Sony's Rootkit Creates a Legal Fiasco

As if Celine Dion's voice wasn't bad enough, one of her albums poses a major security threat to computer users. When inserted in a PC, the CD installs an insidious piece of software known as a rootkit--an application that hackers typically use to implant viruses and trojans on victims' computers.

What's strange is that Sony BMG, the album's label, purposefully included the software, known as XCP, on nearly 20 of its titles. Developed by U.K.-based First 4 Internet, XCP does in fact protect CDs from illegal duplication. It disables the user's ability to burn multiple copies of protected CDs and tracks users' listening habits. However, it also enables Sony to secretly collect information about a computer user, opens a backdoor for hackers, can disable a computer's CD-ROM drive and causes a computer's hard drive to burn out in one-third of its normal lifespan.

"Sony was saying they used this technology to be a speed bump to piracy," says Cindy Cohn, legal director of the California-based Electronic Frontier Foundation (EFF), a digital consumer-advocacy group that has sued Sony over the damage the rootkit causes. "What they really put forth was a land mine."

With litigation pending in multiple jurisdictions, Sony is feeling the heat of the firestorm it created. Now the rest of the music industry sits poised, watching Sony's fiasco unfold to determine whether they can make use of the rootkit in their anti-piracy efforts.

"I am quite sure that the other record companies are sitting and watching to see what the fallout is of this and to see if this is something they can implement or if they should stay away from it," says Brad Gross, a partner at Becker & Poliakoff in Fort Lauderdale, Fla.

Keeping Watch

What these other companies will be watching is the mountain of litigation that began piling up in Sony's inbox less than a week after users discovered the rootkit. While Sony was trying to calm the media frenzy, plaintiffs' attorneys were gathering class action participants. Lawyers have filed suits in California, New York and Italy.

"You are starting to see a situation here where companies have to be careful not to promote their own IP rights to a level superior to that of the customer," says Scott Kamber, a New York attorney who represents a class of consumers who purchased CDs containing the rootkit. His complaint alleges that Sony violated the Federal Computer Fraud Law and committed common law trespass and common law fraud.

The fact that the software relays information back to Sony about the user's listening habits and IP address also may create significant liabilities for Sony.

"If Sony's rootkit reports more specific information and transmits it back to Sony or performs some record-keeping function that crosses the line from protection to some privacy invasion, then Sony is going to have a problem," Gross says.

In addition to the consumer class actions, Texas' attorney general has filed suit alleging that Sony's use of XCP violates the state's anti-spyware law. The law allows the state to recover up to $100,000 in damages for each violation, of which the attorney general says there were thousands.

Despite Sony's legal troubles, the music and movie industries will still seek ways to use the powerful technology of the rootkit to protect their IP. As rootkit technology becomes more prevalent, companies need to take action to ensure that their computers do not become susceptible to the software's unintended effects.

Computer Rules

It is not only consumers who are worried about the dangers of rootkits. Any employee mindlessly popping an album into a company PC could potentially open the company up to massive liabilities. A chief concern is hackers taking advantage of these rootkits to steal and manipulate private company information.

"Hackers can use these systems to send spam or gather credit card information," says Sam Curry, vice president of security management at Computer Associates. "They also can rent out systems as dedicated computer networks against the will of the user."

Rootkits create another cost to companies besides legal liability. Uninstalling rootkits is a challenging process, one that even a skilled IT technician may find difficult to do without damaging the system's hardware.

"When getting rid of a rootkit, in some cases the drives themselves are entirely disabled," Gross says. "So now you have a network going down because employees were doing seemingly harmless things. It's a lesson to be learned."

For most companies the simplest solution is to ban employees from playing CDs on their computers.

"Companies should not only list impermissible uses of office computers but also list permissible uses so that ambiguity is reduced," Gross says. "Employers really have to take an audit of what their computer usage policy says and how it can be improved."

Technology Editor

Keith Ecker
