ZDNet

November 18th, 2005

Sony rootkit: The untold story

Posted by David Berlind @ 11:16 am

Categories: Digital Restrictions Management, Entertainment, General, Personal Technology, Security, Software Infrastructure, Web Technology


In light of the way Bruce Schneier has published Sony’s DRM Rootkit: The real story — a story that recounts how quickly things have gone from bad to worse for Sony, I thought it would only be fitting to publish the untold story (does our industry have the equivalent of the E! Hollywood True Story?  I don’t know).  But before getting to the untold story, it should be noted things have actually gone from worse to worser for Sony. 

Just when I thought that one of the worst public relations nightmares in technology history was finally coming to a conclusion, I woke up this morning to learn that the never-ending tale has taken another salacious twist. This time, on the open source front. While many people are worried about how open source code may infringe on the proprietary world’s intellectual property (and the open source community is responding by circling its patent wagons), Sony is now caught in the Web of news that things are actually the other way around for its rootkit. According to a Reuters report on ZDNet, it looks as though UK-based First4Internet, the company that developed the rootkit software used on the Sony CD, probably used open source code in its proprietary product without proper attribution. It’s a copyright gaffe that most in consumer-land won’t understand but that open source advocates are likely to make serious hay about.

Now onto the untold story.

In his column on Wired.com, Schneier makes his own hay because of the way that the anti-malware providers may have been co-conspirators in the rootkit fiasco. They apparently gave First4Internet (and by way of inheritance, Sony) a hall pass to surreptitiously install and run the rootkit on users’ PCs. Now you know why I called it a Trojan horse when I first wrote about it. Dan Gillmor picked up on Schneier’s report. Indeed, if the anti-malware companies have been lured into becoming foxes that watch the henhouse, that’s a major problem. But, while that may be the real story, and while there’s obviously another big story lurking in the fact that the blogosphere is ultimately what sent Sony reeling from explaining itself to offering fixes to withdrawing the product from the market in only two short weeks (wow. just wow), the untold story, if you ask me, is that the outrage against Sony is being misplaced.

Sony, as it turns out, is a very small fish in the big Digital Restrictions Management (DRM) sea. This incident is only a hint of the trainwreck that’s coming because the various players with their hands in the entertainment pie aren’t playing nice. Not with each other. Not with consumers. When news first surfaced about DRM-protected CDs, it had nothing to do with rootkits. It was a story on CNN.com (one that has very mysteriously disappeared) about how the band Switchfoot was disappointed to learn that its CDs were being sold with copy protection on them: copy protection that prevented the music from being transferred to the most popular portable audio players in the world, Apple’s iPods.

Sony’s explanation for resorting to its own DRM scheme is that it has been left with no choice because Apple is refusing to license the proprietary DRM technology (FairPlay) found in its iPods. Forgetting for a minute why, it is absolutely an outrage that corporate greed is what’s standing in the way of letting music and video buyers freely move the content they’ve purchased from one of their devices to another. As long as this situation persists, the entertainment industry might as well come right out and tell consumers that it is now their policy to make consumers pay for the same content again and again for each device they want to play it on.

Sony’s rootkit, as bad as it was, isn’t the real story. The way the entertainment cartel is applying DRM as a whole is the real story. They’re applying DRM in a way that made the Sony fiasco inevitable. This wasn’t the first time lack of DRM interoperability manifested itself in the end-user experience in an ugly way, and it won’t be the last. Sure, the rest of the entertainment industry is rewriting its DRM playbook to keep from repeating Sony’s history. But rest assured, another DRM-inspired trainwreck will come along that will light the grapevine ablaze and some other content company will end up with egg on its face when, in reality, it’s Microsoft and Apple that we should really be angry with; two companies that are driving incompatible DRM technologies into the marketplace in a way that twists the royal (or should that be "royalty") screws into the world.

And, it’s only going to get worse.  Unbeknownst to most people, what started with music (let’s just say audio) already applies to video and it’s not going to stop there. Video that’s wrapped in Microsoft’s DRM has been in the market for quite some time already.  The fact that video has been added to Apple’s iPods and that FairPlay-protected video will be sold through Apple’s iTunes Music Store (IMS) only adds insult to injury. Just like with music purchased at the IMS, the video you buy at the IMS can only be played back where Apple lets you play it back.  This is different from the old days where you could buy a DVD knowing that you could play it in any DVD player. 

Unfortunately, for us, video is not the end of the line for DRM. Text, the form of content that dwarfs all others, is next. Consider the many media companies that force you to log in to their Web sites before you can view their content, or the ones that make you pay for that privilege, and then the ones whose intellectual property gets completely lost when their content gets cut and pasted into things like e-mail, blogs, and Web sites. I’m supposed to pay to get to the Wall Street Journal’s content. But, because of text’s equivalent to the broadcast industry’s analog hole (good ole’ cut n paste), I never do. I read the Wall Street Journal for free all the time because other people just keep forwarding its stories to me (By the way, I don’t ask for this. Usually, I just get these stories along with a question like "What do you think?"). Much the same way the entertainment industry struggled with the copying problem for years (before DRM came along), the text industry is still struggling to plug the holes through which its content leaks. They call this "gating" (as in putting a gate on the content).

