Blogs, Customers & Sony's Rootkit
Saturday, November 12 2005 @ 04:19 AM EST

So Sony has decided to stop planting rootkits on its customers' computers. For the time being.

That's a start. . . .

Might that be because they are being sued? You think? They don't promise never to do it again:

"As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology," it said in a statement. . . .

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," Sony BMG added. . . .

Sony BMG said it stands by content protection technology "as an important tool to protect our intellectual property rights and those of our artists."

Ah, corporateese. Where do they find people willing to express themselves like that? And where do you go to learn how to do it? Words crafted to hide your true meaning.

They thought we'd never notice or even know what a rootkit is, I gather. Sony's president of Global Digital Business, Thomas Hesse, said that "most people, I think, don't even know what a rootkit is, so why should they care about it?" But one blogger did notice and he told the rest of us, and we do care.

You see, Sony and the entire Entertainment Industry Gang have been calling their customers pirates and criminals and making pious declarations about their IP rights for so long that those same customers are not inclined to cut Sony any breaks when they do something allegedly criminal which violates their customers' rights.

[UPDATE: There is now an allegation of possible copyright violation, in that LGPL code may have been used in the rootkit, without Sony abiding by the terms of that license.]

Huh? Customers have rights too? You can fairly smell that question in the Sony air. They so don't get it. "Ease of customer use" isn't the problem, guys. The problem is ethics. The lack thereof, not to put too fine a point on it. If you wish to sell us rootkits, you need to spell it out honestly. Sony, under pressure, now provides uninstall directions, but states that if you follow them, you can no longer play the CD you bought. Oh. Say. Do you at least get your money back?

But let's not get sidetracked into thinking this is only about Sony. Sony is just a symptom. The problem is old-think companies totally wigged out by what technology suddenly lets people do, companies unwilling to morph their business model to take advantage of opportunities the new tech presents. Instead, they snuff it out the second it raises its head above the surface of the ground. They are clinging to their old ways with white knuckles. Not even iTunes' success penetrates their noggins. They just can't get it that most people will pay for music, as long as they can get it in the form factor they want and can share at least on a small scale with friends and family and as long as the terms and price are half-way fair. We'd settle for that, but what we'd really like is if you'd get into the 21st century, let technology bloom, and figure out how to make money from P2P. Could you get on that?

But no. They prefer to criminalize normal human behavior -- wasn't it your Mommy who taught you to share? -- and prevent any use of the new technology if it conflicts with their old business model. We all have to stay frozen in the '90s, so they can continue to make money in the manner to which they are accustomed. They intuit that customers are getting the shaft, so they have suspicious ideas about their customers and plan all their business strategies to outwit the worst person on the planet. As a Christian Science Monitor headline succinctly put it, "Sony aims at pirates - and hits users".

But you see, they think we are all pirates. Sony is absolutely not unique in that attitude, nor is the problem only in the music industry. Apple has just applied for a patent for "tamper resistant code" -- the very title is wildly offensive -- and if you put that thought together with Sony's system for what they call "sterile burning," well, you have seen the future these paranoid loons would like to arrange for us.

The real problem is corporations that have lost touch with their customers. They seem to have no concept of user rights, no understanding that messing with a customer's computer is wrong. If they want to damage our computers and hobble our CDs, it's in a righteous cause, in their lopsided thinking. Remember Orrin Hatch suggesting destroying computers owned by copyright infringers? Well, Sony preemptively did it, in their subtle way, but to everyone. They are wigged out, I'm telling you. And like all wigged out people, they are stuck in their own version of "reality", thinking emotionally, and only of themselves.

But the ironic part is this: this DRM won't stop infringement. All it does is annoy customers that wouldn't infringe in the first place. It won't in any way interfere with determined infringers, as the Christian Science Monitor article points out:

As it turns out, the way the antipiracy software is designed makes it easy to defeat. Just hold down the "shift" key when you insert a CD to play it.

"The reality is that this isn't going to stop any kind of so-called piracy," says [EFF's Jason] Schultz. "All this technology does is inhibit you from making the same kind of personal, fair-use music you've always made. The real pirates are going to easily circumvent this technology. The bootleggers won't even blink."

