Dennis D. McDonald ( consults from Alexandria Virginia. His services include writing & research, proposal development, and project management.

Sony Rootkit "Phones Home"? (Smells like ... DIVX?)

Checking my RSS news feeds this morning I discovered several postings around the Web that seem to say that Sony's original "rootkit" DRM not only hides itself in the bowels of the Windows operating system, it also installs a mechanism whereby, when the CD's "play" command is selected, information is sent back via the web to Sony about that event.

Sony has issued denials stating they are not monitoring the use of their products but I think the cat is out of the bag at this point. Even I know that web based transactions are always accompanied by some data about the originator. Existence of this player-initiated communication -- assuming it is true -- shows that Sony has installed a program on a customer's machine that, at minimum, could provide the basis for Sony's tracking usage when communications are not blocked via some kind of firewall.

Whether or not the infected CD's EULA informs the customer of this communication mechanism being installed is another issue. Given Sony's willingness to hide the original code for its “rootkit” software, the possibility that surreptitious monitoring could take place does not require too much paranoia to imagine. It is possible, of course, that Sony's only intent is to send back updated information about a product when it receives information about its use; that is entirely possible. Anyone who is familiar with how the web operates will understand this.

But I think we need to step back and consider the larger significance of this issue. Here we have one of the largest entertainment conglomerates on the earth knowingly employing software tools to not only prevent certain post-sale actions concerning their products; they might also be establishing the foundations for a mechanism for monitoring how and when those products are used.

It does not take a genius to figure out that "prevention" and "monitoring" are essential to control over how products are used.

This situation is not new. Those of us who are old enough to remember way back to 1997-1999 will remember a now defunct technology called “Digital Video Express” (DIVX, not to be confused with the current codec) that was promoted by Circuit City as a competing DVD standard. Essentially a “pay per view” DVD, DIVX incorporated a DVD player that would communicate by phone with a central server to obtain authorization to play a movie additional times beyond an initial 48 hour period.

The experiment failed miserably. Circuit City lost millions of dollars. Customers did not want to have to phone someone every time they popped a DVD in to watch a movie, especially since an inherent part of the system was the centrally controlled monitoring of the number and times a movie could be watched before its license expired.

Fast Forward to the 21st Century. Pay per view schemes are commonplace on cable TV. Also, DVD movie sales have proven to be a massive profit-generator to entertainment companies such as Sony.

Still, there apparently is a mindset among some industry executives that, "If we could only control when and how our customers use our products, we could ...." The usual words that are publicly filled in at this point are "piracy" and the looming threat of web based distribution of unauthorized copies of complete motion pictures.

Since I don't really think that DRM schemes such as being implemented by Sony via its "rootkit" technology are really going to have any significant impact on piracy, I think they need to be viewed in the longer term. DRM schemes are not only about piracy prevention, they are about someone's having the ability to control customer behavior, with the end goal (I'm guessing) being to require payment for each use of the product, whether or not it is being accessed via a computer, seen in a theater, or played on a home media network.

For good or ill, this situation is a natural evolution of the Internet which, by design, maintains a constant two way flow of information about message source and message recipient; music and movie companies are simply taking advantage of this network.

I am not saying that security is a bad thing. Rather, people who use the Web need to be aware of its open nature and how easy it is to exploit. Sony's “rootkit” exploit may simply be a clumsy example of where we are headed.

If Sony management is smart, it will at least be more open and above board about what its goals and objectives are. If its real goal is to eventually do away with standalone media products such as CD's and DVD's, and replace them with products that only function in a pay per use environment, it should say so.

Meanwhile, Sony should stop penalizing law abiding customers by restricting legal uses of its products and should focus it efforts on working with, instead of against, its own customers.


War of the Worlds DVD is Copy Protected

Things to Consider Before Changing a Voice Response System