Then, along comes DRM. Much the same way DRM’d music and videos can’t be e-mailed around, posted to blogs, or cut and pasted into Web pages, could the same be done with text? The answer is yes. And much the same way incompatible DRM technologies prevent us from listening to or viewing music or videos on the device or platform of our choice, imagine a day when you’ll need one device or platform to read one text item (a news story, a book, a magazine article, etc.) and you’ll need another to read another text item. After all, Apple is controlling where you can view IMS-purchased music and videos. What on earth would prevent the same thing from happening to text? Particularly since the technology to do the same thing to text is already here and evolving as I write this.

Today, on an Internet level, the application of DRM to text is largely limited to electronic books which are often distributed by way of marriage between Adobe’s Portable Document Format (PDF) and DRM technology. On a private (intranet) level, businesses can use the same marriage to tighten the security around sensitive documents, particularly ones that contain trade secrets. I don’t hear, see, or frequently bump into the marriage and, whereas Apple and Microsoft have done a masterful job of e-commerce enabling DRM’d audio and video (when you click to buy, what goes on under the hood is nothing short of extraordinary), the application of e-commerce to DRM’d text is apparently pretty kludgy (here’s one fubar-ish account of how it’s a bit immature). Given its expertise in e-commerce, now that Microsoft is in the PDF and the PDF-killer games, my expectation is that that will change.

Consider that XPS (code-named Metro, Microsoft’s own PDF-esque technology) is a format that Microsoft is not only marrying its DRM to, but that it will very likely support across all its platforms. In other words, documents will be easily saved in XPS with products like Microsoft Office 12 and readable across its desktop and mobile platforms (phones, "content" players, etc.)  in precisely the same way that Windows Media formatted files (wrapped in Microsoft’s DRM) can be transferred across and listened to or viewed across those same platforms.  Marry that to e-commerce much the same way that the Microsoft PlaysForSure-compliant content that can only be played on PlaysForSure-compliant devices is now available from PlaysForSure-compliant stores — the other big DRM silo with which nothing in the Apple world is compatible, and the DRM trainwreck we’re heading for takes on a whole different dimension.  In saying:

Is Microsoft about to inflict on us another e-book reader tied to Windows, just like Microsoft Reader? And DRMed books that can’t be read on other platforms?…Beware. Even “open formats” don’t count with closed DRM, especially if the full works will run just on Windows machines. Let’s hope that the dots don’t connect and that we won’t see in effect another proprietary approach…

David Rothman, a ringleader of the OpenReader Consortium that’s focused on applying open Web standards to PDFesque documents in a way that drives down access to eBooks for the poor (amazingly consistent with Nicholas Negroponte’s $100 notebook project), spotted the potential trainwreck in April of this year. As a side note, given the proprietary DRM silo that Microsoft is very rapidly building, I couldn’t help but notice a bit of kettle-pot-black in the way Microsoft expressed concern over the Sony rootkit. It’s the continued erection of non-interoperable DRM silos by companies like Microsoft that is getting us into this mess in the first place. Which leads me back to my main point. The bigger picture.

The Sony rootkit fiasco is the equivalent of that red light somewhere way down the line that some runaway train in the movies blew through.  Somewhere in a control booth far away is someone flicking some indicator light with his finger.  He knows something’s wrong, but he’s not ready to sound the alarms just yet. It’s the squadron of Japanese Zeros heading for Pearl Harbor that the radar technicians mistook for a flock of birds. We are ignoring the warning signs even though they’re right in front of our faces.  We are heading for a situation that we are all going to dreadfully regret — essentially the bad pipe dream that Doc Searls wrote about in his recent treatise — if we don’t treat the Sony rootkit issue as a symptom of a much much bigger problem.

If the Sony rootkit case study teaches us anything, it’s how the fear of Internet-inspired economic punishment can result in a rapid change of direction.  Sony is pulling its rootkit CDs from the market and not a moment too soon.  Though we don’t know what Sony will come up with over the long term to replace it, it is ultimately the best conclusion anybody could have asked for.  It’s proof that public outrage can work.  Now, if only we can apply that same outrage to the real problem, then and only then will things start to look up.

[BOF Update: One thing I forgot to mention is that, at the upcoming Syndicate Conference in San Francisco (Dec 12-14), I'll probably be leading an ad hoc BOF (birds of a feather) session on the business challenges created by the current DRM regime.  The session will be for technologists, businesspeople, and media executives who want to plan now in order to successfully navigate the future DRM labyrinth later. The session *is* ad hoc so the plans aren't 100 percent firm yet.  But even so, for anybody with a business interest in current and future content management, distribution, and syndication technologies, Syndicate should prove to be a worthwhile event. Disclosure: I'm an unpaid member on the conference's Board of Advisors.]