Now, the mainstream media didn't discover and tell us about this rootkit. It was a solitary blogger. Just go to Google and search News for "Sony DRM rootkit" and then choose to view the results by date, and you'll see what I mean. Of course, everyone is all over this story now. But had we relied just on the mainstream media, we might never have found out about the rootkit. It was a blogger who first noticed the rootkit. His site doesn't even show up on the Google results list, intriguingly enough, except that everyone refers to it. Presumably he'll be showing up now. BoingBoing gave the story legs when Cory Doctorow wrote about it, and then Slashdot and Charlie Demerjian at The Inquirer. But it was one man who blogged about his experience that got the ball rolling. And he changed the world.

Those pesky bloggers. There are now 20 million bloggers. Why can't they mind their own business? I'll tell you why. Because we buy those trapdoor CDs, if our consciousness is not sufficiently raised, as they used to say, and so we are Sony's customers. Well. Not me personally. I gave up on the music industry some time ago. I'll buy from them again when they figure out that they are cutting off their nose to spite their face. I don't like to be treated like a criminal when I'm not one. Call me quirky.

Customers of Sony have a stake in what Sony does. And they blog. It's that simple. Now do you understand why people read blogs instead of just the mainstream media? If we relied on them, no one would have told us about the rootkit. At least, no one did. So we rely on each other.

Dana Blankenhorn captures the issue:

The assumption is a lack of ethics by all. Sony is treating all its customers like criminals, and acting in a criminal manner in response. . . .

It's one thing for large institutions to be on guard against consumers or employees, to take precautions against theft. It's quite another for them to take the law into their own hands, or to take on the characters of a police state in response, to assume by their actions that everyone is a thief.

Can you imagine what Sony would say if they caught an individual doing exactly, exactly, what they did? They'd be citing computer abuse laws like scripture. "Off with their heads," would be their song. I know. Sony'd say that they did it to their *own* property, so it's different than if a hacker did it. Um. No. Our computers are *our* property. So are the CDs after we buy them. Get it? Ever hear of fair use? That is part of the law too, you know. Or did you forget that part? I have an idea: let's all abide by the law.

So several class action lawsuits are in the works. The first, to my knowledge, is the one in California [PDF]. A patent lawyer started collecting all the details on his blog and now he has set up a dedicated blog just for Sony and the DRM story. A company is in real trouble when a lawyer sets up a website dedicated to its misbehavior. Solutions began to appear to help victims detect the rootkit and remove it. Sony finally did the same, grudgingly offering a "service pack":

"This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

I have news for Sony. Any time the computer owner loses control of his or her computer, their security has been compromised. Sony's clumsy damage control only made the situation worse. Then the class action lawyers showed up in force, leaving comments on blogs, looking for Sony victims willing to sign on. EFF put up a list of affected CDs and is interested in hearing about members who were victims of the rootkit, for a possible class action lawsuit. In addition to the California class action litigation, other firms are investigating a possible consumer class action against Sony Music Entertainment Corp. for selling CDs encoded with the XCP2, without disclosing XCP2's nature or effects on its users' computers. The firms are trying to locate people who 1) bought a compact disc released after March 2005 and 2) played or attempted to play it on a Windows computer.

In Italy, ALCEI (Association for Freedom in Electronic Interactive Communications -- the Italian equivalent of EFF) filed a complaint on November 4th with the Commander in Chief of the Fraud Contrast Group of the Financial Police in Italy (Guardia di Finanza), which they describe in a press release:

On November 4th 2005 ALCEI asked the Financial Police to identify the authors of the software, and those who made the willful decision of distributing it in a hidden form, and also to detect if other organizations committed similar abuses. This is the preliminary phase of an action which means to penally prosecute anybody who, in Sony BMG Entertainment, has committed such illegal acts in Italy, those who helped in committing such crimes – and anybody else who performed similar actions.

No wonder companies are beside themselves, wondering what to do about blogs. It's such a drag for them that there aren't clueless customers anywhere any more. Presumably, Sony would like to be able to plant rootkits on our computers and get away with it. Corporations prefer clueless customers, I guess, but the Internet is wiping out cluelessness.

