches through the Internet. Mainstream media (such as this morning's Washington Post) have picked up the story.

There's no telling how this will spin out. At minimum, it will make more people suspicious of music publishers.

Sony has validated some of the fears that people have about DRM. The fact that Sony's to-be-replaced "rootkit"  software (thousands if not millions of copies of which are still in retail and distributor inventories around the world, ready to "infect" unknowing customers) was designed to hide its existence might even raise the attention of law enforcement officials and legislators.

I wouldn't be surprised if, over the next week or so, we start seeing stories about people who, going back to older CD's published with this DRM, begin to blame Sony for some problems they've experienced on their machines, whether these problems really were created by rootkit DRM or not. This situation could get very messy. 

What to do?

Sony's rush to put out a "patch" (which I learned about via email this morning as a response to a query I submitted yesterday to Sony BMG about Santana's new album) is a good start.

Personally, I'm not sure what to do about Santana's new album now. If I buy a copy from existing inventory and try to play it on one of my Windows computers (which is how I play most CD's any more) I'll have to load the old software then immediately remove it using the patch.

That's unreasonable. Maybe I could just limit my PC based playback to my old Macintosh? Or maybe I should dust off an old CD player and hope it plays? Or, can I get it into iTunes to play it? Or, load the CD with DRM software, burn an "uninfected" copy for use around the house and in the car, then uninstall the software?

I could work all this out if I wanted to. But all I want to do is to play my music! I don't want to have to worry about software patches, updates, viruses, and incompatibilities -- I already have Windows software to worry about!

What we have learned

Let's step back and review what we've learned from this debacle:

  1. Sony has proven that its customers have a right to be suspicious about DRM enabled CD's. There's no going back from this.
  2. We don't know how others of the Big Four music companies are handling DRM. For all we know, incompatibilities will start popping up now that folks are looking.
  3. Sony is now incurring costs to repair the situation, as are its network of distributors and retailers.

Has Sony advanced its goal of preventing unauthorized copying?

I assume that this type of DRM has no impact on the massive pirating that has already been documented by the industry. So we have to look at other areas for impacts.

Will this DRM software -- hidden rootkit or not -- prevent unauthorized sharing of CD tracks via P2P and other file sharing systems? I think not. Sony's own website instructs people how to bypass the software and software-savvy people will be inclined just as before to rip and upload.

Will this DRM prevent small scale copying and sharing? It might for those who don't worry about infecting their operating system or those who might be inclined to make CD copies for 4 or more of their friends. In other words, this "speedbump" approach to DRM might very well have some impact on unauthorized copying.

From a business perspective, though, Sony must be wondering whether or not the costs are worth the benefits of continuing to aggravate its customers. Does it really understand what those costs are?

Maybe not. It is possible that the company that developed the hidden rootkit DRM system was a contractor, hired for a specific job. The Sony executive who oversaw the contract may or may not have understood the details of the software being developed.

  • If the details were understood, that suggests that Sony executives were in agreement that hidden DRM routines are a justified way to prevent unauthorized copying.
  • If the Sony executives who oversaw the contract were not able to understand the details of the software architecture, one might be justified in wondering if they were qualified to provide project oversight in the first place.

At any rate, what we now have is a messy software update/bug fix/software patching process, the costs of which will have to be borne by Sony and its business partners. We now have multiple versions of Sony DRM software in the field, one old, one new.

The industry will have to adjust

Most people won't be able to tell the difference. As someone familiar with software development and software publishing, I think that what we are now going to see is an increasing exposure to the public of the software side of the entertainment business. How can we know, for example, whether a new security patch from Microsoft will or will not "break" some aspect of someone's DRM software, making a product unplayable? Will "consumer testing" web sites arise to publish the details of whether or not it is "safe" to buy and use a new music CD? Will Amazon provide detailed "DRM version" information to supplement the generic "copy protection" information it already publishes?

This situation reminds me of the Bad Old Days before the architecture and distribution channels for PC software drivers were standardized through "plug and play" technology. In these bad old days, if you wanted to publish a CD-ROM for PC access, for example, you had to publish the application software as well as a family of tested software drivers to enable the PC to communicate with all the possible CD-ROM drives in the marketplace.

This driver distribution process has become a lot better organized nowadays so this mucking around with multiple versions of DRM software seems like a bad dream. The saving grace is that we now have the Internet we can use for distributing software patches.

Sony is aware of all this. They manufacture computers, game software, and game systems. It's possible that, had the "technology" side of the business been more involved, this "rootkit" debacle would not have arisen.

What's needed now

Over the past few months I have been keeping pretty close track of the DRM situation for music. It's a personal interest of mine, for a variety of reasons, not the least of which is that I love music and I see the current situation as killing off the distribution and access standards that have benefited so many people.

What I think is needed now is for companies like Sony to take a good hard look at the overall costs and benefits of attempts to control end-user behavior concerning music products. At each step of the supply chain, companies need to understand what is involved in developing, maintaining, and upgrading all the DRM and related systems that are associated with controlling, monitoring and, potentially, charging for product use.

If I were to buy another music CD -- which I find unlikely -- I would like very much to know what percentage of the price goes to the artist, what percent goes to the distributor, what percent goes to the publisher -- and what percent goes to manage and maintain this now additional overhead associated with usage monitoring and control, and to the inevitable fixes when a portion of the system breaks.