Now, what's a corporate entity to do in the face of bloggers everywhere, telling the world all about every stupid, greedy, or even malicious thing the company does? Let's agree that retaliatory dirty tricks might tend to get you indicted and should be avoided. The bright light of the Internet makes that hazardous to your reputation anyway, and that's your problem to begin with. Instead, you might like to read a chapter of a book called International Corporate Governance, available online, and there is one chapter [PDF] called "New technology issues for corporate governance: internet message boards," by Jonathan Carson and James Felton. It's chapter 13.

It talks about how companies can handle online chatter, without breaking the law or adopting dirty tricks, specifically chatter on Yahoo! message boards, with specific examples of success and failure in handling criticism of a company. What I learned from the book is that companies need to engage with their customers, including bloggers. And I also learned that posters on Enron's Yahoo! message board blew the whistle on Enron two years before the famous memo from Sherron Watkins to Ken Lay showed up in the mainstream media. The HealthSouth story surfaced there first too. Two years is a long time.

Here's just one segment from the chapter:

Enron investors were left in the dark by Enron's executives and middle-managers, their law firm Vinson & Elkins, and their auditor Arthur Andersen. Also implicated were the sell-side analysts at JP Morgan Chase, Salomon Brothers, Credit Suisse First Boston, Boston USA, Bank of America, Merrill Lynch and Lehman Brothers who may have had access to inside information (before Regulation Fair Disclosure took effect in October 2000).

Individuals in all of these key roles failed to blow the whistle. However, the one place that investors could have received indications about the mounting crisis was Enron's Yahoo! stock board. Posters to that forum, some of them company insiders, began warning of Enron's financial dealings at least two years before Ms Watkins' famous memo. In June 1999 'Bearene' wrote:

Do not confuse the multitude of Enron 'entities' as companies in the sense that each is an actual business. Many (or most) are utilized to 1) segregate discrete lines of businesses; 2) for management reporting purposes; 3) tax planning vehicles. I am sure this is not very different than any other large corporation. Enron's core businesses can still be counted on one (or two) hands.

While this post did not provide investors with a 'smoking gun' detailing Enron's usage of special-purpose entities to hide debt, it at least gave investors a topic for further research. In March 2000 'arthur86plz' gave a more specific warning: 'Dig deep behind the Enron financials and you'll see a growing mountain of off-balance sheet debt which will eventually swallow this company. There's a reason they layer so many subsidiaries and affiliates. Be careful.'

In April 2001, four months before Sherron Watkins' internal memo, when Enron was still selling in the high US$50s, 'Enron is a scam' wrote:

It will soon be revealed that Enron is nothing more than a house of cards that will implode before anyone realizes what happened. Enron has been cooking the books with smoke and mirrors. The Enron executives have been operating an elaborate con scheme that has fooled even the most sophisticated analysts. When the truth is uncovered, those analysts and ENE investors will feel like a raped school girl. The first sign of trouble will be an earnings shortfall followed by more warnings. Criminal charges will be brought against ENE executives for their misdeeds. Class action lawsuits will complete the demise of ENE. Get out now while you can.

I found the epilogue interesting because it mentions HealthSouth's then-CEO Richard Scrushy's attempt to sue a Yahoo! poster back in 1999, and how it backfired when she demanded that HealthSouth turn over its financial records she claimed would validate her comments on Yahoo!, truth being a defense to defamation allegations. HealthSouth's legal troubles first were publicly talked about on Yahoo!

Other allegations of financial fraud at HealthSouth poured forth in 2003, and amongst these came the real silver bullet. A cover story in The Wall Street Journal broke the news of a former HealthSouth junior-level accountant and his attempts at blowing the whistle on the company. When complaints to his ex-supervisors and to HealthSouth's auditor Ernst & Young led nowhere, Michael Vines took his information to Yahoo!'s HealthSouth board in February 2003: "What I know about the accounting at HRC will be the blow that will bring HRC to its knees", he wrote: "if discovered by the right people [this] will bring change to the accounting department at HRC if not the entire company".

The following month, the Securities and Exchange Commission filed a civil lawsuit claiming that HealthSouth had overstated earnings by US$1.4 billion since 1999. HealthSouth's stock crashed by 90 per cent. In April 2003, HealthSouth fired Scrushy and began searching for a new auditor.

Here's a 1999 Wall St. Journal article on Mr. Scrushy's legal efforts to shut his critics up, covering it most favorably. Bruce Fischman was Mr. Scrushy's attorney. The funny thing is, not only were all the watchdogs completely silent about HealthSouth, so was the mainstream media, according to this Forbes article from 2003, after the scandal broke:

For nearly all of Scrushy's tenure, press reports about the company were almost universally positive. In 1995, for instance, in the wake of one in a series of HealthSouth merger offers, Bloomberg News reported that then-U.S. House Speaker Newt Gingrich (R-Ga.) wanted Scrushy in Congress, and Alabama businessmen wanted him to run for governor. It quoted William Harnish, president of Forstmann Leff Associates, a money management firm with a large holding in Healthsouth, who said, "There may not be another person who has come so far and accomplished so much in corporate America." . . .

A rare, and odd, exception to the universal cheers came in 1999 when HealthSouth and Scrushy sued a rare critic for libel. Those critics were anonymous posters on Yahoo! Finance bulletin boards.

Scrushy was painted as the victim of irresponsible rumors. "Here I am, the CEO of a multibillion-dollar company, and I'm having to answer about what some weirdo has said on a message board," Scrushy lamented to The Wall Street Journal.

But at the time, Scrushy rarely had to answer to anyone else. It may have been that Scrushy went to such lengths to track down the Internet chatters because he feared any investigation by more legitimate-sounding sources would expose that their charges contained some truth, as one former HealthSouth employee, Kimberly Landry, said at the time.

Mr. Scrushy was ultimately found not guilty, after blaming the accounting fraud on the CFO. [UPDATE 2: Mr. Scrushy was indicted in October 2005 on racketeering charges and again on Dec. 12, 2005, charging him with paying off the Alabama Governor for a seat on the state health regulatory board and for wielding improper influence over the board. UPDATE 3: June 28, 2007 - Mr. Scrushy was sentenced to serve nearly 7 years in prison, was fined $150,000 and ordered to pay restitution of $267,000 to be paid to United Way of Central Alabama.] The jurors believed he was not personally involved:

"This shows that when you go after a CEO, they can put forth the best possible presumption of innocence, and there are times that defense will work," said Joshua Newberg, an associate professor of law and business ethics at the Robert H. Smith School of Business at the University of Maryland. "You don't get to be a CEO without understanding the ability to charm.". . .

HealthSouth jurors seemed more willing to accept that there was reasonable doubt about Scrushy's involvement.

Newsweek's article, "The Alpha Bloggers", lists some other stories that bloggers broke before the traditional media.

What we have here is a new and unmediated link in the information food chain. . . . All you need to start your own Weblog is the software—which is low-cost, or free, and very easy to use—and something to say. Out of the inchoate chatter of the Web, the sharpest voices simply emerge. . . . people, by a combination of writing skills, unyielding curiosity, canny instinct and lots of sweat equity, rise up from total obscurity to join the big dogs in the community. . . . Most are isolated, and there are about 100,000 that have 20 or more "inbound" links (that means that a blogger has identified an item on someone else's Weblog and set up a one-click pathway for a reader to move directly to that item on the other author's site). But about 10,000 people have more than 100 inbounds. Now we're getting into the realm of the alphas.

On a good day, the article said, alphas would have 20,000 visitors. Not to boast, but Groklaw has that many visitors for each article, and we have more than 3,500 sites linking to us. So I guess Groklaw is Uber Alpha.

: )

My point is just this: a lot of people read blogs. Millions of people. Why? Because they trust the folks whose blogs they choose to read. And millions of people like to write blogs too. Corporations may not like blogs, but all they are is customers providing you vital feedback. Had Sony listened to a word their customers have been saying, they wouldn't be in this mess.

And blogs are not going away. After tracing the Sony story, my question is, would you want them to?


Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )